Subject: Re: OCSP Connector on Tomcat 8.5 not working
From: Mark Thomas <markt@apache.org>
To: users@tomcat.apache.org
Date: Fri, 21 Jun 2019 16:44:24 +0100
Message-ID: <6c371c61-b006-4a8f-a04b-a44b2f82fd17@apache.org>

On 21/06/2019 16:31, Michael Magnuson wrote:
> Hmm. It's still not working at all for me.

Can you post your SSL connector configuration?

Mark

> ________________________________
> From: Mark Thomas
> Sent: Thursday, June 20, 2019 11:36 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 20/06/2019 18:50, Mark Thomas wrote:
>> On 20/06/2019 18:27, Michael Magnuson wrote:
>>> Thanks Mark. A couple of clarifications on your example first. You don't list the clientAuth= attribute. I assume this was a simple oversight.
>>
>> It is replaced by certificateVerification="required"
>>
>>> You list the SSLEnabled="true" attribute twice. Should one of these be secure="true"?
>>
>> It should.
>>
>>> For the certificateVerification= attribute, is the correct syntax "require" or "required"?
>>
>> "required"
>>
>> Setting up an OCSP responder locally is next on my TODO list. I'll
>> report back with the results.
>
> Works as expected.
>
> Mark
>
>> Mark
>>
>>> Thanks,
>>> Mike
>>>
>>> ________________________________
>>> From: Mark Thomas
>>> Sent: Thursday, June 20, 2019 10:00 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>
>>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>>> Mark,
>>>>
>>>> Thank you for your replies and help.
>>>>
>>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>>
>>> Let's assume it has been. I think that is a safe assumption for now.
>>>
>>>> Removing the element had no negative effect. I originally put it in there following this guide:
>>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>>
>>> Hmm. We might need to revisit that. It looks "odd".
>>>
>>>> Without the trustStore attributes, it prompts for the smart card PIN and you can select the cert you want to use, but then it doesn't do anything from there. With those attributes present, Tomcat serves up the expected page after PIN+cert.
>>>
>>> Interesting. That suggests Tomcat is using the trustStore to validate
>>> the client certs.
>>>
>>> I've looked at this again and the config is more mixed up than I first
>>> realised. Let's get that fixed first.
>>>
>>>> Changing clientAuth to "required" from "want" has no effect either way.
>>>
>>> OK. Let's leave it on required for now since that takes one variable out
>>> of the equation.
>>>
>>> Back to the config. I'm going to try and convert everything to the new
>>> style format.
>>>
>>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>            maxThreads="150"
>>>            SSLEnabled="true"
>>>            scheme="https"
>>>            SSLEnabled="true">
>>>     <SSLHostConfig certificateVerification="required"
>>>                    caCertificateFile="path_to_ca_file">
>>>         <Certificate certificateKeyFile="path_to_server.key"
>>>                      certificateKeyPassword="password"
>>>                      certificateChainFile="path_to_chain" />
>>>     </SSLHostConfig>
>>> </Connector>
>>>
>>> I have removed settings that are the same as the defaults.
>>> SSLCertificateChainFile isn't a recognised attribute.
>>>
>>> I opted for the OpenSSL style store for trusted CA certs. That probably
>>> means you need to export the trusted certs from your trustStoreFile to a
>>> PEM encoded file for caCertificateFile.
>>>
>>> For the purposes of the test, you only need to export the cert that
>>> issued the cert used by the client.
>>>
>>> I'm wondering if the slightly odd trust store config was causing
>>> problems. We really need more logging in Tomcat Native to figure that
>>> sort of thing out.
>>>
>>> I also think I need to get OCSP working with client certs locally so I
>>> can test it as well. I'll add that to my TODO list.
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
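The thread above converges on three fixes to the connector: one of the two SSLEnabled="true" attributes should be secure="true", the verification value is "required" rather than "require", and old-style Connector attributes (clientAuth, truststoreFile and friends) should not be mixed with an explicit <SSLHostConfig>. The following is an editor's example, not code from the Tomcat project or from anyone in the thread: a small lint for a server.xml <Connector> fragment that catches exactly those mistakes, plus the case where certificateVerification is left at its default of "none" (Tomcat then never asks for a client certificate, so no revocation or OCSP check of any kind can happen). The three sample fragments are constructed for the example; the port and file paths are placeholders, and the list of old-style attribute names is the editor's subset of the Tomcat 8.5 configuration reference, not an exhaustive list.

```python
"""Lint a Tomcat 8.5 <Connector> fragment for the TLS / client-certificate
mistakes discussed in this thread.

Editor's example, not Tomcat project code. Attribute names follow the
Tomcat 8.5 configuration reference; LEGACY_ATTRS is a subset chosen for
this check, not the complete set of deprecated Connector attributes.
"""
import xml.etree.ElementTree as ET

# Old-style attributes that Tomcat 8.5 migrates into an implicit default
# <SSLHostConfig>. Combining them with an explicit <SSLHostConfig> gives two
# host configs for the default host name, which Tomcat rejects at start-up.
LEGACY_ATTRS = {
    "clientAuth", "keystoreFile", "keystorePass", "keyAlias",
    "truststoreFile", "truststorePass",
    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile",
    "SSLVerifyClient", "SSLVerifyDepth", "SSLPassword",
}
VERIFICATION_VALUES = {"none", "optional", "optionalNoCA", "required"}
TRUST_SOURCES = ("caCertificateFile", "caCertificatePath", "truststoreFile")


def lint_connector(xml_text):
    """Return a list of (code, message) findings for one <Connector>.

    An empty list means none of the checks fired; it does not prove the
    connector works, only that the mistakes from the thread are absent.
    """
    findings = []
    try:
        connector = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # A repeated attribute (SSLEnabled="true" twice) is not well-formed
        # XML, so server.xml is rejected before any Tomcat code sees it.
        return [("not-well-formed", str(err))]
    if connector.tag != "Connector":
        return [("not-a-connector", "root element is <%s>" % connector.tag)]

    attrs = connector.attrib
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing TLS-related to check

    # secure/scheme do not affect TLS itself, but without them
    # request.isSecure() and request.getScheme() misreport to the webapp.
    for name, want in (("secure", "true"), ("scheme", "https")):
        if attrs.get(name) != want:
            findings.append(("missing-" + name,
                             '%s="%s" is not set on an SSLEnabled connector'
                             % (name, want)))

    hosts = connector.findall("SSLHostConfig")
    legacy = sorted(LEGACY_ATTRS.intersection(attrs))
    if legacy and hosts:
        findings.append(("mixed-style",
                         "old-style attributes %s mixed with <SSLHostConfig>"
                         % legacy))

    for host in hosts:
        verify = host.get("certificateVerification", "none")
        if verify not in VERIFICATION_VALUES:
            findings.append(("bad-verification",
                             'certificateVerification="%s" is not one of %s'
                             % (verify, sorted(VERIFICATION_VALUES))))
        elif verify == "none":
            findings.append(("no-client-auth",
                             "certificateVerification is none: no client cert "
                             "is requested, so nothing is ever checked via OCSP"))
        elif not any(host.get(a) for a in TRUST_SOURCES):
            findings.append(("no-trust-anchor",
                             "certificateVerification=%s but none of %s is set"
                             % (verify, ", ".join(TRUST_SOURCES))))
        if not host.findall("Certificate"):
            findings.append(("no-certificate",
                             "<SSLHostConfig> has no <Certificate> child"))
    return findings


# Constructed samples (placeholder port and paths, not a real deployment).
# 1. The fragment from the thread with SSLEnabled="true" repeated.
MIXED_UP = """<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" SSLEnabled="true"
           clientAuth="required" truststoreFile="conf/truststore.jks">
  <SSLHostConfig certificateVerification="require"
                 caCertificateFile="path_to_ca_file"/>
</Connector>"""

# 2. Duplicate fixed to secure="true"; the other mistakes are still there.
STILL_MIXED = MIXED_UP.replace('scheme="https" SSLEnabled="true"',
                               'scheme="https" secure="true"')

# 3. New-style only, as the thread converges on it.
CORRECTED = """<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="required"
                 caCertificateFile="path_to_ca_file">
    <Certificate certificateFile="path_to_server.crt"
                 certificateKeyFile="path_to_server.key"
                 certificateKeyPassword="password"
                 certificateChainFile="path_to_chain"/>
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for label, fragment in (("mixed-up", MIXED_UP),
                            ("still-mixed", STILL_MIXED),
                            ("corrected", CORRECTED)):
        print(label + ":", lint_connector(fragment) or "no findings")
```

Run it on a pasted fragment before restarting Tomcat; the first sample fails outright with a "duplicate attribute" parse error, the second reports mixed-style, bad-verification and no-certificate, and the third reports nothing. The PEM file that caCertificateFile points at can be produced from the JKS trust store the thread mentions with keytool -exportcert -rfc -keystore truststore.jks -alias <alias-of-issuing-ca> -file ca.pem (the alias is whatever the CA was imported under; one certificate per alias, concatenated if more than one issuer is needed).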