What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
tomat to do CLIENT certificate revocation checking via OCSP in Tomcat
8.5.38 using Openssl ?
I'm sure I'm missing something simple and obvious (once pointed out) but
I've been struggling with this all morning).
1) using Openssl (the tc-native-1.dll binary for Windows, compiled w OCSP
support - the X64 dll from
tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip)
(will this even work with NIO2 ? - I don't HAVE to use NIO2)
(i'd prefer to have this working with OpenSSl for a couple of reasons).
(extra points for a configuration to allow it to use Axways (formerly
Tumbleweed) Desktop Validator for its OCSP-caching features).
2) using JSSE (java 8 (1.8.0_202)) with the NIO2 connector
(I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java
options for the tomat service).
I can't see anything indicating OCSP checks in the logs for either.
(when the tc-native-1.dll is present, the logs show it being used:
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
Loaded APR based Apache Tomcat Native library [1.2.21] using APR version
[1.6.5].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
OpenSSL successfully initialized [OpenSSL 1.1.1a 20 Nov 2018]
INFO [main]
org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol
The ["https-openssl-nio2-192.168.1.16-443"] connector has been configured
to support negotiation to [h2] via ALPN
INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
ProtocolHandler ["https-openssl-nio2-192.168.1.16-443"]
)
for JSSE, by adding -Djavax.net.debug=ssl to the Java Options for the
tomcat service I see logging for key & trust stores being loaded, etc. in
tomcat8-stdout(date).log
the server requesting a client cert, the Client cert being received and
finding a trusted root for it ("Found trusted certificate:"),
but nothing about revocation checking....
(I do see:
check handshake state: certificate_verify[15]
update handshake state: certificate_verify[15]
but I'm not sure that's revocation checking...).
for OpenSLL, I'mnot sure how to enable equivalent logging....by enabling
pretty much ALL the logging
org.apache.coyote.http2.level=ALL
org.apache.level=ALL
org.apache.catalina.session.level=ALL
I can see the truststore ("Added client CA cert") being loaded but not much
else about certificates.
Wireshark shows me OCSP calls for the SERVER cert, presumable from the
browswer (fireFox).
(I'm testing this on a personal computer, tomcat and browser on the same
computer).
If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing them.
the Connector part of the server xml.config file is (ip address and server
name etc removed):
<Connector
address="a.b.c.d"
port="443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
>
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
/>
<SSLHostConfig
protocols="+TLSv1.2+TLSv1.3"
honorCipherOrder="true"
certificateVerification="REQUIRED"
truststoreFile="C:/certs/trustStore.pfx"
truststoreType="PKCS12"
truststorePassword="abcdef"
>
<Certificate
certificateKeystoreFile="C:/certs/(server).pfx"
certificateKeystoreType="PKCS12"
certificateKeystorePassword="abcdef"
/>
</SSLHostConfig>
</Connector>
