Bhavesh,

On 1/5/24 12:57, Bhavesh Mistry wrote:
Hi All,

According to Tomcat 9 Official documentation, only Tomcat NATIVE Connector
supports it.
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates

But this site claims
https://community.progress.com/s/article/PASOE-OCSP-Stapling-does-not-work
that it works with non-native connectors. Please let me know if a
non-native connector works or not for OCSP Stapling.

Here is the reference configuration:

    - Update the protocol property and add the sslImplementationName
      property as follows:

      <Connector executor="tomcatThreadPool"
                 port="${psc.as.https.port}"
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"

    - Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM
      system property in the <PASOE_instance>\conf\jvm.properties file to
      enable OCSP Stapling support for the JVM.
    - It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM
      parameter to the <PASOE_instance>\conf\jvm.properties file to prevent
      the use of weak Diffie-Hellman (DH) keys. For more information, please
      refer to the following Oracle

According to https://bz.apache.org/bugzilla/show_bug.cgi?id=56148 this is not complete for the APR connector. I do recall lots of conversation about this, and I thought it was working, but Mark is very diligent about updating bugs when they are complete, so it's unlikely he completed the work and then didn't close the bug.

According to the conversation in that bug, NIO and NIO2 should work if you have a recent Java (9 or later ought to work) if you set that system property you have listed above.

I have no idea what <PASOE_instance>\conf\jvm.properties is for, but you should make absolutely sure that the system property is actually being set at JVM launch. You can write a simple servlet or JSP to inspect that to verify, or use something like jinfo to inspect a running process's system properties.

Did you follow the instructions from the progress.com page concerning the importing of your server's key and certificate and the CA's intermediate and root certs?

-chris
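An end-to-end way to confirm the staple is actually being sent, added here as an example and not part of the thread: a small Java 9+ client that completes a TLS handshake and inspects the session for a stapled OCSP response. The host and port come from the command line (an assumption), and the server's certificate chain must be trusted by the client's default truststore.

```java
import java.io.IOException;
import java.util.List;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Completes a TLS handshake and reports whether the server stapled an OCSP
// response (RFC 6066 status_request). Needs Java 9+, the baseline the thread
// gives for stapling on NIO/NIO2. Usage: java OcspStapleCheck <host> <port>
public class OcspStapleCheck {
    // Stapled OCSP responses from the handshake, or an empty list if none was sent.
    static List<byte[]> stapledResponses(SSLSocket socket) throws IOException {
        socket.startHandshake();
        if (!(socket.getSession() instanceof ExtendedSSLSession)) {
            return List.of();
        }
        return ((ExtendedSSLSession) socket.getSession()).getStatusResponses();
    }

    // Minimal DER check on an OCSPResponse: outer SEQUENCE (0x30), then the
    // responseStatus ENUMERATED (0x0A 0x01 value), 0 = successful (RFC 6960 4.2.1).
    // The signature inside ResponseBytes is not validated here.
    static boolean looksSuccessful(byte[] der) {
        if (der.length < 5 || der[0] != 0x30) {
            return false;
        }
        int i = 1;
        int len = der[i++] & 0xFF;
        if ((len & 0x80) != 0) {
            i += len & 0x7F; // long-form length: skip the length octets
        }
        return der.length >= i + 3 && der[i] == 0x0A && der[i + 1] == 0x01 && der[i + 2] == 0x00;
    }

    public static void main(String[] args) throws IOException {
        // Client-side counterpart of the server property discussed in the thread
        // (defaults to true on Java 9+, set explicitly so the request is sent).
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            List<byte[]> responses = stapledResponses(socket);
            if (responses.isEmpty()) {
                System.out.println("No stapled OCSP response; confirm the server JVM was launched "
                        + "with -Djdk.tls.server.enableStatusRequestExtension=true");
            }
            for (byte[] r : responses) {
                System.out.printf("Stapled OCSP response: %d bytes, responseStatus %s%n",
                        r.length, looksSuccessful(r) ? "successful" : "not successful or unparsed");
            }
        }
    }
}
```

An empty result with a working TLS connection points at the server side (the system property not reaching the JVM, or a connector that does not support stapling), which is the distinction the thread is trying to make.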
