Discussion:
Tomcat 9 ocsp via proxy
Усманов Азат Анварович
2018-11-02 11:05:24 UTC
Hi everyone! Is it possible to specify a proxy server address for server-side OCSP checking on Tomcat when using APR/Tomcat Native for TLS connections? Something Apache-like:

SSLStaplingForceURL http://internal-proxy.example.org:port

or something like the nginx directive
ssl_stapling_file file;
so the stapled OCSP response will be taken from the specified file instead of querying the OCSP responder specified in the server certificate.

I tried using

SSLStaplingForceURL="http://internal-proxy.example.org:port"

on both the Connector and Certificate elements with the latest Tomcat 9.0.12, which resulted in "{Server/Service/Connector/SSLHostConfig/Certificate} Setting property 'SSLStaplingForceURL' to 'http://192.168.1.6:3131' did not find a matching property" in the logs. So it looks like Tomcat doesn't support this (yet).

Should I put an enhancement request for that?
