On 20/06/2019 18:27, Michael Magnuson wrote:
> Thanks Mark. A couple clarifications on your example first. You don't list
> the clientAuth= attribute. I assume this was a simple oversight.

It is replaced by certificateVerification="required"

> You list the SSLEnabled="true" attribute twice. Should one of these be
> secure="true"?

It should.

> For the certificateVerification= attribute, is the correct syntax "require"
> or "required"?

"required"

Setting up an OCSP responder locally is next on my TODO list. I'll report
back with the results.

Mark

>
> Thanks,
> Mike
>
>
> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, June 20, 2019 10:00 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 20/06/2019 17:24, Michael Magnuson wrote:
>> Mark,
>>
>> Thank you for your replies and help.
>>
>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>
> Let's assume it has been. I think that is a safe assumption for now.
>
>> Removing the <Certificate/> element had no negative effect. I originally
>> put it in there following this guide:
>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>
> Hmm. We might need to revisit that. It looks "odd".
>
>> Without the trustStore attributes, it prompts for the smart card PIN and you
>> can select the cert you want to use, but then it doesn't do anything from
>> there. With those attributes present, Tomcat serves up the expected page
>> after PIN+cert.
>
> Interesting. That suggests Tomcat is using the trustStore to validate
> the client certs.
>
> I've looked at this again and the config is more mixed up than I first
> realised. Let's get that fixed first.
>
>> Changing clientAuth to "required" from "want" has no effect either way.
>
> OK. Let's leave it on required for now since that takes one variable out
> of the equation.
>
> Back to the config. I'm going to try and convert everything to the new
> style format.
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150"
>            SSLEnabled="true"
>            scheme="https"
>            SSLEnabled="true">
>   <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>                  certificateVerification="required"
>                  caCertificateFile="path_to_ca_file">
>     <Certificate certificateFile="path_to_server.crt"
>                  certificateKeyFile="path_to_server.key"
>                  certificateKeyPassword="password"
>                  certificateChainFile="path_to_chain" />
>   </SSLHostConfig>
> </Connector>
>
> I have removed settings that are the same as the defaults.
> SSLCertificateChainFile isn't a recognised attribute.
>
> I opted for the OpenSSL style store for trusted CA certs. That probably
> means you need to export the trusted certs from your trustStoreFile to a
> PEM encoded file for caCertificateFile.
>
> For the purposes of the test, you only need to export the cert that
> issued the cert used by the client.
>
> I'm wondering if the slightly odd trust store config was causing
> problems. We really need more logging in Tomcat Native to figure that
> sort of thing out.
>
> I also think I need to get OCSP working with client certs locally so I
> can test it as well. I'll add that to my TODO list.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
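For reference, the connector as the corrections in this thread imply, written out as an added example (it is not a config posted in the thread and not taken from the Tomcat docs): the second SSLEnabled becomes secure="true", clientAuth on the Connector is dropped in favour of certificateVerification on SSLHostConfig, and the trust anchor is a PEM file rather than a JKS trust store. All paths and the key password are placeholders. Two choices are mine, not the thread's: the protocol list uses the SSLHostConfig attribute `protocols` (the attribute Tomcat 8.5 uses for the enabled protocol list; the thread's snippet says sslProtocol) and is narrowed to TLSv1.2 instead of TLSv1.1+TLSv1.2.

```xml
<!-- Added example: the corrected connector implied by the thread.
     Paths and "changeit" are placeholders, not values from the thread. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true">
  <!-- Client certificate verification moves from clientAuth="..." on the
       Connector to certificateVerification="..." on SSLHostConfig.
       "required" rejects the handshake unless the client presents a
       certificate that chains to a CA in caCertificateFile. -->
  <SSLHostConfig protocols="TLSv1.2"
                 certificateVerification="required"
                 caCertificateFile="/etc/tomcat/ssl/client-ca.pem">
    <!-- caCertificateFile must be PEM. To get the issuing CA out of the
         JKS trust store the old style config pointed at:
           keytool -exportcert -rfc -alias <ca-alias> \
                   -keystore truststore.jks -file /etc/tomcat/ssl/client-ca.pem
         Concatenate several exports into one file if more than one CA
         issues client certificates. -->
    <Certificate certificateFile="/etc/tomcat/ssl/server.crt"
                 certificateKeyFile="/etc/tomcat/ssl/server.key"
                 certificateKeyPassword="changeit"
                 certificateChainFile="/etc/tomcat/ssl/chain.pem" />
  </SSLHostConfig>
</Connector>
```

A quick check that the trust anchor is wired correctly, before bringing a smart card into it: `openssl s_client -connect host:8443 -cert client.pem -key client.key` should complete the handshake with a certificate issued by the CA in client-ca.pem, and the same command without `-cert`/`-key` should be rejected because of certificateVerification="required". If both succeed, the server is not verifying client certificates at all.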