Hi everyone! I have a web app running on Tomcat and Java 7, using APR for TLS. I'm still unable to get OCSP verification working with Tomcat. I'm NOT talking about client-certificate based auth here, just the opposite: I want Tomcat to present its OCSP status to the client (browser) when it connects to the server. Since the options in the OCSP section of the Tomcat docs talk about client auth, I figured I don't need to add anything to my HTTPS connector to get OCSP working. So here is my HTTPS connector:

<Connector allowTrace="false" server=" " port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="350" SSLEnabled="true" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" compression="force">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="force" />
    <SSLHostConfig sessionCacheSize="50" honorCipherOrder="true"
                   protocols="TLSv1.3+TLSv1.2"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256">
        <Certificate certificateKeyFile="/home/idis/server.key"
                     certificateFile="/home/idis/STAR_ieml_ru.crt"
                     certificateChainFile="/home/idis/authorities.crt"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

Our certificate's OCSP responder address is http://ocsp.comodoca.com

I thought that my issues were caused by the fact that the server in question sits behind a proxy, but I just tested OCSP stapling manually via the OpenSSL ocsp utility and it works properly when invoked from the command line:

openssl ocsp -no_nonce -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -text

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: May 15 19:34:39 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: May 15 19:34:39 2019 GMT
    Next Update: May 22 19:34:39 2019 GMT

    Signature Algorithm: sha256WithRSAEncryption
         37:ee:ae:ed:35:ea:2f:f5:3c:d6:4e:4b:60:fd:5b:8b:f6:24:
         90:e4:da:11:d7:57:9c:22:d6:fe:53:2f:48:a3:cb:7a:1e:c0:
         82:70:28:c9:bb:d5:07:31:c3:33:d2:0b:09:12:96:68:ed:a1:
         3f:d7:d6:46:9d:dc:9a:d8:55:27:0b:5e:c2:56:fc:47:42:de:
         f0:e6:5f:75:f1:c0:b4:42:76:f4:e6:30:b9:a8:9a:75:8f:5f:
         0c:e6:5b:1e:6b:6d:8e:66:3c:7f:73:df:22:98:4d:40:aa:e1:
         d5:fb:27:8d:9b:e6:67:ae:40:3d:1f:29:da:23:7d:74:ad:b3:
         e6:76:f9:be:18:ad:df:be:ee:7d:1a:ab:26:5b:0c:4a:3b:d3:
         7e:f4:7d:c6:6d:f4:93:90:90:ec:25:b1:d1:4a:c8:1e:47:fb:
         67:5e:50:42:97:cf:26:2e:d4:21:9f:e1:4a:a9:a1:ba:8c:0a:
         0f:f6:1e:d8:2e:f7:25:32:89:c7:af:b7:81:39:9b:57:72:9c:
         28:1b:9d:b1:58:aa:e2:47:bc:f9:5b:23:d2:f2:cb:9d:ac:72:
         cf:d9:75:12:a2:94:c3:78:d6:59:f7:96:12:18:9a:3b:b8:84:
         d2:fd:b5:54:e7:4c:51:17:01:f2:0a:0d:fa:52:e7:5e:51:6a:
         d9:14:1a:e3
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
        This Update: May 15 19:34:39 2019 GMT
        Next Update: May 22 19:34:39 2019 GMT

However, when I test the server, both manually and via the SSL Labs server test, OCSP stapling still shows "no":

openssl s_client -connect debug.ieml.ru:8443 -tls1_2 -status

CONNECTED(00000004)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgIRAPB4y44vTlpni/uQZalhG1cwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTcwNjI5MDAwMDAwWhcNMTkwODI5MjM1OTU5WjBWMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHTAbBgNVBAsTFFBvc2l0aXZlU1NMIFdp
bGRjYXJkMRIwEAYDVQQDDAkqLmllbWwucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDDPvJ/lpxUzUyI6xAI4vm+fJG76JPJ3PjVPWshE6DQ8FSOX1tz
x/77d7DHH3o73I1fZL26o8feq1tscHg5Hn/L4S+N3pPAqz3Q6Q98O3r6lzJtK5Yz
gfWCEx6tFNvuQ96G2rN6b+wwpbo42e+Ml9HejTH3F3tdgkZ9++jq2/xge/82tRfm
F7OdKpOl0HJhjyKb4ehck032lACLLzKaiVXwuvm0PFeNVMfGli6esVjvf6qUvXIe
dxfgJu5emAdFwAWSwJYQ61sUPt/o4G5SLFx4xaDaA0W5cK8Wtd2BGe12kDVstVft
hP7KKj/giXFQSIrC5JmIE4wr8c4yiHBcrwdjAgMBAAGjggHPMIIByzAfBgNVHSME
GDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUs+5Z8D1kBsszi2+H
fbGGs7WeS7EwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcw
KzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYG
Z4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUG
CCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5j
b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMB0GA1UdEQQWMBSC
CSouaWVtbC5ydYIHaWVtbC5ydTANBgkqhkiG9w0BAQsFAAOCAQEAQTfwPlwQrEDN
Xm8cFJHnn7HhA0/fs/eaJ8SiSqZtUbPZar8V1fd0uIHElwQGTdxLBPktyAVBE7Ro
tP1QCU7Al6y0LMba1+aGIxGhVE7Ub7ntwPIPMs8Q68YZIC7oHBMtr6Qn34HF1lI0
CWHJqwWCv4UWwtwZcy4ab5tS+Nv1qd4O4fok9T/LTQCY5rbyCnhWfiRNMihLX2tk
/Cc5UvwUkS81c1A5sHgCLuqKPL7zCmJbcaFKPYTZEN2EUaKhT1jq06cmDfyXP6cq
4rmuaMxMxgsmDL4emO9LP9IfKmL3IvFngpkgAuNks/RiILFRuBv/EcF8C+FI46g5
PqY0SNxCGA==
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4966 bytes and written 318 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 47F268768C011706B01BA181164ADC7BE4452049E84BA24515CB4645B8717A15
    Session-ID-ctx:
    Master-Key: 87C245B1F3D8ABB69B14865AF0E650B395BFEEFB88FBC99D818439E7A60A31AADD83363D24AFFEA2A1CE14C3EDF2EA41
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 31 da bf fc ec 56 ef 77-8c 74 d8 df 15 51 b3 e8   1....V.w.t...Q..
    0010 - 69 3d 6d ba a7 5f 9c 15-3f 8f d7 e9 07 50 2b ca   i=m.._..?....P+.
    0020 - c1 f2 fd f2 7d 31 6d 52-25 16 31 45 71 c4 ef 75   ....}1mR%.1Eq..u
    0030 - 85 59 ea 14 a2 00 4a 4e-b1 c8 d7 90 32 c7 a0 3c   .Y....JN....2..<
    0040 - b5 11 e7 53 0a cc 8b 4a-26 fc fd fd e9 8c 77 12   ...S...J&.....w.
    0050 - b5 de 85 0c f1 d4 b9 ff-67 e6 5c c7 10 98 ab 20   ........g.\....
    0060 - 37 1d 95 75 09 77 76 5d-42 8f 46 96 63 c5 fa ea   7..u.wv]B.F.c...
    0070 - 58 e1 58 52 4c 07 17 c2-0b d0 64 5c 68 ce 5d 23   X.XRL.....d\h.]#
    0080 - dd 73 2c e3 83 50 fe 8f-7b f0 89 aa ee de a2 52   .s,..P..{......R
    0090 - 14 ba 68 5c 13 d7 6a b8-cc 07 73 9a 2e 11 b3 0d   ..h\..j...s.....
    00a0 - 7f 84 45 d4 8c fc a0 3a-8d f4 d9 39 48 6d bf 9c   ..E....:...9Hm..
    00b0 - 6d 7b ef 50 bc 0b e2 89-af 4e 8b 82 60 cf 22 64   m{.P.....N..`."d

    Start Time: 1558517267
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
read:errno=0

I have tried running tcpdump on the server but don't see any Comodo-related IP addresses in the output when I access the server in question in the browser. At this point I don't know what else to do. If it was Java I would just put some System.out.println statements in the OCSP/SSL related source code and recompile the Tomcat source, but since in my case Tomcat uses OpenSSL and Tomcat Native I'm not sure how/where to do that. The only place I found in the TC-native source that mentions OCSP is the sslutils.c source file. I'm not sure when/if it actually gets called in my case. Maybe someone with more C/C++ experience could help me with that. I really want to get to the bottom of this. Any help is appreciated.

My Tomcat version is 8.5.39, APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5]. OpenSSL version is [OpenSSL 1.1.1a 20 Nov 2018]. OS: Linux RHEL 6.6
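As an added example (not part of the original post and not Tomcat's or OpenSSL's own code), here is a small shell helper that turns the `openssl s_client -status` check above into something repeatable: it classifies the transcript as "no-response" (the case the post shows), "stapled-good", "stapled-revoked" or "unknown", so the same check can be rerun after every connector change, or against a saved transcript. The host/port arguments and the two sample transcripts are constructed for this example (trimmed to the lines the classifier looks at); the `debug.ieml.ru:8443` target in the usage comment is simply the one the post tested.

```shell
#!/bin/sh
# Added example, not code from the original post: classify the stapling
# result in an `openssl s_client -status` transcript. The parser reads the
# transcript from stdin so it works on captured output as well as live.

# Prints one of: no-response, stapled-good, stapled-revoked, stapled-other, unknown
ocsp_staple_status() {
  transcript=$(cat)
  case "$transcript" in
    *"OCSP response: no response sent"*)
      # The server answered the status_request extension with nothing.
      echo "no-response" ;;
    *"OCSP Response Status: successful"*)
      # A stapled response was sent; report the certificate status inside it.
      case "$transcript" in
        *"Cert Status: good"*)    echo "stapled-good" ;;
        *"Cert Status: revoked"*) echo "stapled-revoked" ;;
        *)                        echo "stapled-other" ;;
      esac ;;
    *)
      # No OCSP line at all (handshake failed, or -status was not passed).
      echo "unknown" ;;
  esac
}

# Live probe. host/port are whatever you are testing (assumption: the server
# is reachable and speaks TLS on that port). -servername sends SNI so the
# matching SSLHostConfig answers; </dev/null makes s_client exit after the
# handshake instead of waiting for input on stdin.
check_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | ocsp_staple_status
}

# Constructed sample transcripts (trimmed), so this runs offline.
SAMPLE_NO_STAPLE='CONNECTED(00000004)
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
Certificate chain'

SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: May 15 19:34:39 2019 GMT
    Next Update: May 22 19:34:39 2019 GMT
======================================
---
Certificate chain'

if [ $# -gt 0 ]; then
  check_stapling "$@"          # e.g. ./ocsp-check.sh debug.ieml.ru 8443
else
  printf '%s\n' "$SAMPLE_NO_STAPLE" | ocsp_staple_status   # no-response
  printf '%s\n' "$SAMPLE_STAPLED"   | ocsp_staple_status   # stapled-good
fi
```

Two things this check does that the one-off command in the post does not: it sends SNI (`-servername`), so a server with several SSLHostConfig blocks answers for the name you expect, and it closes stdin so the probe terminates on its own and can be looped or put in a cron job. A "no-response" result only says the server did not staple; it says nothing about whether the responder itself is reachable, which is what the `openssl ocsp` test above covers.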