tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: OCSP Connector on Tomcat 8.5 not working
Date Thu, 20 Jun 2019 18:36:06 GMT
On 20/06/2019 18:50, Mark Thomas wrote:
> On 20/06/2019 18:27, Michael Magnuson wrote:
>> Thanks Mark.  A couple clarifications on your example first.  You don't list the
clientAuth= attribute.  I assume this was a simple oversight.
> 
> It is replaced by certificateVerification="required"
> 
>>  You list the SSLEnabled="true" attribute twice.  Should one of these be secure="true"?
> 
> It should.
> 
>>  For the certificateVerification= attribute, is the correct syntax "require" or "required"?
> 
> "required"
> 
> Setting up an OCSP responder locally is next on my TODO list. I'll
> report back with the results.

Works as expected.

Mark


> 
> Mark
> 
> 
>>
>> Thanks,
>> Mike
>>
>>
>>
>> ________________________________
>> From: Mark Thomas <markt@apache.org>
>> Sent: Thursday, June 20, 2019 10:00 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>
>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>> Mark,
>>>
>>> Thank you for your replies and help.
>>>
>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>
>> Lets assume it has been. I think that is a safe assumption for now.
>>
>>> Removing the <Certificate/> element had no negative effect.  I originally
put it in there following this guide:
>>> https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftomcat.apache.org%2Ftomcat-8.5-doc%2Fssl-howto.html%23Configuring_OCSP_Connector&amp;data=02%7C01%7Cmmagnuson%40sempervalens.com%7Cd6ce870ea03649db5c6f08d6f5a0dc44%7Cd2be4b7da12a4d0ab36310a94aadff1e%7C1%7C0%7C636966468590827314&amp;sdata=LgLtvPKCm7G3qgNzhEGCh318WSaizgN0ZXuUtAkt%2FLA%3D&amp;reserved=0
>>
>> Hmm. We might need to revisit that. It looks "odd".
>>
>>> Without the trustStore attributes, it prompts for the smart card PIN and you
can select the cert you want to use, but then it doesn't do anything from there.  With those
attributes present, Tomcat serves up the expected page after PIN+cert.
>>
>> Interesting. That suggests Tomcat is using the trustStore to validate
>> the client certs.
>>
>> I've looked at this again and the config is more mixed up that I first
>> realised. Lets get that fixed first.
>>
>>> Changing clientAuth to "required" from "want" has no effect either way.
>>
>> OK. Lets leave it on required for now since that takes one variable out
>> of the equation.
>>
>> Back to the config. I'm going to try and convert everything to the new
>> style format.
>>
>> <Connector port="8443"
>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="150"
>>            SSLEnabled="true"
>>            scheme="https"
>>            SSLEnabled="true"
>>     <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>>                    certificateVerification="required"
>>                    caCertificateFile="path_to_ca_file">
>>         <Certificate certificateFile="path_to_server.crt"
>>                      certificateKeyFile="path_to_server.key"
>>                      certificateKeyPassword="password"
>>                      certificateChainFile="path_to_chain" />
>>     </SSLHostConfig>
>> </Connector>
>>
>> I have removed settings that are the same as the defaults.
>> SSLCertificateChainFile isn't a recognised attribute.
>>
>> I opted for the OpenSSL style store for trusted CA certs. That probably
>> means you need to export the trusted certs from your trustStoreFile to a
>> PEM encoded file for caCertificateFile.
>>
>> For the purposes of the test, you only need to export the cert that
>> issued cert used by the client.
>>
>> I'm wondering if the slightly odd trust store config was causing
>> problems. We really need more logging in Tomcat Native to figure that
>> sort of thing out.
>>
>> I also think I need to get OCSP working with client certs locally so I
>> can test it as well. I'll add that to my TODO list.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message