Well, after much research and experimentation I got OCSP working with the
JSSE flavor, NIO2 connector (renamed the OCSP-enabled tc-native-1.dll so
it isn't used and JSSE is used instead).

2 things had to be set:
1: server.xml: add to the SSLHostConfig section (inside the Connector
section):
            revocationEnabled="true"
            certificateVerification="require"

2: java.security file in the (java)\jre\lib\security folder:
uncomment the line:    ocsp.enable=true
(you get a "can't connect securely to this page" in IE if you forget.)
(if there's a way to do this with the Java options used by the tomcat
service (eg -D(something)ocsp.enable="true"), I'd appreciate someone telling
me).

by adding -Djava.security.debug="certpath ocsp" to the Java options used
by the tomcat service (Windows)... I have logging showing the OCSP checking
etc....
and wireshark shows me the OCSP calls (there MAY be some caching being done
by the java (or possibly Windows CAPI) code, not all the expected OCSP
requests seem to always be there).

by restoring the NON-OCSP-enabled tc-native-1.dll, I found that the same
settings allow the same java calls to work the same way....

and by restoring the OCSP-enabled tc-native-1.dll... those still work.

Apparently there is some OTHER setting or configuration needed for the
OCSP-enabled tc-native-1.dll to work... and I haven't found it yet.

I'm trying to understand from the tc-native source what I might be missing,
but apparently I'm overlooking it.


helpful suggestions are welcomed.

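Added example, not code from the thread or from Tomcat: a stand-alone Java program that runs the same PKIX validation the JSSE trust manager performs with revocationEnabled="true", but requests OCSP explicitly through PKIXRevocationChecker, so the trust store and the client certificate's OCSP responder can be confirmed outside Tomcat (with -Djava.security.debug="certpath ocsp" it produces the same debug trace). The file paths and password are placeholders, and it assumes the client certificate was issued directly by a CA present in the trust store.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import java.util.EnumSet;

// Stand-alone PKIX + OCSP check for a client certificate, mirroring what
// Tomcat's JSSE trust manager does with revocationEnabled="true".
// usage: java OcspCheck C:/certs/trustStore.pfx <password> client-cert.pem
public class OcspCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: OcspCheck <truststore.pfx> <password> <client.pem>");
            System.exit(2);
        }
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());   // same store as truststoreFile
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (FileInputStream in = new FileInputStream(args[2])) {
            client = (X509Certificate) cf.generateCertificate(in);
        }
        // Trust anchors come from the store; revocation checking is switched on
        // exactly as Tomcat's revocationEnabled="true" does.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true);
        // Without an explicit checker the JDK's default one only uses OCSP when
        // the security property ocsp.enable=true is set (java.security, not -D);
        // adding a PKIXRevocationChecker asks for OCSP directly, CRL as fallback.
        // Empty option set = hard fail: an unreachable responder rejects the cert.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(rc);
        // Assumes the client cert is issued directly by a CA in the trust store;
        // otherwise list the intermediates after it, leaf first.
        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        try {
            cpv.validate(path, params);
            System.out.println("OK: chains to the trust store and OCSP says not revoked");
        } catch (CertPathValidatorException e) {
            // REVOKED / UNDETERMINED_REVOCATION_STATUS vs. plain trust or expiry errors
            System.out.println("FAIL: " + e.getReason() + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it once with a known-good client certificate and once with a revoked test certificate from the same CA; if the second run does not report REVOKED, the responder or the trust store is the problem rather than the connector configuration.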
On Wed, Apr 3, 2019 at 12:32 PM John Palmer <johnpalm...@gmail.com> wrote:

> I appreciate your response....
>
> > Setting `certificateVerification="require"` on your Connector
>
> I changed
>   `certificateVerification="REQUIRED"`
> to
>   `certificateVerification="require"`
>
> still not seeing any OCSP calls in wireshark for this
>
> I did find out how to enable logging better  (by adding either of these to
> logging.properties):
> org.apache.tomcat.util.net.openssl.level=ALL
> org.apache.tomcat.util.net.level=ALL
>
> and I can see logs confirming  that the trust store is being used:
> OpenSSLContext.init Added client CA cert:...) ;
>
> with logging set to org.apache.tomcat.level=ALL
> I see confirmation that the certificateVerification is being parsed,
> apparently correctly.
>
> but I still don't see any evidence in the tomcat/catalina logs or in
> wireshark that anything is happening to accomplish this.
>
>
>
> On Tue, Apr 2, 2019 at 3:47 PM Coty Sutherland <csuth...@apache.org>
> wrote:
>
>> Hi,
>>
>> On Mon, Apr 1, 2019 at 3:30 PM John Palmer <johnpalm...@gmail.com> wrote:
>>
>> > What, if anything, needs to be configured to ENABLE (preferably REQUIRE)
>> > tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat
>> > 8.5.38 using OpenSSL ?
>>
>>
>> Setting `certificateVerification="require"` on your Connector and using a
>> client certificate that has an OCSP URI should be it. See
>>
>> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
>> for more information on how to configure it.
>>
>>
>> >
>>
>>
>> > I'm sure I'm missing something simple and obvious (once pointed out) but
>> > I've been struggling with this all morning).
>> >
>> > 1) using Openssl (the tc-native-1.dll binary for Windows, compiled w OCSP
>> > support - the X64 dll from
>> > tomcat-native-1.2.21-openssl-1.1.1a-ocsp-win32-bin.zip)
>> > (will this even work with NIO2 ? - I don't HAVE to use NIO2)
>> >
>>
>> It will work, but only if you're using the openssl implementation.
>>
>>
>> > (I'd prefer to have this working with OpenSSL for a couple of reasons).
>> > (extra points for a configuration to allow it to use Axway's (formerly
>> > Tumbleweed) Desktop Validator for its OCSP-caching features).
>> >
>> > 2) using JSSE (java 8 (1.8.0_202)) with the NIO2 connector
>> > (I've tried adding -Dcom.sun.net.ssl.checkRevocation=true to the Java
>> > options for the tomcat service).
>> >
>> >
>> > I can't see anything indicating OCSP checks in the logs for either.
>> >
>>
>> There isn't any OCSP code in Tomcat and tomcat-native doesn't log much of
>> anything when it's in use, so there's not much indication that it's
>> working there.
>>
>>
>> >
>> > (when the tc-native-1.dll is present, the logs show it being used:
>> > INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
>> > Loaded APR based Apache Tomcat Native library [1.2.21] using APR version
>> > [1.6.5].
>> > INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
>> > APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
>> > random [true].
>> > INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent
>> > APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
>> > INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
>> > OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
>> > INFO [main]
>> > org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol
>> > The ["https-openssl-nio2-192.168.1.16-443"] connector has been configured
>> > to support negotiation to [h2] via ALPN
>> > INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
>> > ProtocolHandler ["https-openssl-nio2-192.168.1.16-443"]
>> > )
>> >
>> >
>> > for JSSE, by adding -Djavax.net.debug=ssl to the Java Options for the
>> > tomcat service I see logging for key & trust stores being loaded, etc. in
>> > tomcat8-stdout(date).log
>> > the server requesting a client cert, the Client cert being received and
>> > finding a trusted root for it ("Found trusted certificate:"),
>> > but nothing about revocation checking....
>> > (I do see:
>> >     check handshake state: certificate_verify[15]
>> >     update handshake state: certificate_verify[15]
>> >
>> > but I'm not sure that's revocation checking...).
>> >
>> > for OpenSSL, I'm not sure how to enable equivalent logging....by enabling
>> > pretty much ALL the logging
>> >     org.apache.coyote.http2.level=ALL
>> >     org.apache.level=ALL
>> >     org.apache.catalina.session.level=ALL
>> > I can see the truststore ("Added client CA cert") being loaded but not
>> > much else about certificates.
>> >
>> >
>> > Wireshark shows me OCSP calls for the SERVER cert, presumably from the
>> > browser (Firefox).
>> > (I'm testing this on a personal computer, tomcat and browser on the same
>> > computer).
>> > If there are equivalent OCSP calls for the CLIENT cert, I'm not seeing
>> > them.
>> >
>> >
>> > the Connector part of the server xml.config file is (ip address and
>> > server name etc removed):
>> >
>> >      <Connector
>> >             address="a.b.c.d"
>> >             port="443"
>> >             protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>> >             maxThreads="150"
>> >             SSLEnabled="true"
>> >             scheme="https"
>> >             secure="true"
>> >         >
>> >         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
>> > />
>> >         <SSLHostConfig
>> >             protocols="+TLSv1.2+TLSv1.3"
>> >             honorCipherOrder="true"
>> >             certificateVerification="REQUIRED"
>> >             truststoreFile="C:/certs/trustStore.pfx"
>> >             truststoreType="PKCS12"
>> >             truststorePassword="abcdef"
>> >             >
>> >             <Certificate
>> >                 certificateKeystoreFile="C:/certs/(server).pfx"
>> >                 certificateKeystoreType="PKCS12"
>> >                 certificateKeystorePassword="abcdef"
>> >             />
>> >         </SSLHostConfig>
>> >     </Connector>
>> >
>>
>
