Mark,

Still no luck with 8.5.42/JDK11/JSSE.

> On 17.06.2019 at 22:11, logo <l...@kreuser.name> wrote:
> 
> Mark,
> 
> 
>> On 17.06.2019 at 18:00, Mark Thomas <ma...@apache.org> wrote:
>> 
>> On 17/06/2019 15:51, logo wrote:
>>> Mark,
>>> 
>>> 
>>> On 2019-06-17 16:29, Mark Thomas wrote:
>>>> On 17/06/2019 15:15, logo wrote:
>>>>> Hi Mark,
>>>>> 
>>>>> having been in contact with Усманов, I can confirm your summary.
>>>>> 
>>>>> May I add my question from February with additional info to this thread:
>>>>> https://markmail.org/message/zvziqrhm32bctm7e
>>>> 
>>>> Thanks.
>>>> 
>>>> Progress can be tracked here:
>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
>>>> 
>>>> At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support
>>>> OCSP stapling with appropriate configuration.
>>>> 
>>> 
>>> Do you mean on trunk or really only configuration?
>>> 
>>> I just tried it on 8.5.42 and it will not send the message on my
>>> letsencrypt cert.
>>> 
>>> If it should work out of the box, do you mind to share the "appropriate"
>>> config here.
>> 
>> I was testing Tomcat 9.0.x (latest source from Git) but with the
>> knowledge that we haven't made *any* changes to Tomcat to support OCSP
>> stapling and that 9.0.x and 8.5.x have very similar TLS code.
>> 
>> I have just tested with 8.5.42. Both NIO+JSSE and NIO2+JSSE support OCSP
>> stapling. My Connector configuration is:
>> 
>>    <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>               port="8443"
>>               proxyPort="443"
>>               maxThreads="150"
>>               useAsyncIO="true"
>>               SSLEnabled="true">
>>        <UpgradeProtocol
>>                 className="org.apache.coyote.http2.Http2Protocol"
>>                 useSendfile="false"
>>                 maxConcurrentStreamExecution="50" />
>>        <SSLHostConfig>
>>            <Certificate certificateKeyFile="/.../privkey.pem"
>>                         certificateFile="/.../cert.pem"
>>                         certificateChainFile="/.../chain.pem"
>>                         type="RSA" />
>>        </SSLHostConfig>
>>    </Connector>
>> 
>> Mark
>> 
> I’m lost. My conf is pretty much similar.
> 
<snip>

> Any debug info I can create?
> 
> Thanks Peter


Started from scratch, plain tc 8.5.42 with JDK 11 (Docker Hub version)

Only added my certs to server.xml,

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate
              certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
              certificateFile="${catalina.base}/conf/ssl/cert.pem"
              certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
              type="RSA" />
        </SSLHostConfig>
    </Connector>

export JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"
alternatively
export CATALINA_OPTS="${CATALINA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"
to bin/setenv.sh

That gets picked up:

28-Jun-2019 14:05:04.509 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.5.42
28-Jun-2019 14:05:04.524 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Jun 4 2019 20:29:04 UTC
28-Jun-2019 14:05:04.525 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.5.42.0
28-Jun-2019 14:05:04.526 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
28-Jun-2019 14:05:04.527 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.14.116-boot2docker
28-Jun-2019 14:05:04.532 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.3+7
28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /opt/apache-tomcat.base
28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
28-Jun-2019 14:05:04.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
28-Jun-2019 14:05:04.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/apache-tomcat.base/conf/logging.properties
28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
28-Jun-2019 14:05:04.539 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.server.enableStatusRequestExtension=true
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
28-Jun-2019 14:05:04.541 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/apache-tomcat.base
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat.base/temp
28-Jun-2019 14:05:04.543 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.5.2].
28-Jun-2019 14:05:04.546 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
28-Jun-2019 14:05:04.547 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
28-Jun-2019 14:05:04.554 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.0j  20 Nov 2018]
28-Jun-2019 14:05:04.639 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio2-8443"] connector has been configured to support negotiation to [h2] via ALPN
28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-8443"]
28-Jun-2019 14:05:04.877 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1184 ms
28-Jun-2019 14:05:05.017 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
28-Jun-2019 14:05:05.018 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.42
28-Jun-2019 14:05:05.036 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/opt/apache-tomcat.base/conf/Catalina/localhost]
28-Jun-2019 14:05:05.076 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/apache-tomcat.base/webapps/ROOT]
28-Jun-2019 14:05:08.827 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [3,029] milliseconds.
28-Jun-2019 14:05:08.876 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/apache-tomcat.base/webapps/ROOT] has finished in [3,800] ms
28-Jun-2019 14:05:08.881 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio2-8443"]
28-Jun-2019 14:05:08.885 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 4007 ms


Still openssl says

*****OCSP response: no response sent********

And testssl.sh on my domain says:

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35"
                              "next protocol/#13172" "encrypt-then-mac/#22" "extended master secret/#23"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint 86400 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: no
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        xx / SHA1 xx
                              SHA256 xx
 Common Name (CN)             xxx.dedyn.io
 subjectAltName (SAN)         xxx xxx xxx.dedyn.io 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   expires < 30 days (20) (2019-04-20 00:48 --> 2019-07-19 00:48)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                ****not offered****
 OCSP must staple extension   ****requires OCSP stapling (NOT ok)****
 DNS CAA RR (experimental)    available - please check for match with "Issuer" above
                              iodef=mailto:x...@xx.com, issue=letsencrypt.org
 Certificate Transparency     yes (certificate extension)



Anything I can do to figure that out?

Thank you for your help!
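Added example (not from this thread or the Tomcat project): a small Python diagnostic that reads startup log lines of the kind quoted in this message and reports whether the JSSE system property jdk.tls.server.enableStatusRequestExtension can govern a given connector at all. It keys on three things that are visible in the log above: the "useOpenSSL [...]" line from AprLifecycleListener, the command-line arguments, and the ProtocolHandler name, which Tomcat builds from the SSL implementation it selected ("https-jsse-..." when JSSE handles TLS, "https-openssl-..." when tomcat-native/OpenSSL does). The property is read by the JDK's own TLS stack only, so on an OpenSSL-backed connector it is a no-op. The first sample log is built from lines in this message; the second is a constructed counter-example with no tcnative and no property set. The regexes and dictionary layout are this example's own assumptions.

```python
import re

# Constructed sample: three startup lines of the shape quoted in the thread
# (an OpenSSL-backed NIO2 connector plus the JSSE stapling property).
SAMPLE_LOG_OPENSSL = """\
28-Jun-2019 14:05:04.539 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.server.enableStatusRequestExtension=true
28-Jun-2019 14:05:04.547 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-8443"]
"""

# Constructed counter-example: no tomcat-native loaded, so Tomcat names the
# handler "https-jsse-...", and the stapling property is absent.
SAMPLE_LOG_JSSE = """\
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
"""

PROPERTY = "jdk.tls.server.enableStatusRequestExtension"

# Assumed patterns, derived from the log lines above.
FLAG_RE = re.compile(
    r"Command line argument:\s*-D" + re.escape(PROPERTY) + r"=(\S+)")
USE_OPENSSL_RE = re.compile(r"useOpenSSL \[(true|false)\]")
# Tomcat derives the handler name from the chosen SSL implementation:
# "https-jsse-nio-8443" vs "https-openssl-nio2-8443".
CONNECTOR_RE = re.compile(
    r'Initializing ProtocolHandler \["(https-(jsse|openssl)-[a-z0-9]+-\d+)"\]')


def analyze_startup_log(text):
    """Return which TLS stack each HTTPS handler uses and whether the
    JSSE-only stapling property is present on the command line."""
    flag = None          # None = property not on the command line
    use_openssl = None   # None = no AprLifecycleListener line seen
    connectors = {}      # handler name -> "jsse" | "openssl"
    for line in text.splitlines():
        m = FLAG_RE.search(line)
        if m:
            flag = m.group(1).lower() == "true"
        m = USE_OPENSSL_RE.search(line)
        if m:
            use_openssl = m.group(1) == "true"
        m = CONNECTOR_RE.search(line)
        if m:
            connectors[m.group(1)] = m.group(2)

    findings = []
    for name, impl in sorted(connectors.items()):
        if impl == "openssl":
            findings.append(
                f"{name}: TLS handled by tomcat-native/OpenSSL; -D{PROPERTY} "
                f"is a JSSE property and has no effect on this connector")
        elif flag:
            findings.append(
                f"{name}: JSSE connector with -D{PROPERTY}=true; "
                f"server-side stapling should be offered")
        else:
            findings.append(
                f"{name}: JSSE connector but -D{PROPERTY}=true is not "
                f"set; add it to CATALINA_OPTS in bin/setenv.sh")
    return {"status_request_flag": flag, "use_openssl": use_openssl,
            "connectors": connectors, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_LOG_OPENSSL, SAMPLE_LOG_JSSE):
        for finding in analyze_startup_log(sample)["findings"]:
            print(finding)
```

Run it against a real catalina.out by passing the file contents to analyze_startup_log. If the verdict for a connector is "openssl", the JDK property will not get OCSP stapling on that connector regardless of its value; to land on the JSSE path that Mark tested, set sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" on the Connector or remove the AprLifecycleListener from server.xml so tomcat-native is not used, then restart and recheck with openssl s_client -status.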

