tomcat-users mailing list archives

From John Palmer <johnpalm...@gmail.com>
Subject how to enable OCSP revocation checking from tomcat 8.5.x using NIO2 w OpenSSL ?
Date Thu, 06 Jun 2019 14:31:59 GMT
What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
Tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
8.5.38 using OpenSSL?
(Will this work with NIO2?)

1) using OpenSSL (the tc-native-1.dll binary for Windows, compiled with OCSP
support: the x64 DLL from
tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip).
(I'd prefer to have this working with OpenSSL for a couple of reasons.)

2) using JSSE (Java 8 (1.8.0_202)) with the NIO2 connector.
(I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java
options for the Tomcat service.)


I can't see anything indicating OCSP checks in the logs for either.
(logs do indicate the OpenSSL

For JSSE, by adding -Djavax.net.debug=ssl to the Java options for the
Tomcat service, I see logging for key and trust stores being loaded, etc. in
tomcat8-stdout(date).log:
the server requesting a client cert, the client cert being received and
a trusted root being found for it ("Found trusted certificate:"),
but nothing about revocation checking....
(I do see:
    check handshake state: certificate_verify[15]
    update handshake state: certificate_verify[15]

but I'm not sure that's revocation checking....)

For OpenSSL, I'm not sure how to enable equivalent logging.... By enabling
pretty much ALL the logging
    org.apache.coyote.http2.level=ALL
    org.apache.level=ALL
    org.apache.catalina.session.level=ALL
I can see the truststore ("Added client CA cert") being loaded but not much
else about certificates.


Wireshark shows me OCSP calls for the SERVER cert, presumably from the
browser (Firefox).
(I'm testing this on a personal computer, Tomcat and browser on the same
computer.)
If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing them.


The Connector part of the server.xml config file is (IP address and server
name etc. removed):

    <Connector
        address="a.b.c.d"
        port="443"
        protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        maxThreads="150"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig
            protocols="+TLSv1.2+TLSv1.3"
            honorCipherOrder="true"
            certificateVerification="REQUIRED"
            truststoreFile="C:/certs/trustStore.pfx"
            truststoreType="PKCS12"
            truststorePassword="abcdef"
            >
            <Certificate
                certificateKeystoreFile="C:/certs/(server).pfx"
                certificateKeystoreType="PKCS12"
                certificateKeystorePassword="abcdef"
            />
        </SSLHostConfig>
    </Connector>
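Added example, not part of the original message and not code from the Tomcat project: the JSSE side of the question, shown as plain Java so the mechanism is visible. Two background facts matter for reading the poster's log output. With the JDK's default PKIX trust manager, -Dcom.sun.net.ssl.checkRevocation=true only switches revocation checking on; OCSP is used on that path only when the ocsp.enable security property is also true (in java.security or via Security.setProperty), otherwise it checks CRLs only. And -Djavax.net.debug=ssl does not log the revocation checker at all; -Djava.security.debug=certpath does. The code below builds a server SSLContext whose trust manager carries an explicit java.security.cert.PKIXRevocationChecker (Java 8+), which queries the OCSP responder named in the client certificate's Authority Information Access extension and falls back to CRLs, independently of those two properties. Tomcat 8.5's SSLHostConfig exposes a revocationEnabled attribute (JSSE engine only; check the 8.5 SSL Support documentation) that turns on the same PKIX mechanism declaratively; the OpenSSL/tc-native engine is outside this example. The file names, the port and the password are assumptions chosen to resemble the posted server.xml.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: a server-side SSLContext whose PKIX trust manager checks the
 * revocation status of every client certificate chain over OCSP, with CRL
 * fallback, using PKIXRevocationChecker (Java 8+).
 *
 * Paths and passwords are assumptions for illustration only.
 */
public class OcspClientAuth {

    /**
     * Trust managers that check revocation of the presented client chain.
     *
     * hardFail = true : status could not be determined (responder unreachable,
     *                   no usable CRL) rejects the handshake.
     * hardFail = false: SOFT_FAIL, such certificates are accepted; only a
     *                   definite "revoked" answer rejects them.
     */
    public static TrustManager[] revocationCheckingTrustManagers(
            String truststoreFile, char[] truststorePassword, boolean hardFail)
            throws Exception {
        KeyStore truststore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(truststoreFile)) {
            truststore.load(in, truststorePassword);
        }

        // The checker finds the responder in the client cert's Authority
        // Information Access extension (and CRL Distribution Points for the
        // fallback); no responder URL is hard-coded here.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> options =
                EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (!hardFail) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(options);

        PKIXBuilderParameters pkix = new PKIXBuilderParameters(truststore, new X509CertSelector());
        // An explicitly added PKIXRevocationChecker is used regardless of the
        // RevocationEnabled flag and replaces the default CRL-only mechanism.
        pkix.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    /** Server identity from a PKCS12 keystore, client verification via the trust managers above. */
    public static SSLContext serverContext(String keystoreFile, char[] keystorePassword,
                                           TrustManager[] trustManagers) throws Exception {
        KeyStore keystore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystoreFile)) {
            keystore.load(in, keystorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keystorePassword);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), trustManagers, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "abcdef".toCharArray();   // assumed, mirrors the posted server.xml
        TrustManager[] tms = revocationCheckingTrustManagers("C:/certs/trustStore.pfx", pw, true);
        SSLContext ctx = serverContext("C:/certs/server-example.pfx", pw, tms);   // assumed path

        // Equivalent of certificateVerification="REQUIRED": a client that
        // presents no certificate fails the handshake.
        try (SSLServerSocket ss = (SSLServerSocket)
                ctx.getServerSocketFactory().createServerSocket(8443)) {   // assumed port
            ss.setNeedClientAuth(true);
            ss.setEnabledProtocols(new String[] {"TLSv1.2"});
            System.out.println("listening on 8443; run with -Djava.security.debug=certpath"
                    + " to watch the revocation checker");
            ss.accept().close();   // accept one handshake, then exit
        }
    }
}
```

Run it with -Djava.security.debug=certpath and connect with a client certificate whose AIA names an OCSP responder: the log shows the checker's OCSP request and response, and Wireshark shows the OCSP exchange originating from the JVM rather than from the browser. With hardFail = true, block the responder and the handshake is refused, which is the behaviour to verify before relying on revocation checking in production; SOFT_FAIL trades that guarantee for availability.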
