tomcat-users mailing list archives

From logo <l...@kreuser.name>
Subject Re: OCSP with openSSL
Date Fri, 28 Jun 2019 12:14:03 GMT
Mark,

Still no luck with 8.5.42/JDK11/JSSE.

> On 17.06.2019 at 22:11, logo <logo@kreuser.name> wrote:
> 
> Mark,
> 
> 
>> On 17.06.2019 at 18:00, Mark Thomas <markt@apache.org> wrote:
>> 
>> On 17/06/2019 15:51, logo wrote:
>>> Mark,
>>> 
>>> 
>>> On 2019-06-17 16:29, Mark Thomas wrote:
>>>> On 17/06/2019 15:15, logo wrote:
>>>>> Hi Mark,
>>>>> 
>>>>> having been in contact with Усманов, I can confirm your summary.
>>>>> 
>>>>> May I add my question from February with additional info to this thread:
>>>>> https://markmail.org/message/zvziqrhm32bctm7e
>>>> 
>>>> Thanks.
>>>> 
>>>> Progress can be tracked here:
>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
>>>> 
>>>> At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support
>>>> OCSP stapling with appropriate configuration.
>>>> 
>>> 
>>> Do you mean on trunk or really only configuration?
>>> 
>>> I just tried it on 8.5.42 and it will not send the message on my
>>> letsencrypt cert.
>>> 
>>> If it should work out of the box, do you mind sharing the "appropriate"
>>> config here?
>> 
>> I was testing Tomcat 9.0.x (latest source from Git) but with the
>> knowledge that we haven't made *any* changes to Tomcat to support OCSP
>> stapling and that 9.0.x and 8.5.x have very similar TLS code.
>> 
>> I have just tested with 8.5.42. Both NIO+JSSE and NIO2+JSSE support OCSP
>> stapling. My Connector configuration is:
>> 
>>    <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>               port="8443"
>>               proxyPort="443"
>>               maxThreads="150"
>>               useAsyncIO="true"
>>               SSLEnabled="true">
>>        <UpgradeProtocol
>>                 className="org.apache.coyote.http2.Http2Protocol"
>>                 useSendfile="false"
>>                 maxConcurrentStreamExecution="50" />
>>        <SSLHostConfig>
>>            <Certificate certificateKeyFile="/.../privkey.pem"
>>                         certificateFile="/.../cert.pem"
>>                         certificateChainFile="/.../chain.pem"
>>                         type="RSA" />
>>        </SSLHostConfig>
>>    </Connector>
>> 
>> Mark
>> 
> I’m lost. My conf is pretty much similar.
> 
<snip>

> Any debug info I can create?
> 
> Thanks Peter


Started from scratch, plain tc 8.5.42 with JDK 11 (Docker Hub version)

Only added my certs to server.xml,

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate
              certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
              certificateFile="${catalina.base}/conf/ssl/cert.pem"
              certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
              type="RSA" />
        </SSLHostConfig>
    </Connector>

export JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"
alternatively
export CATALINA_OPTS="${CATALINA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"
to bin/setenv.sh

That gets picked up:

28-Jun-2019 14:05:04.509 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.5.42
28-Jun-2019 14:05:04.524 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Jun 4 2019 20:29:04 UTC
28-Jun-2019 14:05:04.525 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.5.42.0
28-Jun-2019 14:05:04.526 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
28-Jun-2019 14:05:04.527 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.14.116-boot2docker
28-Jun-2019 14:05:04.532 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.3+7
28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /opt/apache-tomcat.base
28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
28-Jun-2019 14:05:04.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
28-Jun-2019 14:05:04.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/apache-tomcat.base/conf/logging.properties
28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
28-Jun-2019 14:05:04.539 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.server.enableStatusRequestExtension=true
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
28-Jun-2019 14:05:04.541 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/apache-tomcat.base
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat.base/temp
28-Jun-2019 14:05:04.543 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.5.2].
28-Jun-2019 14:05:04.546 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
28-Jun-2019 14:05:04.547 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
28-Jun-2019 14:05:04.554 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.0j  20 Nov 2018]
28-Jun-2019 14:05:04.639 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio2-8443"] connector has been configured to support negotiation to [h2] via ALPN
28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-8443"]
28-Jun-2019 14:05:04.877 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1184 ms
28-Jun-2019 14:05:05.017 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
28-Jun-2019 14:05:05.018 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.42
28-Jun-2019 14:05:05.036 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/opt/apache-tomcat.base/conf/Catalina/localhost]
28-Jun-2019 14:05:05.076 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/apache-tomcat.base/webapps/ROOT]
28-Jun-2019 14:05:08.827 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [3,029] milliseconds.
28-Jun-2019 14:05:08.876 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/apache-tomcat.base/webapps/ROOT] has finished in [3,800] ms
28-Jun-2019 14:05:08.881 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio2-8443"]
28-Jun-2019 14:05:08.885 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 4007 ms


Still openssl says

*****OCSP response: no response sent********

And testssl.sh on my domain says:

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35"
                              "next protocol/#13172" "encrypt-then-mac/#22" "extended master secret/#23"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint 86400 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: no
 TLS clock skew               Random values, no fingerprinting possible
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        xx / SHA1 xx
                              SHA256 xx
 Common Name (CN)             xxx.dedyn.io
 subjectAltName (SAN)         xxx xxx xxx.dedyn.io
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   expires < 30 days (20) (2019-04-20 00:48 --> 2019-07-19 00:48)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                ****not offered****
 OCSP must staple extension   ****requires OCSP stapling (NOT ok)****
 DNS CAA RR (experimental)    available - please check for match with "Issuer" above
                              iodef=mailto:xx@xx.com, issue=letsencrypt.org
 Certificate Transparency     yes (certificate extension)



Anything I can do to figure that out?

Thank you for your help!

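The startup log quoted above names the connector https-openssl-nio2-8443 and reports useOpenSSL [true], so TLS is handled by tomcat-native/OpenSSL rather than JSSE, and the JSSE-only jdk.tls.server.enableStatusRequestExtension property is not consulted by that code path; because testssl.sh also shows the certificate carries the must-staple extension, a missing staple is a hard failure for clients that enforce it. The shell example below is added here and is not from the thread or the Tomcat project: it detects that combination in a constructed copy of the quoted log lines and classifies openssl s_client -status output, with the function names and sample strings being assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check a Tomcat startup log for the
# combination seen above (JSSE-only stapling property set, but TLS handled by
# tomcat-native/OpenSSL) and classify `openssl s_client -status` output.
# SAMPLE_LOG is a constructed, abridged copy of the startup lines in the thread.
SAMPLE_LOG='Command line argument: -Djdk.tls.server.enableStatusRequestExtension=true
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
Initializing ProtocolHandler ["https-openssl-nio2-8443"]'

# Constructed s_client excerpts: the line quoted in the thread, and the header
# openssl prints when the server does staple a response.
SCLIENT_NOSTAPLE='OCSP response: no response sent'
SCLIENT_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'

# Tomcat names the handler "https-openssl-<io>-<port>" when OpenSSLImplementation
# is active and "https-jsse-<io>-<port>" for JSSE. Prints openssl|jsse|unknown.
tls_impl() {
    printf '%s\n' "$1" | grep -q 'ProtocolHandler \["https-openssl-' && { echo openssl; return; }
    printf '%s\n' "$1" | grep -q 'ProtocolHandler \["https-jsse-' && { echo jsse; return; }
    echo unknown
}

# Was the JSSE stapling property passed on the command line? Prints yes|no.
status_req_prop() {
    printf '%s\n' "$1" | grep -q -- '-Djdk.tls.server.enableStatusRequestExtension=true' \
        && echo yes || echo no
}

# Verdict: the property is read only by JSSE; an OpenSSL-backed connector ignores
# it, so no staple should be expected in that case whatever the JVM options say.
stapling_expectation() {
    if [ "$(tls_impl "$1")" = openssl ]; then echo openssl-backed-property-ignored
    elif [ "$(status_req_prop "$1")" = no ]; then echo jsse-property-missing
    else echo jsse-stapling-enabled; fi
}

# Classify captured `openssl s_client -status` output. Prints stapled|not-stapled.
sclient_verdict() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful' \
        && echo stapled || echo not-stapled
}

stapling_expectation "$SAMPLE_LOG"   # openssl-backed-property-ignored
sclient_verdict "$SCLIENT_NOSTAPLE"  # not-stapled
sclient_verdict "$SCLIENT_STAPLED"   # stapled
```

On a live server, feed it the real catalina.out and the output of `openssl s_client -status -connect host:8443 </dev/null` instead of the constructed strings.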
