Mark,

Thank you for your replies and help.

I'm not sure how to verify that Tomcat Native was built with OCSP support?

Removing the <Certificate/> element had no negative effect.  I originally put 
it in there following this guide:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector

Without the trustStore attributes, it prompts for the smart card PIN and you 
can select the cert you want to use, but then it doesn't do anything from 
there.  With those attributes present, Tomcat serves up the expected page after 
PIN+cert.

Changing clientAuth to "required" from "want" has no effect either way.

Mike

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Thursday, June 20, 2019 9:02 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 20/06/2019 16:19, Michael Magnuson wrote:
> Mark,
>
> Tomcat version 8.5.41 and TCNative version 1.2.21.

There is an OCSP-related bug in 1.2.21, but that should not affect you
since the client certs have a responder URL.

8.5.41 isn't the latest but there aren't any OCSP related changes in
8.5.42 or any known bugs I can think of so you should be OK there as well.

I'm assuming that Tomcat Native was built with OCSP support. That is the
default on Linux and I can't think of a good reason why it would be
explicitly disabled.

<snip/>

>> My connector configuration is as follows:
>>
>>  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>                 maxThreads="150" SSLEnabled="true"
>>                 scheme="https" SSLEnabled="true"
>>                 SSLCertificateFile="path_to_server.crt"
>>                 SSLCertificateKeyFile="path_to_server.key" SSLPassword="password"
>>                 SSLCertificateChainFile="path_to_chain" SSLProtocol="TLSv1.1+TLSv1.2"
>>                 clientAuth="want" trustStoreFile="path_to_truststore" trustStorePass="password"
>>                 caCertificateFile="path_to_ca_file"
>>                 certificateVerification="require"
>>                 certificateVerificationDepth="10" >
>>       <Certificate
>>                 certificateFile="path_to_OCSP_signing_cert"
>>                 certificateKeyFile="path_to_OCSP_public_key" />
>> </Connector>

That is a mix of deprecated 8.0.x style config and incorrect (you can't
nest a <Certificate.../> directly inside a <Connector.../>) 8.5.x
onwards style configuration.

There also appears to be a few JSSE attributes (trustStore*) amongst a
lot of OpenSSL attributes.

I'm surprised there isn't something in the logs complaining about the
configuration.

I'm not sure what the <Certificate .../> element is meant to be
configuring. Can you elaborate?

I'd first suggest:
- remove the <Certificate .../> element
- remove the trustStore* attributes
- re-test to ensure everything works as it did before those changes

Next I'd confirm that CLIENT-CERT is working as intended. The simplest
way is probably to set clientAuth="required" temporarily and make sure
that a) you are prompted for a cert and b) you can see the expected page
from Tomcat when you provide one.

If all that is working and still OCSP is not working then I don't have
any more ideas at this point.

Mark
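For reference, the 8.5.x-style layout Mark is contrasting with the quoted config, as an added example rather than anything posted in this thread: the OpenSSL attributes move onto <SSLHostConfig>, the server certificate goes into a <Certificate> nested inside it, and the JSSE trustStore* attributes are dropped in favour of caCertificateFile. File paths and the password are placeholders; the attribute names are the ones documented for Tomcat 8.5, and the assumption (as in the thread) is that OCSP checking of client certs is done by Tomcat Native using the responder URL in the client certificate, so no separate element is needed for it.

```xml
<!-- Tomcat 8.5.x-style APR/OpenSSL connector (added example, not the poster's config).
     All path values and the password are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- TLS settings belong on SSLHostConfig, not on the Connector.
         certificateVerification="required" fails the handshake without a trusted
         client cert (the 8.5 equivalent of the old clientAuth="true");
         "optional" corresponds to the old clientAuth="want".
         With Tomcat Native built with OCSP support, the responder URL in the
         client certificate is used for the OCSP check during this verification
         (assumption taken from the thread; nothing extra is configured for it). -->
    <SSLHostConfig protocols="TLSv1.1+TLSv1.2"
                   certificateVerification="required"
                   certificateVerificationDepth="10"
                   caCertificateFile="path_to_ca_file">
        <!-- The server's own key and certificate chain. A <Certificate> element
             nests inside <SSLHostConfig>, never directly inside <Connector>. -->
        <Certificate certificateFile="path_to_server.crt"
                     certificateKeyFile="path_to_server.key"
                     certificateKeyPassword="password"
                     certificateChainFile="path_to_chain" />
    </SSLHostConfig>
</Connector>
```

Switching certificateVerification between "optional" and "required" is the config-level way to run the clientAuth check Mark describes (prompted for a cert, then the expected page is served).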

