On 17/06/2019 15:51, logo wrote:
> Mark,
>
>
> Am 2019-06-17 16:29, schrieb Mark Thomas:
>> On 17/06/2019 15:15, logo wrote:
>>> Hi Mark,
>>>
>>> having been in contact with Усманов, I can confirm your summary.
>>>
>>> May I add my question from February with additional info to this thread:
>>> https://markmail.org/message/zvziqrhm32bctm7e
>>
>> Thanks.
>>
>> Progress can be tracked here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
>>
>> At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support
>> OCSP stapling with appropriate configuration.
>>
>
> Do you mean on trunk or really only configuration?
>
> I just tried it on 8.5.42 and it will not send the message on my
> letsencrypt cert.
>
> If it should work out of the box, do you mind sharing the "appropriate"
> config here.

I was testing Tomcat 9.0.x (latest source from Git) but with the
knowledge that we haven't made *any* changes to Tomcat to support OCSP
stapling and that 9.0.x and 8.5.x have very similar TLS code.
I have just tested with 8.5.42. Both NIO+JSSE and NIO2+JSSE support OCSP
stapling. My Connector configuration is:
    <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               port="8443"
               proxyPort="443"
               maxThreads="150"
               useAsyncIO="true"
               SSLEnabled="true">
        <UpgradeProtocol
            className="org.apache.coyote.http2.Http2Protocol"
            useSendfile="false"
            maxConcurrentStreamExecution="50" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="/.../privkey.pem"
                         certificateFile="/.../cert.pem"
                         certificateChainFile="/.../chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Mark
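As an added example that is not part of this thread (neither Mark's nor logo's), the following POSIX shell snippet is the check I would run on a Tomcat 8.5/9.0 NIO+JSSE or NIO2+JSSE connector to verify whether the server actually staples an OCSP response. It classifies the output of `openssl s_client -status`, which prints "OCSP Response Status: successful" when a stapled response is delivered and "OCSP response: no response sent" when it is not. The host name, port and the sample outputs below are constructed for the example; the live check assumes `openssl` is on the PATH. One assumption worth stating since the thread does not say it: in the JSSE provider, stapling on the server side is governed by the JDK system property `jdk.tls.server.enableStatusRequestExtension` (JEP 249), so "appropriate configuration" may include setting that property on the JVM, not only the Connector element.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify OCSP stapling on a
# Tomcat JSSE connector by classifying `openssl s_client -status` output.
# Prints "stapled", "missing" or "unparsed"; exit status 0, 1 or 2.

# Read s_client output from stdin and classify it.
ocsp_staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
        return 0
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo missing
        return 1
    else
        echo unparsed
        return 2
    fi
}

# Live check against a running connector (network access; not exercised by the
# offline sample run below). Host and port are placeholders.
# Assumption: stapling in JSSE also needs
#   -Djdk.tls.server.enableStatusRequestExtension=true   (JEP 249)
# on the Tomcat JVM, in addition to a Connector like the one Mark posted.
check_live() {
    host="$1"
    port="${2:-8443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
        | ocsp_staple_status
}

# Constructed sample outputs (not captured from a real server) so the
# classifier can be exercised offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
'
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
'

# Offline demonstration run.
printf '%s' "$SAMPLE_STAPLED" | ocsp_staple_status   # stapled
printf '%s' "$SAMPLE_MISSING" | ocsp_staple_status   # missing
```

For a real check, run `check_live tomcat.example.internal 8443` (placeholder host) after restarting Tomcat; a "missing" result with the Connector above points at the JVM-side property or at the certificate chain rather than at the Connector element.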