Hi Chris, Thanks for the update and confirming that we don't need a native connector for OCSP stamping to work. I have not followed any of the instructions below. I am at the beginning of the journey trying to explore what changes are needed to support OCSP stamping. Again, thanks for your support and reference. I will test it out based on the reference you provided. If I need any help, I will kindly reach out again.
> Did you follow the instructions from the progress.com page concerning the importing of your server's key and certificate and the CA's intermediate and root certs?

Thanks,
Bhavesh

On Fri, Jan 5, 2024 at 11:07 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Bhavesh,
>
> On 1/5/24 12:57, Bhavesh Mistry wrote:
> > Hi All,
> >
> > According to Tomcat 9 Official documentation, only Tomcat NATIVE Connector
> > supports it.
> > https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
> >
> > But this site claims
> > https://community.progress.com/s/article/PASOE-OCSP-Stapling-does-not-work
> > that it works with non-native connectors. Please let me know if a
> > non-native connector works or not for OCSP Stamping.
> >
> > Here is the reference configuration:
> >
> > - Update the protocol property and add the sslImplementationName property
> >   as follows:
> >
> >   <Connector executor="tomcatThreadPool"
> >              port="${psc.as.https.port}"
> >              protocol="org.apache.coyote.http11.Http11NioProtocol"
> >              sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >
> > - Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM
> >   system property in the <PASOE_instance>\conf\jvm.properties file to
> >   enable OCSP Stapling support for the JVM.
> > - It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM
> >   parameter to the <PASOE_instance>\conf\jvm.properties file to prevent
> >   the use of weak Diffie-Hellman (DH) keys. For more information, please
> >   refer to the following Oracle
>
> According to https://bz.apache.org/bugzilla/show_bug.cgi?id=56148 this
> is not complete for the APR connector. I do recall lots of conversation
> about this, and I thought it was working, but Mark is very diligent
> about updating bugs when they are complete, so it's unlikely he
> completed the work and then didn't close the bug.
>
> According to the conversation in that bug, NIO and NIO2 should work if
> you have a recent Java (9 or later ought to work) if you set that system
> property you have listed above.
>
> I have no idea what <PASOE_instance>\conf\jvm.properties is for, but you
> should make absolutely sure that the system property is actually being
> set at JVM launch. You can write a simple servlet or JSP to inspect that
> to verify, or use something like jinfo to inspect a running process's
> system properties.
>
> Did you follow the instructions from the progress.com page concerning
> the importing of your server's key and certificate and the CA's
> intermediate and root certs?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
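The two verification steps Chris suggests (confirm the system property really reached the running JVM, then confirm the server actually staples) are easy to get wrong if you only eyeball tool output. The following is an added example, not code from the thread, from Progress or from the Tomcat project: a small POSIX shell script with one check for `jinfo -sysprops` output and one for `openssl s_client -status` output. Both functions read the tool's output on stdin, so the logic is exercised here against constructed sample outputs (not captured from a real host); the live commands, with a hypothetical `$PID` and `$HOST`, are shown in the trailing comment.

```shell
#!/bin/sh
# Added example (not from the thread, Progress or Tomcat): two checks for an
# OCSP-stapling deployment on a Java/NIO connector.
#   1. did -Djdk.tls.server.enableStatusRequestExtension=true actually reach
#      the running JVM?  (parse `jinfo -sysprops <pid>` output)
#   2. does the server really staple?  (parse `openssl s_client -status` output)
# Each function reads the tool output on stdin so it can be tested offline.

PROP='jdk.tls.server.enableStatusRequestExtension'

# jvm_prop_enabled: returns 0 when the property is set to true in
# `jinfo -sysprops` output.  JDK 8 prints "key = value", JDK 9+ prints
# "key=value", so optional spaces around "=" are allowed.
jvm_prop_enabled() {
    grep -Eq "^${PROP} *= *true *$"
}

# stapled: returns 0 when `openssl s_client -status` output shows a stapled,
# successful OCSP response; 1 when the server sent none or a failed one.
stapled() {
    _out=$(cat)
    if printf '%s\n' "$_out" | grep -q 'OCSP response: no response sent'; then
        return 1
    fi
    printf '%s\n' "$_out" | grep -q 'OCSP Response Status: successful'
}

# Constructed sample outputs (assumptions for this example, not real captures).
SAMPLE_JINFO_OK='java.vendor=Eclipse Adoptium
jdk.tls.server.enableStatusRequestExtension=true
jdk.tls.ephemeralDHKeySize=2048'

SAMPLE_JINFO_MISSING='java.vendor=Eclipse Adoptium
jdk.tls.ephemeralDHKeySize=2048'

SAMPLE_SCLIENT_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'

SAMPLE_SCLIENT_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.com'

# check_samples: runs both checks against the samples; returns 0 if every
# sample is classified as expected, 1 otherwise.
check_samples() {
    printf '%s\n' "$SAMPLE_JINFO_OK"        | jvm_prop_enabled || return 1
    printf '%s\n' "$SAMPLE_JINFO_MISSING"   | jvm_prop_enabled && return 1
    printf '%s\n' "$SAMPLE_SCLIENT_STAPLED" | stapled          || return 1
    printf '%s\n' "$SAMPLE_SCLIENT_NONE"    | stapled          && return 1
    return 0
}

# Live use (hypothetical $PID of the Tomcat JVM and $HOST of the connector):
#   jinfo -sysprops "$PID" | jvm_prop_enabled \
#       && echo "property set at launch" || echo "property MISSING"
#   openssl s_client -connect "$HOST:443" -servername "$HOST" -status \
#       </dev/null 2>/dev/null | stapled \
#       && echo "OCSP response stapled" || echo "NOT stapled"
```

If the first check fails, the property never made it onto the JVM command line (a wrapper or properties file was not honoured), and no connector setting will help; if the first passes but the second fails, look at the certificate chain import that Chris asks about, since the JSSE server can only staple when it can reach the issuer's OCSP responder for the configured chain.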