On 20/06/2019 16:19, Michael Magnuson wrote:
> Mark,
>
> Tomcat version 8.5.41 and TCNative version 1.2.21.

There is an OCSP related bug in 1.2.21 but that should not affect you since the client certs have a responder URL. 8.5.41 isn't the latest but there aren't any OCSP related changes in 8.5.42 or any known bugs I can think of so you should be OK there as well.

I'm assuming that Tomcat Native was built with OCSP support. That is the default on Linux and I can't think of a good reason why it would be explicitly disabled.

<snip/>

>> My connector configuration is as follows:
>>
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="150" SSLEnabled="true"
>>            scheme="https" SSLEnabled="true"
>>            SSLCertificateFile="path_to_server.crt"
>>            SSLCertificateKeyFile="path_to_server.key"
>>            SSLPassword="password"
>>            SSLCertificateChainFile="path_to_chain"
>>            SSLProtocol="TLSv1.1+TLSv1.2"
>>            clientAuth="want" trustStoreFile="path_to_truststore"
>>            trustStorePass="password"
>>            caCertificateFile="path_to_ca_file"
>>            certificateVerification="require"
>>            certificateVerificationDepth="10" >
>>   <Certificate
>>       certificateFile="path_to_OCSP_signing_cert"
>>       certificateKeyFile="path_to_OCSP_public_key" />
>> </Connector>

That is a mix of deprecated 8.0.x style config and incorrect (you can't nest a <Certificate.../> directly inside a <Connector.../>) 8.5.x onwards style configuration. There also appears to be a few JSSE attributes (trustStore*) amongst a lot of OpenSSL attributes. I'm surprised there isn't something in the logs complaining about the configuration.

I'm not sure what the <Certificate .../> element is meant to be configuring. Can you elaborate?

I'd first suggest:
- remove the <Certificate .../> element
- remove the trustStore* attributes
- re-test to ensure everything works as it did before those changes

Next I'd confirm that CLIENT-CERT is working as intended. The simplest way is probably to set clientAuth="required" temporarily and make sure that a) you are prompted for a cert and b) you can see the expected page from Tomcat when you provide one.

If all that is working and still OCSP is not working then I don't have any more ideas at this point.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
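As an added illustration (this is not Michael's configuration nor a snippet from Mark's reply), the following shows the 8.5.x-onwards layout that the reply refers to: OpenSSL-style attributes only, no JSSE trustStore* attributes, and the <Certificate .../> element nested inside <SSLHostConfig .../> rather than directly inside <Connector .../>. certificateVerification is set to "required" so it doubles as the temporary "must present a client cert" test Mark describes; drop back to "optional" once the prompt and the expected page have been confirmed. All file paths and the password are placeholders.

```xml
<!-- Added example of an 8.5.x-style APR/OpenSSL connector with client
     certificate verification. Placeholders: every path and the password. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true">

    <!-- One SSLHostConfig per virtual host; the default host is used
         when no hostName is given. The CA file is what the client
         certificate chain is verified against. -->
    <SSLHostConfig protocols="TLSv1.1+TLSv1.2"
                   caCertificateFile="/path/to/ca-bundle.pem"
                   certificateVerification="required"
                   certificateVerificationDepth="10">

        <!-- The server's own certificate. Client-side OCSP material does
             not belong here; this element only ever describes the
             certificate Tomcat presents to the client. -->
        <Certificate certificateFile="/path/to/server.crt"
                     certificateKeyFile="/path/to/server.key"
                     certificateChainFile="/path/to/chain.pem"
                     certificateKeyPassword="CHANGE_ME" />
    </SSLHostConfig>
</Connector>
```

With this layout there is no separate OCSP attribute to set: when Tomcat Native was built with OCSP support, the OpenSSL engine performs the OCSP check against the responder URL carried in the client certificate's AIA extension as part of the certificate verification, which is why the reply stresses that the client certs must contain a responder URL. If the original mixed configuration is kept instead, the JSSE trustStore* attributes are simply ignored by the APR connector, so the truststore never takes part in verification.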