On 20/06/2019 18:50, Mark Thomas wrote:
> On 20/06/2019 18:27, Michael Magnuson wrote:
>> Thanks Mark. A couple of clarifications on your example first. You don't list
>> the clientAuth= attribute. I assume this was a simple oversight.
>
> It is replaced by certificateVerification="required"
>
>> You list the SSLEnabled="true" attribute twice. Should one of these be
>> secure="true"?
>
> It should.
>
>> For the certificateVerification= attribute, is the correct syntax "require"
>> or "required"?
>
> "required"
>
> Setting up an OCSP responder locally is next on my TODO list. I'll
> report back with the results.

Works as expected.

Mark

>
> Mark
>
>
>>
>> Thanks,
>> Mike
>>
>>
>>
>> ________________________________
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Thursday, June 20, 2019 10:00 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>
>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>> Mark,
>>>
>>> Thank you for your replies and help.
>>>
>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>
>> Let's assume it has been. I think that is a safe assumption for now.
>>
>>> Removing the <Certificate/> element had no negative effect. I originally
>>> put it in there following this guide:
>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>
>> Hmm. We might need to revisit that. It looks "odd".
>>
>>> Without the trustStore attributes, it prompts for the smart card PIN and
>>> you can select the cert you want to use, but then it doesn't do anything
>>> from there. With those attributes present, Tomcat serves up the expected
>>> page after PIN+cert.
>>
>> Interesting. That suggests Tomcat is using the trustStore to validate
>> the client certs.
>>
>> I've looked at this again and the config is more mixed up than I first
>> realised. Let's get that fixed first.
>>
>>> Changing clientAuth to "required" from "want" has no effect either way.
>>
>> OK. Let's leave it on required for now since that takes one variable out
>> of the equation.
>>
>> Back to the config. I'm going to try and convert everything to the new
>> style format.
>>
>> <Connector port="8443"
>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="150"
>>            SSLEnabled="true"
>>            scheme="https"
>>            SSLEnabled="true"
>>     <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>>                    certificateVerification="required"
>>                    caCertificateFile="path_to_ca_file">
>>         <Certificate certificateFile="path_to_server.crt"
>>                      certificateKeyFile="path_to_server.key"
>>                      certificateKeyPassword="password"
>>                      certificateChainFile="path_to_chain" />
>>     </SSLHostConfig>
>> </Connector>
>>
>> I have removed settings that are the same as the defaults.
>> SSLCertificateChainFile isn't a recognised attribute.
>>
>> I opted for the OpenSSL style store for trusted CA certs. That probably
>> means you need to export the trusted certs from your trustStoreFile to a
>> PEM encoded file for caCertificateFile.
>>
>> For the purposes of the test, you only need to export the cert that
>> issued the cert used by the client.
>>
>> I'm wondering if the slightly odd trust store config was causing
>> problems. We really need more logging in Tomcat Native to figure that
>> sort of thing out.
>>
>> I also think I need to get OCSP working with client certs locally so I
>> can test it as well. I'll add that to my TODO list.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
>
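Added example, not part of the thread above and not the Tomcat project's own documentation: the connector from Mark's message with the two corrections he confirmed in his follow-up applied. The duplicate SSLEnabled="true" becomes secure="true", and client certificate verification is requested with certificateVerification="required" on the SSLHostConfig rather than a clientAuth attribute on the Connector. The file paths and the password are placeholders. Two further choices are mine and not from the thread: the enabled TLS versions are set with the SSLHostConfig `protocols` attribute (the attribute that restricts protocol versions in the new-style configuration; `sslProtocol` is the JSSE context name) and TLSv1.1 is dropped. caCertificateFile must point at a PEM file holding the CA that issued the client certificates; this example assumes, as the thread does, that a Tomcat Native build with OCSP support checks the presented client certificate against the OCSP responder named in that certificate's AIA extension once verification is required.

```xml
<!-- Added example: APR/OpenSSL HTTPS connector with mandatory client certificate
     verification against a PEM CA bundle (paths, port and password are placeholders). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true">
    <!-- Assumption (not from the thread): 'protocols' restricts the enabled TLS
         versions; TLSv1.1 is intentionally left out. -->
    <SSLHostConfig protocols="TLSv1.2"
                   certificateVerification="required"
                   caCertificateFile="/etc/tomcat/pki/client-issuing-ca.pem">
        <Certificate certificateFile="/etc/tomcat/pki/server.crt"
                     certificateKeyFile="/etc/tomcat/pki/server.key"
                     certificateKeyPassword="change-me"
                     certificateChainFile="/etc/tomcat/pki/server-chain.pem" />
    </SSLHostConfig>
</Connector>
```

To produce the PEM file from an existing Java trust store, the issuing CA can be exported with keytool, for example `keytool -exportcert -rfc -keystore truststore.jks -alias <issuing-ca-alias> -file /etc/tomcat/pki/client-issuing-ca.pem`; only the certificate that issued the client certificates is needed for the test described in the thread. Because caCertificateFile is a plain file, check that the Tomcat process can read it and that the file is not writable by the application user, since whoever can append a CA to it can mint accepted client certificates.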