On 17/06/2019 15:15, logo wrote:
> Hi Mark,
>
> having been in contact with Усманов, I can confirm your summary.
>
> May I add my question from February with additional info to this thread:
> https://markmail.org/message/zvziqrhm32bctm7e
Thanks.

Progress can be tracked here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support OCSP
stapling with appropriate configuration. The OpenSSL ones (APR/native,
NIO+OpenSSL, NIO2+OpenSSL) do not.

It might be simply a configuration issue with OpenSSL. It might need code
changes in APR/Native. I'm currently looking into that.

Mark

>
> Thanks.
>
> Peter
>
> On 2019-06-17 15:44, Mark Thomas wrote:
>> Coming back to this as it has been on my TODO list for a while.
>>
>> Having re-read the thread I think it would be helpful to first clarify
>> exactly what behaviour you are expecting and not seeing.
>>
>> The issue relates to OCSP checks when Tomcat is presenting its server
>> certificate to the client.
>>
>> You are expecting Tomcat to use OCSP stapling to provide the OCSP
>> information to the client so that the client does not have to request it
>> itself.
>>
>> Tomcat is not providing the OCSP information. It appears that OCSP
>> stapling is not working.
>>
>> Is the above a fair summary? If not, please provide corrections.
>>
>> Thanks,
>>
>> Mark
>>
>>
>> On 27/05/2019 12:36, Усманов Азат Анварович wrote:
>>> Just a quick follow up, trying to get some answers. I added
>>> #include <stdio.h> to sslutils.c (which has all the OCSP functions) to
>>> print some info. I added printf calls to every function defined in
>>> this file. Interestingly enough, when I issue
>>> openssl s_client -connect debug.ieml.ru:8443 -tls1_2 -status -proxy 192.168.1.6:3131
>>> (both the tls1_2 and tls1_3 versions), and when I access the server from
>>> another machine via browser, none of the printf calls are displayed;
>>> however, when I run the SSL Labs server test (which is also supposedly
>>> capable of detecting OCSP) some of them start to appear. Sadly
>>> none of them are OCSP related. I did put a basic ifdef test for
>>> HAVE_OCSP_STAPLING; surprisingly it shows that OCSP support is
>>> indeed enabled.
>>> So here are both the modified sslutils.c file and the tomcat log snippet
>>> (not sure if attachments are allowed on the list, so posting it here).
>>> Not sure where to go from here.
>>>
>>> /* Licensed to the Apache Software Foundation (ASF) under one or more
>>>  * contributor license agreements.  See the NOTICE file distributed with
>>>  * this work for additional information regarding copyright ownership.
>>>  * The ASF licenses this file to You under the Apache License, Version 2.0
>>>  * (the "License"); you may not use this file except in compliance with
>>>  * the License.  You may obtain a copy of the License at
>>>  *
>>>  *     http://www.apache.org/licenses/LICENSE-2.0
>>>  *
>>>  * Unless required by applicable law or agreed to in writing, software
>>>  * distributed under the License is distributed on an "AS IS" BASIS,
>>>  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>  * See the License for the specific language governing permissions and
>>>  * limitations under the License.
>>>  */
>>>
>>> /** SSL Utilities
>>>  */
>>>
>>> #include "tcn.h"
>>> #include <stdio.h>
>>> #ifdef HAVE_OPENSSL
>>> #include "apr_poll.h"
>>> #include "ssl_private.h"
>>>
>>>
>>> #ifdef WIN32
>>> extern int WIN32_SSL_password_prompt(tcn_pass_cb_t *data);
>>> #endif
>>>
>>> #ifdef HAVE_OCSP_STAPLING
>>> #include <openssl/bio.h>
>>> #include <openssl/ocsp.h>
>>> /* defines with the values as seen by the asn1parse -dump openssl command */
>>> #define ASN1_SEQUENCE 0x30
>>> #define ASN1_OID 0x06
>>> #define ASN1_STRING 0x86
>>> static int ssl_verify_OCSP(X509_STORE_CTX *ctx);
>>> static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx);
>>> #endif
>>>
>>> /* _________________________________________________________________
>>> **
>>> **  Additional High-Level Functions for OpenSSL
>>> ** _________________________________________________________________
>>> */
>>>
>>> /* we initialize this index at startup time
>>>  * and never write to it at request time,
>>>  * so this static is thread safe.
>>>  * also note that OpenSSL increments at static variable when
>>>  * SSL_get_ex_new_index() is called, so we _must_ do this at startup.
>>>  */
>>> static int SSL_app_data2_idx = -1;
>>> static int SSL_app_data3_idx = -1;
>>> static int SSL_app_data4_idx = -1;
>>>
>>> void SSL_init_app_data_idx(void)
>>> {
>>>     printf(" SSL_init_app_data_idx\n");
>>> #ifdef HAVE_OCSP_STAPLING
>>>     printf("Hi OCSP \n");
>>> #else
>>>     printf("Sorry no OCSP support\n");
>>> #endif
>>>
>>>     int i;
>>>
>>>     if (SSL_app_data2_idx > -1) {
>>>         return;
>>>     }
>>>
>>>     /* we _do_ need to call this twice */
>>>     for (i = 0; i <= 1; i++) {
>>>         SSL_app_data2_idx =
>>>             SSL_get_ex_new_index(0,
>>>                                  "Second Application Data for SSL",
>>>                                  NULL, NULL, NULL);
>>>     }
>>>
>>>     if (SSL_app_data3_idx > -1) {
>>>         return;
>>>     }
>>>
>>>     SSL_app_data3_idx =
>>>         SSL_get_ex_new_index(0,
>>>                              "Third Application Data for SSL",
>>>                              NULL, NULL, NULL);
>>>
>>>     if (SSL_app_data4_idx > -1) {
>>>         return;
>>>     }
>>>
>>>     SSL_app_data4_idx =
>>>         SSL_get_ex_new_index(0,
>>>                              "Fourth Application Data for SSL",
>>>                              NULL, NULL, NULL);
>>>
>>> }
>>>
>>> void *SSL_get_app_data2(SSL *ssl)
>>> {
>>>     printf("ssl_get_app_data2 \n");
>>>     return (void *)SSL_get_ex_data(ssl, SSL_app_data2_idx);
>>> }
>>>
>>> void SSL_set_app_data2(SSL *ssl, void *arg)
>>> {
>>>     printf("ssl_set_app_data2 \n");
>>>
>>>     SSL_set_ex_data(ssl, SSL_app_data2_idx, (char *)arg);
>>>     return;
>>> }
>>>
>>>
>>> void *SSL_get_app_data3(const SSL *ssl)
>>> {
>>>     printf("ssl_get_app_data3 \n");
>>>
>>>     return SSL_get_ex_data(ssl, SSL_app_data3_idx);
>>> }
>>>
>>> void SSL_set_app_data3(SSL *ssl, void *arg)
>>> {
>>>     printf("ssl_set_app_data3 \n");
>>>     SSL_set_ex_data(ssl, SSL_app_data3_idx, arg);
>>> }
>>>
>>> void *SSL_get_app_data4(const SSL *ssl)
>>> {
>>>     printf("ssl_get_app_data4 \n");
>>>     return SSL_get_ex_data(ssl, SSL_app_data4_idx);
>>> }
>>>
>>> void SSL_set_app_data4(SSL *ssl, void *arg)
>>> {
>>>     printf("ssl_set_app_data4 \n");
>>>     SSL_set_ex_data(ssl, SSL_app_data4_idx, arg);
>>> }
>>>
>>> /* Simple echo password prompting */
>>> int SSL_password_prompt(tcn_pass_cb_t *data)
>>> {
>>>
>>>     printf(" SSL_password_prompt\n");
>>>     int rv = 0;
>>>     data->password[0] = '\0';
>>>     if (data->cb.obj) {
>>>         JNIEnv *e;
>>>         jobject  o;
>>>         jstring  prompt;
>>>         tcn_get_java_env(&e);
>>>         prompt = AJP_TO_JSTRING(data->prompt);
>>>         if ((o = (*e)->CallObjectMethod(e, data->cb.obj,
>>>                             data->cb.mid[0], prompt))) {
>>>             TCN_ALLOC_CSTRING(o);
>>>             if (J2S(o)) {
>>>                 strncpy(data->password, J2S(o), SSL_MAX_PASSWORD_LEN);
>>>                 data->password[SSL_MAX_PASSWORD_LEN-1] = '\0';
>>>                 rv = (int)strlen(data->password);
>>>             }
>>>             TCN_FREE_CSTRING(o);
>>>         }
>>>     }
>>>     else {
>>> #ifdef WIN32
>>>         rv = WIN32_SSL_password_prompt(data);
>>> #else
>>>         EVP_read_pw_string(data->password, SSL_MAX_PASSWORD_LEN,
>>>                            data->prompt, 0);
>>> #endif
>>>         rv = (int)strlen(data->password);
>>>     }
>>>     if (rv > 0) {
>>>         /* Remove LF char if present */
>>>         char *r = strchr(data->password, '\n');
>>>         if (r) {
>>>             *r = '\0';
>>>             rv--;
>>>         }
>>> #ifdef WIN32
>>>         if ((r = strchr(data->password, '\r'))) {
>>>             *r = '\0';
>>>             rv--;
>>>         }
>>> #endif
>>>     }
>>>     return rv;
>>> }
>>>
>>> int SSL_password_callback(char *buf, int bufsiz, int verify,
>>>                           void *cb)
>>> {
>>>     printf("SSL_password_callback\n");
>>>     tcn_pass_cb_t *cb_data = (tcn_pass_cb_t *)cb;
>>>
>>>     if (buf == NULL)
>>>         return 0;
>>>     *buf = '\0';
>>>     if (cb_data == NULL)
>>>         cb_data = &tcn_password_callback;
>>>     if (!cb_data->prompt)
>>>         cb_data->prompt = SSL_DEFAULT_PASS_PROMPT;
>>>     if (cb_data->password[0]) {
>>>         /* Return already obtained password */
>>>         strncpy(buf, cb_data->password, bufsiz);
>>>         buf[bufsiz - 1] = '\0';
>>>         return (int)strlen(buf);
>>>     }
>>>     else {
>>>         if (SSL_password_prompt(cb_data) > 0)
>>>             strncpy(buf, cb_data->password, bufsiz);
>>>     }
>>>     buf[bufsiz - 1] = '\0';
>>>     return (int)strlen(buf);
>>> }
>>>
>>> /* _________________________________________________________________
>>> **
>>> **  Custom (EC)DH parameter support
>>> ** _________________________________________________________________
>>> */
>>> DH *SSL_dh_GetParamFromFile(const char *file)
>>> {
>>>     printf("SSL_dh_GetParamFromFile\n");
>>>     DH *dh = NULL;
>>>     BIO *bio;
>>>
>>>     if ((bio = BIO_new_file(file, "r")) == NULL)
>>>         return NULL;
>>>     dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
>>>     BIO_free(bio);
>>>     return dh;
>>> }
>>>
>>> #ifdef HAVE_ECC
>>> EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
>>> {
>>>
>>>     printf("SSL_ec_GetParamFromFile\n");
>>>     EC_GROUP *group = NULL;
>>>     BIO *bio;
>>>
>>>     if ((bio = BIO_new_file(file, "r")) == NULL)
>>>         return NULL;
>>>     group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
>>>     BIO_free(bio);
>>>     return (group);
>>> }
>>> #endif
>>>
>>> /*
>>>  * Hand out standard DH parameters, based on the authentication strength
>>>  */
>>> DH *SSL_callback_tmp_DH(SSL *ssl, int export, int keylen)
>>> {
>>>     printf("SSL_callback_tmp_DH\n");
>>>     EVP_PKEY *pkey = SSL_get_privatekey(ssl);
>>>     int type = pkey != NULL ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
>>>
>>>     /*
>>>      * OpenSSL will call us with either keylen == 512 or keylen == 1024
>>>      * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
>>>      * Adjust the DH parameter length according to the size of the
>>>      * RSA/DSA private key used for the current connection, and always
>>>      * use at least 1024-bit parameters.
>>>      * Note: This may cause interoperability issues with implementations
>>>      * which limit their DH support to 1024 bit - e.g. Java 7 and earlier.
>>>      * In this case, SSLCertificateFile can be used to specify fixed
>>>      * 1024-bit DH parameters (with the effect that OpenSSL skips this
>>>      * callback).
>>>      */
>>>     if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
>>>         keylen = EVP_PKEY_bits(pkey);
>>>     }
>>>     return SSL_get_dh_params(keylen);
>>> }
>>>
>>> /*
>>>  * Read a file that optionally contains the server certificate in PEM
>>>  * format, possibly followed by a sequence of CA certificates that
>>>  * should be sent to the peer in the SSL Certificate message.
>>>  */
>>> int SSL_CTX_use_certificate_chain(SSL_CTX *ctx, const char *file,
>>>                                   int skipfirst)
>>> {
>>>     printf("SSL_CTX_use_certificate_chain\n");
>>>
>>>     BIO *bio;
>>>     X509 *x509;
>>>     unsigned long err;
>>>     int n;
>>>
>>>     if ((bio = BIO_new(BIO_s_file())) == NULL)
>>>         return -1;
>>>     if (BIO_read_filename(bio, file) <= 0) {
>>>         BIO_free(bio);
>>>         return -1;
>>>     }
>>>     /* optionally skip a leading server certificate */
>>>     if (skipfirst) {
>>>         if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
>>>             BIO_free(bio);
>>>             return -1;
>>>         }
>>>         X509_free(x509);
>>>     }
>>>
>>>     /* free a perhaps already configured extra chain */
>>>     SSL_CTX_clear_extra_chain_certs(ctx);
>>>
>>>     /* create new extra chain by loading the certs */
>>>     n = 0;
>>>     while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
>>>         if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
>>>             X509_free(x509);
>>>             BIO_free(bio);
>>>             return -1;
>>>         }
>>>         n++;
>>>     }
>>>     /* Make sure that the only error is just an EOF */
>>>     if ((err = ERR_peek_error()) > 0) {
>>>         if (!(   ERR_GET_LIB(err) == ERR_LIB_PEM
>>>               && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
>>>             BIO_free(bio);
>>>             return -1;
>>>         }
>>>         while (SSL_ERR_get() > 0) ;
>>>     }
>>>     BIO_free(bio);
>>>     return n;
>>> }
>>>
>>> /*
>>>  * This OpenSSL callback function is called when OpenSSL
>>>  * does client authentication and verifies the certificate chain.
>>>  */
>>>
>>>
>>> int SSL_callback_SSL_verify(int ok, X509_STORE_CTX *ctx)
>>> {
>>>     printf("SSL_callback_SSL_verify\n");
>>>     /* Get Apache context back through OpenSSL context */
>>>     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
>>>                                           SSL_get_ex_data_X509_STORE_CTX_idx());
>>>     tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
>>>     /* Get verify ingredients */
>>>     int errnum   = X509_STORE_CTX_get_error(ctx);
>>>     int errdepth = X509_STORE_CTX_get_error_depth(ctx);
>>>     int verify   = con->ctx->verify_mode;
>>>     int depth    = con->ctx->verify_depth;
>>>
>>> #if defined(SSL_OP_NO_TLSv1_3)
>>>     con->pha_state = PHA_COMPLETE;
>>> #endif
>>>
>>>     if (verify == SSL_CVERIFY_UNSET ||
>>>         verify == SSL_CVERIFY_NONE) {
>>>         return 1;
>>>     }
>>>
>>>     if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
>>>         (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
>>>         ok = 1;
>>>         SSL_set_verify_result(ssl, X509_V_OK);
>>>     }
>>>
>>>     /*
>>>      * Expired certificates vs. "expired" CRLs: by default, OpenSSL
>>>      * turns X509_V_ERR_CRL_HAS_EXPIRED into a "certificate_expired(45)"
>>>      * SSL alert, but that's not really the message we should convey to the
>>>      * peer (at the very least, it's confusing, and in many cases, it's also
>>>      * inaccurate, as the certificate itself may very well not have expired
>>>      * yet). We set the X509_STORE_CTX error to something which OpenSSL's
>>>      * s3_both.c:ssl_verify_alarm_type() maps to SSL_AD_CERTIFICATE_UNKNOWN,
>>>      * i.e. the peer will receive a "certificate_unknown(46)" alert.
>>>      * We do not touch errnum, though, so that later on we will still log
>>>      * the "real" error, as returned by OpenSSL.
>>>      */
>>>     if (!ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED) {
>>>         X509_STORE_CTX_set_error(ctx, -1);
>>>     }
>>>
>>> #ifdef HAVE_OCSP_STAPLING
>>>     /* First perform OCSP validation if possible */
>>>     if (ok) {
>>>         /* If there was an optional verification error, it's not
>>>          * possible to perform OCSP validation since the issuer may be
>>>          * missing/untrusted.  Fail in that case.
>>>          */
>>>         if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum)) {
>>>             X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
>>>             errnum = X509_V_ERR_APPLICATION_VERIFICATION;
>>>             ok = 0;
>>>         }
>>>         else {
>>>             int ocsp_response = ssl_verify_OCSP(ctx);
>>>             if (ocsp_response == OCSP_STATUS_REVOKED) {
>>>                 ok = 0 ;
>>>                 errnum = X509_STORE_CTX_get_error(ctx);
>>>             }
>>>             else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
>>>                 /* TODO: do nothing for time being */
>>>                 ;
>>>             }
>>>         }
>>>     }
>>> #endif
>>>     /*
>>>      * If we already know it's not ok, log the real reason
>>>      */
>>>     if (!ok) {
>>>         /* TODO: Some logging
>>>          * Certificate Verification: Error
>>>          */
>>>         if (con->peer) {
>>>             X509_free(con->peer);
>>>             con->peer = NULL;
>>>         }
>>>     }
>>>     if (errdepth > depth) {
>>>         /* TODO: Some logging
>>>          * Certificate Verification: Certificate Chain too long
>>>          */
>>>         ok = 0;
>>>     }
>>>     return ok;
>>> }
>>>
>>> /*
>>>  * This callback function is executed while OpenSSL processes the SSL
>>>  * handshake and does SSL record layer stuff.  It's used to trap
>>>  * client-initiated renegotiations, and for dumping everything to the
>>>  * log.
>>>  */
>>> void SSL_callback_handshake(const SSL *ssl, int where, int rc)
>>> {
>>>     printf("SSL_callback_handshake\n");
>>>     tcn_ssl_conn_t *con = (tcn_ssl_conn_t *)SSL_get_app_data(ssl);
>>> #ifdef HAVE_TLSV1_3
>>>     const SSL_SESSION *session = SSL_get_session(ssl);
>>> #endif
>>>
>>>     /* Retrieve the conn_rec and the associated SSLConnRec. */
>>>     if (con == NULL) {
>>>         return;
>>>     }
>>>
>>> #ifdef HAVE_TLSV1_3
>>>     /* TLS 1.3 does not use renegotiation so do not update the renegotiation
>>>      * state once we know we are using TLS 1.3. */
>>>     if (session != NULL) {
>>>         if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) {
>>>             return;
>>>         }
>>>     }
>>> #endif
>>>
>>>     /* If the reneg state is to reject renegotiations, check the SSL
>>>      * state machine and move to ABORT if a Client Hello is being
>>>      * read. */
>>>     if ((where & SSL_CB_HANDSHAKE_START) &&
>>>         con->reneg_state == RENEG_REJECT) {
>>>         con->reneg_state = RENEG_ABORT;
>>>     }
>>>     /* If the first handshake is complete, change state to reject any
>>>      * subsequent client-initiated renegotiation. */
>>>     else if ((where & SSL_CB_HANDSHAKE_DONE) && con->reneg_state == RENEG_INIT) {
>>>         con->reneg_state = RENEG_REJECT;
>>>     }
>>> }
>>>
>>> int SSL_callback_next_protos(SSL *ssl, const unsigned char **data,
>>>                              unsigned int *len, void *arg)
>>> {
>>>     printf("SSL_callback_next_protos\n");
>>>     tcn_ssl_ctxt_t *ssl_ctxt = arg;
>>>
>>>     *data = ssl_ctxt->next_proto_data;
>>>     *len = ssl_ctxt->next_proto_len;
>>>
>>>     return SSL_TLSEXT_ERR_OK;
>>> }
>>>
>>> /* The code here is inspired by nghttp2
>>>  *
>>>  * See https://github.com/tatsuhiro-t/nghttp2/blob/ae0100a9abfcf3149b8d9e62aae216e946b517fb/src/shrpx_ssl.cc#L244
>>>  */
>>> int select_next_proto(SSL *ssl, const unsigned char **out, unsigned char *outlen,
>>>         const unsigned char *in, unsigned int inlen, unsigned char *supported_protos,
>>>         unsigned int supported_protos_len, int failure_behavior) {
>>>     printf("select_next_proto\n");
>>>
>>>     unsigned int i = 0;
>>>     unsigned char target_proto_len;
>>>     const unsigned char *p;
>>>     const unsigned char *end;
>>>     const unsigned char *proto;
>>>     unsigned char proto_len = '\0';
>>>
>>>     while (i < supported_protos_len) {
>>>         target_proto_len = *supported_protos;
>>>         ++supported_protos;
>>>
>>>         p = in;
>>>         end = in + inlen;
>>>
>>>         while (p < end) {
>>>             proto_len = *p;
>>>             proto = ++p;
>>>
>>>             if (proto + proto_len <= end && target_proto_len == proto_len &&
>>>                     memcmp(supported_protos, proto, proto_len) == 0) {
>>>
>>>                 // We found a match, so set the output and return with OK!
>>>                 *out = proto;
>>>                 *outlen = proto_len;
>>>
>>>                 return SSL_TLSEXT_ERR_OK;
>>>             }
>>>             // Move on to the next protocol.
>>>             p += proto_len;
>>>         }
>>>
>>>         // increment len and pointers.
>>>         i += target_proto_len;
>>>         supported_protos += target_proto_len;
>>>     }
>>>
>>>     if (supported_protos_len > 0 && inlen > 0 && failure_behavior == SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL) {
>>>         // There was no match, but we just select our last protocol and hope the other peer supports it.
>>>         //
>>>         // decrement the pointer again so the pointer points to the start of the protocol.
>>>         p -= proto_len;
>>>         *out = p;
>>>         *outlen = proto_len;
>>>         return SSL_TLSEXT_ERR_OK;
>>>     }
>>>     // TODO: OpenSSL currently does not support failing with a fatal error. Once this changes we can also support it here.
>>>     //       Issue https://github.com/openssl/openssl/issues/188 has been created for this.
>>>     // Nothing matched, so do not select anything and just accept.
>>>     return SSL_TLSEXT_ERR_NOACK;
>>> }
>>>
>>> int SSL_callback_select_next_proto(SSL *ssl, unsigned char **out, unsigned char *outlen,
>>>         const unsigned char *in, unsigned int inlen,
>>>         void *arg) {
>>>     printf("ssl_callback_select_next_proto\n");
>>>     tcn_ssl_ctxt_t *ssl_ctxt = arg;
>>>     return select_next_proto(ssl, (const unsigned char **) out, outlen, in, inlen, ssl_ctxt->next_proto_data,
>>>             ssl_ctxt->next_proto_len, ssl_ctxt->next_selector_failure_behavior);
>>> }
>>>
>>> int SSL_callback_alpn_select_proto(SSL* ssl, const unsigned char **out, unsigned char *outlen,
>>>         const unsigned char *in, unsigned int inlen, void *arg) {
>>>     tcn_ssl_ctxt_t *ssl_ctxt = arg;
>>>     printf("ssl_callback_alpn_select_proto\n");
>>>     return select_next_proto(ssl, out, outlen, in, inlen, ssl_ctxt->alpn_proto_data, ssl_ctxt->alpn_proto_len,
>>>             ssl_ctxt->alpn_selector_failure_behavior);
>>> }
>>> #ifdef HAVE_OCSP_STAPLING
>>>
>>> /* Function that is used to do the OCSP verification */
>>> static int ssl_verify_OCSP(X509_STORE_CTX *ctx)
>>> {
>>>     printf("ssl_verify_OCSP\n");
>>>
>>>     X509 *cert, *issuer;
>>>     int r = OCSP_STATUS_UNKNOWN;
>>>     printf("Hello, OCSP\n");
>>>     cert = X509_STORE_CTX_get_current_cert(ctx);
>>>
>>>     if (!cert) {
>>>         printf("CERT NOT OK\n");
>>>         /* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
>>>          * may yield NULL. Return early, but leave the ctx error as is. */
>>>         return OCSP_STATUS_UNKNOWN;
>>>     }
>>> #if OPENSSL_VERSION_NUMBER < 0x10100000L
>>>     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
>>> #else
>>>     /* No need to check cert->valid, because ssl_verify_OCSP() only
>>>      * is called if OpenSSL already successfully verified the certificate
>>>      * (parameter "ok" in SSL_callback_SSL_verify() must be true).
>>>      */
>>>     else if (X509_check_issued(cert,cert) == X509_V_OK) {
>>> #endif
>>>         /* don't do OCSP checking for valid self-issued certs */
>>>         X509_STORE_CTX_set_error(ctx, X509_V_OK);
>>>         return OCSP_STATUS_UNKNOWN;
>>>     }
>>>
>>>     /* if we can't get the issuer, we cannot perform OCSP verification */
>>>     issuer = X509_STORE_CTX_get0_current_issuer(ctx);
>>>     if (issuer != NULL) {
>>>         r = ssl_ocsp_request(cert, issuer, ctx);
>>>         switch (r) {
>>>         case OCSP_STATUS_OK:
>>>             X509_STORE_CTX_set_error(ctx, X509_V_OK);
>>>             break;
>>>         case OCSP_STATUS_REVOKED:
>>>             /* we set the error if we know that it is revoked */
>>>             X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
>>>             break;
>>>         case OCSP_STATUS_UNKNOWN:
>>>             /* ssl_ocsp_request() sets the error correctly already. */
>>>             break;
>>>         }
>>>     }
>>>     return r;
>>> }
>>>
>>>
>>> /* Helps with error handling or realloc */
>>> static void *apr_xrealloc(void *buf, size_t oldlen, size_t len, apr_pool_t *p)
>>> {
>>>     printf("apr_xrealloc\n");
>>>     void *newp = apr_palloc(p, len);
>>>
>>>     if(newp)
>>>         memcpy(newp, buf, oldlen);
>>>     return newp;
>>> }
>>>
>>> /* Parses an ASN.1 length.
>>>  * On entry, asn1 points to the current tag.
>>>  * Updates the pointer to the ASN.1 structure to point to the start of the data.
>>>  * Returns 0 on success, 1 on failure.
>>>  */
>>> static int parse_asn1_length(unsigned char **asn1, int *len) {
>>>     printf("parse_asn1_length\n");
>>>     /* Length immediately follows tag so increment before reading first (and
>>>      * possibly only) length byte.
>>>      */
>>>     (*asn1)++;
>>>
>>>     if (**asn1 & 0x80) {
>>>         // MSB set. Remaining bits are number of bytes used to store the length.
>>>         int i, l;
>>>
>>>         // How many bytes for this length?
>>>         i = **asn1 & 0x7F;
>>>
>>>         if (i == 0) {
>>>             /* This is the indefinite form of length. Since certificates use DER
>>>              * this should never happen and is therefore an error.
>>>              */
>>>             return 1;
>>>         }
>>>         if (i > 3) {
>>>             /* Three bytes for length gives a maximum of 16MB which should be
>>>              * far more than is required. (2 bytes is 64K which is probably more
>>>              * than enough but play safe.)
>>>              */
>>>             return 1;
>>>         }
>>>
>>>         // Most significant byte is first
>>>         l = 0;
>>>         while (i > 0) {
>>>             l <<= 8;
>>>             (*asn1)++;
>>>             l += **asn1;
>>>             i--;
>>>         }
>>>         *len = l;
>>>     } else {
>>>         // Single byte length
>>>         *len = **asn1;
>>>     }
>>>
>>>     (*asn1)++;
>>>
>>>     return 0;
>>> }
>>>
>>> /* parses the ocsp url and updates the ocsp_urls and nocsp_urls variables
>>>    returns 0 on success, 1 on failure */
>>> static int parse_ocsp_url(unsigned char *asn1, char ***ocsp_urls,
>>>                           int *nocsp_urls, apr_pool_t *p)
>>> {
>>>     printf("parse_ocsp_url\n");
>>>     char **new_ocsp_urls, *ocsp_url;
>>>     int len, err = 0, new_nocsp_urls;
>>>
>>>     if (*asn1 == ASN1_STRING) {
>>>         err = parse_asn1_length(&asn1, &len);
>>>
>>>         if (!err) {
>>>             new_nocsp_urls = *nocsp_urls+1;
>>>             if ((new_ocsp_urls = apr_xrealloc(*ocsp_urls,*nocsp_urls,
>>>                                               new_nocsp_urls, p)) == NULL)
>>>                 err = 1;
>>>         }
>>>         if (!err) {
>>>             *ocsp_urls = new_ocsp_urls;
>>>             *nocsp_urls = new_nocsp_urls;
>>>             *(*ocsp_urls + *nocsp_urls) = NULL;
>>>             if ((ocsp_url = apr_palloc(p, len + 1)) == NULL) {
>>>                 err = 1;
>>>             }
>>>             else {
>>>                 memcpy(ocsp_url, asn1, len);
>>>                 ocsp_url[len] = '\0';
>>>                 *(*ocsp_urls + *nocsp_urls - 1) = ocsp_url;
>>>             }
>>>         }
>>>     }
>>>     return err;
>>>
>>> }
>>>
>>> /* parses the ASN1 OID and if it is an OCSP OID then calls the
>>>    parse_ocsp_url function */
>>> static int parse_ASN1_OID(unsigned char *asn1, char ***ocsp_urls, int *nocsp_urls, apr_pool_t *p)
>>> {
>>>     printf("PARSE OCSP_OID\n");
>>>     int len, err = 0 ;
>>>     const unsigned char OCSP_OID[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
>>>
>>>     err = parse_asn1_length(&asn1, &len);
>>>
>>>     if (!err && len == 8 && memcmp(asn1, OCSP_OID, 8) == 0) {
>>>         asn1+=len;
>>>         err = parse_ocsp_url(asn1, ocsp_urls, nocsp_urls, p);
>>>     }
>>>     return err;
>>> }
>>>
>>>
>>> /* Parses an ASN1 Sequence. It is a recursive function, since if it finds a sequence
>>>    within the sequence it calls itself recursively. This function stops when it finds
>>>    the end of the ASN1 sequence (marked by '\0'), so if there are other sequences within
>>>    the same sequence the while loop parses the sequences */
>>>
>>> /* This algo was developed with AIA in mind so it was tested only with this extension */
>>> static int parse_ASN1_Sequence(unsigned char *asn1, char ***ocsp_urls,
>>>                                int *nocsp_urls, apr_pool_t *p)
>>> {
>>>     printf("parse_ASN1_Sequence\n");
>>>
>>>     int len = 0 , err = 0;
>>>
>>>     while (!err && *asn1 != '\0') {
>>>         switch(*asn1) {
>>>             case ASN1_SEQUENCE:
>>>                 err = parse_asn1_length(&asn1, &len);
>>>                 if (!err) {
>>>                     err = parse_ASN1_Sequence(asn1, ocsp_urls, nocsp_urls, p);
>>>                 }
>>>             break;
>>>             case ASN1_OID:
>>>                 err = parse_ASN1_OID(asn1,ocsp_urls,nocsp_urls, p);
>>>                 return err;
>>>             break;
>>>             default:
>>>                 err = 1; /* we shouldn't have any errors */
>>>             break;
>>>         }
>>>         asn1+=len;
>>>     }
>>>     return err;
>>> }
>>>
>>> /* the main function that gets the ASN1 encoding string and returns
>>>    a pointer to a NULL terminated "array" of char *, that contains
>>>    the ocsp_urls */
>>> static char **decode_OCSP_url(ASN1_OCTET_STRING *os, apr_pool_t *p)
>>> {
>>>     printf("decode_OCSP_url\n");
>>>
>>>     char **response = NULL;
>>>     unsigned char *ocsp_urls;
>>>     int len, numofresponses = 0 ;
>>>
>>>     len = ASN1_STRING_length(os);
>>>
>>>     ocsp_urls = apr_palloc(p, len + 1);
>>>     memcpy(ocsp_urls,os->data, len);
>>>     ocsp_urls[len] = '\0';
>>>
>>>     if ((response = apr_pcalloc(p, sizeof(char *))) == NULL)
>>>         return NULL;
>>>     if (parse_ASN1_Sequence(ocsp_urls, &response, &numofresponses, p))
>>>         response = NULL;
>>>     return response;
>>> }
>>>
>>>
>>> /* stolen from openssl ocsp command */
>>> static int add_ocsp_cert(OCSP_REQUEST *req, X509 *cert, X509 *issuer)
>>> {
>>>     printf("add_ocsp_cert\n");
>>>     OCSP_CERTID *id;
>>>
>>>     if (!issuer)
>>>         return 0;
>>>     id = OCSP_cert_to_id(NULL, cert, issuer);
>>>     if (!id)
>>>         return 0;
>>>     if (!OCSP_request_add0_id(req, id)) {
>>>         OCSP_CERTID_free(id);
>>>         return 0;
>>>     } else {
>>>         /* id will be freed by OCSP_REQUEST_free() */
>>>         return 1;
>>>     }
>>> }
>>>
>>>
>>> /* Creates the APR socket and connects to the hostname. Returns the
>>>    socket or NULL if there is an error.
>>> */
>>> static apr_socket_t *make_socket(char *hostname, int port, apr_pool_t *mp)
>>> {
>>>     printf("*make_socket\n");
>>>     apr_sockaddr_t *sa_in;
>>>     apr_status_t status;
>>>     apr_socket_t *sock = NULL;
>>>
>>>
>>>     status = apr_sockaddr_info_get(&sa_in, hostname, APR_INET, port, 0, mp);
>>>
>>>     if (status == APR_SUCCESS)
>>>         status = apr_socket_create(&sock, sa_in->family, SOCK_STREAM, APR_PROTO_TCP, mp);
>>>     if (status == APR_SUCCESS)
>>>         status = apr_socket_connect(sock, sa_in);
>>>
>>>     if (status == APR_SUCCESS)
>>>         return sock;
>>>     return NULL;
>>> }
>>>
>>>
>>> /* Creates the request in a memory BIO in order to send it to the OCSP server.
>>>    Most parts of this function are taken from mod_ssl support for OCSP (with some
>>>    minor modifications)
>>> */
>>> static BIO *serialize_request(OCSP_REQUEST *req, char *host, int port, char *path)
>>> {
>>>     printf("serialize_request\n");
>>>     BIO *bio;
>>>     int len;
>>>
>>>     len = i2d_OCSP_REQUEST(req, NULL);
>>>
>>>     bio = BIO_new(BIO_s_mem());
>>>
>>>     BIO_printf(bio, "POST %s HTTP/1.0\r\n"
>>>                "Host: %s:%d\r\n"
>>>                "Content-Type: application/ocsp-request\r\n"
>>>                "Content-Length: %d\r\n"
>>>                "\r\n",
>>>                path, host, port, len);
>>>
>>>     if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
>>>         BIO_free(bio);
>>>         return NULL;
>>>     }
>>>
>>>     return bio;
>>> }
>>>
>>>
>>> /* Send the OCSP request to the OCSP server. Taken from mod_ssl OCSP support */
>>> static int ocsp_send_req(apr_socket_t *sock, BIO *req)
>>> {
>>>     printf("ocsp_send_req\n");
>>>     int len;
>>>     char buf[TCN_BUFFER_SZ];
>>>     apr_status_t rv;
>>>
>>>     while ((len = BIO_read(req, buf, sizeof buf)) > 0) {
>>>         char *wbuf = buf;
>>>         apr_size_t remain = len;
>>>
>>>         do {
>>>             apr_size_t wlen = remain;
>>>             rv = apr_socket_send(sock, wbuf, &wlen);
>>>             /* apr_socket_send() may send fewer bytes than asked for, so advance
>>>              * the write pointer by what was actually sent, not by remain */
>>>             wbuf += wlen;
>>>             remain -= wlen;
>>>         } while (rv == APR_SUCCESS && remain > 0);
>>>
>>>         if (rv != APR_SUCCESS) {
>>>             return 0;
>>>         }
>>>     }
>>>
>>>     return 1;
>>> }
>>>
>>>
>>>
>>> /* Parses the buffer from the response and extracts the OCSP response.
>>>    Taken from openssl library */
>>> static OCSP_RESPONSE *parse_ocsp_resp(char *buf, int len)
>>> {
>>>     printf("parse_ocsp_resp\n");
>>>     BIO *mem = NULL;
>>>     char tmpbuf[1024];
>>>     OCSP_RESPONSE *resp = NULL;
>>>     char *p, *q, *r;
>>>     int retcode;
>>>
>>>     mem = BIO_new(BIO_s_mem());
>>>     if(mem == NULL)
>>>         return NULL;
>>>
>>>     BIO_write(mem, buf, len);  /* write the buffer to the bio */
>>>     if (BIO_gets(mem, tmpbuf, 512) <= 0) {
>>> #if OPENSSL_VERSION_NUMBER < 0x10100000L
>>>         OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
>>> #endif
>>>         goto err;
>>>     }
>>>     /* Parse the HTTP response. This will look like this:
>>>      * "HTTP/1.0 200 OK". We need to obtain the numeric code and
>>>      * (optional) informational message.
>>>      */
>>>
>>>     /* Skip to first white space (passed protocol info) */
>>>     for (p = tmpbuf; *p && !apr_isspace(*p); p++)
>>>         continue;
>>>     if (!*p) {
>>>         goto err;
>>>     }
>>>     /* Skip past white space to start of response code */
>>>     while (apr_isspace(*p))
>>>         p++;
>>>     if (!*p) {
>>>         goto err;
>>>     }
>>>     /* Find end of response code: first whitespace after start of code */
>>>     for (q = p; *q && !apr_isspace(*q); q++)
>>>         continue;
>>>     if (!*q) {
>>>         goto err;
>>>     }
>>>     /* Set end of response code and start of message */
>>>     *q++ = 0;
>>>     /* Attempt to parse numeric code */
>>>     retcode = strtoul(p, &r, 10);
>>>     if (*r)
>>>         goto err;
>>>     /* Skip over any leading white space in message */
>>>     while (apr_isspace(*q))
>>>         q++;
>>>     if (*q) {
>>>         /* Finally zap any trailing white space in message (include CRLF) */
>>>         /* We know q has a non white space character so this is OK */
>>>         for(r = q + strlen(q) - 1; apr_isspace(*r); r--) *r = 0;
>>>     }
>>>     if (retcode != 200) {
>>>         goto err;
>>>     }
>>>     /* Find blank line marking beginning of content */
>>>     while (BIO_gets(mem, tmpbuf, 512) > 0) {
>>>         for (p = tmpbuf; apr_isspace(*p); p++)
>>>             continue;
>>>         if (!*p)
>>>             break;
>>>     }
>>>     if (*p) {
>>>         goto err;
>>>     }
>>>     if (!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) {
>>>         goto err;
>>>     }
>>> err:
>>>     /* XXX No error logging? */
>>>     BIO_free(mem);
>>>     return resp;
>>> }
>>>
>>>
>>> /* Reads the response from the APR socket to a buffer, and parses the buffer to
>>>    return the OCSP response */
>>> #define ADDLEN 512
>>> static OCSP_RESPONSE *ocsp_get_resp(apr_pool_t *mp, apr_socket_t *sock)
>>> {
>>>     printf("ocsp_get_resp\n");
>>>     int buflen;
>>>     apr_size_t totalread = 0;
>>>     apr_size_t readlen;
>>>     char *buf, tmpbuf[ADDLEN];
>>>     apr_status_t rv = APR_SUCCESS;
>>>     apr_pool_t *p;
>>>     OCSP_RESPONSE *resp;
>>>
>>>     apr_pool_create(&p, mp);
>>>     buflen = ADDLEN;
>>>     buf = apr_palloc(p, buflen);
>>>     if (buf == NULL) {
>>>         apr_pool_destroy(p);
>>>         return NULL;
>>>     }
>>>
>>>     while (rv == APR_SUCCESS ) {
>>>         readlen = sizeof(tmpbuf);
>>>         rv = apr_socket_recv(sock, tmpbuf, &readlen);
>>>         if (rv == APR_SUCCESS) { /* if we have read something .. we can put it in the buffer*/
>>>             if ((totalread + readlen) >= buflen) {
>>>                 buf = apr_xrealloc(buf, buflen, buflen + ADDLEN, p);
>>>                 if (buf == NULL) {
>>>                     apr_pool_destroy(p);
>>>                     return NULL;
>>>                 }
>>>                 buflen += ADDLEN; /* if needed we enlarge the buffer */
>>>             }
>>>             memcpy(buf + totalread, tmpbuf, readlen); /* the copy to the buffer */
>>>             totalread += readlen; /* update the total bytes read */
>>>         }
>>>         else {
>>>             if (rv == APR_EOF && readlen == 0)
>>>                 ; /* EOF, normal situation */
>>>             else if (readlen == 0) {
>>>                 /* Not success, and readlen == 0 .. some error */
>>>                 apr_pool_destroy(p);
>>>                 return NULL;
>>>             }
>>>         }
>>>     }
>>>
>>>     /* parse only the bytes actually received, not the whole (partly unused) buffer */
>>>     resp = parse_ocsp_resp(buf, (int)totalread);
>>>     apr_pool_destroy(p);
>>>     return resp;
>>> }
>>>
>>> /* Creates an OCSP request and returns the OCSP_RESPONSE */
>>> static OCSP_RESPONSE *get_ocsp_response(apr_pool_t *p, X509 *cert, X509 *issuer, char *url)
>>> {
>>>     printf("get_ocsp_response\n");
>>>     OCSP_RESPONSE *ocsp_resp = NULL;
>>>     OCSP_REQUEST *ocsp_req = NULL;
>>>     BIO *bio_req;
>>>     char *hostname, *path, *c_port;
>>>     int port, use_ssl;
>>>     int ok = 0;
>>>     apr_socket_t *apr_sock = NULL;
>>>     apr_pool_t *mp;
>>>
>>>     if (OCSP_parse_url(url,&hostname, &c_port, &path, &use_ssl) == 0 )
>>>         goto end;
>>>
>>>     if (sscanf(c_port, "%d", &port) != 1)
>>>         goto end;
>>>
>>>     /* Create the OCSP request */
>>>     ocsp_req = OCSP_REQUEST_new();
>>>     if (ocsp_req == NULL)
>>>         goto end;
>>>
>>>     if (add_ocsp_cert(ocsp_req,cert,issuer) == 0 )
>>>         goto free_req;
>>>
>>>     /* create the BIO with the request to send */
>>>     bio_req = serialize_request(ocsp_req, hostname, port, path);
>>>     if (bio_req == NULL) {
>>>         goto free_req;
>>>     }
>>>
>>>     apr_pool_create(&mp, p);
>>>     apr_sock = make_socket(hostname, port, mp);
>>>     if (apr_sock == NULL) {
>>>         goto free_bio;
>>>     }
>>>
>>>     ok = ocsp_send_req(apr_sock, bio_req);
>>>     if (ok) {
>>>         ocsp_resp = ocsp_get_resp(mp, apr_sock);
>>>     }
>>>     apr_socket_close(apr_sock);
>>>
>>> free_bio:
>>>     BIO_free(bio_req);
>>>     apr_pool_destroy(mp);
>>>
>>> free_req:
>>>     OCSP_REQUEST_free(ocsp_req);
>>>
>>> end:
>>>     OPENSSL_free(hostname);
>>>     OPENSSL_free(c_port);
>>>     OPENSSL_free(path);
>>>
>>>     return ocsp_resp;
>>> }
>>>
>>> /* Process the OCSP_RESPONSE and returns the corresponding
>>>    answer according to the status.
>>>  */
>>> static int process_ocsp_response(OCSP_RESPONSE *ocsp_resp, X509 *cert, X509 *issuer)
>>> {
>>>     printf("process_ocsp_response\n");
>>>     int r, o = V_OCSP_CERTSTATUS_UNKNOWN, i;
>>>     OCSP_BASICRESP *bs;
>>>     OCSP_SINGLERESP *ss;
>>>     OCSP_CERTID *certid;
>>>
>>>     r = OCSP_response_status(ocsp_resp);
>>>
>>>     if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
>>>         return OCSP_STATUS_UNKNOWN;
>>>     }
>>>     bs = OCSP_response_get1_basic(ocsp_resp);
>>>
>>>     certid = OCSP_cert_to_id(NULL, cert, issuer);
>>>     if (certid == NULL) {
>>>         return OCSP_STATUS_UNKNOWN;
>>>     }
>>>     ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial number and get the matching response */
>>>
>>>
>>>     i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
>>>     if (i == V_OCSP_CERTSTATUS_GOOD)
>>>         o = OCSP_STATUS_OK;
>>>     else if (i == V_OCSP_CERTSTATUS_REVOKED)
>>>         o = OCSP_STATUS_REVOKED;
>>>     else if (i == V_OCSP_CERTSTATUS_UNKNOWN)
>>>         o = OCSP_STATUS_UNKNOWN;
>>>
>>>     /* we clean up */
>>>     OCSP_CERTID_free(certid);
>>>     OCSP_BASICRESP_free(bs);
>>>     return o;
>>> }
>>>
>>> static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx)
>>> {
>>>     printf("ssl_ocsp_request\n");
>>>     char **ocsp_urls = NULL;
>>>     int nid;
>>>     X509_EXTENSION *ext;
>>>     ASN1_OCTET_STRING *os;
>>>     apr_pool_t *p;
>>>
>>>     apr_pool_create(&p, NULL);
>>>
>>>     /* Get the proper extension */
>>>     nid = X509_get_ext_by_NID(cert,NID_info_access,-1);
>>>     if (nid >= 0 ) {
>>>         ext = X509_get_ext(cert,nid);
>>>         os = X509_EXTENSION_get_data(ext);
>>>
>>>         ocsp_urls = decode_OCSP_url(os, p);
>>>     }
>>>     printf("OCSP request\n");
>>>
>>>     /* if we find the extension and we can parse it, check
>>>        the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
>>>     if (ocsp_urls != NULL) {
>>>         printf("ocsp url not null\n");
>>>         OCSP_RESPONSE *resp;
>>>         int rv = OCSP_STATUS_UNKNOWN;
>>>         /* for the time being just check for the first response ..
a >>> better >>> approach is to iterate for all the possible ocsp urls */ >>> resp = get_ocsp_response(p, cert, issuer, ocsp_urls[0]); >>> if (resp != NULL) { >>> rv = process_ocsp_response(resp, cert, issuer); >>> } else { >>> /* correct error code for application errors? */ >>> X509_STORE_CTX_set_error(ctx, >>> X509_V_ERR_APPLICATION_VERIFICATION); >>> } >>> >>> if (resp != NULL) { >>> OCSP_RESPONSE_free(resp); >>> apr_pool_destroy(p); >>> return rv; >>> } >>> } >>> apr_pool_destroy(p); >>> return OCSP_STATUS_UNKNOWN; >>> } >>> >>> #endif /* HAVE_OCSP_STAPLING */ >>> #endif /* HAVE_OPENSSL */ >>> >>> >>> >>> >>> -----------------------------------------tomcat log >>> 27-May-2019 14:15:59.727 INFO [main] >>> org.apache.catalina.startup.Catalina.start Server startup in 31619 ms >>> SSL_init_app_data_idx >>> Hi OCSP >>> ssl_set_app_data3 >>> ssl_set_app_data4 >>> ssl_set_app_data2 >>> ssl_get_app_data3 >>> ssl_get_app_data4 >>> ssl_get_app_data4 >>> SSL_dh_GetParamFromFile >>> SSL_ec_GetParamFromFile >>> SSL_CTX_use_certificate_chain >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> ssl_set_app_data2 >>> SSL_callback_handshake >>> SSL_callback_handshake >>> SSL_callback_handshake >>> 
>>>
>>> ________________________________
>>> From: Усманов Азат Анварович <usma...@ieml.ru>
>>> Sent: 24 May 2019 7:21
>>> To: Tomcat Users List
>>> Subject: Re: OCSP with openSSL
>>>
>>> Chris,
>>> Yes the version is the same in
>>> /usr/local/openssl/bin/openssl as well.
>>> It is the same version Tomcat uses, I get this info in the logs
>>>
>>> 23-May-2019 12:55:42.145 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1a 20 Nov 2018]
>>> ________________________________
>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>> Sent: 23 May 2019 18:04:29
>>> To: Усманов Азат Анварович
>>> Subject: Re: OCSP with openSSL
>>>
>>> Азат,
>>>
>>> On 5/22/19 14:02, Усманов Азат Анварович wrote:
>>>> [root] ~# openssl version
>>>> OpenSSL 1.1.1a 20 Nov 2018
>>>
>>> Great. Is this also the same version in /usr/local/openssl/bin/openssl?
>>>
>>>> [root] ~# openssl ocsp -help
>>>> Usage: ocsp [options]
>>>
>>> Excellent.
>>>
>>> When you launch Tomcat, are you getting a message about the version of
>>> OpenSSL in use, and does it agree with above?
>>>
>>> AFAIK, OCSP is enabled by default in libtcnative. There were some posts
>>> a few months/years ago about someone trying to get it to work, and
>>> having to edit the JVM's security.properties file and all kinds of weird
>>> stuff.
>>> I must admit it didn't make any sense to me at the time. I'm
>>> sorry, but I don't personally have any experience with dealing with
>>> OCSP, but hopefully this additional information will give someone else
>>> some good info.
>>>
>>> -chris
>>>
>>>> ________________________________
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: 22 May 2019 19:45
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: OCSP with openSSL
>>>>
>>>> Усманов,
>>>>
>>>> On 5/22/19 07:28, Усманов Азат Анварович wrote:
>>>>> Mark, I installed it just by downloading tcnative src tar.gz
>>>>> file from tomcat website and issued ./configure
>>>>> --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79
>>>>> -with-ssl=/usr/local/openssl && make && make install && make clean
>>>>> I'm not sure how to specify any ocsp related configure options
>>>>> when building tomcat native from source
>>>>
>>>> What is your OpenSSL version and capabilities?
>>>>
>>>> $ openssl version
>>>>
>>>> $ openssl -help
>>>>
>>>> $ openssl ocsp -help
>>>>
>>>> -chris
>>>>
>>>>> ________________________________
>>>>> From: Mark Thomas <ma...@apache.org>
>>>>> Sent: 22 May 2019 13:41
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: OCSP with openSSL
>>>>
>>>>> On 22/05/2019 11:28, Усманов Азат Анварович wrote:
>>>>>> Hi everyone! I have a web app running on tomcat and java 7 using
>>>>>> apr for TLS related issues. I'm still unable to have OCSP
>>>>>> verification working with tomcat.
>>>>
>>>>> <snip/>
>>>>
>>>>>> I have tried running tcpdump on the server but don't see any
>>>>>> Comodo related IP addresses in the output when I access the
>>>>>> server in question in the browser. At this point I don't know
>>>>>> what else to do. If it was java I would just put some
>>>>>> System.out.println statements in OCSP SSL related source code and
>>>>>> recompile the tomcat source, but since in my case tomcat uses
>>>>>> OpenSSL and tomcat native I'm not sure how/where to do that.
>>>>>> The
>>>>>> only place I found in the TC-native source that mentions OCSP
>>>>>> is the sslutils.c source file. I'm not sure when/if it
>>>>>> actually gets called in my case. Maybe someone with more C/C++
>>>>>> experience could help me with that. I really want to get to the bottom
>>>>>> of this. Any help is appreciated. My tomcat version is 8.5.39 APR
>>>>>> based Apache Tomcat Native library [1.2.21] using APR version
>>>>>> [1.6.5]. Openssl version is [OpenSSL 1.1.1a 20 Nov 2018] OS:
>>>>>> Linux RHEL 6.6
>>>>
>>>>> How did you build the Tomcat Native library? Was OCSP enabled?
>>>>
>>>>> Mark
>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
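A defender-side check for the behaviour Усманов was testing with `openssl s_client -status`, added here as an example and not code from the thread or from Tomcat/tcnative: it classifies the stapling result from an s_client transcript, so the same check can be run against a JSSE connector and an OpenSSL connector and compared. The function names, `example.test` and both sample transcripts are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat/tcnative: classify what
# `openssl s_client -status` reported about OCSP stapling. Reads an s_client
# transcript on stdin and prints one of:
#   no-staple, staple-error, stapled-good, stapled-revoked, stapled-unknown
ocsp_staple_status() {
  transcript=$(cat)
  # OpenSSL prints this exact line when the server sent no status_request reply.
  if printf '%s\n' "$transcript" | grep -q '^OCSP response: no response sent'; then
    echo no-staple
    return 0
  fi
  # A staple was sent but the responder did not answer "successful".
  if ! printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
    echo staple-error
    return 0
  fi
  cert_status=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
  case "$cert_status" in
    good)    echo stapled-good ;;
    revoked) echo stapled-revoked ;;
    *)       echo stapled-unknown ;;
  esac
}

# Live probe of a server (needs network, so it is not exercised here).
# -servername matters: the staple belongs to the certificate selected by SNI.
probe_ocsp_staple() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
    | ocsp_staple_status
}

# Constructed transcripts in the shape of OpenSSL 1.1.1 `s_client -status`
# output; not captured from any real host.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'

SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: May 23 12:00:00 2019 GMT
    Next Update: May 30 12:00:00 2019 GMT
======================================'
```

Running `probe_ocsp_staple host 8443` against the APR connector and the same host's JSSE connector side by side shows directly which one is stapling and which one answers `no-staple`.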