On 11/07/2019 21:18, Michael Magnuson wrote:
> Thanks Mark. I would like to deny access if an unknown response is received.

Understood.

Please open an enhancement request in Bugzilla to deny a request if an
unknown OCSP response is received.
http://tomcat.apache.org/bugreport.html

It is going to require changes in both Tomcat and Tomcat Native. Probably
best to open it against Tomcat 9.

Thanks,

Mark

> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, July 11, 2019 12:59 PM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 11/07/2019 17:46, Michael Magnuson wrote:
>> The OCSP function is working as expected for both "good" and "revoked"
>> responses. However, I find that it also allows "unknown" responses. Is the
>> "unknown" response behavior adjustable?
>
> The relevant code is:
>
> else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
> /* TODO: do nothing for time being */
>
> So, not at the moment.
>
> What behaviour would you like to see / do you think there should be?
>
> Mark
>
>> Thanks,
>> Mike
>>
>> ________________________________
>> From: Michael Magnuson <mmagnu...@sempervalens.com>
>> Sent: Friday, June 28, 2019 10:38 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>
>> Mark, I was able to get this working. Thank you again for all your help.
>> The fix happened when I concatenated both the intermediate CA certificate
>> and the root CA certificate into a single PEM file, and used it for the
>> caCertificate= attribute.
>>
>> ________________________________
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Tuesday, June 25, 2019 12:41 PM
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>
>> On 25/06/2019 20:22, Michael Magnuson wrote:
>>> Mark, thanks for the further clarification. With that setup, it prompts
>>> for the smart card PIN and you can select your certificate, but then
>>> nothing happens. The only way I can get it to successfully open the page
>>> is if I also add the attributes trustStoreFile= and trustStorePass= but
>>> still no OCSP action.
>>
>> Can you post your current configuration please.
>>
>> Please also list the certificate(s) in each of the keystores / PEM files.
>>
>> I'm wondering if the chain from the server to the CA is missing.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
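The "do nothing" branch Mark quotes means an OCSP status of UNKNOWN falls through and the handshake proceeds, i.e. the check fails open. As an added illustration that is not code from Tomcat Native or from anyone in this thread, a minimal C sketch of that lenient branch beside a fail-closed alternative; the enum values, the OK/REVOKED names and both function names are constructed for the example, only `OCSP_STATUS_UNKNOWN` and `ocsp_response` appear in the quoted code.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed for this example: only OCSP_STATUS_UNKNOWN is named in the
 * Tomcat Native snippet quoted in the thread; the other values are assumed. */
enum ocsp_status {
    OCSP_STATUS_OK      = 0,
    OCSP_STATUS_REVOKED = 1,
    OCSP_STATUS_UNKNOWN = 2
};

/* Mirrors the behaviour discussed above: only REVOKED is rejected. UNKNOWN
 * hits the "do nothing" branch, so control reaches the final return and the
 * connection is allowed (fail open). */
bool ocsp_allow_lenient(int ocsp_response)
{
    if (ocsp_response == OCSP_STATUS_REVOKED) {
        return false;
    } else if (ocsp_response == OCSP_STATUS_UNKNOWN) {
        /* TODO: do nothing for time being */
    }
    return true;
}

/* Fail-closed variant of the same decision: the connection is allowed only
 * on an explicit "good" answer. UNKNOWN, REVOKED and any value not on the
 * list (a future status, a parsing error code) are all treated as failure. */
bool ocsp_allow_strict(int ocsp_response)
{
    switch (ocsp_response) {
    case OCSP_STATUS_OK:
        return true;
    case OCSP_STATUS_REVOKED:
    case OCSP_STATUS_UNKNOWN:
    default:
        return false;
    }
}

int main(void)
{
    /* 42 stands in for a status value neither function was written for. */
    int statuses[] = { OCSP_STATUS_OK, OCSP_STATUS_REVOKED, OCSP_STATUS_UNKNOWN, 42 };
    const char *names[] = { "good", "revoked", "unknown", "unrecognised" };
    for (int i = 0; i < 4; i++) {
        printf("%-12s lenient=%s strict=%s\n", names[i],
               ocsp_allow_lenient(statuses[i]) ? "allow" : "deny",
               ocsp_allow_strict(statuses[i]) ? "allow" : "deny");
    }
    return 0;
}
```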