tomcat-users mailing list archives

From Coty Sutherland <csuth...@apache.org>
Subject Re: OSCP support in tomcat-native (was OCSP)
Date Fri, 10 Nov 2017 17:33:56 GMT
On Thu, Nov 9, 2017 at 1:45 PM, Christopher Schultz
<chris@christopherschultz.net> wrote:
> Coty,
>
> On 11/9/17 12:19 PM, Coty Sutherland wrote:
>> Hi,
>>
>> I'm trying to determine whether or not we fully support OCSP in
>> tomcat-native 1.2.x on Linux. There isn't any documentation about
>> it other than some on the Downloads page that says it's
>> experimental on Windows:
>>
>> "The Windows binaries are available in two variants. a) Default.
>> This is what people usually use. This version of library is
>> included in Apache Tomcat distributions. b) OCSP-enabled. This one
>> has enabled (experimental) support for verification of client SSL
>> certificates via OCSP protocol (45392)."
>>
>> I see that it's enabled by default when building on Linux, but for
>> Windows you have to enable it in the build.
>>
>> Can anyone help me out here?
>
> Without reading anything at all (from memory), I believe it all has to
> do with how OpenSSL itself was built.
>
> The reason we are mum on *NIX is because the consumer is expected to
> provide their own OpenSSL library, while the Windows build comes from
> us with a statically-linked OpenSSL (with or without OCSP compiled-in).

So technically all OCSP support is considered experimental then (since
we consider OCSP support in Windows experimental where we know that
OpenSSL supports it)? It isn't just a pass-through to OpenSSL; the
call to the OCSP server (for example) happens inside of tomcat-native.
I have a user complaining about the fact that there's no logging in
those functions, so I plan to eventually add some, but I wanted to
make sure we are confident that it works correctly first :)

> - -chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
