Hi,

On Mon, Apr 1, 2019 at 3:30 PM John Palmer <johnpalm...@gmail.com> wrote:
> What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
> tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
> 8.5.38 using OpenSSL?

Setting `certificateVerification="require"` on your Connector and using a
client certificate that has an OCSP URI should be it. See
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
for more information on how to configure it.

>
> I'm sure I'm missing something simple and obvious (once pointed out) but
> I've been struggling with this all morning.
>
> 1) using OpenSSL (the tc-native-1.dll binary for Windows, compiled w OCSP
> support - the X64 dll from
> tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip)
> (will this even work with NIO2? - I don't HAVE to use NIO2)
>

It will work, but only if you're using the openssl implementation.

> (I'd prefer to have this working with OpenSSL for a couple of reasons).
> (extra points for a configuration to allow it to use Axway's (formerly
> Tumbleweed) Desktop Validator for its OCSP-caching features).
>
> 2) using JSSE (java 8 (1.8.0_202)) with the NIO2 connector
> (I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java
> options for the tomcat service).
>
>
> I can't see anything indicating OCSP checks in the logs for either.
>

There isn't any OCSP code in Tomcat and tomcat-native doesn't log much of
anything when it's in use, so there's not much indication that it's working
there.

>
> (when the tc-native-1.dll is present, the logs show it being used:
> INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> Loaded APR based Apache Tomcat Native library [1.2.21] using APR version
> [1.6.5].
> INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true].
> INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
> OpenSSL successfully initialized [OpenSSL 1.1.1a 20 Nov 2018]
> INFO [main]
> org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol
> The ["https-openssl-nio2-192.168.1.16-443"] connector has been configured
> to support negotiation to [h2] via ALPN
> INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
> ProtocolHandler ["https-openssl-nio2-192.168.1.16-443"]
> )
>
>
> for JSSE, by adding -Djavax.net.debug=ssl to the Java Options for the
> tomcat service I see logging for key & trust stores being loaded, etc. in
> tomcat8-stdout(date).log
> the server requesting a client cert, the client cert being received and
> finding a trusted root for it ("Found trusted certificate:"),
> but nothing about revocation checking....
> (I do see:
> check handshake state: certificate_verify[15]
> update handshake state: certificate_verify[15]
>
> but I'm not sure that's revocation checking...).
>
> for OpenSSL, I'm not sure how to enable equivalent logging....by enabling
> pretty much ALL the logging
> org.apache.coyote.http2.level=ALL
> org.apache.level=ALL
> org.apache.catalina.session.level=ALL
> I can see the truststore ("Added client CA cert") being loaded but not much
> else about certificates.
>
>
> Wireshark shows me OCSP calls for the SERVER cert, presumably from the
> browser (Firefox).
> (I'm testing this on a personal computer, tomcat and browser on the same
> computer).
> If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing
> them.
>
>
> the Connector part of the server xml.config file is (ip address and server
> name etc removed):
>
> <Connector
>    address="a.b.c.d"
>    port="443"
>    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>    maxThreads="150"
>    SSLEnabled="true"
>    scheme="https"
>    secure="true"
>    >
>
>    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
>    />
>    <SSLHostConfig
>       protocols="+TLSv1.2+TLSv1.3"
>       honorCipherOrder="true"
>       certificateVerification="REQUIRED"
>       truststoreFile="C:/certs/trustStore.pfx"
>       truststoreType="PKCS12"
>       truststorePassword="abcdef"
>       >
>
>       <Certificate
>          certificateKeystoreFile="C:/certs/(server).pfx"
>          certificateKeystoreType="PKCS12"
>          certificateKeystorePassword="abcdef"
>       />
>    </SSLHostConfig>
> </Connector>
>
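As an added preflight check (not code from this thread or from Tomcat), the script below encodes the two conditions the reply relies on: the SSLHostConfig must require client certificates, and the startup log must show the OpenSSL implementation active, since JSSE never reaches the OCSP support in tomcat-native. The server.xml fragment and log lines are constructed from the ones quoted above with passwords removed; accepting both `require` and `REQUIRED` case-insensitively is this example's assumption, and whether the client certificate itself carries an OCSP URI is not checked here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the asker's Connector (passwords dropped) and
# the AprLifecycleListener lines quoted in the thread.
SERVER_XML = """<Connector address="a.b.c.d" port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true">
  <SSLHostConfig protocols="+TLSv1.2+TLSv1.3" certificateVerification="REQUIRED"
      truststoreFile="C:/certs/trustStore.pfx" truststoreType="PKCS12">
    <Certificate certificateKeystoreFile="C:/certs/server.pfx"
        certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>"""

CATALINA_LOG = """\
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1a 20 Nov 2018]
"""


def openssl_active(log_text):
    """True when tomcat-native loaded and the log reports useOpenSSL [true]."""
    loaded = "Loaded APR based Apache Tomcat Native library" in log_text
    m = re.search(r"useOpenSSL \[(true|false)\]", log_text)
    return loaded and m is not None and m.group(1) == "true"


def check_connector(xml_text):
    """Return findings (empty list means OK) for the connector's SSL settings."""
    conn = ET.fromstring(xml_text)
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        findings.append("SSLEnabled is not true")
    hosts = conn.findall("SSLHostConfig")
    if not hosts:
        findings.append("no SSLHostConfig element")
    for host in hosts:
        # Assumption: "require" (reply) and "REQUIRED" (asker) are equivalent.
        verify = host.get("certificateVerification", "none").lower()
        if verify not in ("require", "required"):
            findings.append(f"certificateVerification={verify!r}: client certs not required")
        if not host.get("truststoreFile"):
            findings.append("no truststoreFile: client CA cannot be trusted")
        if not host.findall("Certificate"):
            findings.append("no Certificate element: no server key/cert")
    return findings


def preflight(xml_text, log_text):
    """Combine both checks; OCSP can only matter when this returns []."""
    findings = check_connector(xml_text)
    if not openssl_active(log_text):
        findings.append("OpenSSL implementation not active: tomcat-native OCSP unavailable")
    return findings
```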