On 21/06/2019 16:31, Michael Magnuson wrote:
> Hmm.  It's still not working at all for me.  Can you post your SSL connector 
> configuration?

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  <SSLHostConfig certificateVerification="required"
                 caCertificateFile="conf/ca-rsa-cert.pem"
                 certificateRevocationListFile="conf/crl.pem">
    <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                 certificateFile="conf/localhost-rsa-cert.pem"
                 certificateChainFile="conf/localhost-rsa-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

Mark


> 
> 
> 
> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, June 20, 2019 11:36 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
> 
> On 20/06/2019 18:50, Mark Thomas wrote:
>> On 20/06/2019 18:27, Michael Magnuson wrote:
>>> Thanks Mark.  A couple of clarifications on your example first.  You don't 
>>> list the clientAuth= attribute.  I assume this was a simple oversight.
>>
>> It is replaced by certificateVerification="required"
>>
>>>  You list the SSLEnabled="true" attribute twice.  Should one of these be 
>>> secure="true"?
>>
>> It should.
>>
>>>  For the certificateVerification= attribute, is the correct syntax 
>>> "require" or "required"?
>>
>> "required"
>>
>> Setting up an OCSP responder locally is next on my TODO list. I'll
>> report back with the results.
> 
> Works as expected.
> 
> Mark
> 
> 
>>
>> Mark
>>
>>
>>>
>>> Thanks,
>>> Mike
>>>
>>>
>>>
>>> ________________________________
>>> From: Mark Thomas <ma...@apache.org>
>>> Sent: Thursday, June 20, 2019 10:00 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>
>>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>>> Mark,
>>>>
>>>> Thank you for your replies and help.
>>>>
>>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>>
>>> Let's assume it has been. I think that is a safe assumption for now.
>>>
>>>> Removing the <Certificate/> element had no negative effect.  I originally 
>>>> put it in there following this guide:
>>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>>
>>> Hmm. We might need to revisit that. It looks "odd".
>>>
>>>> Without the trustStore attributes, it prompts for the smart card PIN and 
>>>> you can select the cert you want to use, but then it doesn't do anything 
>>>> from there.  With those attributes present, Tomcat serves up the expected 
>>>> page after PIN+cert.
>>>
>>> Interesting. That suggests Tomcat is using the trustStore to validate
>>> the client certs.
>>>
>>> I've looked at this again and the config is more mixed up than I first
>>> realised. Let's get that fixed first.
>>>
>>>> Changing clientAuth to "required" from "want" has no effect either way.
>>>
>>> OK. Let's leave it on required for now since that takes one variable out
>>> of the equation.
>>>
>>> Back to the config. I'm going to try and convert everything to the new
>>> style format.
>>>
>>> <Connector port="8443"
>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>            maxThreads="150"
>>>            SSLEnabled="true"
>>>            scheme="https"
>>>            SSLEnabled="true"
>>>     <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>>>                    certificateVerification="required"
>>>                    caCertificateFile="path_to_ca_file">
>>>         <Certificate certificateFile="path_to_server.crt"
>>>                      certificateKeyFile="path_to_server.key"
>>>                      certificateKeyPassword="password"
>>>                      certificateChainFile="path_to_chain" />
>>>     </SSLHostConfig>
>>> </Connector>
>>>
>>> I have removed settings that are the same as the defaults.
>>> SSLCertificateChainFile isn't a recognised attribute.
>>>
>>> I opted for the OpenSSL style store for trusted CA certs. That probably
>>> means you need to export the trusted certs from your trustStoreFile to a
>>> PEM encoded file for caCertificateFile.
>>>
>>> For the purposes of the test, you only need to export the cert that
>>> issued the cert used by the client.
>>>
>>> I'm wondering if the slightly odd trust store config was causing
>>> problems. We really need more logging in Tomcat Native to figure that
>>> sort of thing out.
>>>
>>> I also think I need to get OCSP working with client certs locally so I
>>> can test it as well. I'll add that to my TODO list.
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>

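The converted connector above went through several rounds of fixes in this thread (SSLEnabled listed twice, a leftover clientAuth, "require" versus "required", an unrecognised SSLCertificateChainFile). As an added example that is not code from the thread or from Tomcat, the Python lint below reads one <Connector> snippet with the standard library and reports those mix-ups; the BROKEN sample is constructed, and the legacy-to-SSLHostConfig attribute pairings follow the Tomcat 8.5 connector documentation (the thread itself confirms the clientAuth and SSLCertificateChainFile cases).

```python
import xml.etree.ElementTree as ET

# Old-style per-Connector attributes seen in the thread and where the
# SSLHostConfig style expects the equivalent setting instead.
LEGACY = {
    "clientAuth": "certificateVerification on <SSLHostConfig>",
    "truststoreFile": "truststoreFile or caCertificateFile on <SSLHostConfig>",
    "truststorePass": "truststorePassword on <SSLHostConfig>",
    "SSLCertificateChainFile": "certificateChainFile on <Certificate>",
}
# The four documented values; "require" is not one of them.
VALID_VERIFICATION = {"none", "optional", "optionalNoCA", "required"}
TRUST_SOURCES = ("caCertificateFile", "caCertificatePath", "truststoreFile")


def lint_connector(xml_text):
    """Return a list of findings (strings) for one <Connector> snippet."""
    try:
        conn = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing '>' or the same attribute given twice both land here.
        return [f"not well-formed XML: {exc}"]
    findings = []
    if conn.get("SSLEnabled") == "true" and conn.get("secure") != "true":
        findings.append('SSLEnabled="true" but secure="true" is missing')
    for attr, replacement in LEGACY.items():
        if attr in conn.attrib:
            findings.append(f"legacy attribute {attr}: use {replacement}")
    for host in conn.findall("SSLHostConfig"):
        verification = host.get("certificateVerification", "none")
        if verification not in VALID_VERIFICATION:
            findings.append(f"unknown certificateVerification value {verification!r}")
        elif verification != "none" and not any(host.get(a) for a in TRUST_SOURCES):
            findings.append("client certs are verified but no CA trust source is set")
        if not host.findall("Certificate"):
            findings.append("<SSLHostConfig> has no <Certificate> element")
    return findings


# Constructed sample carrying the mix-ups the thread walks through.
BROKEN = """<Connector port="8443" SSLEnabled="true" clientAuth="want"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLCertificateChainFile="conf/chain.pem">
  <SSLHostConfig certificateVerification="require">
    <Certificate certificateFile="conf/server.crt" certificateKeyFile="conf/server.key"/>
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for finding in lint_connector(BROKEN):
        print(finding)
```

Paste the <Connector> element from server.xml into lint_connector() to see the same findings the thread arrived at by hand.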