tomcat-users mailing list archives

From Усманов Азат Анварович <usma...@ieml.ru>
Subject OCSP with openSSL
Date Wed, 22 May 2019 10:28:05 GMT
Hi everyone! I have a web app running on Tomcat and Java 7, using APR for TLS-related matters.
I'm still unable to get OCSP verification working with Tomcat. I'm NOT talking about
client-certificate based auth here, just the opposite: I want Tomcat to present its OCSP
status to the client (browser) when it connects to the server. Since the options in the OCSP
section of the Tomcat docs talk about client auth, I figured I don't need to add anything to my HTTPS
connector to get OCSP working. So here is my HTTPS connector:
    <Connector allowTrace="false" server=" " port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="350" SSLEnabled="true" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" compression="force">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="force" />
        <SSLHostConfig sessionCacheSize="50" honorCipherOrder="true" protocols="TLSv1.3+TLSv1.2"
                       ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256">
            <Certificate certificateKeyFile="/home/idis/server.key"
                         certificateFile="/home/idis/STAR_ieml_ru.crt"
                         certificateChainFile="/home/idis/authorities.crt"
                         type="RSA"/>
        </SSLHostConfig>
    </Connector>
Our certificate's OCSP responder address is http://ocsp.comodoca.com
I thought that my issues were caused by the fact that the server in question sits behind a
proxy, but I just tested OCSP stapling manually via the OpenSSL ocsp utility and it works properly
when invoked from the command line:
openssl ocsp -no_nonce -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: May 15 19:34:39 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: May 15 19:34:39 2019 GMT
    Next Update: May 22 19:34:39 2019 GMT

    Signature Algorithm: sha256WithRSAEncryption
         37:ee:ae:ed:35:ea:2f:f5:3c:d6:4e:4b:60:fd:5b:8b:f6:24:
         90:e4:da:11:d7:57:9c:22:d6:fe:53:2f:48:a3:cb:7a:1e:c0:
         82:70:28:c9:bb:d5:07:31:c3:33:d2:0b:09:12:96:68:ed:a1:
         3f:d7:d6:46:9d:dc:9a:d8:55:27:0b:5e:c2:56:fc:47:42:de:
         f0:e6:5f:75:f1:c0:b4:42:76:f4:e6:30:b9:a8:9a:75:8f:5f:
         0c:e6:5b:1e:6b:6d:8e:66:3c:7f:73:df:22:98:4d:40:aa:e1:
         d5:fb:27:8d:9b:e6:67:ae:40:3d:1f:29:da:23:7d:74:ad:b3:
         e6:76:f9:be:18:ad:df:be:ee:7d:1a:ab:26:5b:0c:4a:3b:d3:
         7e:f4:7d:c6:6d:f4:93:90:90:ec:25:b1:d1:4a:c8:1e:47:fb:
         67:5e:50:42:97:cf:26:2e:d4:21:9f:e1:4a:a9:a1:ba:8c:0a:
         0f:f6:1e:d8:2e:f7:25:32:89:c7:af:b7:81:39:9b:57:72:9c:
         28:1b:9d:b1:58:aa:e2:47:bc:f9:5b:23:d2:f2:cb:9d:ac:72:
         cf:d9:75:12:a2:94:c3:78:d6:59:f7:96:12:18:9a:3b:b8:84:
         d2:fd:b5:54:e7:4c:51:17:01:f2:0a:0d:fa:52:e7:5e:51:6a:
         d9:14:1a:e3
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
        This Update: May 15 19:34:39 2019 GMT
        Next Update: May 22 19:34:39 2019 GMT
However, when I test the server both manually and via the SSL Labs server test, OCSP stapling
still shows "no":
openssl s_client -connect debug.ieml.ru:8443 -tls1_2 -status
CONNECTED(00000004)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4966 bytes and written 318 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 47F268768C011706B01BA181164ADC7BE4452049E84BA24515CB4645B8717A15
    Session-ID-ctx:
    Master-Key: 87C245B1F3D8ABB69B14865AF0E650B395BFEEFB88FBC99D818439E7A60A31AADD83363D24AFFEA2A1CE14C3EDF2EA41
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 31 da bf fc ec 56 ef 77-8c 74 d8 df 15 51 b3 e8   1....V.w.t...Q..
    0010 - 69 3d 6d ba a7 5f 9c 15-3f 8f d7 e9 07 50 2b ca   i=m.._..?....P+.
    0020 - c1 f2 fd f2 7d 31 6d 52-25 16 31 45 71 c4 ef 75   ....}1mR%.1Eq..u
    0030 - 85 59 ea 14 a2 00 4a 4e-b1 c8 d7 90 32 c7 a0 3c   .Y....JN....2..<
    0040 - b5 11 e7 53 0a cc 8b 4a-26 fc fd fd e9 8c 77 12   ...S...J&.....w.
    0050 - b5 de 85 0c f1 d4 b9 ff-67 e6 5c c7 10 98 ab 20   ........g.\....
    0060 - 37 1d 95 75 09 77 76 5d-42 8f 46 96 63 c5 fa ea   7..u.wv]B.F.c...
    0070 - 58 e1 58 52 4c 07 17 c2-0b d0 64 5c 68 ce 5d 23   X.XRL.....d\h.]#
    0080 - dd 73 2c e3 83 50 fe 8f-7b f0 89 aa ee de a2 52   .s,..P..{......R
    0090 - 14 ba 68 5c 13 d7 6a b8-cc 07 73 9a 2e 11 b3 0d   ..h\..j...s.....
    00a0 - 7f 84 45 d4 8c fc a0 3a-8d f4 d9 39 48 6d bf 9c   ..E....:...9Hm..
    00b0 - 6d 7b ef 50 bc 0b e2 89-af 4e 8b 82 60 cf 22 64   m{.P.....N..`."d

    Start Time: 1558517267
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
read:errno=0
I have tried running tcpdump on the server but don't see any Comodo-related IP addresses
in the output when I access the server in question in the browser.
At this point I don't know what else to do. If it were Java I would just put some System.out.println
statements in the OCSP/SSL-related source code and recompile the Tomcat source, but since in my
case Tomcat uses OpenSSL and tomcat-native I'm not sure how/where to do that. The only place
I found in the tc-native source that mentions OCSP is the sslutils.c source file. I'm not sure
when/if it actually gets called in my case. Maybe someone with more C/C++ experience
could help me with that. I really want to get to the bottom of this. Any help is appreciated.
My Tomcat version is 8.5.39
APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
OpenSSL version is [OpenSSL 1.1.1a 20 Nov 2018]
OS: Linux RHEL 6.6
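Added example, not part of the original message and not Tomcat or tomcat-native code: the poster checks stapling by eye in the `openssl s_client -status` output and in the `openssl ocsp -text` output. The checker below parses that text (both tools print the same "OCSP Response Data" block) and reports whether a stapled response is present, says "good", is inside its This Update/Next Update window, and whether the client's chain verification succeeded. The three sample outputs are constructed, modelled on the ones quoted above; the function and constant names are this example's own.

```python
"""Checker for OCSP stapling as seen in `openssl s_client -status` output.

Hypothetical helper (not from Tomcat or tomcat-native). It parses the text
OpenSSL prints and returns a list of problems; an empty list means the server
stapled a fresh, "good" response and the chain verified.
"""
import re
from datetime import datetime, timezone

# OpenSSL prints timestamps like "May 15 19:34:39 2019 GMT"
_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

# Reference "now" for the samples: roughly when the quoted message was sent.
REFERENCE_TIME = datetime(2019, 5, 22, 10, 28, tzinfo=timezone.utc)


def parse_openssl_time(value):
    """Turn an OpenSSL GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(value.strip(), _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp_fields(text):
    """Pull the OCSP-relevant lines out of OpenSSL's text output."""
    info = {"stapled": None, "response_status": None, "cert_status": None,
            "this_update": None, "next_update": None, "verify_code": None}
    # s_client prints either "OCSP response: no response sent" or
    # "OCSP response:" followed by the decoded response block.
    m = re.search(r"^OCSP response:[ \t]*(.*)$", text, re.M)
    if m:
        info["stapled"] = m.group(1).strip() != "no response sent"
    m = re.search(r"OCSP Response Status:\s*(\w+)", text)
    if m:
        info["response_status"] = m.group(1)
    m = re.search(r"^[ \t]*Cert Status:\s*(\w+)", text, re.M)
    if m:
        info["cert_status"] = m.group(1)
    m = re.search(r"^[ \t]*This Update:\s*(.+)$", text, re.M)
    if m:
        info["this_update"] = parse_openssl_time(m.group(1))
    m = re.search(r"^[ \t]*Next Update:\s*(.+)$", text, re.M)
    if m:
        info["next_update"] = parse_openssl_time(m.group(1))
    # Chain verification result of the *client* (depends on its trust store).
    m = re.search(r"Verify return code:\s*(\d+)", text)
    if m:
        info["verify_code"] = int(m.group(1))
    return info


def evaluate(text, now):
    """Return (parsed fields, list of problems) for one OpenSSL run."""
    info = parse_ocsp_fields(text)
    problems = []
    if info["stapled"] is False:
        # Nothing else to judge: the server never sent a status_request reply.
        problems.append("no stapled OCSP response")
        return info, problems
    if info["response_status"] != "successful":
        problems.append("OCSP response status %s" % info["response_status"])
    if info["cert_status"] != "good":
        problems.append("certificate status %s" % info["cert_status"])
    if info["this_update"] and now < info["this_update"]:
        problems.append("OCSP response not yet valid")
    if info["next_update"] and now > info["next_update"]:
        problems.append("OCSP response expired")
    if info["verify_code"] not in (None, 0):
        problems.append("chain verification failed with code %d" % info["verify_code"])
    return info, problems


# Constructed sample: trimmed s_client output of the kind quoted in the message.
NO_STAPLE = """CONNECTED(00000004)
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample of what s_client -status prints when a response IS stapled.
STAPLED = """CONNECTED(00000004)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: May 15 19:34:39 2019 GMT
    Next Update: May 22 19:34:39 2019 GMT
======================================
---
    Verify return code: 0 (ok)
"""

# Constructed sample: same shape, but the CA reports the certificate revoked.
REVOKED = STAPLED.replace(
    "Cert Status: good",
    "Cert Status: revoked\n    Revocation Time: May 20 08:00:00 2019 GMT")

if __name__ == "__main__":
    for name, sample in (("no stapling", NO_STAPLE), ("stapled", STAPLED),
                         ("revoked", REVOKED)):
        _, problems = evaluate(sample, REFERENCE_TIME)
        print("%-12s -> %s" % (name, problems or "OK"))
```

Feed it the saved output of `openssl s_client -connect host:port -status -CAfile chain.pem </dev/null`; passing the issuer chain matters, because the "unable to get local issuer certificate" (code 20) in the quoted run comes from the client's trust store not containing the root, not from anything the server sent, and without `-CAfile` the check would blame the wrong side. Run it from cron against the reference time `datetime.now(timezone.utc)` and alert on a non-empty list: a stapled response that is past its Next Update is as bad as none, and "revoked" must never be treated as merely a warning.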