On 17/06/2019 15:51, logo wrote:
> Mark,
>
>
> On 2019-06-17 16:29, Mark Thomas wrote:
>> On 17/06/2019 15:15, logo wrote:
>>> Hi Mark,
>>>
>>> having been in contact with Усманов, I can confirm your summary.
>>>
>>> May I add my question from February with additional info to this thread:
>>> https://markmail.org/message/zvziqrhm32bctm7e
>>
>> Thanks.
>>
>> Progress can be tracked here:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=56148
>>
>> At the moment, the pure JSSE solutions (NIO+JSSE, NIO2+JSSE) support
>> OCSP stapling with appropriate configuration.
>>
>
> Do you mean on trunk or really only configuration?
>
> I just tried it on 8.5.42 and it will not send the message on my
> letsencrypt cert.
>
> If it should work out of the box, do you mind to share the "appropriate"
> config here.

I was testing Tomcat 9.0.x (latest source from Git) but with the
knowledge that we haven't made *any* changes to Tomcat to support OCSP
stapling and that 9.0.x and 8.5.x have very similar TLS code.

I have just tested with 8.5.42. Both NIO+JSSE and NIO2+JSSE support OCSP
stapling.

My Connector configuration is:

    <Connector
        protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        port="8443"
        proxyPort="443"
        maxThreads="150"
        useAsyncIO="true"
        SSLEnabled="true">
      <UpgradeProtocol
          className="org.apache.coyote.http2.Http2Protocol"
          useSendfile="false"
          maxConcurrentStreamExecution="50" />
      <SSLHostConfig>
        <Certificate
            certificateKeyFile="/.../privkey.pem"
            certificateFile="/.../cert.pem"
            certificateChainFile="/.../chain.pem"
            type="RSA" />
      </SSLHostConfig>
    </Connector>

Mark
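
One way to check from the client side whether a connector like the one above is actually stapling, added here as an example and not part of the original thread: classify the OCSP section that `openssl s_client -status` prints. The function names and result labels are hypothetical, and the host and port passed to `check_stapling` are placeholders for your own server.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and labels are hypothetical.

# Read `openssl s_client -status` output on stdin and print one of:
#   not-stapled        server sent no OCSP response in the handshake
#   stapled:good       stapled response says the certificate is good
#   stapled:revoked    stapled response says the certificate is revoked
#   stapled:unknown    responder does not know the certificate
#   stapled:error      a response was stapled but the responder reported an error
#   stapled:no-status  a successful response was stapled without a Cert Status line
#   no-ocsp-section    output has no OCSP section (e.g. handshake failed)
classify_ocsp_stapling() {
    awk '
        /OCSP response: no response sent/ { result = "not-stapled" }
        /OCSP Response Status:/ {
            # Any status other than "successful" carries no certificate status.
            if ($0 ~ /successful/) {
                if (result == "") result = "stapled:no-status"
            } else {
                result = "stapled:error"
            }
        }
        /Cert Status:/ {
            # Line looks like "    Cert Status: good"; the third field is the status.
            if (result != "stapled:error") result = "stapled:" $3
        }
        END { print (result == "" ? "no-ocsp-section" : result) }
    '
}

# Connect to a server and classify its stapling behaviour.
# $1 = host (placeholder), $2 = port (defaults to 8443 as in the Connector above).
check_stapling() {
    host=$1
    port=${2:-8443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_ocsp_stapling
}

# Usage (makes a network connection): check_stapling tomcat.example.org 8443
```

A result of `not-stapled` matches the symptom described in the quoted question; `stapled:good` confirms the handshake carried a valid response for the server certificate.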