Mark,

Still no luck with 8.5.42/JDK11/JSSE.

> On 17.06.2019 at 22:11, logo <l...@kreuser.name> wrote:
>
> Mark,
>
>> On 17.06.2019 at 18:00, Mark Thomas <ma...@apache.org> wrote:
>>
>> On 17/06/2019 15:51, logo wrote:
>>> Mark,
>>>
>>> On 2019-06-17 16:29, Mark Thomas wrote:
>>>> On 17/06/2019 15:15, logo wrote:
>>>>> Hi Mark,
>>>>>
>>>>> having been in contact with Усманов, I can confirm your summary.
>>>>>
>>>>> May I add my question from February with additional info to this thread:
>>>>> https://markmail.org/message/zvziqrhm32bctm7e
>>>>
>>>> Thanks.
>>>>
>>>> Progress can be tracked here:
>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
>>>>
>>>> At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support
>>>> OCSP stapling with appropriate configuration.
>>>
>>> Do you mean on trunk or really only configuration?
>>>
>>> I just tried it on 8.5.42 and it will not send the message on my
>>> letsencrypt cert.
>>>
>>> If it should work out of the box, do you mind sharing the "appropriate"
>>> config here.
>>
>> I was testing Tomcat 9.0.x (latest source from Git) but with the
>> knowledge that we haven't made *any* changes to Tomcat to support OCSP
>> stapling and that 9.0.x and 8.5.x have very similar TLS code.
>>
>> I have just tested with 8.5.42. Both NIO+JSSE and NIO2+JSSE support OCSP
>> stapling. My Connector configuration is:
>>
>> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>            port="8443"
>>            proxyPort="443"
>>            maxThreads="150"
>>            useAsyncIO="true"
>>            SSLEnabled="true">
>>     <UpgradeProtocol
>>         className="org.apache.coyote.http2.Http2Protocol"
>>         useSendfile="false"
>>         maxConcurrentStreamExecution="50" />
>>     <SSLHostConfig>
>>         <Certificate certificateKeyFile="/.../privkey.pem"
>>                      certificateFile="/.../cert.pem"
>>                      certificateChainFile="/.../chain.pem"
>>                      type="RSA" />
>>     </SSLHostConfig>
>> </Connector>
>>
>> Mark
>>
> I'm lost. My conf is pretty much similar.
> <snip>
> Any debug info I can create?
>
> Thanks Peter

Started from scratch, plain tc 8.5.42 with JDK 11 (Docker Hub version).
Only added my certs to server.xml:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150"
           SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
                     certificateFile="${catalina.base}/conf/ssl/cert.pem"
                     certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

export JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"

alternatively

export CATALINA_OPTS="${CATALINA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"

to bin/setenv.sh

That gets picked up:

28-Jun-2019 14:05:04.509 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.5.42
28-Jun-2019 14:05:04.524 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Jun 4 2019 20:29:04 UTC
28-Jun-2019 14:05:04.525 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.5.42.0
28-Jun-2019 14:05:04.526 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
28-Jun-2019 14:05:04.527 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 4.14.116-boot2docker
28-Jun-2019 14:05:04.532 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/local/openjdk-11
28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 11.0.3+7
28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /opt/apache-tomcat.base
28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/local/tomcat
28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
28-Jun-2019 14:05:04.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
28-Jun-2019 14:05:04.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/apache-tomcat.base/conf/logging.properties
28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
28-Jun-2019 14:05:04.539 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.server.enableStatusRequestExtension=true
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
28-Jun-2019 14:05:04.541 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/apache-tomcat.base
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat.base/temp
28-Jun-2019 14:05:04.543 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.5.2].
28-Jun-2019 14:05:04.546 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
28-Jun-2019 14:05:04.547 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
28-Jun-2019 14:05:04.554 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.0j 20 Nov 2018]
28-Jun-2019 14:05:04.639 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio2-8443"] connector has been configured to support negotiation to [h2] via ALPN
28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-8443"]
28-Jun-2019 14:05:04.877 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1184 ms
28-Jun-2019 14:05:05.017 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
28-Jun-2019 14:05:05.018 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.42
28-Jun-2019 14:05:05.036 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/opt/apache-tomcat.base/conf/Catalina/localhost]
28-Jun-2019 14:05:05.076 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/apache-tomcat.base/webapps/ROOT]
28-Jun-2019 14:05:08.827 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [3,029] milliseconds.
28-Jun-2019 14:05:08.876 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/apache-tomcat.base/webapps/ROOT] has finished in [3,800] ms
28-Jun-2019 14:05:08.881 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio2-8443"]
28-Jun-2019 14:05:08.885 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 4007 ms

Still openssl says

*****OCSP response: no response sent********

And testssl.sh on my domain says:

 Testing server defaults (Server Hello)

 TLS extensions (standard)       "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35" "next protocol/#13172" "encrypt-then-mac/#22" "extended master secret/#23" "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint    86400 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support          yes
 Session Resumption              Tickets: yes, ID: no
 TLS clock skew                  Random values, no fingerprinting possible
 Signature Algorithm             SHA256 with RSA
 Server key size                 RSA 4096 bits
 Server key usage                Digital Signature, Key Encipherment
 Server extended key usage       TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints           xx / SHA1 xx
                                 SHA256 xx
 Common Name (CN)                xxx.dedyn.io
 subjectAltName (SAN)            xxx xxx xxx.dedyn.io
 Issuer                          Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)                Ok via SAN and CN (same w/o SNI)
 Chain of trust                  Ok
 EV cert (experimental)          no
 ETS/"eTLS", visibility info     not present
 Certificate Validity (UTC)      expires < 30 days (20) (2019-04-20 00:48 --> 2019-07-19 00:48)
 # of certificates provided      2
 Certificate Revocation List     --
 OCSP URI                        http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                   ****not offered****
 OCSP must staple extension      ****requires OCSP stapling (NOT ok)****
 DNS CAA RR (experimental)       available - please check for match with "Issuer" above
                                 iodef=mailto:x...@xx.com, issue=letsencrypt.org
 Certificate Transparency        yes (certificate extension)

Anything I can do to figure that out?

Thank you for your help!
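An added diagnostic helper (editor's example, not code from the thread, from Tomcat or from OpenSSL) for the two questions a defender would ask at this point. First, which TLS engine is the connector actually running on: in the startup log above the connector initialises as ["https-openssl-nio2-8443"] alongside "useOpenSSL [true]", and Tomcat names a TLS connector "https-openssl-..." or "https-jsse-..." according to the SSL implementation it selected, while -Djdk.tls.server.enableStatusRequestExtension=true is a JSSE property that only affects connectors on the JSSE engine. Second, whether a client actually received a stapled response, read from the output of "openssl s_client -status". Both checks parse text from stdin so they run offline; the sample log line is taken from the message above, the JSSE variant and the s_client excerpts are constructed, and the live wrapper at the end is the only part that touches the network.

```shell
#!/bin/sh
# Editor's added example; not part of the Tomcat users thread or of Tomcat.

# Reads a Tomcat startup log on stdin and reports which TLS engine the
# HTTPS connector was initialised with: "openssl", "jsse" or "unknown".
# Relies on Tomcat's connector naming ("https-openssl-..." / "https-jsse-...").
tomcat_tls_engine() {
    tlslog=$(cat)
    if printf '%s\n' "$tlslog" | grep -qF 'Initializing ProtocolHandler ["https-openssl-'; then
        echo openssl
    elif printf '%s\n' "$tlslog" | grep -qF 'Initializing ProtocolHandler ["https-jsse-'; then
        echo jsse
    else
        echo unknown
    fi
}

# Reads "openssl s_client -status" output on stdin and reports whether the
# server stapled an OCSP response: "stapled", "not-stapled" or "unknown".
ocsp_stapling_status() {
    sclient=$(cat)
    if printf '%s\n' "$sclient" | grep -qF 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$sclient" | grep -qF 'OCSP response: no response sent'; then
        echo not-stapled
    else
        echo unknown
    fi
}

# Live check against a real host (needs network and the openssl CLI):
#   check_stapling_live example.org 8443
check_stapling_live() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | ocsp_stapling_status
}

# --- Sample inputs -----------------------------------------------------------
# Log line quoted from the message above (OpenSSL engine in use).
SAMPLE_LOG_OPENSSL='28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-8443"]'
# Constructed variant of the same line as it would read on the JSSE engine.
SAMPLE_LOG_JSSE='28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio2-8443"]'
# s_client excerpt quoted from the message above (no stapled response).
SAMPLE_SCLIENT_NONE='OCSP response: no response sent'
# Constructed s_client excerpt for a server that does staple.
SAMPLE_SCLIENT_OK='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

# Demonstration when run directly.
echo "engine from quoted log:        $(printf '%s\n' "$SAMPLE_LOG_OPENSSL" | tomcat_tls_engine)"
echo "engine from constructed log:   $(printf '%s\n' "$SAMPLE_LOG_JSSE" | tomcat_tls_engine)"
echo "stapling from quoted s_client: $(printf '%s\n' "$SAMPLE_SCLIENT_NONE" | ocsp_stapling_status)"
echo "stapling from constructed one: $(printf '%s\n' "$SAMPLE_SCLIENT_OK" | ocsp_stapling_status)"
```

Running the first check over the log quoted above reports "openssl", which is the thing to reconcile with the JSSE property before chasing anything else: if the OpenSSL engine is handling the connector, the JSSE setting has nothing to act on. The second check is the same test openssl and testssl.sh perform, reduced to a scriptable yes/no that can sit in a post-deploy smoke test.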