Discussion:
OCSP stapling in tomcat 7 with APR
Усманов Азат Анварович
2018-10-14 17:45:30 UTC
Permalink
Hello everyone! I have a Java 7 web app running on Tomcat 7 with APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP stapling on Tomcat so that:
When OCSP is enabled, a server will pre-fetch the OCSP response for its own certificate and deliver the response to the user's browser during the TLS handshake. This eliminates the need to make a separate connection to the CA's revocation service before the Web page is displayed, improving the page's performance and reliability.
I did search the mailing list and found this question:
https://www.mail-archive.com/***@tomcat.apache.org/msg129303.html
but that user is using the JSSE implementation for TLS, not APR.
The Tomcat 7 documentation does have an example:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           secure="true" scheme="https"
           SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
           SSLCertificateKeyFile="/path/to/ocsp-cert.key"
           SSLCACertificateFile="/path/to/ca.pem"
           SSLVerifyClient="require"
           SSLVerifyDepth="10"
           clientAuth="true"/>


but that is for client-cert verification. Can we do it on the server side? Or am I missing something about how OCSP is supposed to work in the first place?
Mark Thomas
2018-10-15 12:01:58 UTC
Permalink
Post by Усманов Азат Анварович
but that is for client-cert verification. Can we do it on the server side? Or am I missing something about how OCSP is supposed to work in the first place?
If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration.
Assuming you use an appropriate certificate etc.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Усманов Азат Анварович
2018-10-15 15:20:14 UTC
Permalink
How do I make sure OCSP is enabled in Tomcat Native?

When I try to pass --enable-ocsp to the Tomcat Native configure script I get an unrecognized option warning:


./configure --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
setting CC to "gcc"
setting CPP to "gcc -E"
setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory... linux
adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
adding "-DHAVE_OPENSSL" to CFLAGS
setting TCNATIVE_LIBS to ""
setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt -lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp



Mark Thomas
2018-10-15 15:38:57 UTC
Permalink
Post by Усманов Азат Анварович
How do I make sure OCSP is enabled in Tomcat Native?
When I try to pass --enable-ocsp to the Tomcat Native configure script I get an unrecognized option warning.
As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
disable OCSP when building on Linux so you should be good with a
standard build.

Mark
Coty Sutherland
2018-10-15 16:37:09 UTC
Permalink
Post by Усманов Азат Анварович
Post by Усманов Азат Анварович
How do I make sure OCSP is enabled in Tomcat Native?
When I try to pass --enable-ocsp to the Tomcat Native configure script I get an
unrecognized option warning.
As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
disable OCSP when building on Linux so you should be good with a
standard build.
+1, just build it and as long as the openssl version you're using supports
it you're good.
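The two replies above say OCSP support comes for free with a standard build as long as the OpenSSL it links against supports it. Two concrete checks follow, as an added example that is not part of this thread or of Tomcat: whether the OpenSSL binary has OCSP compiled in, and whether a running HTTPS endpoint actually staples a response. Each check is a parser over the output of a standard openssl command (testable offline on the constructed samples at the bottom) plus a thin wrapper that runs the command. It assumes the OpenSSL 1.1.x output formats: `openssl list -disabled` names each compiled-out feature on its own line (an OpenSSL configured with no-ocsp, which is what defines OPENSSL_NO_OCSP, lists OCSP there), and `openssl s_client -status` prints either `OCSP response: no response sent` or an `OCSP Response Status:` line. The hostname in the samples is constructed.

```python
"""Build-time and run-time checks for OCSP stapling behind Tomcat Native.

  1. `openssl list -disabled`   -> is OCSP among the compiled-out features?
  2. `openssl s_client -status` -> did the server staple an OCSP response?
"""
import re
import subprocess
from typing import List, Optional


def parse_disabled_features(text: str) -> List[str]:
    """Feature names from `openssl list -disabled`: one per line after the
    'Disabled algorithms:' header, upper-cased for comparison."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.endswith(":"):
            names.append(line.upper())
    return names


def ocsp_compiled_in(list_disabled_output: str) -> bool:
    """An OpenSSL built with no-ocsp (OPENSSL_NO_OCSP defined) lists OCSP here."""
    return "OCSP" not in parse_disabled_features(list_disabled_output)


def parse_stapling_status(s_client_output: str) -> Optional[str]:
    """Outcome of `openssl s_client -status`:
       'none'        the server answered the status_request extension with nothing,
       'successful'  (or another OCSPResponseStatus word) a response was stapled,
       None          output not recognised (connection failed, old openssl, ...)."""
    if re.search(r"^OCSP response: no response sent", s_client_output, re.M):
        return "none"
    m = re.search(r"OCSP Response Status:\s*([A-Za-z]+)", s_client_output)
    return m.group(1) if m else None


def stapled_ok(s_client_output: str) -> bool:
    """True only when a stapled response is present and its status is successful."""
    return parse_stapling_status(s_client_output) == "successful"


def _run(cmd: List[str]) -> str:
    """Run an openssl subcommand with stdin closed, so s_client exits after the handshake."""
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=30)
    return proc.stdout.decode("utf-8", "replace") + proc.stderr.decode("utf-8", "replace")


def check_openssl_build(openssl: str = "openssl") -> bool:
    """Point `openssl` at the binary of the OpenSSL tcnative was configured with
    (e.g. /usr/local/openssl/bin/openssl), not whatever is first on PATH."""
    return ocsp_compiled_in(_run([openssl, "list", "-disabled"]))


def check_server_stapling(host: str, port: int = 443, openssl: str = "openssl") -> Optional[str]:
    """Handshake with SNI and the status_request extension, then read the verdict."""
    return parse_stapling_status(_run([openssl, "s_client", "-connect", f"{host}:{port}",
                                       "-servername", host, "-status"]))


# Constructed samples in the shape of the real command output.
SAMPLE_DISABLED_DEFAULT = "Disabled algorithms:\nMD2\nRC5\nSCTP\nSSL3\n"
SAMPLE_DISABLED_NO_OCSP = "Disabled algorithms:\nMD2\nOCSP\nRC5\n"
SAMPLE_S_CLIENT_STAPLED = (
    "CONNECTED(00000003)\n"
    "OCSP response: \n"
    "======================================\n"
    "OCSP Response Data:\n"
    "    OCSP Response Status: successful (0x0)\n"
    "    Response Type: Basic OCSP Response\n"
    "======================================\n"
    "depth=0 CN = www.example.test\n"
)
SAMPLE_S_CLIENT_NOT_STAPLED = (
    "CONNECTED(00000003)\n"
    "OCSP response: no response sent\n"
    "depth=0 CN = www.example.test\n"
)

if __name__ == "__main__":
    import sys
    print("OCSP compiled into openssl:", check_openssl_build())
    if len(sys.argv) > 1:
        print("stapling status for", sys.argv[1], ":", check_server_stapling(sys.argv[1]))
```

Run it as `python3 check_stapling.py your.host.example` after the connector is up; a result of `none` with OCSP compiled in points at the certificate or at Tomcat's ability to reach the responder rather than at the build.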
Усманов Азат Анварович
2018-10-17 13:09:06 UTC
Permalink
The SSLLabs test still shows "OCSP stapling no", even with the latest OpenSSL version.

I've tried to test it manually and got an error:

openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

Not sure what the problem might be.
301 looks like an HTTP "Moved Permanently" error, which is strange because
I tried to access http://ocsp.comodoca.com via wget:

wget http://ocsp.comodoca.com
--2018-10-17 16:03:12-- http://ocsp.comodoca.com/
Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
Запрос Proxy послан, ожидается ответ... 200 OK
Длина: 5 [application/ocsp-response]
Saving to: «index.html.7»

100%[==========================================>] 5 --.-K/s в 0s

2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]

[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
Any ideas what the problem might be?


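The five-byte file that wget saved above is worth decoding rather than guessing at. `less` shows it as `0^C`, a line break, and `^A^A`, which is the byte sequence 30 03 0A 01 01: a complete DER OCSPResponse consisting only of responseStatus = 1, malformedRequest. That is consistent with a plain GET of `/` carrying no encoded OCSP request: the responder answered, it just had nothing to answer. Note also that wget reached the responder through a proxy at 192.168.1.2:3128, a path `openssl ocsp` (which connects directly to the URL it is given) need not be taking, so the 301 and the 200 may well come from different places. The following is an added example, not code from this thread: a small DER reader that decodes the outer OCSPResponse structure (RFC 6960 section 4.2.1) from a file such as index.html.7, reporting the status and, when present, the responseType OID and inner response length. The "successful" sample at the bottom is constructed and its inner OCTET STRING is a placeholder, not a real BasicOCSPResponse.

```python
"""Decode the outer layer of a DER-encoded OCSPResponse (RFC 6960, section 4.2.1).

    OCSPResponse ::= SEQUENCE {
        responseStatus  OCSPResponseStatus,             -- ENUMERATED
        responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
    ResponseBytes ::= SEQUENCE {
        responseType    OBJECT IDENTIFIER,
        response        OCTET STRING }

A responder that rejects a request sends only the status, which is why the
file saved in the thread is exactly five bytes long.
"""
from typing import Dict, Tuple

# OCSPResponseStatus values from RFC 6960 (value 4 is not used).
RESPONSE_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}
ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at `pos`; return (tag, value, position after it).

    Handles single-byte tags and short/long-form lengths, and refuses anything
    that runs past the end of the buffer, so a truncated file fails loudly
    instead of being misread.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d: no tag/length" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated: value of tag 0x%02x runs past end of data" % tag)
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    if not value:
        raise ValueError("empty OID")
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("OID ends inside a multi-byte arc")
    return ".".join(str(a) for a in arcs)


def decode_ocsp_response(der: bytes) -> Dict[str, object]:
    """Return responseStatus and, when responseBytes is present, the responseType
    OID and the length of the inner response (a BasicOCSPResponse for the usual type)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE, got tag 0x%02x" % tag)
    if end != len(der):
        raise ValueError("%d trailing byte(s) after OCSPResponse" % (len(der) - end))
    tag, status, pos = read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    code = status[0]
    result: Dict[str, object] = {
        "status_code": code,
        "status": RESPONSE_STATUS.get(code, "unknown(%d)" % code),
        "response_type": None,
        "response_len": 0,
    }
    if pos == len(body):
        return result  # no responseBytes: the shape of every error reply
    tag, explicit, pos = read_tlv(body, pos)
    if tag != 0xA0 or pos != len(body):
        raise ValueError("expected a single [0] EXPLICIT responseBytes")
    tag, rb, _ = read_tlv(explicit, 0)
    if tag != 0x30:
        raise ValueError("ResponseBytes must be a SEQUENCE")
    tag, oid, pos = read_tlv(rb, 0)
    if tag != 0x06:
        raise ValueError("responseType must be an OBJECT IDENTIFIER")
    tag, inner, _ = read_tlv(rb, pos)
    if tag != 0x04:
        raise ValueError("response must be an OCTET STRING")
    result["response_type"] = decode_oid(oid)
    result["response_len"] = len(inner)
    return result


def is_well_formed(der: bytes) -> bool:
    """True if the bytes parse as an OCSPResponse, False on any DER error."""
    try:
        decode_ocsp_response(der)
        return True
    except ValueError:
        return False


# The five bytes the wget run in the thread saved to index.html.7.
WGET_INDEX_HTML_7 = bytes.fromhex("30030a0101")

# Constructed sample of a successful response: responseType is id-pkix-ocsp-basic
# and the OCTET STRING holds a 5-byte placeholder, not a real BasicOCSPResponse.
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 0x80  # short-form length is enough for this sample
    return bytes([tag, len(value)]) + value

_oid = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1
_response_bytes = _tlv(0x30, _tlv(0x06, _oid) + _tlv(0x04, b"\x00\x01\x02\x03\x04"))
SAMPLE_SUCCESSFUL = _tlv(0x30, _tlv(0x0A, b"\x00") + _tlv(0xA0, _response_bytes))

if __name__ == "__main__":
    import sys
    blobs = [("index.html.7", WGET_INDEX_HTML_7), ("constructed", SAMPLE_SUCCESSFUL)]
    if len(sys.argv) > 1:  # decode a captured response file instead
        with open(sys.argv[1], "rb") as fh:
            blobs = [(sys.argv[1], fh.read())]
    for name, blob in blobs:
        print(name, blob.hex(), decode_ocsp_response(blob))
```

Pointing it at the file from the thread (`python3 ocsp_status.py index.html.7`) prints status malformedRequest with no responseBytes; the same decoder applied to what `openssl ocsp -respout` saves will show `successful` and the id-pkix-ocsp-basic OID once the responder is actually reached with a proper request.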
Rainer Jung
2018-10-17 13:41:27 UTC
Permalink
Redirect when accessing http://ocsp.comodoca.com could simply be a
trailing slash redirect (Location: http://ocsp.comodoca.com/). You'd
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).

Regards,

Rainer
Усманов Азат Анварович
2018-10-17 14:02:42 UTC
Permalink
Unfortunately, I still get the same issue with the slash:
openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Request Extensions:
OCSP Nonce:
0410A42C073C3EA560D427D719BA3A8EC5FB
Error querying OCSP responder
139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301



________________________________
Îò: Rainer Jung <***@kippdata.de>
Îòïðàâëåíî: 17 îêòÿáðÿ 2018 ã. 16:41:27
Êîìó: Tomcat Users List; Óñìàíîâ Àçàò Àíâàðîâè÷
Òåìà: Re: OCSP stapling in tomcat 7 with APR

Redirect when accessing http://ocsp.comodoca.com could simply be a
trailing slash redirect (Location: http://ocsp.comodoca.com/). You
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).

Regards,

Rainer
Post by Усманов Азат Анварович
SSLLabs test still shows "OCSP stapling no" even with the latest version openssl
I've tried to test it manually and got an error
openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR _ieml_ru.crt -text -url http://ocsp.comodoca.com
Version: 1 (0x0)
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response er ror:crypto/ocsp/ocsp_ht.c:260:Code=301
Not sure what might be the problem?
301 looks like a http error Moved Permamently which is strange because
i tried to access http://ocsp.comodoca.com via wget
wget http://ocsp.comodoca.com
--2018-10-17 16:03:12-- http://ocsp.comodoca.com/
Óñòàíàâëèâàåòñÿ ñîåäèíåíèå ñ 192.168.1.2:3128... ñîåäèíåíèå óñòàíîâëåíî.
Çàïðîñ Proxy ïîñëàí, îæèäàåòñÿ îòâåò... 200 OK
Äëèíà: 5 [application/ocsp-response]
Saving to: «index.html.7»
100%[===================================================================================================================================================================================================>] 5 --.-K/s â 0s
2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
any ideas what might be the problem?
________________________________
Îòïðàâëåíî: 15 îêòÿáðÿ 2018 ã. 18:20:14
Òåìà: Re: OCSP stapling in tomcat 7 with APR
how do I make sure ocsp is enabled on tomcat native
when I try to pass --enable-ocsp to tomcat native configure i get unrecognized option warning
./configure --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
setting CC to "gcc"
setting CPP to "gcc -E"
setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory... linux
adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
adding "-DHAVE_OPENSSL" to CFLAGS
setting TCNATIVE_LIBS to ""
setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt -lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp
________________________________
Sent: 15 October 2018 15:01:58
Subject: Re: OCSP stapling in tomcat 7 with APR
If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration.
Assuming you use an appropriate certificate etc.
Mark
Mark Thomas
2018-10-17 15:43:39 UTC
Permalink
Post by Усманов Азат Анварович
Unfortunately, I still got the same issue with the slash
openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
Version: 1 (0x0)
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
0410A42C073C3EA560D427D719BA3A8EC5FB
Error querying OCSP responder
139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark
Post by Усманов Азат Анварович
________________________________
Sent: 17 October 2018 16:41:27
To: Tomcat Users List; Усманов Азат Анварович
Subject: Re: OCSP stapling in tomcat 7 with APR
The redirect when accessing http://ocsp.comodoca.com could simply be a
trailing-slash redirect (Location: http://ocsp.comodoca.com/). You had
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
Regards,
Rainer
Post by Усманов Азат Анварович
The SSL Labs test still shows "OCSP stapling no" even with the latest OpenSSL version.
I've tried to test it manually and got an error:
openssl ocsp -issuer /home/idis/authorities.crt -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
Version: 1 (0x0)
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
Not sure what might be the problem?
301 looks like an HTTP error, Moved Permanently, which is strange because
I tried to access http://ocsp.comodoca.com via wget:
wget http://ocsp.comodoca.com
--2018-10-17 16:03:12-- http://ocsp.comodoca.com/
Connecting to 192.168.1.2:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 5 [application/ocsp-response]
Saving to: «index.html.7»
100%[==========================================>] 5 --.-K/s in 0s
2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
any ideas what might be the problem?
________________________________
Sent: 15 October 2018 18:20:14
Subject: Re: OCSP stapling in tomcat 7 with APR
How do I make sure OCSP is enabled in Tomcat Native?
When I try to pass --enable-ocsp to the tomcat-native configure script I get an "unrecognized options" warning.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Усманов Азат Анварович
2018-10-19 12:29:54 UTC
Permalink
Hi! It turns out to be a proxy issue, because once I modify the openssl ocsp command to include my proxy 192.168.1.6 and its port I get the correct response:

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -CAfile issuer.crt -host 192.168.1.6:3131 -path http://ocsp.comodoca.com/ -text

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: Oct 14 07:35:10 2018 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
Cert Status: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT

Signature Algorithm: sha256WithRSAEncryption
28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
This Update: Oct 14 07:35:10 2018 GMT
Next Update: Oct 21 07:35:10 2018 GMT


Now the question is how to tell Tomcat to use a proxy when making OCSP requests.
I have tried putting proxyName and proxyPort in the Connector definition; that didn't do anything for OCSP support (SSL Labs still says no for OCSP).
Any suggestions?
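The `openssl ocsp -text` output above shows the CertID that actually goes on the wire (SHA-1 issuer name hash, SHA-1 issuer key hash, serial number), and earlier in the thread a bare `wget http://ocsp.comodoca.com` through the proxy came back "200 OK" with a 5-byte body that `less` rendered as `0^C` followed by `^A^A`. Those bytes are 30 03 0a 01 01: a DER OCSPResponse whose responseStatus is malformedRequest(1), the status a responder returns when it cannot parse a request, and a bare GET carries none. A 200 from wget therefore only proves the proxy reaches the responder; it says nothing about whether a real query succeeds. The following is an added example, not code from this thread, from Tomcat or from tomcat-native: it hand-encodes the same OCSPRequest in DER with the standard library only (no nonce, like `-no_nonce`), builds the RFC 6960 GET form of it, and decodes the responseStatus of a response. The hash and serial values are copied from the thread's output; the responder URL in the demo and the synthetic "successful" response used in the checks are assumptions for illustration.

```python
"""Added example: DER encode an OCSPRequest and decode an OCSPResponse status,
using only the Python standard library. Not part of Tomcat or tomcat-native."""
import base64
import hashlib
import urllib.parse

ID_SHA1 = bytes.fromhex("2b0e03021a")  # OID 1.3.14.3.2.26 (sha1), DER content bytes

# RFC 6960 4.2.1, OCSPResponseStatus
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    """DER INTEGER of a non-negative value. A serial such as F078... has its top
    bit set, so a 0x00 pad byte is needed or it would decode as a negative
    number and the responder would look up the wrong certificate."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return tlv(0x02, raw)


def cert_id_hashes(issuer_name_der, issuer_public_key_bits):
    """RFC 6960 4.1.1: issuerNameHash = SHA-1(DER of the issuer's Name);
    issuerKeyHash = SHA-1(issuer subjectPublicKey BIT STRING contents, i.e.
    the key bytes without the BIT STRING tag, length and unused-bits byte)."""
    return (hashlib.sha1(issuer_name_der).digest(),
            hashlib.sha1(issuer_public_key_bits).digest())


def cert_id(issuer_name_hash, issuer_key_hash, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    sha1_alg = tlv(0x30, tlv(0x06, ID_SHA1) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    return tlv(0x30, sha1_alg + tlv(0x04, issuer_name_hash)
               + tlv(0x04, issuer_key_hash) + der_integer(serial))


def ocsp_request(issuer_name_hash, issuer_key_hash, serial):
    """OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { reqCert CertID } } }.
    version is DEFAULT v1 and DER forbids encoding default values, so it is
    omitted; no requestExtensions, matching `openssl ocsp -no_nonce`."""
    request = tlv(0x30, cert_id(issuer_name_hash, issuer_key_hash, serial))
    tbs_request = tlv(0x30, tlv(0x30, request))
    return tlv(0x30, tbs_request)


def ocsp_get_url(responder_url, request_der):
    """RFC 6960 A.1 GET form: {url}/{url-encoded base64 of the DER request}.
    POST instead sends the raw DER with Content-Type application/ocsp-request."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def read_tlv(buf, pos=0):
    """Decode one DER element at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ocsp_response_status(response_der):
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
                                   responseBytes [0] EXPLICIT OPTIONAL }
    Returns (status name, whether responseBytes is present). Only a successful
    response carries responseBytes with the signed BasicOCSPResponse inside."""
    tag, body, end = read_tlv(response_der)
    if tag != 0x30 or end != len(response_der):
        raise ValueError("not a single DER SEQUENCE")
    status_tag, status_val, pos = read_tlv(body)
    if status_tag != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    code = int.from_bytes(status_val, "big")
    has_response_bytes = pos < len(body) and body[pos] == 0xA0
    return OCSP_STATUS.get(code, "unknown(%d)" % code), has_response_bytes


# CertID values exactly as `openssl ocsp -text` printed them in this thread.
ISSUER_NAME_HASH = bytes.fromhex("7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9")
ISSUER_KEY_HASH = bytes.fromhex("90AF6A3A945A0BD890EA125673DF43B43A28DAE7")
SERIAL = int("F078CB8E2F4E5A678BFB9065A9611B57", 16)
# The 5-byte body wget saved from a bare GET (less showed "0^C" then "^A^A").
WGET_BODY = bytes.fromhex("30030a0101")

if __name__ == "__main__":
    req = ocsp_request(ISSUER_NAME_HASH, ISSUER_KEY_HASH, SERIAL)
    print("OCSPRequest (%d bytes): %s" % (len(req), req.hex()))
    print("GET form:", ocsp_get_url("http://ocsp.comodoca.com", req))  # responder URL assumed
    print("wget body decodes as:", ocsp_response_status(WGET_BODY))
```

To check what the server itself staples, rather than what the responder answers, the client-side check is `openssl s_client -connect host:443 -servername host -status`: an "OCSP Response Data:" block in its output means a response was stapled in the handshake, while "OCSP response: no response sent" means none was, which is what SSL Labs reports as "OCSP stapling no".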
Усманов Азат Анварович
2018-10-23 17:04:08 UTC
Permalink
Christopher Schultz
2018-10-23 20:28:14 UTC
Permalink
Усманов,
Post by Усманов Азат Анварович
Hi everyone! I did manage to run the OCSP check manually without a
proxy (some network issue), still no success with Tomcat OCSP or
SSL Labs however.
openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -CAfile issuer.crt
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
This Update: Oct 21 07:35:07 2018 GMT
Next Update: Oct 28 07:35:07 2018 GMT
I'm a little lost: are you trying to get your local responder working
for testing, or are you trying to get your server to connect to
Comodo's OCSP service?

It looks like the above worked correctly.

-chris
Усманов Азат Анварович
2018-10-23 21:35:15 UTC
Permalink
Hi Chris! My main goal is for Tomcat to connect to Comodo, to get server-side OCSP stapling working. I was only testing with the OpenSSL ocsp command to make sure that the Comodo OCSP responder is reachable in the first place.