tomcat-users mailing list archives

From Усманов Азат Анварович <usma...@ieml.ru>
Subject Re: OCSP with openSSL
Date Fri, 24 May 2019 04:21:14 GMT


Chris,
Yes, the version is the same in
/usr/local/openssl/bin/openssl as well.
It is the same version Tomcat uses; I get this info in the logs:

23-May-2019 12:55:42.145 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
________________________________
From: Christopher Schultz <chris@christopherschultz.net>
Sent: 23 May 2019, 18:04:29
To: Усманов Азат Анварович
Subject: Re: OCSP with openSSL

Азат,

On 5/22/19 14:02, Усманов Азат Анварович wrote:
> [root] ~# openssl version
> OpenSSL 1.1.1a  20 Nov 2018

Great. Is this also the same version in /usr/local/openssl/bin/openssl?

> [root] ~# openssl  ocsp -help
> Usage: ocsp [options]

Excellent.

When you launch Tomcat, are you getting a message about the version of
OpenSSL in use, and does it agree with above?

AFAIK, OCSP is enabled by default in libtcnative. There were some posts
a few months/years ago about someone trying to get it to work, and
having to edit the JVM's security.properties file and all kinds of weird
stuff. I must admit it didn't make any sense to me at the time. I'm
sorry, but I don't personally have any experience with dealing with
OCSP, but hopefully this additional information will give someone else
some good info.

-chris

> ________________________________
> From: Christopher Schultz <chris@christopherschultz.net>
> Sent: 22 May 2019, 19:45
> To: users@tomcat.apache.org
> Subject: Re: OCSP with openSSL
>
> Усманов,
>
> On 5/22/19 07:28, Усманов Азат Анварович wrote:
>> Mark, I installed it just by downloading tcnative src tar.gz
>> file from tomcat website and issued ./configure
>> --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79
>> -with-ssl=/usr/local/openssl && make && make install && make clean
>> I'm not sure how to specify any ocsp related configure options
>> when building tomcat native from source
>
> What is your OpenSSL version and capabilities?
>
> $ openssl version
>
> $ openssl -help
>
> $ openssl ocsp -help
>
> -chris
>
>> ________________________________
>> From: Mark Thomas <markt@apache.org>
>> Sent: 22 May 2019, 13:41
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP with openSSL
>
>> On 22/05/2019 11:28, Усманов Азат Анварович wrote:
>>> Hi everyone! I have a web app running on Tomcat and Java 7 using
>>> APR for TLS-related issues. I'm still unable to have OCSP
>>> verification working with Tomcat.
>
>> <snip/>
>
>>> I have tried running tcpdump on the server but don't see any
>>> Comodo-related IP addresses in the output when I access the
>>> server in question in the browser. At this point I don't know
>>> what else to do. If it was Java I would just put some
>>> System.out.println statements in OCSP SSL-related source code and
>>> recompile the Tomcat source, but since in my case Tomcat uses
>>> OpenSSL and Tomcat Native I'm not sure how/where to do that. The
>>> only place I found in the TC-native source that mentions OCSP
>>> is the sslutils.c source file. I'm not sure when/if it actually
>>> gets called in my case. Maybe someone with more C/C++ experience
>>> would help me with that. I really want to get to the bottom
>>> of this. Any help is appreciated. My Tomcat version is 8.5.39, APR
>>> based Apache Tomcat Native library [1.2.21] using APR version
>>> [1.6.5]. OpenSSL version is [OpenSSL 1.1.1a  20 Nov 2018]. OS:
>>> Linux RHEL 6.6
>
>> How did you build the Tomcat Native library? Was OCSP enabled?
>
>> Mark
>
>> ---------------------------------------------------------------------
>
>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>

