Thanks Mark. A couple clarifications on your example first. You don't list the clientAuth= attribute. I assume this was a simple oversight. You list the SSLEnabled="true" attribute twice. Should one of these be secure="true"? For the certificateVerification= attribute, is the correct syntax "require" or "required"?
Thanks, Mike ________________________________ From: Mark Thomas <ma...@apache.org> Sent: Thursday, June 20, 2019 10:00 AM To: users@tomcat.apache.org Subject: Re: OCSP Connector on Tomcat 8.5 not working On 20/06/2019 17:24, Michael Magnuson wrote: > Mark, > > Thank you for your replies and help. > > I'm not sure how to verify that Tomcat Native was built with OCSP support? Lets assume it has been. I think that is a safe assumption for now. > Removing the <Certificate/> element had no negative effect. I originally put > it in there following this guide: > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftomcat.apache.org%2Ftomcat-8.5-doc%2Fssl-howto.html%23Configuring_OCSP_Connector&data=02%7C01%7Cmmagnuson%40sempervalens.com%7Cd6ce870ea03649db5c6f08d6f5a0dc44%7Cd2be4b7da12a4d0ab36310a94aadff1e%7C1%7C0%7C636966468590827314&sdata=LgLtvPKCm7G3qgNzhEGCh318WSaizgN0ZXuUtAkt%2FLA%3D&reserved=0 Hmm. We might need to revisit that. It looks "odd". > Without the trustStore attributes, it prompts for the smart card PIN and you > can select the cert you want to use, but then it doesn't do anything from > there. With those attributes present, Tomcat serves up the expected page > after PIN+cert. Interesting. That suggests Tomcat is using the trustStore to validate the client certs. I've looked at this again and the config is more mixed up that I first realised. Lets get that fixed first. > Changing clientAuth to "required" from "want" has no effect either way. OK. Lets leave it on required for now since that takes one variable out of the equation. Back to the config. I'm going to try and convert everything to the new style format. <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" scheme="https" SSLEnabled="true" <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2" certificateVerification="required" caCertificateFile="path_to_ca_file"> <Certificate certificateFile="path_to_server.crt" certificateKeyFile="path_to_server.key" certificateKeyPassword="password" certificateChainFile="path_to_chain" /> </SSLHostConfig> </Connector> I have removed settings that are the same as the defaults. SSLCertificateChainFile isn't a recognised attribute. I opted for the OpenSSL style store for trusted CA certs. That probably means you need to export the trusted certs from your trustStoreFile to a PEM encoded file for caCertificateFile. For the purposes of the test, you only need to export the cert that issued cert used by the client. I'm wondering if the slightly odd trust store config was causing problems. We really need more logging in Tomcat Native to figure that sort of thing out. I also think I need to get OCSP working with client certs locally so I can test it as well. I'll add that to my TODO list. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
