tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: OCSP Connector on Tomcat 8.5 not working
Date Fri, 21 Jun 2019 16:10:01 GMT
On 21/06/2019 16:46, Michael Magnuson wrote:
> 
> 
> Thanks.  Is that setup using a CRL instead of OCSP?

It will work with either/both. I had a local OCSP responder running with
OpenSSL so I could monitor the requests and responses. OCSP was working
correctly. It rejected a cert that had been invalidated that wasn't in
the CRL.

Mark


> 
> ________________________________
> From: Mark Thomas <markt@apache.org>
> Sent: Friday, June 21, 2019 8:44 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
> 
> On 21/06/2019 16:31, Michael Magnuson wrote:
>> Hmm.  It's still not working at all for me.  Can you post your SSL connector configuration?
> 
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
>   <SSLHostConfig certificateVerification="required"
>                  caCertificateFile="conf/ca-rsa-cert.pem"
>                  certificateRevocationListFile="conf/crl.pem">
>     <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
>                  certificateFile="conf/localhost-rsa-cert.pem"
>                  certificateChainFile="conf/localhost-rsa-chain.pem"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
> 
> Mark
> 
> 
>>
>>
>>
>> ________________________________
>> From: Mark Thomas <markt@apache.org>
>> Sent: Thursday, June 20, 2019 11:36 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>
>> On 20/06/2019 18:50, Mark Thomas wrote:
>>> On 20/06/2019 18:27, Michael Magnuson wrote:
>>>> Thanks Mark.  A couple clarifications on your example first.  You don't list
>>>> the clientAuth= attribute.  I assume this was a simple oversight.
>>>
>>> It is replaced by certificateVerification="required"
>>>
>>>> You list the SSLEnabled="true" attribute twice.  Should one of these be
>>>> secure="true"?
>>>
>>> It should.
>>>
>>>> For the certificateVerification= attribute, is the correct syntax "require"
>>>> or "required"?
>>>
>>> "required"
>>>
>>> Setting up an OCSP responder locally is next on my TODO list. I'll
>>> report back with the results.
>>
>> Works as expected.
>>
>> Mark
>>
>>
>>>
>>> Mark
>>>
>>>
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>>>
>>>>
>>>> ________________________________
>>>> From: Mark Thomas <markt@apache.org>
>>>> Sent: Thursday, June 20, 2019 10:00 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>>
>>>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>>>> Mark,
>>>>>
>>>>> Thank you for your replies and help.
>>>>>
>>>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>>>
>>>> Let's assume it has been. I think that is a safe assumption for now.
>>>>
>>>>> Removing the <Certificate/> element had no negative effect.  I
>>>>> originally put it in there following this guide:
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>>>
>>>> Hmm. We might need to revisit that. It looks "odd".
>>>>
>>>>> Without the trustStore attributes, it prompts for the smart card PIN
>>>>> and you can select the cert you want to use, but then it doesn't do anything from there.
>>>>> With those attributes present, Tomcat serves up the expected page after PIN+cert.
>>>>
>>>> Interesting. That suggests Tomcat is using the trustStore to validate
>>>> the client certs.
>>>>
>>>> I've looked at this again and the config is more mixed up than I first
>>>> realised. Let's get that fixed first.
>>>>
>>>>> Changing clientAuth to "required" from "want" has no effect either way.
>>>>
>>>> OK. Let's leave it on required for now since that takes one variable out
>>>> of the equation.
>>>>
>>>> Back to the config. I'm going to try and convert everything to the new
>>>> style format.
>>>>
>>>> <Connector port="8443"
>>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>            maxThreads="150"
>>>>            SSLEnabled="true"
>>>>            scheme="https"
>>>>            SSLEnabled="true">
>>>>     <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>>>>                    certificateVerification="required"
>>>>                    caCertificateFile="path_to_ca_file">
>>>>         <Certificate certificateFile="path_to_server.crt"
>>>>                      certificateKeyFile="path_to_server.key"
>>>>                      certificateKeyPassword="password"
>>>>                      certificateChainFile="path_to_chain" />
>>>>     </SSLHostConfig>
>>>> </Connector>
>>>>
>>>> I have removed settings that are the same as the defaults.
>>>> SSLCertificateChainFile isn't a recognised attribute.
>>>>
>>>> I opted for the OpenSSL style store for trusted CA certs. That probably
>>>> means you need to export the trusted certs from your trustStoreFile to a
>>>> PEM encoded file for caCertificateFile.
>>>>
>>>> For the purposes of the test, you only need to export the cert that
>>>> issued the cert used by the client.
>>>>
>>>> I'm wondering if the slightly odd trust store config was causing
>>>> problems. We really need more logging in Tomcat Native to figure that
>>>> sort of thing out.
>>>>
>>>> I also think I need to get OCSP working with client certs locally so I
>>>> can test it as well. I'll add that to my TODO list.
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
> 
> 
> 
> 


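The thread settles on caCertificateFile (a PEM bundle of trusted CAs) plus certificateRevocationListFile, and Mark reports that a revoked client cert is rejected under that setup. The following shell script is an added example, not code from the thread or from the Tomcat project: it uses the OpenSSL CLI to stand up a throwaway CA, issue two client certificates, revoke one, publish a CRL, and then run the same chain-plus-CRL check OpenSSL performs on a client certificate during the handshake when those two attributes are set. It assumes `openssl` 1.1.1 or 3.x on PATH; the CA name, the client names alice and mallory, the serial numbers and the scratch directory are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: stand up a throwaway CA with the OpenSSL
# CLI, issue two client certs, revoke one, publish a CRL, and verify each cert
# the way OpenSSL does behind caCertificateFile + certificateRevocationListFile.
# Assumes `openssl` (1.1.1 or 3.x) on PATH. All names and paths are constructed.
set -u

# Scratch directory; nothing here touches a real Tomcat installation.
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl.cnf: [demo_ca] is what `openssl ca -revoke/-gencrl` needs,
# [req]/[v3_ca] give the self-signed root real CA extensions so that chain
# and CRL-signature checks pass. $dir is left for openssl itself to expand.
write_ca_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $WORK
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
certificate        = \$dir/ca.pem
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA key + self-signed cert, plus the empty database `openssl ca` expects.
make_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  write_ca_config
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 365 \
    -subj "/CN=demo-ca" >/dev/null 2>&1
}

# Issue a client cert: $1 = common name (also the file stem), $2 = serial.
issue_client() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial "$2" -days 365 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Mark a client cert revoked in index.txt and publish crl.pem: this is the
# file certificateRevocationListFile would point at.
revoke_client() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.pem" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 30 -md sha256 \
    -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Chain check against the CA file plus CRL check of the leaf, which is what
# OpenSSL does with a client cert when certificateVerification="required".
# Prints "accepted" or "rejected".
verify_with_crl() {
  if openssl verify -CAfile "$WORK/ca.pem" -crl_check -CRLfile "$WORK/crl.pem" \
       "$WORK/$1.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

run_demo() {
  make_ca
  issue_client alice 1001     # stays valid
  issue_client mallory 1002   # will be revoked
  revoke_client mallory
  echo "alice:   $(verify_with_crl alice)"     # alice:   accepted
  echo "mallory: $(verify_with_crl mallory)"   # mallory: rejected
}

run_demo
```

The ca.pem and crl.pem this produces are exactly the shape of file the connector's caCertificateFile and certificateRevocationListFile expect. If your trusted CA currently lives only in a JKS truststore, `keytool -exportcert -rfc -keystore truststore.jks -alias <ca-alias> -file ca.pem` gives the PEM form Mark describes exporting. The same index.txt can also back a local OpenSSL OCSP responder for watching requests and responses, e.g. `openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -port 8888 -text`, with the port chosen here being an arbitrary example value.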

