Thanks. Is that setup using a CRL instead of OCSP?
________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Friday, June 21, 2019 8:44 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 21/06/2019 16:31, Michael Magnuson wrote:
> Hmm. It's still not working at all for me. Can you post your SSL connector
> configuration?

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  <SSLHostConfig certificateVerification="required"
                 caCertificateFile="conf/ca-rsa-cert.pem"
                 certificateRevocationListFile="conf/crl.pem">
    <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                 certificateFile="conf/localhost-rsa-cert.pem"
                 certificateChainFile="conf/localhost-rsa-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

Mark

>
> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, June 20, 2019 11:36 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 20/06/2019 18:50, Mark Thomas wrote:
>> On 20/06/2019 18:27, Michael Magnuson wrote:
>>> Thanks Mark. A couple clarifications on your example first. You don't
>>> list the clientAuth= attribute. I assume this was a simple oversight.
>>
>> It is replaced by certificateVerification="required"
>>
>>> You list the SSLEnabled="true" attribute twice. Should one of these be
>>> secure="true"?
>>
>> It should.
>>
>>> For the certificateVerification= attribute, is the correct syntax
>>> "require" or "required"?
>>
>> "required"
>>
>> Setting up an OCSP responder locally is next on my TODO list. I'll
>> report back with the results.
>
> Works as expected.
>
> Mark
>
>>
>> Mark
>>
>>>
>>> Thanks,
>>> Mike
>>>
>>> ________________________________
>>> From: Mark Thomas <ma...@apache.org>
>>> Sent: Thursday, June 20, 2019 10:00 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>
>>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>>> Mark,
>>>>
>>>> Thank you for your replies and help.
>>>>
>>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>>
>>> Let's assume it has been. I think that is a safe assumption for now.
>>>
>>>> Removing the <Certificate/> element had no negative effect. I originally
>>>> put it in there following this guide:
>>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>>
>>> Hmm. We might need to revisit that. It looks "odd".
>>>
>>>> Without the trustStore attributes, it prompts for the smart card PIN and
>>>> you can select the cert you want to use, but then it doesn't do anything
>>>> from there. With those attributes present, Tomcat serves up the expected
>>>> page after PIN+cert.
>>>
>>> Interesting. That suggests Tomcat is using the trustStore to validate
>>> the client certs.
>>>
>>> I've looked at this again and the config is more mixed up than I first
>>> realised. Let's get that fixed first.
>>>
>>>> Changing clientAuth to "required" from "want" has no effect either way.
>>>
>>> OK. Let's leave it on required for now since that takes one variable out
>>> of the equation.
>>>
>>> Back to the config. I'm going to try and convert everything to the new
>>> style format.
>>>
>>> <Connector port="8443"
>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>            maxThreads="150"
>>>            SSLEnabled="true"
>>>            scheme="https"
>>>            SSLEnabled="true" >
>>>   <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>>>                  certificateVerification="required"
>>>                  caCertificateFile="path_to_ca_file">
>>>     <Certificate certificateFile="path_to_server.crt"
>>>                  certificateKeyFile="path_to_server.key"
>>>                  certificateKeyPassword="password"
>>>                  certificateChainFile="path_to_chain" />
>>>   </SSLHostConfig>
>>> </Connector>
>>>
>>> I have removed settings that are the same as the defaults.
>>> SSLCertificateChainFile isn't a recognised attribute.
>>>
>>> I opted for the OpenSSL style store for trusted CA certs. That probably
>>> means you need to export the trusted certs from your trustStoreFile to a
>>> PEM encoded file for caCertificateFile.
>>>
>>> For the purposes of the test, you only need to export the cert that
>>> issued the cert used by the client.
>>>
>>> I'm wondering if the slightly odd trust store config was causing
>>> problems. We really need more logging in Tomcat Native to figure that
>>> sort of thing out.
>>>
>>> I also think I need to get OCSP working with client certs locally so I
>>> can test it as well. I'll add that to my TODO list.
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
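A pre-restart check for the connector Mark posted above, added here as an example (not code from the thread or from Tomcat): it parses a `<Connector>` snippet with the standard library and flags the points the thread raised, namely a repeated `SSLEnabled` attribute, old-style attributes left on the Connector, `certificateVerification` not set to "required", and no CA store or CRL on the `SSLHostConfig`. The `CONNECTOR` sample is constructed to mirror Mark's final config; `caCertificatePath` and `certificateRevocationListPath` are Tomcat's directory-based alternatives to the file attributes used in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the final <Connector> Mark posted above.
CONNECTOR = """<Connector port="8443" maxThreads="150" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11AprProtocol">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  <SSLHostConfig certificateVerification="required"
                 caCertificateFile="conf/ca-rsa-cert.pem"
                 certificateRevocationListFile="conf/crl.pem">
    <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                 certificateFile="conf/localhost-rsa-cert.pem"
                 certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA"/>
  </SSLHostConfig>
</Connector>"""

# Old-style Connector attributes; the thread moves these into SSLHostConfig.
LEGACY = {"clientAuth": 'SSLHostConfig certificateVerification="required"',
          "SSLCertificateChainFile": "Certificate certificateChainFile"}

def lint_connector(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        conn = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A repeated attribute (SSLEnabled given twice) is rejected here.
        return ["not well-formed XML: %s" % exc]
    findings = []
    if conn.get("SSLEnabled") != "true":
        findings.append('Connector: SSLEnabled="true" is missing')
    for old, new in LEGACY.items():
        if old in conn.attrib:
            findings.append("Connector: %s is old style, use %s" % (old, new))
    hosts = conn.findall("SSLHostConfig")
    if not hosts:
        findings.append("Connector: no <SSLHostConfig> element")
    for h in hosts:
        verify = h.get("certificateVerification", "none")
        if verify != "required":
            findings.append("SSLHostConfig: certificateVerification=%r, "
                            "client certificates are not required" % verify)
        if not (h.get("caCertificateFile") or h.get("caCertificatePath")):
            findings.append("SSLHostConfig: no CA store to verify client certs")
        if not (h.get("certificateRevocationListFile")
                or h.get("certificateRevocationListPath")):
            findings.append("SSLHostConfig: no CRL, revoked client certs pass")
        for c in h.findall("Certificate"):
            for attr in ("certificateFile", "certificateKeyFile"):
                if not c.get(attr):
                    findings.append("Certificate: %s is missing" % attr)
    return findings
```

Run `lint_connector` on the `<Connector>` element copied out of server.xml; the duplicated `SSLEnabled` from the earlier draft fails the parse step before any attribute check runs.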