Hi Mark,

Sorry for top posting - I want to wrap this thread up.

I was bitten again by the default SSL implementation. While I wanted to use JSSE on port 8443, I just noticed today that without telling the connector to do so (sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"), it used the OpenSSLImplementation - well, that does not support OCSP as we all know.

The documentation is a bit vague on the defaults:

    To enable it, the native library should be enabled as if intending to use the APR connector, and Tomcat will automatically enable it and the default value of this attribute becomes org.apache.tomcat.util.net.openssl.OpenSSLImplementation

My basic test case uses the tomcat docker image with openjdk11. I did not specifically install tc native and enable APR. Now when I look at the logfile below I can see all that's wrong...

Sorry for the noise!

PS: now waiting for the openssl fix for tc native ;-)

On 28.06.2019 at 14:14, logo <l...@kreuser.name> wrote:

> Mark,
>
> Still no luck with 8.5.42/JDK11/JSSE.
>
>> On 17.06.2019 at 22:11, logo <l...@kreuser.name> wrote:
>>
>> Mark,
>>
>>> On 17.06.2019 at 18:00, Mark Thomas <ma...@apache.org> wrote:
>>>
>>> On 17/06/2019 15:51, logo wrote:
>>>> Mark,
>>>>
>>>> On 2019-06-17 16:29, Mark Thomas wrote:
>>>>> On 17/06/2019 15:15, logo wrote:
>>>>>> Hi Mark,
>>>>>>
>>>>>> having been in contact with Усманов, I can confirm your summary.
>>>>>>
>>>>>> May I add my question from February with additional info to this thread:
>>>>>> https://markmail.org/message/zvziqrhm32bctm7e
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Progress can be tracked here:
>>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
>>>>>
>>>>> At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support
>>>>> OCSP stapling with appropriate configuration.
>>>>>
>>>>
>>>> Do you mean on trunk or really only configuration?
>>>>
>>>> I just tried it on 8.5.42 and it will not send the message on my
>>>> letsencrypt cert.
>>>>
>>>> If it should work out of the box, do you mind sharing the "appropriate"
>>>> config here?
>>>
>>> I was testing Tomcat 9.0.x (latest source from Git) but with the
>>> knowledge that we haven't made *any* changes to Tomcat to support OCSP
>>> stapling and that 9.0.x and 8.5.x have very similar TLS code.
>>>
>>> I have just tested with 8.5.42. Both NIO+JSSE and NIO2+JSSE support OCSP
>>> stapling. My Connector configuration is:
>>>
>>> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>            port="8443"
>>>            proxyPort="443"
>>>            maxThreads="150"
>>>            useAsyncIO="true"
>>>            SSLEnabled="true">
>>>     <UpgradeProtocol
>>>         className="org.apache.coyote.http2.Http2Protocol"
>>>         useSendfile="false"
>>>         maxConcurrentStreamExecution="50" />
>>>     <SSLHostConfig>
>>>         <Certificate certificateKeyFile="/.../privkey.pem"
>>>                      certificateFile="/.../cert.pem"
>>>                      certificateChainFile="/.../chain.pem"
>>>                      type="RSA" />
>>>     </SSLHostConfig>
>>> </Connector>
>>>
>>> Mark
>>>
>> I'm lost. My conf is pretty much similar.
>>
> <snip>
>
>> Any debug info I can create?
>>
>> Thanks
>> Peter
>
>
> Started from scratch, plain tc 8.5.42 with JDK 11 (Docker Hub version).
>
> Only added my certs to server.xml:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            maxThreads="150" SSLEnabled="true" >
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig>
>         <Certificate
>             certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
>             certificateFile="${catalina.base}/conf/ssl/cert.pem"
>             certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
>             type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
> and added
>
> export JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"
>
> alternatively
>
> export CATALINA_OPTS="${CATALINA_OPTS} -Djdk.tls.server.enableStatusRequestExtension=true"
>
> to bin/setenv.sh.
>
> That gets picked up:
>
> 28-Jun-2019 14:05:04.509 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.5.42
> 28-Jun-2019 14:05:04.524 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Jun 4 2019 20:29:04 UTC
> 28-Jun-2019 14:05:04.525 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.5.42.0
> 28-Jun-2019 14:05:04.526 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
> 28-Jun-2019 14:05:04.527 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 4.14.116-boot2docker
> 28-Jun-2019 14:05:04.532 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
> 28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/local/openjdk-11
> 28-Jun-2019 14:05:04.533 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 11.0.3+7
> 28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
> 28-Jun-2019 14:05:04.534 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /opt/apache-tomcat.base
> 28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /usr/local/tomcat
> 28-Jun-2019 14:05:04.535 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
> 28-Jun-2019 14:05:04.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
> 28-Jun-2019 14:05:04.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> 28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/opt/apache-tomcat.base/conf/logging.properties
> 28-Jun-2019 14:05:04.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> 28-Jun-2019 14:05:04.539 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.server.enableStatusRequestExtension=true
> 28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
> 28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> 28-Jun-2019 14:05:04.540 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> 28-Jun-2019 14:05:04.541 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
> 28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/opt/apache-tomcat.base
> 28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
> 28-Jun-2019 14:05:04.542 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat.base/temp
> 28-Jun-2019 14:05:04.543 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.5.2].
> 28-Jun-2019 14:05:04.546 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> 28-Jun-2019 14:05:04.547 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> 28-Jun-2019 14:05:04.554 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.0j 20 Nov 2018]
> 28-Jun-2019 14:05:04.639 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio2-8443"] connector has been configured to support negotiation to [h2] via ALPN
> 28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-8443"]
> 28-Jun-2019 14:05:04.877 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1184 ms
> 28-Jun-2019 14:05:05.017 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
> 28-Jun-2019 14:05:05.018 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.42
> 28-Jun-2019 14:05:05.036 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/opt/apache-tomcat.base/conf/Catalina/localhost]
> 28-Jun-2019 14:05:05.076 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/opt/apache-tomcat.base/webapps/ROOT]
> 28-Jun-2019 14:05:08.827 WARNING [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [3,029] milliseconds.
> 28-Jun-2019 14:05:08.876 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/apache-tomcat.base/webapps/ROOT] has finished in [3,800] ms
> 28-Jun-2019 14:05:08.881 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio2-8443"]
> 28-Jun-2019 14:05:08.885 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 4007 ms
>
>
> Still openssl says
>
> *****OCSP response: no response sent********
>
> And testssl.sh on my domain says:
>
> Testing server defaults (Server Hello)
>
> TLS extensions (standard)    "renegotiation info/#65281" "server name/#0" "EC point formats/#11" "session ticket/#35"
>                              "next protocol/#13172" "encrypt-then-mac/#22" "extended master secret/#23"
>                              "application layer protocol negotiation/#16"
> Session Ticket RFC 5077 hint 86400 seconds, session tickets keys seems to be rotated < daily
> SSL Session ID support       yes
> Session Resumption           Tickets: yes, ID: no
> TLS clock skew               Random values, no fingerprinting possible
> Signature Algorithm          SHA256 with RSA
> Server key size              RSA 4096 bits
> Server key usage             Digital Signature, Key Encipherment
> Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
> Serial / Fingerprints        xx / SHA1 xx
>                              SHA256 xx
> Common Name (CN)             xxx.dedyn.io
> subjectAltName (SAN)         xxx xxx xxx.dedyn.io
> Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
> Trust (hostname)             Ok via SAN and CN (same w/o SNI)
> Chain of trust               Ok
> EV cert (experimental)       no
> ETS/"eTLS", visibility info  not present
> Certificate Validity (UTC)   expires < 30 days (20) (2019-04-20 00:48 --> 2019-07-19 00:48)
> # of certificates provided   2
> Certificate Revocation List  --
> OCSP URI                     http://ocsp.int-x3.letsencrypt.org
> OCSP stapling                ****not offered****
> OCSP must staple extension   ****requires OCSP stapling (NOT ok)****
> DNS CAA RR (experimental)    available - please check for match with "Issuer" above
>                              iodef=mailto:x...@xx.com, issue=letsencrypt.org
> Certificate Transparency     yes (certificate extension)
>
>
> Anything I can do to figure that out?
>
> Thank you for your help!
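The trap Peter describes above (an NIO/NIO2 connector silently switching to OpenSSLImplementation once the Tomcat Native library loads, so the JSSE stapling switch never takes effect) can be checked mechanically rather than by staring at server.xml. The script below is an added example, not code from this thread or from the Tomcat project: it parses a server.xml and a catalina startup-log excerpt, resolves which sslImplementationName each SSLEnabled connector actually gets, cross-checks that against the "https-openssl-..." / "https-jsse-..." handler name Tomcat logs, and reports whether OCSP stapling can work. The sample server.xml and log lines are constructed from this thread's own posts; the AprLifecycleListener entry is assumed (it is what the stock server.xml ships with, which is why the Docker image loaded tcnative without Peter installing anything). The rule that OpenSSLImplementation does not staple reflects tcnative 1.2.21 and bug 56148 as they stood at the time of the thread, and -Djdk.tls.server.enableStatusRequestExtension=true is the JSSE server-side switch, which is off by default.

```python
"""Audit which TLS implementation a Tomcat SSL connector will really use,
and whether JSSE OCSP stapling is switched on.
Added example, not Tomcat project code; sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

JSSE = "org.apache.tomcat.util.net.jsse.JSSEImplementation"
OPENSSL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_STAPLING_FLAG = "-Djdk.tls.server.enableStatusRequestExtension=true"

# Tomcat names HTTPS handlers https-<jsse|openssl>-<nio|nio2|apr>-<port>,
# so the startup log already tells you which implementation won.
HANDLER_RE = re.compile(r'ProtocolHandler \["https-(jsse|openssl)-(nio2?|apr)-(\d+)"\]')
NATIVE_RE = re.compile(r"Loaded APR based Apache Tomcat Native library \[([\d.]+)\]")


def inspect_startup_log(log: str) -> dict:
    """Extract the two facts that matter from catalina.out: did tcnative load,
    and which implementation did each HTTPS ProtocolHandler end up with."""
    native = NATIVE_RE.search(log)
    handlers = {int(port): impl for impl, _io, port in HANDLER_RE.findall(log)}
    return {"native_version": native.group(1) if native else None,
            "handlers": handlers}


def effective_ssl_implementation(server_xml: str, native_loaded: bool) -> list:
    """Resolve sslImplementationName for every SSLEnabled connector.
    Rule from the Tomcat 8.5/9 connector docs: an explicit attribute wins;
    the APR connector is always OpenSSL; otherwise the default flips from
    JSSE to OpenSSL as soon as an AprLifecycleListener (SSLEngine not "off")
    has actually loaded tcnative."""
    root = ET.fromstring(server_xml)
    listener_inits_openssl = any(
        lst.get("className") == APR_LISTENER and lst.get("SSLEngine", "on").lower() != "off"
        for lst in root.iter("Listener"))
    out = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocol = conn.get("protocol", "HTTP/1.1")
        explicit = conn.get("sslImplementationName")
        if explicit:
            impl = explicit
        elif protocol == APR_PROTOCOL or (listener_inits_openssl and native_loaded):
            impl = OPENSSL
        else:
            impl = JSSE
        out.append({"port": int(conn.get("port")), "protocol": protocol,
                    "implementation": impl, "explicit": explicit is not None})
    return out


def ocsp_stapling_status(impl: str, java_opts: str) -> str:
    """Stapling verdict for one connector given its implementation and JVM opts."""
    if impl == OPENSSL:
        return "unavailable: OpenSSLImplementation via tcnative 1.2.21 does not staple (bz 56148)"
    if JSSE_STAPLING_FLAG not in java_opts:
        return "disabled: JSSE needs " + JSSE_STAPLING_FLAG
    return "enabled"


def audit(server_xml: str, log: str, java_opts: str) -> dict:
    """Cross-check the static config against what actually started."""
    seen = inspect_startup_log(log)
    report = {}
    for c in effective_ssl_implementation(server_xml, seen["native_version"] is not None):
        report[c["port"]] = {
            "configured": c["implementation"].rsplit(".", 1)[-1],
            "logged": seen["handlers"].get(c["port"]),
            "ocsp_stapling": ocsp_stapling_status(c["implementation"], java_opts),
        }
    return report


# Constructed sample: Peter's connector plus the AprLifecycleListener that the
# stock server.xml ships with (the listener line is an assumption here).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
                     certificateFile="${catalina.base}/conf/ssl/cert.pem"
                     certificateChainFile="${catalina.base}/conf/ssl/chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# The same connector with the fix from the top of the thread applied.
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    'SSLEnabled="true"', 'SSLEnabled="true" sslImplementationName="%s"' % JSSE)

# Two lines taken from the startup log posted in this thread.
SAMPLE_LOG = """28-Jun-2019 14:05:04.543 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.5.2].
28-Jun-2019 14:05:04.640 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-8443"]
"""

if __name__ == "__main__":
    for port, row in audit(SAMPLE_SERVER_XML, SAMPLE_LOG, JSSE_STAPLING_FLAG).items():
        print("as posted  ", port, row)
    for port, row in audit(FIXED_SERVER_XML, SAMPLE_LOG, JSSE_STAPLING_FLAG).items():
        print("with fix   ", port, row)
```

Run against the posted files the report says configured OpenSSLImplementation, logged "openssl", stapling unavailable; with sslImplementationName pinned to JSSE it says configured JSSEImplementation while the old log still says "openssl", which is the reminder that the log only reflects the running instance. Point it at a real ${catalina.base}/conf/server.xml and logs/catalina.out and the "logged" column becomes the authoritative answer.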