Hi everyone! I did manage to run the OCSP check manually without a proxy (some 
network issue), still no success with Tomcat OCSP or SSL Labs, however.

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -CAfile issuer.crt
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
        This Update: Oct 21 07:35:07 2018 GMT
        Next Update: Oct 28 07:35:07 2018 GMT

 openssl s_client -connect localhost:8443 -tls1_2 -tlsextdebug  -status
CONNECTED(00000005)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00                                                .
TLS server extension "server name" (id=0), len=0
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "extended master secret" (id=23), len=0
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = 
COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust 
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4966 bytes and written 314 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 81DDFBC7755B21C63C5B1C5397D05EBB7EA8DA0022634CADC848CEECBE1F51DA
    Session-ID-ctx:
    Master-Key: 1CF1F4658FC6CD3A8B12579B7DDE4314D1A2E29BC1DED5F605C5D71467C41022FB68902C5198560FE2251519D400602C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 14400 (seconds)
    TLS session ticket:
    0000 - f8 1f af d2 64 6e 20 f1-89 e6 2c 38 5a 6e 81 92   ....dn ...,8Zn..
    0010 - 1d 05 10 4f 52 f8 80 98-8c 07 dc 9e 98 9d 55 64   ...OR.........Ud
    0020 - bd 43 11 8d 8a bb 80 ee-0f ea dd 94 fc 95 76 08   .C............v.
    0030 - 25 7c 3e dc 7a 2b 0c be-04 4e 56 13 0c 4d ae ef   %|>.z+...NV..M..
    0040 - 8a 97 3a 60 dd 08 5c 04-78 32 cb ca 46 7a cb 1c   ..:`..\.x2..Fz..
    0050 - f9 69 bc 85 d1 ac bc 7e-93 93 dd b9 02 dc f5 5a   .i.....~.......Z
    0060 - df 4a 70 0c 34 e0 37 cd-09 a7 e4 3e 77 ce 93 e2   .Jp.4.7....>w...
    0070 - 9b cf a4 40 01 9f e2 36-6f 76 d1 6a 80 0f 4a 78   ...@...6ov.j..Jx
    0080 - a4 ee 93 80 aa 4c 21 af-61 19 5b 6a 49 52 3d e0   .....L!.a.[jIR=.
    0090 - c2 6f f1 4e 9c 4e 3d e4-91 2e e3 6a ea 52 ea a9   .o.N.N=....j.R..
    00a0 - 8e cc 33 f4 e7 aa 2a 04-93 26 a8 36 4e 01 b0 12   ..3...*..&.6N...
    00b0 - ca d2 df 64 0b 98 2b 57-7f be 68 8a 0d 43 26 06   ...d..+W..h..C&.

    Start Time: 1540313457
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes


Any idea how to identify which command Tomcat sends to the OCSP responder?
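
To see what an OCSP client puts on the wire without a network trace, here is an added example (not code from this thread and not Tomcat's or tcnative's own code) that builds, in plain Python, the OCSPRequest an OpenSSL-style client such as `openssl ocsp -no_nonce` sends, wraps it in the RFC 6960 HTTP binding (POST with `Content-Type: application/ocsp-request`, or the base64 GET form), and decodes the status field of an OCSP response. The Issuer Name Hash, Issuer Key Hash and Serial Number are the values `openssl ocsp -text` printed earlier in the thread; the 5-byte body is a reconstruction of what `wget` fetched with a plain GET (`less` showed `0^C`, a newline and `^A^A`, i.e. `30 03 0a 01 01`), and all helper names are this example's own. What tcnative itself sends is still best confirmed with the trace Mark suggests; this shows the expected shape so the trace is easy to read.

```python
"""Build the OCSP request an OpenSSL-style client sends and decode an OCSP
response status, with no network access.

Added example; not code from the thread or from Tomcat/tcnative.  The CertID
values below are the ones printed by `openssl ocsp -text` in the thread; the
helper names and the reconstructed wget body are assumptions of this example."""
import base64
import urllib.parse

# CertID fields as printed by `openssl ocsp -text` (hash algorithm sha1).
ISSUER_NAME_HASH = bytes.fromhex("7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9")
ISSUER_KEY_HASH = bytes.fromhex("90AF6A3A945A0BD890EA125673DF43B43A28DAE7")
SERIAL_NUMBER = bytes.fromhex("F078CB8E2F4E5A678BFB9065A9611B57")

# Body wget fetched with a plain GET (reconstructed from the `less` output:
# "0^C", newline, "^A^A" == 30 03 0a 01 01).
WGET_BODY = bytes.fromhex("30030a0101")

SHA1_OID = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26, DER content octets

# RFC 6960 section 4.2.1 OCSPResponseStatus values (4 is unused).
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Generic TLV encoder."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(unsigned: bytes) -> bytes:
    """INTEGER from unsigned big-endian bytes.  A leading 0x00 is added when the
    top bit is set; otherwise a serial such as F0... would encode as negative."""
    unsigned = unsigned.lstrip(b"\x00") or b"\x00"
    if unsigned[0] & 0x80:
        unsigned = b"\x00" + unsigned
    return der(0x02, unsigned)


def build_ocsp_request(name_hash: bytes, key_hash: bytes, serial: bytes) -> bytes:
    """OCSPRequest with a single CertID and no nonce (as `-no_nonce` produces).
    TBSRequest.version defaults to v1, so DER requires it to be omitted."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))      # AlgorithmIdentifier
    cert_id = der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash)
                  + der_integer(serial))                        # CertID
    request = der(0x30, cert_id)                                # Request { reqCert }
    tbs = der(0x30, der(0x30, request))                         # TBSRequest { requestList }
    return der(0x30, tbs)                                       # OCSPRequest { tbsRequest }


def http_post_bytes(host: str, path: str, body: bytes) -> bytes:
    """HTTP binding from RFC 6960 Appendix A: POST with the DER as the body.
    This is what a proxy log or Wireshark would show for the request."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/ocsp-request\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def http_get_url(base_url: str, body: bytes) -> str:
    """GET form: URL-escaped base64 of the DER appended after the responder path."""
    return base_url.rstrip("/") + "/" + urllib.parse.quote(
        base64.b64encode(body).decode("ascii"), safe="")


def read_tlv(buf: bytes, offset: int):
    """Return (tag, content, next_offset) for the TLV starting at offset."""
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:
        length, pos = first, offset + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
        pos = offset + 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def decode_response_status(response: bytes) -> str:
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }.
    Only the status is read: enough to tell a usable response from an error reply."""
    tag, outer, _ = read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an OCSPResponse SEQUENCE")
    tag, status, _ = read_tlv(outer, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("missing responseStatus ENUMERATED")
    return RESPONSE_STATUS.get(status[0], f"unknown({status[0]})")


if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL_NUMBER)
    print(http_post_bytes("ocsp.comodoca.com", "/", req)[:110])
    print(http_get_url("http://ocsp.comodoca.com", req))
    print("wget body decodes as:", decode_response_status(WGET_BODY))
```

Running it shows the 84-byte DER request inside a `POST / HTTP/1.1` with `Host: ocsp.comodoca.com`, which is the request to look for in a trace or proxy log, and decodes the wget body as `malformedRequest`: the responder answered a bare GET with no request in it, so that fetch proves only that the proxy reaches the responder, not that OCSP works through it.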


________________________________
From: Усманов Азат Анварович <usma...@ieml.ru>
Sent: 19 October 2018 15:29:54
To: Tomcat Users List
Subject: Re: OCSP stapling in tomcat 7 with APR

Hi! It turns out to be a proxy issue, because once I modify the openssl ocsp 
command to include my proxy 192.168.1.6 and port I get the correct response:

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -CAfile issuer.crt -host 192.168.1.6:3131 -path http://ocsp.comodoca.com/ -text

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Oct 14 07:35:10 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: Oct 14 07:35:10 2018 GMT
    Next Update: Oct 21 07:35:10 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
         be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
         8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
         62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
         bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
         a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
         c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
         70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
         ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
         ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
         4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
         d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
         21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
         1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
         17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
        This Update: Oct 14 07:35:10 2018 GMT
        Next Update: Oct 21 07:35:10 2018 GMT


Now the question is how to tell Tomcat to use the proxy when making OCSP requests.
I have tried to put proxyName and proxyPort in the Connector definition, but 
that didn't do anything for OCSP support (SSL Labs still says no for OCSP).
Any suggestions?

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: 17 October 2018 18:43:39
To: Tomcat Users List
Subject: Re: OCSP stapling in tomcat 7 with APR

On 17/10/18 15:02, Усманов Азат Анварович wrote:
> Unfortunately, I still got the same issue with the slash
> openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>           Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>           Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>     Request Extensions:
>         OCSP Nonce:
>             0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark


>
>
>
> ________________________________
> From: Rainer Jung <rainer.j...@kippdata.de>
> Sent: 17 October 2018 16:41:27
> To: Tomcat Users List; Усманов Азат Анварович
> Subject: Re: OCSP stapling in tomcat 7 with APR
>
> The redirect when accessing http://ocsp.comodoca.com could simply be a
> trailing-slash redirect (Location: http://ocsp.comodoca.com/). You had
> better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
>
> Regards,
>
> Rainer
>
> On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:
>> The SSL Labs test still shows "OCSP stapling no" even with the latest
>> OpenSSL version.
>>
>> I've tried to test it manually and got an error
>>
>>
>>   openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
>> OCSP Request Data:
>>      Version: 1 (0x0)
>>      Requestor List:
>>          Certificate ID:
>>            Hash Algorithm: sha1
>>            Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>>            Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>>            Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>>      Request Extensions:
>>          OCSP Nonce:
>>              041002914B015477EC5C503D4FD630D616F3
>> Error querying OCSP responder
>> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
>>
>> Not sure what the problem might be?
>> 301 looks like an HTTP error (Moved Permanently), which is strange because
>> I tried to access http://ocsp.comodoca.com via wget:
>>
>>   wget  http://ocsp.comodoca.com
>> --2018-10-17 16:03:12--  http://ocsp.comodoca.com/
>> Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
>> Запрос Proxy послан, ожидается ответ... 200 OK
>> Длина: 5 [application/ocsp-response]
>> Saving to: «index.html.7»
>>
>> 100%[===================================================================================================================================================================================================>]
>>  5           --.-K/s   в 0s
>>
>> 2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
>>
>> [root] ~# less index.html.7
>> 0^C
>> ^A^A
>> index.html.7 (END)
>> Any ideas what the problem might be?
>>
>>
>> ________________________________
>> From: Усманов Азат Анварович <usma...@ieml.ru>
>> Sent: 15 October 2018 18:20:14
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP stapling in tomcat 7 with APR
>>
>> How do I make sure OCSP is enabled in tomcat-native?
>>
>> When I try to pass --enable-ocsp to the tomcat-native configure I get an
>> unrecognized option warning:
>>
>>
>>    ./configure --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
>> configure: WARNING: unrecognized options: --enable-ocsp
>> checking build system type... x86_64-pc-linux-gnu
>> checking host system type... x86_64-pc-linux-gnu
>> checking target system type... x86_64-pc-linux-gnu
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking for working mkdir -p... yes
>> Tomcat Native Version: 1.2.17
>> checking for chosen layout... tcnative
>> checking for APR... yes
>> configure: APR 1.6.5 detected.
>>    setting CC to "gcc"
>>    setting CPP to "gcc -E"
>>    setting LIBTOOL to "/usr/local/apr/build-1/libtool"
>> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>>    adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
>> checking for JDK os include directory...  linux
>>    adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
>> checking for gcc... gcc
>> checking whether the C compiler works... yes
>> checking for C compiler default output file name... a.out
>> checking for suffix of executables...
>> checking whether we are cross compiling... no
>> checking for suffix of object files... o
>> checking whether we are using the GNU C compiler... yes
>> checking whether gcc accepts -g... yes
>> checking for gcc option to accept ISO C89... none needed
>> checking for OpenSSL library... using openssl from 
>> /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
>> checking OpenSSL library version >= 1.0.2... ok
>> checking for OpenSSL DSA support... yes
>>    adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
>>    setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib 
>> -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
>>    adding "-DHAVE_OPENSSL" to CFLAGS
>>    setting TCNATIVE_LIBS to ""
>>    setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  
>> -lpthread"
>> checking for apr_pollset_wakeup in -lapr-1... yes
>>    adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
>> configure: creating ./config.status
>> config.status: creating tcnative.pc
>> config.status: creating Makefile
>> config.status: executing default commands
>> configure: WARNING: unrecognized options: --enable-ocsp
>>
>>
>>
>> ________________________________
>> From: Mark Thomas <ma...@apache.org>
>> Sent: 15 October 2018 15:01:58
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP stapling in tomcat 7 with APR
>>
>> On 14/10/18 18:45, Усманов Азат Анварович wrote:
>>> Hello everyone! I have a Java 7 web app running on Tomcat 7 with 
>>> APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP 
>>> stapling on Tomcat so that:
>>> When OCSP is enabled, a server will pre-fetch the OCSP response for its own 
>>> certificate and deliver the response to the user's browser during the TLS 
>>> handshake. This eliminates the need to make a separate connection to the 
>>> CA's revocation service before the Web page is displayed, improving the 
>>> page's performance and reliability.
>>> I did search the mailing list and found this question
>>> https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html
>>> but that user is using the JSSE implementation for TLS, not APR.
>>> The documentation for Tomcat 7 does have an example:
>>>
>>> <Connector port="8443"
>>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>     secure="true" scheme="https"
>>>     SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>>>     SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>>>     SSLCACertificateFile="/path/to/ca.pem"
>>>     SSLVerifyClient="require"
>>>     SSLVerifyDepth="10"
>>>     clientAuth="true"/>
>>>
>>>
>>> but that is for client-cert verification. Can we do it on the server side, or 
>>> am I missing something about how OCSP is supposed to work in the first place?
>>
>> If you build an OCSP enabled version of the APR/native connector, OCSP
>> stapling should just happen without any additional configuration.
>> Assuming you use an appropriate certificate etc.
>>
>> Mark
>

