What, if anything, needs to be configured to ENABLE (preferably REQUIRE) Tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat 8.5.38 using OpenSSL?
I'm sure I'm missing something simple and obvious (once pointed out), but I've been struggling with this all morning.

1) Using OpenSSL (the tc-native-1.dll binary for Windows, compiled with OCSP support: the x64 DLL from tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip). (Will this even work with NIO2? I don't HAVE to use NIO2.) (I'd prefer to have this working with OpenSSL for a couple of reasons.) (Extra points for a configuration that allows it to use Axway's (formerly Tumbleweed) Desktop Validator for its OCSP-caching features.)

2) Using JSSE (Java 8, 1.8.0_202) with the NIO2 connector (I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java options for the Tomcat service).

I can't see anything indicating OCSP checks in the logs for either. When the tc-native-1.dll is present, the logs show it being used:

INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1a 20 Nov 2018]
INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio2-192.168.1.16-443"] connector has been configured to support negotiation to [h2] via ALPN
INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-192.168.1.16-443"]

For JSSE, by adding -Djavax.net.debug=ssl to the Java options for the Tomcat service, I see logging for key and trust stores being loaded, etc.
In tomcat8-stdout(date).log I see the server requesting a client cert, the client cert being received, and a trusted root being found for it ("Found trusted certificate:"), but nothing about revocation checking. (I do see

check handshake state: certificate_verify[15]
update handshake state: certificate_verify[15]

but I'm not sure that's revocation checking.)

For OpenSSL, I'm not sure how to enable equivalent logging. By enabling pretty much ALL the logging (org.apache.coyote.http2.level=ALL, org.apache.level=ALL, org.apache.catalina.session.level=ALL) I can see the truststore being loaded ("Added client CA cert"), but not much else about certificates.

Wireshark shows me OCSP calls for the SERVER cert, presumably from the browser (Firefox). (I'm testing this on a personal computer, Tomcat and browser on the same computer.) If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing them.

The Connector part of the server.xml config file is (IP address and server name etc. removed):

<Connector address="a.b.c.d" port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig protocols="+TLSv1.2+TLSv1.3"
                   honorCipherOrder="true"
                   certificateVerification="REQUIRED"
                   truststoreFile="C:/certs/trustStore.pfx"
                   truststoreType="PKCS12"
                   truststorePassword="abcdef">
        <Certificate certificateKeystoreFile="C:/certs/(server).pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="abcdef" />
    </SSLHostConfig>
</Connector>
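Added example (not part of the question above, and not Tomcat or tomcat-native code): before hunting for missing OCSP traffic it is worth confirming that the client certificate itself carries what any OCSP client, Tomcat's OpenSSL engine included, needs: an authorityInfoAccess OCSP URI saying where to ask, and a responder that knows the certificate's serial. The script below builds a throw-away CA, a delegated OCSP responder certificate and a client certificate with such an AIA, then produces and verifies an OCSP response entirely offline with the openssl CLI, so the good and revoked paths can be seen end to end without Tomcat in the picture. Every name in it (Lab Client CA, alice, ocsp.lab.example) is made up, the responder URL is never contacted, and the index file stands in for a real CA database.

```shell
#!/bin/sh
# Offline OCSP lab with the openssl CLI. Added example, not from the original
# post or from Tomcat. All names are made up; nothing here touches the network.
set -eu

LAB=${LAB:-$(mktemp -d)}

# Self-contained openssl config so the lab does not depend on the system
# openssl.cnf. client_ext carries the authorityInfoAccess OCSP URI that an
# OCSP client reads to locate the responder for this certificate.
write_cnf() {
  cat > "$LAB/lab.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ocsp_ext ]
basicConstraints = CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
[ client_ext ]
basicConstraints = CA:false
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.lab.example/
EOF
}

# CA, a delegated OCSP responder certificate (OCSPSigning EKU, issued by the
# same CA as the client cert) and the client certificate with serial 0x1A2B.
make_pki() (
  cd "$LAB"
  openssl req -x509 -config lab.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 30 -subj "/CN=Lab Client CA" 2>/dev/null
  openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
    -keyout ocsp.key -out ocsp.csr -subj "/CN=Lab OCSP Responder" 2>/dev/null
  openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x02 \
    -days 30 -extfile lab.cnf -extensions ocsp_ext -out ocsp.crt 2>/dev/null
  openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=alice" 2>/dev/null
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 0x1A2B \
    -days 30 -extfile lab.cnf -extensions client_ext -out client.crt 2>/dev/null
)

# What a real client certificate must carry for an OCSP client to have
# anything to query: prints the OCSP URI(s) from the AIA extension.
aia_ocsp_uri() {
  openssl x509 -in "$LAB/$1" -noout -ocsp_uri
}

# An "openssl ca" style index, tab separated: status, expiry, revocation date,
# serial (hex), file name, subject. $2 is V (valid) or R (revoked).
write_index() {
  if [ "$2" = R ]; then
    printf 'R\t300101000000Z\t240101000000Z\t1A2B\tunknown\t/CN=alice\n' > "$LAB/$1"
  else
    printf 'V\t300101000000Z\t\t1A2B\tunknown\t/CN=alice\n' > "$LAB/$1"
  fi
}

# $1 = client cert, $2 = index file. Builds the OCSP request, lets openssl act
# as the responder against the index (file based, no listener), then verifies
# the response as a relying party would: signature, responder authorisation
# (OCSPSigning, issued by the CA in -CAfile) and prints good|revoked|unknown.
ocsp_status() (
  cd "$LAB"
  openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index "$2" -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
    -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
  openssl ocsp -issuer ca.crt -cert "$1" -respin resp.der -CAfile ca.crt \
    -no_nonce 2>/dev/null | awk -v cert="$1" '$1 == (cert ":") { print $2 }'
)

write_cnf
make_pki
echo "AIA OCSP URI:       $(aia_ocsp_uri client.crt)"
write_index good.idx V
write_index revoked.idx R
echo "before revocation:  $(ocsp_status client.crt good.idx)"
echo "after revocation:   $(ocsp_status client.crt revoked.idx)"
```

The first check to run against the real client certificate is the `openssl x509 -in <client cert> -noout -ocsp_uri` step: if it prints nothing, the certificate has no OCSP AIA, and unless a responder URL is supplied out of band (for JSSE that is the `ocsp.responderURL` security property) there is nothing for an OCSP client to ask, so no OCSP call for the client cert will show up in Wireshark whichever SSL engine the connector uses. On the JSSE side, note also that `ocsp.enable=true` is a java.security Security property (set in the java.security file or via `Security.setProperty`), not a `-D` system property like `com.sun.net.ssl.checkRevocation`.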