I appreciate your response....

> Setting `certificateVerification="require"` on your Connector

I changed
  `certificateVerification="REQUIRED"`
to
  `certificateVerification="require"`

Still not seeing any OCSP calls in Wireshark for this.

I did find out how to enable logging better (by adding either of these to
logging.properties):
org.apache.tomcat.util.net.openssl.level=ALL
org.apache.tomcat.util.net.level=ALL

and I can see logs confirming that the trust store is being used:
OpenSSLContext.init Added client CA cert:...) ;

with logging set to org.apache.tomcat.level=ALL
I see confirmation that the certificateVerification is being parsed,
apparently correctly.

but I still don't see any evidence in the tomcat/catalina logs or in
Wireshark that anything is happening to accomplish this.



On Tue, Apr 2, 2019 at 3:47 PM Coty Sutherland <csuth...@apache.org> wrote:

> Hi,
>
> On Mon, Apr 1, 2019 at 3:30 PM John Palmer <johnpalm...@gmail.com> wrote:
>
> > What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
> > Tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
> > 8.5.38 using OpenSSL ?
>
>
> Setting `certificateVerification="require"` on your Connector and using a
> client certificate that has an OCSP URI should be it. See
>
> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
> for more information on how to configure it.
>
> > I'm sure I'm missing something simple and obvious (once pointed out) but
> > I've been struggling with this all morning).
> >
> > 1) using OpenSSL (the tc-native-1.dll binary for Windows, compiled with OCSP
> > support - the X64 dll from
> > tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip)
> > (will this even work with NIO2 ? - I don't HAVE to use NIO2)
> >
>
> It will work, but only if you're using the openssl implementation.
>
>
> > (I'd prefer to have this working with OpenSSL for a couple of reasons).
> > (extra points for a configuration to allow it to use Axway's (formerly
> > Tumbleweed) Desktop Validator for its OCSP-caching features).
> >
> > 2) using JSSE (java 8 (1.8.0_202)) with the NIO2 connector
> > (I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java
> > options for the Tomcat service).
> >
> >
> > I can't see anything indicating OCSP checks in the logs for either.
> >
>
> There isn't any OCSP code in Tomcat and tomcat-native doesn't log much of
> anything when it's in use, so there's not much indication that it's working
> there.
>
>
> >
> > (when the tc-native-1.dll is present, the logs show it being used:
> > INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> > Loaded APR based Apache Tomcat Native library [1.2.21] using APR version
> > [1.6.5].
> > INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> > APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
> > random [true].
> > INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
> > APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> > INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
> > OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
> > INFO [main]
> > org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol
> > The ["https-openssl-nio2-192.168.1.16-443"] connector has been configured
> > to support negotiation to [h2] via ALPN
> > INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
> > ProtocolHandler ["https-openssl-nio2-192.168.1.16-443"]
> > )
> >
> >
> > for JSSE, by adding -Djavax.net.debug=ssl to the Java Options for the
> > tomcat service I see logging for key & trust stores being loaded, etc. in
> > tomcat8-stdout(date).log
> > the server requesting a client cert, the Client cert being received and
> > finding a trusted root for it ("Found trusted certificate:"),
> > but nothing about revocation checking....
> > (I do see:
> >     check handshake state: certificate_verify[15]
> >     update handshake state: certificate_verify[15]
> >
> > but I'm not sure that's revocation checking...).
> >
> > For OpenSSL, I'm not sure how to enable equivalent logging.... By enabling
> > pretty much ALL the logging
> >     org.apache.coyote.http2.level=ALL
> >     org.apache.level=ALL
> >     org.apache.catalina.session.level=ALL
> > I can see the truststore ("Added client CA cert") being loaded but not much
> > else about certificates.
> >
> >
> > Wireshark shows me OCSP calls for the SERVER cert, presumably from the
> > browser (Firefox).
> > (I'm testing this on a personal computer, tomcat and browser on the same
> > computer).
> > If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing
> > them.
> >
> >
> > The Connector part of the server xml.config file is (IP address and server
> > name etc. removed):
> >
> >      <Connector
> >             address="a.b.c.d"
> >             port="443"
> >             protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >             maxThreads="150"
> >             SSLEnabled="true"
> >             scheme="https"
> >             secure="true"
> >         >
> >         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >         <SSLHostConfig
> >             protocols="+TLSv1.2+TLSv1.3"
> >             honorCipherOrder="true"
> >             certificateVerification="REQUIRED"
> >             truststoreFile="C:/certs/trustStore.pfx"
> >             truststoreType="PKCS12"
> >             truststorePassword="abcdef"
> >             >
> >             <Certificate
> >                 certificateKeystoreFile="C:/certs/(server).pfx"
> >                 certificateKeystoreType="PKCS12"
> >                 certificateKeystorePassword="abcdef"
> >             />
> >         </SSLHostConfig>
> >     </Connector>
> >
>
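Coty's reply names the prerequisite: the client certificate itself must carry an OCSP responder URI. The following is an added, stdlib-only Python check for exactly that (it is not code from this thread, from Tomcat or from tomcat-native); it walks a certificate's DER and lists the URIs in the Authority Information Access extension. The `sample_extensions` block it parses is constructed for the demo and is not a real certificate; on a real one, pass the DER bytes of the client certificate (e.g. from `openssl x509 -outform DER`) to `ocsp_uris`.

```python
"""Stdlib-only check: list the OCSP responder URIs in a certificate's AIA
(Authority Information Access) extension, i.e. whether the client certificate
even names a responder for Tomcat/OpenSSL to query."""

OID_AIA = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1  id-pe-authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def iter_tlv(data):
    """Yield (tag, value) for each DER element in data (short and long-form lengths)."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long form: low bits = number of length bytes
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln

def ocsp_uris(der):
    """Walk every constructed element; inside an AIA extension collect each
    AccessDescription with method id-ad-ocsp and a URI GeneralName ([6] = 0x86)."""
    uris = []
    for tag, val in iter_tlv(der):
        if not tag & 0x20:                  # primitive element: nothing to descend into
            continue
        kids = list(iter_tlv(val))
        if tag == 0x30 and kids and kids[0] == (0x06, OID_AIA):
            (_, aia_seq), = iter_tlv(kids[-1][1])  # last child is extnValue; a critical flag may precede it
            for _, desc in iter_tlv(aia_seq):
                method, name = list(iter_tlv(desc))
                if method == (0x06, OID_OCSP) and name[0] == 0x86:
                    uris.append(name[1].decode("ascii"))
        else:
            uris.extend(ocsp_uris(val))
    return uris

def der_tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    lb = len(value).to_bytes(max(1, (len(value).bit_length() + 7) // 8), "big")
    hdr = bytes([len(value)]) if len(value) < 128 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + value

def sample_extensions(with_ocsp=True):
    """Constructed sample (not a real certificate): an Extensions block ([3])
    holding one AIA extension, with or without an OCSP AccessDescription."""
    uri = b"http://ocsp.example.test/"     # placeholder responder URI, constructed
    access = der_tlv(0x30, der_tlv(0x06, OID_OCSP) + der_tlv(0x86, uri)) if with_ocsp else b""
    aia = der_tlv(0x30, der_tlv(0x06, OID_AIA) + der_tlv(0x04, der_tlv(0x30, access)))
    return der_tlv(0xA3, der_tlv(0x30, aia))
```

An empty result on the real client certificate means there is nothing for the OpenSSL-side verification to contact, whatever `certificateVerification` is set to.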
