tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Magnuson <mmagnu...@sempervalens.com>
Subject Re: OCSP Connector on Tomcat 8.5 not working
Date Thu, 20 Jun 2019 17:27:29 GMT
Thanks Mark.  A couple clarifications on your example first.  You don't list the clientAuth=
attribute.  I assume this was a simple oversight.  You list the SSLEnabled="true" attribute
twice.  Should one of these be secure="true"?  For the certificateVerification= attribute,
is the correct syntax "require" or "required"?

Thanks,
Mike



________________________________
From: Mark Thomas <markt@apache.org>
Sent: Thursday, June 20, 2019 10:00 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 20/06/2019 17:24, Michael Magnuson wrote:
> Mark,
>
> Thank you for your replies and help.
>
> I'm not sure how to verify that Tomcat Native was built with OCSP support?

Lets assume it has been. I think that is a safe assumption for now.

> Removing the <Certificate/> element had no negative effect.  I originally put it
in there following this guide:
> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftomcat.apache.org%2Ftomcat-8.5-doc%2Fssl-howto.html%23Configuring_OCSP_Connector&amp;data=02%7C01%7Cmmagnuson%40sempervalens.com%7Cd6ce870ea03649db5c6f08d6f5a0dc44%7Cd2be4b7da12a4d0ab36310a94aadff1e%7C1%7C0%7C636966468590827314&amp;sdata=LgLtvPKCm7G3qgNzhEGCh318WSaizgN0ZXuUtAkt%2FLA%3D&amp;reserved=0

Hmm. We might need to revisit that. It looks "odd".

> Without the trustStore attributes, it prompts for the smart card PIN and you can select
the cert you want to use, but then it doesn't do anything from there.  With those attributes
present, Tomcat serves up the expected page after PIN+cert.

Interesting. That suggests Tomcat is using the trustStore to validate
the client certs.

I've looked at this again and the config is more mixed up that I first
realised. Lets get that fixed first.

> Changing clientAuth to "required" from "want" has no effect either way.

OK. Lets leave it on required for now since that takes one variable out
of the equation.

Back to the config. I'm going to try and convert everything to the new
style format.

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           SSLEnabled="true"
    <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
                   certificateVerification="required"
                   caCertificateFile="path_to_ca_file">
        <Certificate certificateFile="path_to_server.crt"
                     certificateKeyFile="path_to_server.key"
                     certificateKeyPassword="password"
                     certificateChainFile="path_to_chain" />
    </SSLHostConfig>
</Connector>

I have removed settings that are the same as the defaults.
SSLCertificateChainFile isn't a recognised attribute.

I opted for the OpenSSL style store for trusted CA certs. That probably
means you need to export the trusted certs from your trustStoreFile to a
PEM encoded file for caCertificateFile.

For the purposes of the test, you only need to export the cert that
issued cert used by the client.

I'm wondering if the slightly odd trust store config was causing
problems. We really need more logging in Tomcat Native to figure that
sort of thing out.

I also think I need to get OCSP working with client certs locally so I
can test it as well. I'll add that to my TODO list.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message