From: Mark Thomas
Reply-To: "Tomcat Users List"
To: users@tomcat.apache.org
Subject: Re: OCSP with openSSL
Date: Mon, 17 Jun 2019 15:29:06 +0100
Message-ID: <032ad8ce-bafd-aa43-3174-238a79052cd4@apache.org>
References: <98c3b15b-8946-a829-3aa1-2e806cd8ef57@apache.org>
Content-Type: text/plain; charset=utf-8

On 17/06/2019 15:15, logo wrote:
> Hi Mark,
>
> having been in contact with Усманов, I can confirm your summary.
>
> May I add my question from February with additional info to this thread:
> https://markmail.org/message/zvziqrhm32bctm7e

Thanks. Progress can be tracked here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support OCSP
stapling with appropriate configuration. The OpenSSL ones (APR/native,
NIO+OpenSSL, NIO2+OpenSSL) do not.

It might be simply a configuration issue with OpenSSL. It might need code
changes in APR/Native. I'm currently looking into that.

Mark

>
> Thanks.
>
> Peter
>
> On 2019-06-17 15:44, Mark Thomas wrote:
>> Coming back to this as it has been on my TODO list for a while.
>>
>> Having re-read the thread I think it would be helpful to first clarify
>> exactly what behaviour you are expecting and not seeing.
>>
>> The issue relates to OCSP checks when Tomcat is presenting its server
>> certificate to the client.
>>
>> You are expecting Tomcat to use OCSP stapling to provide the OCSP
>> information to the client so that the client does not have to request it
>> itself.
>>
>> Tomcat is not providing the OCSP information.
>> It appears that OCSP stapling is not working.
>>
>> Is the above a fair summary? If not, please provide corrections.
>>
>> Thanks,
>>
>> Mark
>>
>>
>> On 27/05/2019 12:36, Усманов Азат Анварович wrote:
>>> Just a quick follow-up, trying to get some answers: I added an include
>>> to sslutils.c (which has all the OCSP functions) to print some info. I
>>> added printf calls to every function defined in this file. Interestingly
>>> enough, when I issue
>>>   openssl s_client -connect debug.ieml.ru:8443 -tls1_2 -status -proxy 192.168.1.6:3131
>>> (both the tls1_2 and tls1_3 versions) and when I access the server from
>>> another machine via browser, none of the printf calls are displayed;
>>> however, when I issue the SSL Labs server test (which is also supposedly
>>> capable of detecting OCSP) some of them start to appear. Sadly none of
>>> them are OCSP related. I did put a basic ifdef test for
>>> HAVE_OCSP_STAPLING in, and surprisingly it shows that OCSP support is
>>> indeed enabled. So here are both the modified sslutils.c file and the
>>> Tomcat log snippet (not sure if attachments are allowed on the list so
>>> posting it here).
>>> Not sure where to go from here.
>>>
>>> /* Licensed to the Apache Software Foundation (ASF) under one or more
>>>  * contributor license agreements.  See the NOTICE file distributed with
>>>  * this work for additional information regarding copyright ownership.
>>>  * The ASF licenses this file to You under the Apache License, Version 2.0
>>>  * (the "License"); you may not use this file except in compliance with
>>>  * the License.  You may obtain a copy of the License at
>>>  *
>>>  *     http://www.apache.org/licenses/LICENSE-2.0
>>>  *
>>>  * Unless required by applicable law or agreed to in writing, software
>>>  * distributed under the License is distributed on an "AS IS" BASIS,
>>>  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>  * See the License for the specific language governing permissions and
>>>  * limitations under the License.
>>>  */
>>>
>>> /** SSL Utilities
>>>  */
>>>
>>> #include "tcn.h"
>>> #include <stdio.h>
>>> #ifdef HAVE_OPENSSL
>>> #include "apr_poll.h"
>>> #include "ssl_private.h"
>>>
>>>
>>> #ifdef WIN32
>>> extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
>>> #endif
>>>
>>> #ifdef HAVE_OCSP_STAPLING
>>> #include
>>> #include
>>> /* defines with the values as seen by the asn1parse -dump openssl command */
>>> #define ASN1_SEQUENCE 0x30
>>> #define ASN1_OID      0x06
>>> #define ASN1_STRING   0x86
>>> static int ssl_verify_OCSP(X509_STORE_CTX *ctx);
>>> static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
>>> #endif
>>>
>>> /*  _________________________________________________________________
>>> **
>>> **  Additional High-Level Functions for OpenSSL
>>> **  _________________________________________________________________
>>> */
>>>
>>> /* we initialize this index at startup time
>>>  * and never write to it at request time,
>>>  * so this static is thread safe.
>>>  * also note that OpenSSL increments a static variable when
>>>  * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
>>>  */
>>> static int SSL_app_data2_idx = -1;
>>> static int SSL_app_data3_idx = -1;
>>> static int SSL_app_data4_idx = -1;
>>>
>>> void SSL_init_app_data_idx(void)
>>> {
>>>     printf(" SSL_init_app_data_idx\n");
>>> #ifdef HAVE_OCSP_STAPLING
>>>     printf("Hi OCSP \n");
>>> #else
>>>     printf("Sorry no OCSP support\n");
>>> #endif
>>>
>>>     int i;
>>>
>>>     if (SSL_app_data2_idx > -1) {
>>>         return;
>>>     }
>>>
>>>     /* we _do_ need to call this twice */
>>>     for (i = 0; i <= 1; i++) {
>>>         SSL_app_data2_idx =
>>>             SSL_get_ex_new_index(0,
>>>                                  "Second Application Data for SSL",
>>>                                  NULL, NULL, NULL);
>>>     }
>>>
>>>     if (SSL_app_data3_idx > -1) {
>>>         return;
>>>     }
>>>
>>>     SSL_app_data3_idx =
>>>             SSL_get_ex_new_index(0,
>>>                                  "Third Application Data for SSL",
>>>                                  NULL, NULL, NULL);
>>>
>>>     if (SSL_app_data4_idx > -1) {
>>>         return;
>>>     }
>>>
>>>     SSL_app_data4_idx =
>>>             SSL_get_ex_new_index(0,
>>>                                  "Fourth Application Data for SSL",
>>>                                  NULL, NULL, NULL);
>>>
>>> }
>>>
>>> void *SSL_get_app_data2(SSL *ssl)
>>> {
>>>     printf("ssl_get_app_data2 \n");
>>>     return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
>>> }
>>>
>>> void SSL_set_app_data2(SSL *ssl, void *arg)
>>> {
>>>     printf("ssl_set_app_data2 \n");
>>>
>>>     SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
>>>     return;
>>> }
>>>
>>>
>>> void *SSL_get_app_data3(const SSL *ssl)
>>> {
>>>     printf("ssl_get_app_data3 \n");
>>>
>>>     return SSL_get_ex_data(ssl, SSL_app_data3_idx);
>>> }
>>>
>>> void SSL_set_app_data3(SSL *ssl, void *arg)
>>> {
>>>     printf("ssl_set_app_data3 \n");
>>>     SSL_set_ex_data(ssl, SSL_app_data3_idx, arg);
>>> }
>>>
>>> void *SSL_get_app_data4(const SSL *ssl)
>>> {
>>>     printf("ssl_get_app_data4 \n");
>>>     return SSL_get_ex_data(ssl, SSL_app_data4_idx);
>>> }
>>>
>>> void SSL_set_app_data4(SSL *ssl, void *arg)
>>> {
>>>     printf("ssl_set_app_data4 \n");
>>>     SSL_set_ex_data(ssl, SSL_app_data4_idx, arg);
>>> }
>>>
>>> /* Simple echo password prompting */
>>> int SSL_password_prompt(tcn_pass_cb_t *data)
>>> {
>>>
>>>     printf(" SSL_password_prompt\n");
>>>     int rv = 0;
>>>     data->password[0] = '\0';
>>>     if (data->cb.obj) {
>>>         JNIEnv *e;
>>>         jobject  o;
>>>         jstring  prompt;
>>>         tcn_get_java_env(&e);
>>>         prompt = AJP_TO_JSTRING(data->prompt);
>>>         if ((o = (*e)->CallObjectMethod(e, data->cb.obj,
>>>                             data->cb.mid[0], prompt))) {
>>>             TCN_ALLOC_CSTRING(o);
>>>             if (J2S(o)) {
>>>                 strncpy(data->password, J2S(o), SSL_MAX_PASSWORD_LEN);
>>>                 data->password[SSL_MAX_PASSWORD_LEN-1] = '\0';
>>>                 rv = (int)strlen(data->password);
>>>             }
>>>             TCN_FREE_CSTRING(o);
>>>         }
>>>     }
>>>     else {
>>> #ifdef WIN32
>>>         rv = WIN32_SSL_password_prompt(data);
>>> #else
>>>         EVP_read_pw_string(data->password, SSL_MAX_PASSWORD_LEN,
>>>                            data->prompt, 0);
>>> #endif
>>>         rv = (int)strlen(data->password);
>>>     }
>>>     if (rv > 0) {
>>>         /* Remove LF char if present */
>>>         char *r = strchr(data->password, '\n');
>>>         if (r) {
>>>             *r = '\0';
>>>             rv--;
>>>         }
>>> #ifdef WIN32
>>>         if ((r = strchr(data->password, '\r'))) {
>>>             *r = '\0';
>>>             rv--;
>>>         }
>>> #endif
>>>     }
>>>     return rv;
>>> }
>>>
>>> int SSL_password_callback(char *buf, int bufsiz, int verify,
>>>                           void *cb)
>>> {
>>>     printf("SSL_password_callback\n");
>>>     tcn_pass_cb_t *cb_data = (tcn_pass_cb_t *)cb;
>>>
>>>     if (buf == NULL)
>>>         return 0;
>>>     *buf = '\0';
>>>     if (cb_data == NULL)
>>>         cb_data = &tcn_password_callback;
>>>     if (!cb_data->prompt)
>>>         cb_data->prompt = SSL_DEFAULT_PASS_PROMPT;
>>>     if (cb_data->password[0]) {
>>>         /* Return already obtained password */
>>>         strncpy(buf, cb_data->password, bufsiz);
>>>         buf[bufsiz - 1] = '\0';
>>>         return (int)strlen(buf);
>>>     }
>>>     else {
>>>         if (SSL_password_prompt(cb_data) > 0)
>>>             strncpy(buf, cb_data->password, bufsiz);
>>>     }
>>>     buf[bufsiz - 1] = '\0';
>>>     return (int)strlen(buf);
>>> }
>>>
>>> /*  _________________________________________________________________
>>> **
>>> **  Custom (EC)DH parameter support
>>> **  _________________________________________________________________
>>> */
>>> DH *SSL_dh_GetParamFromFile(const char *file)
>>> {
>>>     printf("SSL_dh_GetParamFromFile\n");
>>>     DH *dh = NULL;
>>>     BIO *bio;
>>>
>>>     if ((bio = BIO_new_file(file, "r")) == NULL)
>>>         return NULL;
>>>     dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
>>>     BIO_free(bio);
>>>     return dh;
>>> }
>>>
>>> #ifdef HAVE_ECC
>>> EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
>>> {
>>>
>>>     printf("SSL_ec_GetParamFromFile\n");
>>>     EC_GROUP *group = NULL;
>>>     BIO *bio;
>>>
>>>     if ((bio = BIO_new_file(file, "r")) == NULL)
>>>         return NULL;
>>>     group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
>>>     BIO_free(bio);
>>>     return (group);
>>> }
>>> #endif
>>>
>>> /*
>>>  * Hand out standard DH parameters, based on the authentication strength
>>>  */
>>> DH *SSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
>>> {
>>>     printf("SSL_callback_tmp_DH\n");
>>>     EVP_PKEY *pkey = SSL_get_privatekey(ssl);
>>>     int type = pkey != NULL ?
>>>         EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
>>>
>>>     /*
>>>      * OpenSSL will call us with either keylen == 512 or keylen == 1024
>>>      * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
>>>      * Adjust the DH parameter length according to the size of the
>>>      * RSA/DSA private key used for the current connection, and always
>>>      * use at least 1024-bit parameters.
>>>      * Note: This may cause interoperability issues with implementations
>>>      * which limit their DH support to 1024 bit - e.g. Java 7 and earlier.
>>>      * In this case, SSLCertificateFile can be used to specify fixed
>>>      * 1024-bit DH parameters (with the effect that OpenSSL skips this
>>>      * callback).
>>>      */
>>>     if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
>>>         keylen = EVP_PKEY_bits(pkey);
>>>     }
>>>     return SSL_get_dh_params(keylen);
>>> }
>>>
>>> /*
>>>  * Read a file that optionally contains the server certificate in PEM
>>>  * format, possibly followed by a sequence of CA certificates that
>>>  * should be sent to the peer in the SSL Certificate message.
>>>  */
>>> int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
>>>                                   int skipfirst)
>>> {
>>>     printf("SSL_CTX_use_certificate_chain\n");
>>>
>>>     BIO *bio;
>>>     X509 *x509;
>>>     unsigned long err;
>>>     int n;
>>>
>>>     if ((bio = BIO_new(BIO_s_file())) == NULL)
>>>         return -1;
>>>     if (BIO_read_filename(bio, file) <= 0) {
>>>         BIO_free(bio);
>>>         return -1;
>>>     }
>>>     /* optionally skip a leading server certificate */
>>>     if (skipfirst) {
>>>         if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
>>>             BIO_free(bio);
>>>             return -1;
>>>         }
>>>         X509_free(x509);
>>>     }
>>>
>>>     /* free a perhaps already configured extra chain */
>>>     SSL_CTX_clear_extra_chain_certs(ctx);
>>>
>>>     /* create new extra chain by loading the certs */
>>>     n = 0;
>>>     while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
>>>         if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
>>>             X509_free(x509);
>>>             BIO_free(bio);
>>>             return -1;
>>>         }
>>>         n++;
>>>     }
>>>     /* Make sure that the only error is just an EOF */
>>>     if ((err = ERR_peek_error()) > 0) {
>>>         if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
>>>               && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
>>>             BIO_free(bio);
>>>             return -1;
>>>         }
>>>         while (SSL_ERR_get() > 0) ;
>>>     }
>>>     BIO_free(bio);
>>>     return n;
>>> }
>>>
>>> /*
>>>  * This OpenSSL callback function is called when OpenSSL
>>>  * does client authentication and verifies the certificate chain.
>>>  */
>>>
>>>
>>> int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
>>> {
>>>     printf("SSL_callback_SSL_verify\n");
>>>     /* Get Apache context back through OpenSSL context */
>>>     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
>>>                                           SSL_get_ex_data_X509_STORE_CTX_idx());
>>>     tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
>>>     /* Get verify ingredients */
>>>     int errnum   = X509_STORE_CTX_get_error(ctx);
>>>     int errdepth = X509_STORE_CTX_get_error_depth(ctx);
>>>     int verify   = con->ctx->verify_mode;
>>>     int depth    = con->ctx->verify_depth;
>>>
>>> #if defined(SSL_OP_NO_TLSv1_3)
>>>     con->pha_state = PHA_COMPLETE;
>>> #endif
>>>
>>>     if (verify == SSL_CVERIFY_UNSET ||
>>>         verify == SSL_CVERIFY_NONE) {
>>>         return 1;
>>>     }
>>>
>>>     if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
>>>         (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
>>>         ok = 1;
>>>         SSL_set_verify_result(ssl, X509_V_OK);
>>>     }
>>>
>>>     /*
>>>      * Expired certificates vs. "expired" CRLs: by default, OpenSSL
>>>      * turns X509_V_ERR_CRL_HAS_EXPIRED into a "certificate_expired(45)"
>>>      * SSL alert, but that's not really the message we should convey to the
>>>      * peer (at the very least, it's confusing, and in many cases, it's also
>>>      * inaccurate, as the certificate itself may very well not have expired
>>>      * yet). We set the X509_STORE_CTX error to something which OpenSSL's
>>>      * s3_both.c:ssl_verify_alarm_type() maps to SSL_AD_CERTIFICATE_UNKNOWN,
>>>      * i.e. the peer will receive a "certificate_unknown(46)" alert.
>>>      * We do not touch errnum, though, so that later on we will still log
>>>      * the "real" error, as returned by OpenSSL.
>>>      */
>>>     if (!ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED) {
>>>         X509_STORE_CTX_set_error(ctx, -1);
>>>     }
>>>
>>> #ifdef HAVE_OCSP_STAPLING
>>>     /* First perform OCSP validation if possible */
>>>     if (ok) {
>>>         /* If there was an optional verification error, it's not
>>>          * possible to perform OCSP validation since the issuer may be
>>>          * missing/untrusted.  Fail in that case.
>>>          */
>>>         if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
>>>             X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
>>>             errnum = X509_V_ERR_APPLICATION_VERIFICATION;
>>>             ok = 0;
>>>         }
>>>         else {
>>>             int ocsp_response = ssl_verify_OCSP(ctx);
>>>             if (ocsp_response == OCSP_STATUS_REVOKED) {
>>>                 ok = 0 ;
>>>                 errnum = X509_STORE_CTX_get_error(ctx);
>>>             }
>>>             else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
>>>                 /* TODO: do nothing for time being */
>>>                 ;
>>>             }
>>>         }
>>>     }
>>> #endif
>>>     /*
>>>      * If we already know it's not ok, log the real reason
>>>      */
>>>     if (!ok) {
>>>         /* TODO: Some logging
>>>          * Certificate Verification: Error
>>>          */
>>>         if (con->peer) {
>>>             X509_free(con->peer);
>>>             con->peer = NULL;
>>>         }
>>>     }
>>>     if (errdepth > depth) {
>>>         /* TODO: Some logging
>>>          * Certificate Verification: Certificate Chain too long
>>>          */
>>>         ok = 0;
>>>     }
>>>     return ok;
>>> }
>>>
>>> /*
>>>  * This callback function is executed while OpenSSL processes the SSL
>>>  * handshake and does SSL record layer stuff.  It's used to trap
>>>  * client-initiated renegotiations, and for dumping everything to the
>>>  * log.
>>>  */
>>> void SSL_callback_handshake(const SSL *ssl, int where, int rc)
>>> {
>>>     printf("SSL_callback_handshake\n");
>>>     tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
>>> #ifdef HAVE_TLSV1_3
>>>     const SSL_SESSION *session = SSL_get_session(ssl);
>>> #endif
>>>
>>>     /* Retrieve the conn_rec and the associated SSLConnRec. */
>>>     if (con == NULL) {
>>>         return;
>>>     }
>>>
>>> #ifdef HAVE_TLSV1_3
>>>     /* TLS 1.3 does not use renegotiation so do not update the renegotiation
>>>      * state once we know we are using TLS 1.3. */
>>>     if (session != NULL) {
>>>         if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {
>>>             return;
>>>         }
>>>     }
>>> #endif
>>>
>>>     /* If the reneg state is to reject renegotiations, check the SSL
>>>      * state machine and move to ABORT if a Client Hello is being
>>>      * read. */
>>>     if ((where & SSL_CB_HANDSHAKE_START) &&
>>>          con->reneg_state == RENEG_REJECT) {
>>>         con->reneg_state = RENEG_ABORT;
>>>     }
>>>     /* If the first handshake is complete, change state to reject any
>>>      * subsequent client-initiated renegotiation.
>>>      */
>>>     else if ((where & SSL_CB_HANDSHAKE_DONE) && con->reneg_state == RENEG_INIT) {
>>>         con->reneg_state = RENEG_REJECT;
>>>     }
>>> }
>>>
>>> int SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
>>>                              unsigned int *len, void *arg)
>>> {
>>>     printf("SSL_callback_next_protos\n");
>>>     tcn_ssl_ctxt_t *ssl_ctxt = arg;
>>>
>>>     *data = ssl_ctxt->next_proto_data;
>>>     *len = ssl_ctxt->next_proto_len;
>>>
>>>     return SSL_TLSEXT_ERR_OK;
>>> }
>>>
>>> /* The code here is inspired by nghttp2
>>>  *
>>>  * See https://github.com/tatsuhiro-t/nghttp2/blob/ae0100a9abfcf3149b8d9e62aae216e946b517fb/src/shrpx_ssl.cc#L244
>>>  */
>>> int select_next_proto(SSL *ssl, const unsigned char **out, unsigned char *outlen,
>>>         const unsigned char *in, unsigned int inlen, unsigned char *supported_protos,
>>>         unsigned int supported_protos_len, int failure_behavior) {
>>>     printf("select_next_proto\n");
>>>
>>>     unsigned int i = 0;
>>>     unsigned char target_proto_len;
>>>     const unsigned char *p;
>>>     const unsigned char *end;
>>>     const unsigned char *proto;
>>>     unsigned char proto_len = '\0';
>>>
>>>     while (i < supported_protos_len) {
>>>         target_proto_len = *supported_protos;
>>>         ++supported_protos;
>>>
>>>         p = in;
>>>         end = in + inlen;
>>>
>>>         while (p < end) {
>>>             proto_len = *p;
>>>             proto = ++p;
>>>
>>>             if (proto + proto_len <= end && target_proto_len == proto_len &&
>>>                     memcmp(supported_protos, proto, proto_len) == 0) {
>>>
>>>                 // We found a match, so set the output and return with OK!
>>>                 *out = proto;
>>>                 *outlen = proto_len;
>>>
>>>                 return SSL_TLSEXT_ERR_OK;
>>>             }
>>>             // Move on to the next protocol.
>>>             p += proto_len;
>>>         }
>>>
>>>         // increment len and pointers.
>>>         i += target_proto_len;
>>>         supported_protos += target_proto_len;
>>>     }
>>>
>>>     if (supported_protos_len > 0 && inlen > 0 && failure_behavior == SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL) {
>>>          // There was no match, but we just select our last protocol and hope the other peer supports it.
>>>          //
>>>          // decrement the pointer again so the pointer points to the start of the protocol.
>>>          p -= proto_len;
>>>          *out = p;
>>>          *outlen = proto_len;
>>>          return SSL_TLSEXT_ERR_OK;
>>>     }
>>>     // TODO: OpenSSL currently does not support failing with a fatal error. Once this changes we can also support it here.
>>>     //       Issue https://github.com/openssl/openssl/issues/188 has been created for this.
>>>     // Nothing matched, so do not select anything and just accept.
>>>     return SSL_TLSEXT_ERR_NOACK;
>>> }
>>>
>>> int SSL_callback_select_next_proto(SSL *ssl, unsigned char **out, unsigned char *outlen,
>>>                          const unsigned char *in, unsigned int inlen,
>>>                          void *arg) {
>>>     printf("ssl_callback_select_next_proto\n");
>>>     tcn_ssl_ctxt_t *ssl_ctxt = arg;
>>>     return select_next_proto(ssl, (const unsigned char **) out, outlen, in, inlen,
>>>                              ssl_ctxt->next_proto_data, ssl_ctxt->next_proto_len,
>>>                              ssl_ctxt->next_selector_failure_behavior);
>>> }
>>>
>>> int SSL_callback_alpn_select_proto(SSL* ssl, const unsigned char **out, unsigned char *outlen,
>>>         const unsigned char *in, unsigned int inlen, void *arg) {
>>>     tcn_ssl_ctxt_t *ssl_ctxt = arg;
>>>     printf("ssl_callback_alpn_select_proto\n");
>>>     return select_next_proto(ssl, out, outlen, in, inlen,
>>>                              ssl_ctxt->alpn_proto_data, ssl_ctxt->alpn_proto_len,
>>>                              ssl_ctxt->alpn_selector_failure_behavior);
>>> }
>>> #ifdef HAVE_OCSP_STAPLING
>>>
>>> /* Function that is used to do the OCSP verification */
>>> static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
>>> {
>>>     printf("ssl_verify_OCSP\n");
>>>
>>>     X509 *cert, *issuer;
>>>     int r = OCSP_STATUS_UNKNOWN;
>>>     printf("Hello, OCSP\n");
>>>     cert = X509_STORE_CTX_get_current_cert(ctx);
>>>
>>>     if (!cert) {
>>>         printf("CERT NOT OK\n");
>>>         /* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
>>>          * may yield NULL. Return early, but leave the ctx error as is. */
>>>         return OCSP_STATUS_UNKNOWN;
>>>     }
>>> #if OPENSSL_VERSION_NUMBER < 0x10100000L
>>>     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
>>> #else
>>>     /* No need to check cert->valid, because ssl_verify_OCSP() only
>>>      * is called if OpenSSL already successfully verified the certificate
>>>      * (parameter "ok" in SSL_callback_SSL_verify() must be true).
>>>      */
>>>     else if (X509_check_issued(cert,cert) == X509_V_OK) {
>>> #endif
>>>         /* don't do OCSP checking for valid self-issued certs */
>>>         X509_STORE_CTX_set_error(ctx, X509_V_OK);
>>>         return OCSP_STATUS_UNKNOWN;
>>>     }
>>>
>>>     /* if we can't get the issuer, we cannot perform OCSP verification */
>>>     issuer = X509_STORE_CTX_get0_current_issuer(ctx);
>>>     if (issuer != NULL) {
>>>         r = ssl_ocsp_request(cert, issuer, ctx);
>>>         switch (r) {
>>>         case OCSP_STATUS_OK:
>>>             X509_STORE_CTX_set_error(ctx, X509_V_OK);
>>>             break;
>>>         case OCSP_STATUS_REVOKED:
>>>             /* we set the error if we know that it is revoked */
>>>             X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
>>>             break;
>>>         case OCSP_STATUS_UNKNOWN:
>>>             /* ssl_ocsp_request() sets the error correctly already.
>>>              */
>>>             break;
>>>         }
>>>     }
>>>     return r;
>>> }
>>>
>>>
>>> /* Helps with error handling or realloc */
>>> static void *apr_xrealloc(void *buf, size_t oldlen, size_t len, apr_pool_t *p)
>>> {
>>>     printf("apr_xrealloc\n");
>>>     void *newp = apr_palloc(p, len);
>>>
>>>     if(newp)
>>>         memcpy(newp, buf, oldlen);
>>>     return newp;
>>> }
>>>
>>> /* Parses an ASN.1 length.
>>>  * On entry, asn1 points to the current tag.
>>>  * Updates the pointer to the ASN.1 structure to point to the start of the data.
>>>  * Returns 0 on success, 1 on failure.
>>>  */
>>> static int parse_asn1_length(unsigned char **asn1, int *len) {
>>>     printf("parse_asn1_length\n");
>>>     /* Length immediately follows tag so increment before reading first (and
>>>      * possibly only) length byte.
>>>      */
>>>     (*asn1)++;
>>>
>>>     if (**asn1 & 0x80) {
>>>         // MSB set. Remaining bits are number of bytes used to store the length.
>>>         int i, l;
>>>
>>>         // How many bytes for this length?
>>>         i = **asn1 & 0x7F;
>>>
>>>         if (i == 0) {
>>>             /* This is the indefinite form of length. Since certificates use DER
>>>              * this should never happen and is therefore an error.
>>>              */
>>>             return 1;
>>>         }
>>>         if (i > 3) {
>>>             /* Three bytes for length gives a maximum of 16MB which should be
>>>              * far more than is required. (2 bytes is 64K which is probably more
>>>              * than enough but play safe.)
>>>              */
>>>             return 1;
>>>         }
>>>
>>>         // Most significant byte is first
>>>         l = 0;
>>>         while (i > 0) {
>>>             l <<= 8;
>>>             (*asn1)++;
>>>             l += **asn1;
>>>             i--;
>>>         }
>>>         *len = l;
>>>     } else {
>>>         // Single byte length
>>>         *len = **asn1;
>>>     }
>>>
>>>     (*asn1)++;
>>>
>>>     return 0;
>>> }
>>>
>>> /* parses the ocsp url and updates the ocsp_urls and nocsp_urls variables
>>>    returns 0 on success, 1 on failure */
>>> static int parse_ocsp_url(unsigned char *asn1, char ***ocsp_urls,
>>>                           int *nocsp_urls, apr_pool_t *p)
>>> {
>>>     printf("parse_ocsp_url\n");
>>>     char **new_ocsp_urls, *ocsp_url;
>>>     int len, err = 0, new_nocsp_urls;
>>>
>>>     if (*asn1 == ASN1_STRING) {
>>>         err = parse_asn1_length(&asn1, &len);
>>>
>>>         if (!err) {
>>>             new_nocsp_urls = *nocsp_urls+1;
>>>             if ((new_ocsp_urls = apr_xrealloc(*ocsp_urls,*nocsp_urls, new_nocsp_urls, p)) == NULL)
>>>                 err = 1;
>>>         }
>>>         if (!err) {
>>>             *ocsp_urls  = new_ocsp_urls;
>>>             *nocsp_urls = new_nocsp_urls;
>>>             *(*ocsp_urls + *nocsp_urls) = NULL;
>>>             if ((ocsp_url = apr_palloc(p, len + 1)) == NULL) {
>>>                 err = 1;
>>>             }
>>>             else {
>>>                 memcpy(ocsp_url, asn1, len);
>>>                 ocsp_url[len] = '\0';
>>>                 *(*ocsp_urls + *nocsp_urls - 1) = ocsp_url;
>>>             }
>>>         }
>>>     }
>>>     return err;
>>>
>>> }
>>>
>>> /* parses the ASN1 OID and if it is an OCSP OID then calls the parse_ocsp_url function */
>>> static int parse_ASN1_OID(unsigned char *asn1, char ***ocsp_urls, int *nocsp_urls, apr_pool_t *p)
>>> {
>>>     printf("PARSE  OCSP_OID\n");
>>>     int len, err = 0 ;
>>>     const unsigned char OCSP_OID[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
>>>
>>>     err = parse_asn1_length(&asn1, &len);
>>>
>>>     if (!err && len == 8 && memcmp(asn1, OCSP_OID, 8) == 0) {
>>>         asn1+=len;
>>>         err = parse_ocsp_url(asn1, ocsp_urls, nocsp_urls, p);
>>>     }
>>>     return err;
>>> }
>>>
>>>
>>> /* Parses an ASN1 Sequence. It is a recursive function, since if it finds a sequence
>>>    within the sequence it calls itself recursively. This function stops when it finds
>>>    the end of the ASN1 sequence (marked by '\0'), so if there are other sequences within
>>>    the same sequence the while loop parses the sequences */
>>>
>>> /* This algo was developed with AIA in mind so it was tested only with this extension */
>>> static int parse_ASN1_Sequence(unsigned char *asn1, char ***ocsp_urls,
>>>                                int *nocsp_urls, apr_pool_t *p)
>>> {
>>>     printf("parse_ASN1_Sequence\n");
>>>
>>>     int len = 0 , err = 0;
>>>
>>>     while (!err && *asn1 != '\0') {
>>>         switch(*asn1) {
>>>             case ASN1_SEQUENCE:
>>>                 err = parse_asn1_length(&asn1, &len);
>>>                 if (!err) {
>>>                     err = parse_ASN1_Sequence(asn1, ocsp_urls, nocsp_urls, p);
>>>                 }
>>>             break;
>>>             case ASN1_OID:
>>>                 err = parse_ASN1_OID(asn1,ocsp_urls,nocsp_urls, p);
>>>                 return err;
>>>             break;
>>>             default:
>>>                 err = 1; /* we shouldn't have any errors */
>>>             break;
>>>         }
>>>         asn1+=len;
>>>     }
>>>     return err;
>>> }
>>>
>>> /* the main function that gets the ASN1 encoding string and returns
>>>    a pointer to a NULL terminated "array" of char *, that contains
>>>    the ocsp_urls */
>>> static char **decode_OCSP_url(ASN1_OCTET_STRING *os, apr_pool_t *p)
>>> {
>>>     printf("decode_OCSP_url\n");
>>>
>>>     char **response = NULL;
>>>     unsigned char *ocsp_urls;
   int len, numofresponses = 0 ; >>> >>>     len = ASN1_STRING_length(os); >>> >>>     ocsp_urls = apr_palloc(p,  len + 1); >>>     memcpy(ocsp_urls,os->data, len); >>>     ocsp_urls[len] = '\0'; >>> >>>     if ((response = apr_pcalloc(p, sizeof(char *))) == NULL) >>>         return NULL; >>>     if (parse_ASN1_Sequence(ocsp_urls, &response, &numofresponses, p)) >>>         response = NULL; >>>     return response; >>> } >>> >>> >>> /* stolen from openssl ocsp command */ >>> static int add_ocsp_cert(OCSP_REQUEST *req, X509 *cert, X509 *issuer) >>> { >>>       printf("add_ocsp_cert\n"); >>> OCSP_CERTID *id; >>> >>>     if (!issuer) >>>         return 0; >>>     id = OCSP_cert_to_id(NULL, cert, issuer); >>>     if (!id) >>>         return 0; >>>     if (!OCSP_request_add0_id(req, id)) { >>>         OCSP_CERTID_free(id); >>>         return 0; >>>     } else { >>>         /* id will be freed by OCSP_REQUEST_free() */ >>>         return 1; >>>     } >>> } >>> >>> >>> /* Creates the APR socket and connect to the hostname. Returns the >>>    socket or NULL if there is an error. >>> */ >>> static apr_socket_t *make_socket(char *hostname, int port, apr_pool_t >>> *mp) >>> { >>>      printf("*make_socket\n"); >>> apr_sockaddr_t *sa_in; >>>     apr_status_t status; >>>     apr_socket_t *sock = NULL; >>> >>> >>>     status = apr_sockaddr_info_get(&sa_in, hostname, APR_INET, port, >>> 0, mp); >>> >>>     if (status == APR_SUCCESS) >>>         status = apr_socket_create(&sock, sa_in->family, SOCK_STREAM, >>> APR_PROTO_TCP, mp); >>>     if (status == APR_SUCCESS) >>>         status = apr_socket_connect(sock, sa_in); >>> >>>     if (status == APR_SUCCESS) >>>         return sock; >>>     return NULL; >>> } >>> >>> >>> /* Creates the request in a memory BIO in order to send it to the >>> OCSP server. 
>>>    Most parts of this function are taken from mod_ssl support for >>> OCSP (with some >>>    minor modifications >>> */ >>> static BIO *serialize_request(OCSP_REQUEST *req, char *host, int >>> port, char *path) >>> { >>>     printf("serialize_request\n"); >>> BIO *bio; >>>     int len; >>> >>>     len = i2d_OCSP_REQUEST(req, NULL); >>> >>>     bio = BIO_new(BIO_s_mem()); >>> >>>     BIO_printf(bio, "POST %s HTTP/1.0\r\n" >>>       "Host: %s:%d\r\n" >>>       "Content-Type: application/ocsp-request\r\n" >>>       "Content-Length: %d\r\n" >>>       "\r\n", >>>       path, host, port, len); >>> >>>     if (i2d_OCSP_REQUEST_bio(bio, req) != 1) { >>>         BIO_free(bio); >>>         return NULL; >>>     } >>> >>>     return bio; >>> } >>> >>> >>> /* Send the OCSP request to the OCSP server. Taken from mod_ssl OCSP >>> support */ >>> static int ocsp_send_req(apr_socket_t *sock, BIO *req) >>> { >>>     printf("ocsp_send_req\n"); >>> int len; >>>     char buf[TCN_BUFFER_SZ]; >>>     apr_status_t rv; >>> >>>     while ((len = BIO_read(req, buf, sizeof buf)) > 0) { >>>         char *wbuf = buf; >>>         apr_size_t remain = len; >>> >>>         do { >>>             apr_size_t wlen = remain; >>>             rv = apr_socket_send(sock, wbuf, &wlen); >>>             wbuf += remain; >>>             remain -= wlen; >>>         } while (rv == APR_SUCCESS && remain > 0); >>> >>>         if (rv != APR_SUCCESS) { >>>             return 0; >>>         } >>>     } >>> >>>     return 1; >>> } >>> >>> >>> >>> /* Parses the buffer from the response and extracts the OCSP response. 
>>>    Taken from openssl library */ >>> static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len) >>> { >>>  printf("parse_ocsp_resp\n"); >>>    BIO *mem = NULL; >>>     char tmpbuf[1024]; >>>     OCSP_RESPONSE *resp = NULL; >>>     char *p, *q, *r; >>>     int retcode; >>> >>>     mem = BIO_new(BIO_s_mem()); >>>     if(mem == NULL) >>>         return NULL; >>> >>>     BIO_write(mem, buf, len);  /* write the buffer to the bio */ >>>     if (BIO_gets(mem, tmpbuf, 512) <= 0) { >>> #if OPENSSL_VERSION_NUMBER < 0x10100000L >>>         >>> OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR); >>> #endif >>>         goto err; >>>     } >>>     /* Parse the HTTP response. This will look like this: >>>      * "HTTP/1.0 200 OK". We need to obtain the numeric code and >>>      * (optional) informational message. >>>      */ >>> >>>     /* Skip to first white space (passed protocol info) */ >>>     for (p = tmpbuf; *p && !apr_isspace(*p); p++) >>>         continue; >>>     if (!*p) { >>>         goto err; >>>     } >>>     /* Skip past white space to start of response code */ >>>     while (apr_isspace(*p)) >>>         p++; >>>     if (!*p) { >>>         goto err; >>>     } >>>     /* Find end of response code: first whitespace after start of >>> code */ >>>     for (q = p; *q && !apr_isspace(*q); q++) >>>         continue; >>>     if (!*q) { >>>         goto err; >>>     } >>>     /* Set end of response code and start of message */ >>>     *q++ = 0; >>>     /* Attempt to parse numeric code */ >>>     retcode = strtoul(p, &r, 10); >>>     if (*r) >>>         goto err; >>>     /* Skip over any leading white space in message */ >>>     while (apr_isspace(*q)) >>>         q++; >>>     if (*q) { >>>         /* Finally zap any trailing white space in message (include >>> CRLF) */ >>>         /* We know q has a non white space character so this is OK */ >>>         for(r = q + strlen(q) - 1; apr_isspace(*r); r--) *r = 0; >>>     } >>>     if (retcode != 200) { >>>   
      goto err; >>>     } >>>     /* Find blank line marking beginning of content */ >>>     while (BIO_gets(mem, tmpbuf, 512) > 0) { >>>         for (p = tmpbuf; apr_isspace(*p); p++) >>>             continue; >>>         if (!*p) >>>             break; >>>     } >>>     if (*p) { >>>         goto err; >>>     } >>>     if (!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) { >>>         goto err; >>>     } >>> err: >>>     /* XXX No error logging? */ >>>     BIO_free(mem); >>>     return resp; >>> } >>> >>> >>> /* Reads the response from the APR socket to a buffer, and parses the >>> buffer to >>>    return the OCSP response  */ >>> #define ADDLEN 512 >>> static OCSP_RESPONSE *ocsp_get_resp(apr_pool_t *mp, apr_socket_t *sock) >>> { >>>      printf("ocsp_get_resp\n"); >>> int buflen; >>>     apr_size_t totalread = 0; >>>     apr_size_t readlen; >>>     char *buf, tmpbuf[ADDLEN]; >>>     apr_status_t rv = APR_SUCCESS; >>>     apr_pool_t *p; >>>     OCSP_RESPONSE *resp; >>> >>>     apr_pool_create(&p, mp); >>>     buflen = ADDLEN; >>>     buf = apr_palloc(p, buflen); >>>     if (buf == NULL) { >>>         apr_pool_destroy(p); >>>         return NULL; >>>     } >>> >>>     while (rv == APR_SUCCESS ) { >>>         readlen = sizeof(tmpbuf); >>>         rv = apr_socket_recv(sock, tmpbuf, &readlen); >>>         if (rv == APR_SUCCESS) { /* if we have read something .. 
we >>> can put it in the buffer*/ >>>             if ((totalread + readlen) >= buflen) { >>>                 buf = apr_xrealloc(buf, buflen, buflen + ADDLEN, p); >>>                 if (buf == NULL) { >>>                     apr_pool_destroy(p); >>>                     return NULL; >>>                 } >>>                 buflen += ADDLEN; /* if needed we enlarge the buffer */ >>>             } >>>             memcpy(buf + totalread, tmpbuf, readlen); /* the copy to >>> the buffer */ >>>             totalread += readlen; /* update the total bytes read */ >>>         } >>>         else { >>>             if (rv == APR_EOF && readlen == 0) >>>                 ; /* EOF, normal situation */ >>>             else if (readlen == 0) { >>>                 /* Not success, and readlen == 0 .. some error */ >>>                 apr_pool_destroy(p); >>>                 return NULL; >>>             } >>>         } >>>     } >>> >>>     resp = parse_ocsp_resp(buf, buflen); >>>     apr_pool_destroy(p); >>>     return resp; >>> } >>> >>> /* Creates and OCSP request and returns the OCSP_RESPONSE */ >>> static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, X509 *cert, >>> X509 *issuer, char *url) >>> { >>>        printf("get_ocsp_response\n"); >>> OCSP_RESPONSE *ocsp_resp = NULL; >>>     OCSP_REQUEST *ocsp_req = NULL; >>>     BIO *bio_req; >>>     char *hostname, *path, *c_port; >>>     int port, use_ssl; >>>     int ok = 0; >>>     apr_socket_t *apr_sock = NULL; >>>     apr_pool_t *mp; >>> >>>     if (OCSP_parse_url(url,&hostname, &c_port, &path, &use_ssl) == 0 ) >>>         goto end; >>> >>>     if (sscanf(c_port, "%d", &port) != 1) >>>         goto end; >>> >>>     /* Create the OCSP request */ >>>     ocsp_req = OCSP_REQUEST_new(); >>>     if (ocsp_req == NULL) >>>         goto end; >>> >>>     if (add_ocsp_cert(ocsp_req,cert,issuer) == 0 ) >>>         goto free_req; >>> >>>     /* create the BIO with the request to send */ >>>     bio_req = serialize_request(ocsp_req, hostname, 
port, path); >>>     if (bio_req == NULL) { >>>         goto free_req; >>>     } >>> >>>     apr_pool_create(&mp, p); >>>     apr_sock = make_socket(hostname, port, mp); >>>     if (apr_sock == NULL) { >>>         goto free_bio; >>>     } >>> >>>     ok = ocsp_send_req(apr_sock, bio_req); >>>     if (ok) { >>>         ocsp_resp = ocsp_get_resp(mp, apr_sock); >>>     } >>>     apr_socket_close(apr_sock); >>> >>> free_bio: >>>     BIO_free(bio_req); >>>     apr_pool_destroy(mp); >>> >>> free_req: >>>     OCSP_REQUEST_free(ocsp_req); >>> >>> end: >>>     OPENSSL_free(hostname); >>>     OPENSSL_free(c_port); >>>     OPENSSL_free(path); >>> >>>     return ocsp_resp; >>> } >>> >>> /* Process the OCSP_RESPONSE and returns the corresponding >>>    answert according to the status. >>> */ >>> static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 >>> *cert, X509 *issuer) >>> { >>>        printf("process_ocsp_response\n"); >>> int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i; >>>     OCSP_BASICRESP *bs; >>>     OCSP_SINGLERESP *ss; >>>     OCSP_CERTID *certid; >>> >>>     r = OCSP_response_status(ocsp_resp); >>> >>>     if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) { >>>         return OCSP_STATUS_UNKNOWN; >>>     } >>>     bs = OCSP_response_get1_basic(ocsp_resp); >>> >>>     certid = OCSP_cert_to_id(NULL, cert, issuer); >>>     if (certid == NULL) { >>>         return OCSP_STATUS_UNKNOWN; >>>     } >>>     ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find >>> by serial number and get the matching response */ >>> >>> >>>     i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL); >>>     if (i == V_OCSP_CERTSTATUS_GOOD) >>>         o =  OCSP_STATUS_OK; >>>     else if (i == V_OCSP_CERTSTATUS_REVOKED) >>>         o = OCSP_STATUS_REVOKED; >>>     else if (i == V_OCSP_CERTSTATUS_UNKNOWN) >>>         o = OCSP_STATUS_UNKNOWN; >>> >>>     /* we clean up */ >>>     OCSP_CERTID_free(certid); >>>     OCSP_BASICRESP_free(bs); >>>     return o; >>> } >>> >>> static int 
ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX >>> *ctx) >>> { >>>      printf("ssl_ocsp_request\n"); >>>    char **ocsp_urls = NULL; >>>     int nid; >>>     X509_EXTENSION *ext; >>>     ASN1_OCTET_STRING *os; >>>     apr_pool_t *p; >>> >>>     apr_pool_create(&p, NULL); >>> >>>     /* Get the proper extension */ >>>     nid = X509_get_ext_by_NID(cert,NID_info_access,-1); >>>     if (nid >= 0 ) { >>>         ext = X509_get_ext(cert,nid); >>>         os = X509_EXTENSION_get_data(ext); >>> >>>         ocsp_urls = decode_OCSP_url(os, p); >>>     } >>>      printf("OCSP request\n"); >>> >>>     /* if we find the extensions and we can parse it check >>>        the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */ >>>     if (ocsp_urls != NULL) { >>>     printf("ocsp url not null\n"); >>>         OCSP_RESPONSE *resp; >>>         int rv = OCSP_STATUS_UNKNOWN; >>>         /* for the time being just check for the fist response .. a >>> better >>>            approach is to iterate for all the possible ocsp urls */ >>>         resp = get_ocsp_response(p, cert, issuer, ocsp_urls[0]); >>>         if (resp != NULL) { >>>             rv = process_ocsp_response(resp, cert, issuer); >>>         } else { >>>             /* correct error code for application errors? 
*/ >>>             X509_STORE_CTX_set_error(ctx, >>> X509_V_ERR_APPLICATION_VERIFICATION); >>>         } >>> >>>         if (resp != NULL) { >>>             OCSP_RESPONSE_free(resp); >>>             apr_pool_destroy(p); >>>             return rv; >>>         } >>>     } >>>     apr_pool_destroy(p); >>>     return OCSP_STATUS_UNKNOWN; >>> } >>> >>> #endif /* HAVE_OCSP_STAPLING */ >>> #endif /* HAVE_OPENSSL  */ >>> >>> >>> >>> >>> -----------------------------------------tomcat log >>> 27-May-2019 14:15:59.727 INFO [main] >>> org.apache.catalina.startup.Catalina.start Server startup in 31619 ms >>>  SSL_init_app_data_idx >>> Hi OCSP >>> ssl_set_app_data3 >>> ssl_set_app_data4 >>> ssl_set_app_data2 >>> ssl_get_app_data3 >>> ssl_get_app_data4 >>> ssl_get_app_data4 >>> SSL_dh_GetParamFromFile >>> SSL_ec_GetParamFromFile >>> SSL_CTX_use_certificate_chain >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake 
SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> 
SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake 
>>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_next_protos >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_next_protos >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> 
SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_next_protos >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> 
SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_next_protos >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> select_next_proto >>> 
SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callback_alpn_select_proto >>> 
select_next_proto >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_callbac
>>>
>>> ________________________________
>>> From: Усманов Азат Анварович
>>> Sent: 24 May 2019 7:21
>>> To: Tomcat Users List
>>> Subject: Re: OCSP with openSSL
>>>
>>> Chris,
>>> Yes the version is the same in
>>> /usr/local/openssl/bin/openssl as well.
>>> It is the same version Tomcat uses, I get this info in the logs
>>>
>>> 23-May-2019 12:55:42.145 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
>>> ________________________________
>>> From: Christopher Schultz
>>> Sent: 23 May 2019 18:04:29
>>> To: Усманов Азат Анварович
>>> Subject: Re: OCSP with openSSL
>>>
>>> Азат,
>>>
>>> On 5/22/19 14:02, Усманов Азат Анварович wrote:
>>>> [root] ~# openssl version
>>>> OpenSSL 1.1.1a  20 Nov 2018
>>>
>>> Great. Is this also the same version in /usr/local/openssl/bin/openssl?
>>>
>>>> [root] ~# openssl  ocsp -help
>>>> Usage: ocsp [options]
>>>
>>> Excellent.
>>>
>>> When you launch Tomcat, are you getting a message about the version of
>>> OpenSSL in use, and does it agree with above?
>>>
>>> AFAIK, OCSP is enabled by default in libtcnative. There were some posts
>>> a few months/years ago about someone trying to get it to work, and
>>> having to edit the JVM's security.properties file and all kinds of weird
>>> stuff. I must admit it didn't make any sense to me at the time. I'm
>>> sorry, but I don't personally have any experience with dealing with
>>> OCSP, but hopefully this additional information will give someone else
>>> some good info.
>>>
>>> -chris
>>>
>>>> ________________________________
>>>> From: Christopher Schultz
>>>> Sent: 22 May 2019 19:45
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: OCSP with openSSL
>>>>
>>>> Усманов,
>>>>
>>>> On 5/22/19 07:28, Усманов Азат Анварович wrote:
>>>>> Mark, I installed it just by downloading the tcnative src tar.gz
>>>>> file from the tomcat website and issued ./configure
>>>>> --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79
>>>>> -with-ssl=/usr/local/openssl && make && make install && make clean
>>>>> I'm not sure how to specify any ocsp related configure options
>>>>> when building tomcat native from source
>>>>
>>>> What is your OpenSSL version and capabilities?
>>>>
>>>> $ openssl version
>>>>
>>>> $ openssl -help
>>>>
>>>> $ openssl ocsp -help
>>>>
>>>> -chris
>>>>
>>>>> ________________________________
>>>>> From: Mark Thomas
>>>>> Sent: 22 May 2019 13:41
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: OCSP with openSSL
>>>>>
>>>>> On 22/05/2019 11:28, Усманов Азат Анварович wrote:
>>>>>> Hi everyone! I have a web app running on tomcat and java 7 using
>>>>>> apr for TLS related issues. I'm still unable to have OCSP
>>>>>> verification working with tomcat.
>>>>>>
>>>>>> I have tried running tcpdump on the server but don't see any
>>>>>> Comodo related IP addresses in the output when I access the
>>>>>> server in question in the browser. At this point I don't know
>>>>>> what else to do. If it was java I would just put some
>>>>>> System.out.println statements in OCSP SSL related source code and
>>>>>> recompile the tomcat source, but since in my case tomcat uses
>>>>>> OpenSSL and tomcat native I'm not sure how/where to do that. The
>>>>>> only place I found in the TC-native source that mentions OCSP
>>>>>> is the sslutils.c source file. I'm not sure when/if it actually
>>>>>> gets called in my case. Maybe someone with more C/C++ experience
>>>>>> would help me with that. I really want to get to the bottom
>>>>>> of this. Any help is appreciated. My tomcat version is 8.5.39 APR
>>>>>> based Apache Tomcat Native library [1.2.21] using APR version
>>>>>> [1.6.5]. Openssl version is [OpenSSL 1.1.1a  20 Nov 2018] OS:
>>>>>> Linux RHEL 6.6
>>>>>
>>>>> How did you build the Tomcat Native library? Was OCSP enabled?
>>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
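Chris's `openssl ocsp -help` suggestion leads naturally to checking a certificate against its responder by hand, independently of whatever tcnative does or does not do. The script below is an added example written for this archive page, not code from the thread, from Tomcat or from tomcat-native. It assumes hypothetical file names `server.pem` (the certificate to check) and `issuer.pem` (its issuer, also used as the trust anchor for the responder's signature); the three sample outputs are constructed in the format the `openssl ocsp` command prints, so the verdict parser can be exercised offline. The point a practitioner should take from it is the last sample: a status line of `good` is only meaningful when the response signature verified, so the parser reports `unverified` before it ever looks at the status.

```shell
#!/bin/sh
# Added example, not code from the thread: a manual OCSP check with the
# openssl CLI, split into (1) find the responder, (2) query it, (3) read the
# verdict. File names server.pem / issuer.pem are hypothetical placeholders.

# 1. Responder URI from the certificate's Authority Information Access extension.
ocsp_uri_of_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# 2. Ask the responder about one certificate. -CAfile makes openssl verify the
#    responder's signature; without a verified signature the status is not
#    evidence of anything. Returns 2 when the cert carries no responder URI.
#    This is the only function that touches the network.
ocsp_query() {
    cert=$1
    issuer=$2
    uri=$(ocsp_uri_of_cert "$cert")
    [ -n "$uri" ] || return 2
    openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$issuer" -url "$uri" 2>&1
}

# 3. Reduce openssl ocsp output to one word: good | revoked | unknown | unverified.
#    Returns 0 only for a verified "good" answer, so callers can use it as a test.
ocsp_verdict() {
    if ! printf '%s\n' "$1" | grep -q '^Response verify OK'; then
        echo unverified      # signature check failed or responder unreachable
        return 1
    fi
    # The status line has the form "<certfile>: good|revoked|unknown".
    status=$(printf '%s\n' "$1" | awk '/^[^: ]+: (good|revoked|unknown)$/ { print $2; exit }')
    case $status in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 1 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# Constructed sample outputs in the format openssl ocsp prints, for offline use.
SAMPLE_GOOD='Response verify OK
server.pem: good
    This Update: Jun 17 10:00:00 2019 GMT
    Next Update: Jun 24 10:00:00 2019 GMT'

SAMPLE_REVOKED='Response verify OK
server.pem: revoked
    This Update: Jun 17 10:00:00 2019 GMT
    Reason: keyCompromise
    Revocation Time: Jun 10 09:00:00 2019 GMT'

# A response whose signature did not verify (error detail lines omitted):
# the "good" below must be ignored, which is what ocsp_verdict does.
SAMPLE_UNVERIFIED='Response Verify Failure
server.pem: good'

# Usage: ./ocsp_check.sh server.pem issuer.pem   (performs the network query)
# With no arguments only the constructed offline samples are evaluated.
if [ $# -eq 2 ]; then
    ocsp_verdict "$(ocsp_query "$1" "$2")"
else
    for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_UNVERIFIED"; do
        ocsp_verdict "$s" || true
    done
fi
```

Run with the two file names to query the responder named in the certificate; the exit status of `ocsp_verdict` is 0 only for a verified `good`, so the script can be chained into a monitoring job. If the responder is never contacted at all, as the tcpdump observation in the thread describes, running this by hand at least confirms whether the certificate and issuer pair, the responder URI and the network path are all sound before digging further into the native library.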