Chris,

[root] ~# openssl version
OpenSSL 1.1.1a  20 Nov 2018

[root] ~# openssl help
Standard commands
asn1parse         ca                ciphers           cms               crl
crl2pkcs7         dgst              dhparam           dsa               dsaparam
ec                ecparam           enc               engine            errstr
gendsa            genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12            pkcs7
pkcs8             pkey              pkeyparam         pkeyutl           prime
rand              rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl          ts
verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4               md5
mdc2              rmd160            sha1              sha224            sha256
sha3-224          sha3-256          sha3-384          sha3-512          sha384
sha512            sha512-224        sha512-256        shake128          shake256
sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       aes-256-cbc
aes-256-ecb       aria-128-cbc      aria-128-cfb      aria-128-cfb1     aria-128-cfb8
aria-128-ctr      aria-128-ecb      aria-128-ofb      aria-192-cbc      aria-192-cfb
aria-192-cfb1     aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8     aria-256-ctr
aria-256-ecb      aria-256-ofb      base64            bf                bf-cbc
bf-cfb            bf-ecb            bf-ofb            camellia-128-cbc  camellia-128-ecb
camellia-192-cbc  camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb
des               des-cbc           des-cfb           des-ecb           des-ede
des-ede-cbc       des-ede-cfb       des-ede-ofb       des-ede3          des-ede3-cbc
des-ede3-cfb      des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb          idea-ofb
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           rc2-cfb
rc2-ecb           rc2-ofb           rc4               rc4-40            seed
seed-cbc          seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb           zlib

[root] ~# openssl ocsp -help
Usage: ocsp [options]
Valid options are:
 -help                   Display this summary
 -out outfile            Output filename
 -timeout +int           Connection timeout (in seconds) to the OCSP responder
 -url val                Responder URL
 -host val               TCP/IP hostname:port to connect to
 -port +int              Port to run responder on
 -ignore_err             Ignore error on OCSP request or response and continue running
 -noverify               Don't verify response at all
 -nonce                  Add OCSP nonce to request
 -no_nonce               Don't add OCSP nonce to request
 -resp_no_certs          Don't include any certificates in response
 -resp_key_id            Identify response by signing certificate key ID
 -multi +int             run multiple responder processes
 -no_certs               Don't include any certificates in signed request
 -no_signature_verify    Don't check signature on response
 -no_cert_verify         Don't check signing certificate
 -no_chain               Don't chain verify response
 -no_cert_checks         Don't do additional checks on signing certificate
 -no_explicit            Do not explicitly check the chain, just verify the root
 -trust_other            Don't verify additional certificates
 -no_intern              Don't search certificates contained in response for signer
 -badsig                 Corrupt last byte of loaded OSCP response signature (for test)
 -text                   Print text form of request and response
 -req_text               Print text form of request
 -resp_text              Print text form of response
 -reqin val              File with the DER-encoded request
 -respin val             File with the DER-encoded response
 -signer infile          Certificate to sign OCSP request with
 -VAfile infile          Validator certificates file
 -sign_other infile      Additional certificates to include in signed request
 -verify_other infile    Additional certificates to search for signer
 -CAfile infile          Trusted certificates file
 -CApath infile          Trusted certificates directory
 -no-CAfile              Do not load the default certificates file
 -no-CApath              Do not load certificates from the default certificates directory
 -validity_period ulong  Maximum validity discrepancy in seconds
 -status_age +int        Maximum status age in seconds
 -signkey val            Private key to sign OCSP request with
 -reqout val             Output file for the DER-encoded request
 -respout val            Output file for the DER-encoded response
 -path val               Path to use in OCSP request
 -issuer infile          Issuer certificate
 -cert infile            Certificate to check
 -serial val             Serial number to check
 -index infile           Certificate status index file
 -CA infile              CA certificate
 -nmin +int              Number of minutes before next update
 -nrequest +int          Number of requests to accept (default unlimited)
 -ndays +int             Number of days before next update
 -rsigner infile         Responder certificate to sign responses with
 -rkey infile            Responder key to sign responses with
 -rother infile          Other certificates to include in response
 -rmd val                Digest Algorithm to use in signature of OCSP response
 -rsigopt val            OCSP response signature parameter in n:v form
 -header val             key=value header to add
 -*                      Any supported digest algorithm (sha1,sha256, ... )
 -policy val             adds policy to the acceptable policy set
 -purpose val            certificate chain purpose
 -verify_name val        verification policy name
 -verify_depth int       chain depth limit
 -auth_level int         chain authentication security level
 -attime intmax          verification epoch time
 -verify_hostname val    expected peer hostname
 -verify_email val       expected peer email
 -verify_ip val          expected peer IP address
 -ignore_critical        permit unhandled critical extensions
 -issuer_checks          (deprecated)
 -crl_check              check leaf certificate revocation
 -crl_check_all          check full chain revocation
 -policy_check           perform rfc5280 policy checks
 -explicit_policy        set policy variable require-explicit-policy
 -inhibit_any            set policy variable inhibit-any-policy
 -inhibit_map            set policy variable inhibit-policy-mapping
 -x509_strict            disable certificate compatibility work-arounds
 -extended_crl           enable extended CRL features
 -use_deltas             use delta CRLs
 -policy_print           print policy processing diagnostics
 -check_ss_sig           check root CA self-signatures
 -trusted_first          search trust store first (default)
 -suiteB_128_only        Suite B 128-bit-only mode
 -suiteB_128             Suite B 128-bit mode allowing 192-bit algorithms
 -suiteB_192             Suite B 192-bit-only mode
 -partial_chain          accept chains anchored by intermediate trust-store CAs
 -no_alt_chains          (deprecated)
 -no_check_time          ignore certificate validity time
 -allow_proxy_certs      allow the use of proxy certificates

________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 22 May 2019 19:45
To: users@tomcat.apache.org
Subject: Re: OCSP with openSSL

Усманов,

On 5/22/19 07:28, Усманов Азат Анварович wrote:
> Mark, I installed it just by downloading the tcnative src tar.gz file
> from the tomcat website and issued ./configure --with-apr=/usr/local/apr
> --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl &&
> make && make install && make clean
> I'm not sure how to specify any ocsp related configure options when
> building tomcat native from source

What is your OpenSSL version and capabilities?

$ openssl version
$ openssl -help
$ openssl ocsp -help

-chris

> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: 22 May 2019 13:41
> To: users@tomcat.apache.org
> Subject: Re: OCSP with openSSL
>
> On 22/05/2019 11:28, Усманов Азат Анварович wrote:
>> Hi everyone! I have a web app running on tomcat and java 7 using apr
>> for TLS related issues. I'm still unable to have OCSP verification
>> working with tomcat.
>
> <snip/>
>
>> I have tried running tcpdump on the server but don't see any Comodo
>> related IP addresses in the output when I access the server in
>> question in the browser. At this point I don't know what else to do.
>> If it was java I would just put some System.out.println statements in
>> the OCSP SSL related source code and recompile the tomcat source, but
>> since in my case tomcat uses OpenSSL and tomcat native I'm not sure
>> how/where to do that. The only place I found in the TC-native source
>> that mentions OCSP is the sslutils.c source file. I'm not sure when/if
>> it actually gets called in my case. Maybe someone with more C/C++
>> experience could help me with that. I really want to get to the bottom
>> of this. Any help is appreciated. My tomcat version is 8.5.39, APR
>> based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
>> Openssl version is [OpenSSL 1.1.1a 20 Nov 2018]
>> OS: Linux RHEL 6.6
>
> How did you build the Tomcat Native library? Was OCSP enabled?
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org