Mark, are you defining your server SSL certificate someplace else, other than 
within the connector in server.xml?  From your example connector config, I'm 
not seeing it defined.

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Monday, June 24, 2019 1:54 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 21/06/2019 17:12, Michael Magnuson wrote:
>
>
> Can I point certificateRevocationListFile= to an empty file so it always 
> reverts to OCSP?

Just don't specify it at all.

I've confirmed this locally.

Mark


>
> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Friday, June 21, 2019 9:10 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 21/06/2019 16:46, Michael Magnuson wrote:
>>
>>
>> Thanks.  Is that setup using a CRL instead of OCSP?
>
> It will work with either/both. I had a local OCSP responder running with
> OpenSSL so I could monitor the requests and responses. OCSP was working
> correctly. It rejected a cert that had been invalidated that wasn't in
> the CRL.
>
> Mark
>
>
>>
>> ________________________________
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Friday, June 21, 2019 8:44 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>
>> On 21/06/2019 16:31, Michael Magnuson wrote:
>>> Hmm.  It's still not working at all for me.  Can you post your SSL 
>>> connector configuration?
>>
>> <Connector port="8443"
>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="150" SSLEnabled="true" >
>>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
>>   <SSLHostConfig certificateVerification="required"
>>                  caCertificateFile="conf/ca-rsa-cert.pem"
>>                  certificateRevocationListFile="conf/crl.pem">
>>     <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
>>                  certificateFile="conf/localhost-rsa-cert.pem"
>>                  certificateChainFile="conf/localhost-rsa-chain.pem"
>>                  type="RSA" />
>>   </SSLHostConfig>
>> </Connector>
>>
>> Mark
>>
>>
>>>
>>>
>>>
>>> ________________________________
>>> From: Mark Thomas <ma...@apache.org>
>>> Sent: Thursday, June 20, 2019 11:36 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>
>>> On 20/06/2019 18:50, Mark Thomas wrote:
>>>> On 20/06/2019 18:27, Michael Magnuson wrote:
>>>>> Thanks Mark.  A couple clarifications on your example first.  You don't 
>>>>> list the clientAuth= attribute.  I assume this was a simple oversight.
>>>>
>>>> It is replaced by certificateVerification="required"
>>>>
>>>>>  You list the SSLEnabled="true" attribute twice.  Should one of these be 
>>>>> secure="true"?
>>>>
>>>> It should.
>>>>
>>>>>  For the certificateVerification= attribute, is the correct syntax 
>>>>> "require" or "required"?
>>>>
>>>> "required"
>>>>
>>>> Setting up an OCSP responder locally is next on my TODO list. I'll
>>>> report back with the results.
>>>
>>> Works as expected.
>>>
>>> Mark
>>>
>>>
>>>>
>>>> Mark
>>>>
>>>>
>>>>>
>>>>> Thanks,
>>>>> Mike
>>>>>
>>>>>
>>>>>
>>>>> ________________________________
>>>>> From: Mark Thomas <ma...@apache.org>
>>>>> Sent: Thursday, June 20, 2019 10:00 AM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>>>
>>>>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>>>>> Mark,
>>>>>>
>>>>>> Thank you for your replies and help.
>>>>>>
>>>>>> I'm not sure how to verify that Tomcat Native was built with OCSP 
>>>>>> support?
>>>>>
>>>>> Let's assume it has been. I think that is a safe assumption for now.
>>>>>
>>>>>> Removing the <Certificate/> element had no negative effect.  I 
>>>>>> originally put it in there following this guide:
>>>>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>>>>
>>>>> Hmm. We might need to revisit that. It looks "odd".
>>>>>
>>>>>> Without the trustStore attributes, it prompts for the smart card PIN and 
>>>>>> you can select the cert you want to use, but then it doesn't do anything 
>>>>>> from there.  With those attributes present, Tomcat serves up the 
>>>>>> expected page after PIN+cert.
>>>>>
>>>>> Interesting. That suggests Tomcat is using the trustStore to validate
>>>>> the client certs.
>>>>>
>>>>> I've looked at this again and the config is more mixed up than I first
>>>>> realised. Let's get that fixed first.
>>>>>
>>>>>> Changing clientAuth to "required" from "want" has no effect either way.
>>>>>
>>>>> OK. Let's leave it on required for now since that takes one variable out
>>>>> of the equation.
>>>>>
>>>>> Back to the config. I'm going to try and convert everything to the new
>>>>> style format.
>>>>>
>>>>> <Connector port="8443"
>>>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>            maxThreads="150"
>>>>>            SSLEnabled="true"
>>>>>            scheme="https"
>>>>>            SSLEnabled="true" >
>>>>>     <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>>>>>                    certificateVerification="required"
>>>>>                    caCertificateFile="path_to_ca_file">
>>>>>         <Certificate certificateFile="path_to_server.crt"
>>>>>                      certificateKeyFile="path_to_server.key"
>>>>>                      certificateKeyPassword="password"
>>>>>                      certificateChainFile="path_to_chain" />
>>>>>     </SSLHostConfig>
>>>>> </Connector>
>>>>>
>>>>> I have removed settings that are the same as the defaults.
>>>>> SSLCertificateChainFile isn't a recognised attribute.
>>>>>
>>>>> I opted for the OpenSSL style store for trusted CA certs. That probably
>>>>> means you need to export the trusted certs from your trustStoreFile to a
>>>>> PEM encoded file for caCertificateFile.
>>>>>
>>>>> For the purposes of the test, you only need to export the cert that
>>>>> issued the cert used by the client.
>>>>>
>>>>> I'm wondering if the slightly odd trust store config was causing
>>>>> problems. We really need more logging in Tomcat Native to figure that
>>>>> sort of thing out.
>>>>>
>>>>> I also think I need to get OCSP working with client certs locally so I
>>>>> can test it as well. I'll add that to my TODO list.
>>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>


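As an added check (not code from this thread or from Tomcat), a small stdlib-only linter for the configuration points raised above: a repeated attribute such as the second SSLEnabled is not even well-formed XML, 8.0-style attributes such as clientAuth or SSLCertificateChainFile have no place on the Connector in the SSLHostConfig style, certificateVerification takes "required" rather than "require", the server certificate lives in a <Certificate/> element, and certificateRevocationListFile is left out to rely on OCSP. The list of legacy attribute names and the sample connectors are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Tomcat 8.0-style attributes that, in the 8.5 SSLHostConfig style Mark converts
# to, must move into SSLHostConfig/Certificate (list assumed, not exhaustive).
LEGACY_ATTRS = {"clientAuth", "keystoreFile", "keystorePass", "truststoreFile",
                "truststorePass", "sslProtocol", "SSLCertificateFile",
                "SSLCertificateKeyFile", "SSLCertificateChainFile"}
VERIFICATION_VALUES = {"none", "optional", "optionalNoCA", "required"}

def lint_connector(xml_text):
    """Return findings for every SSLEnabled Connector in a server.xml fragment."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A repeated attribute (SSLEnabled twice) is rejected by the XML parser itself.
        return ["not well-formed XML: %s" % exc]
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for attr in sorted(set(conn.keys()) & LEGACY_ATTRS):
            findings.append("legacy attribute %s on Connector; move it into SSLHostConfig" % attr)
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            findings.append("SSLEnabled connector has no SSLHostConfig element")
        for host in hosts:
            cv = host.get("certificateVerification", "none")
            if cv not in VERIFICATION_VALUES:
                findings.append('certificateVerification="%s" is not valid; use one of %s'
                                % (cv, ", ".join(sorted(VERIFICATION_VALUES))))
            if not host.findall("Certificate"):
                findings.append("no <Certificate/> element: server certificate is not defined")
            trust = ("caCertificateFile", "caCertificatePath", "truststoreFile")
            if cv in ("optional", "required") and not any(host.get(a) for a in trust):
                findings.append("client cert verification enabled but no CA store configured")
            if host.get("certificateRevocationListFile"):
                findings.append("certificateRevocationListFile set; omit it to rely on OCSP alone")
    return findings

# Constructed samples: the working connector with the CRL still set, and a duplicated SSLEnabled.
WITH_CRL = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig certificateVerification="required" caCertificateFile="conf/ca-rsa-cert.pem"
                 certificateRevocationListFile="conf/crl.pem">
    <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                 certificateFile="conf/localhost-rsa-cert.pem" type="RSA"/>
  </SSLHostConfig>
</Connector>"""
DUPLICATE_ATTR = '<Connector port="8443" SSLEnabled="true" scheme="https" SSLEnabled="true"/>'
```

Run lint_connector over the Connector fragment of your server.xml; an empty list means none of the issues discussed in the thread are present.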
