Can I point certificateRevocationListFile= to an empty file so it always reverts to OCSP?
________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Friday, June 21, 2019 9:10 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 21/06/2019 16:46, Michael Magnuson wrote:
>
> Thanks. Is that setup using a CRL instead of OCSP?

It will work with either/both.

I had a local OCSP responder running with OpenSSL so I could monitor the
requests and responses. OCSP was working correctly. It rejected a cert
that had been invalidated that wasn't in the CRL.

Mark

>
> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Friday, June 21, 2019 8:44 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 21/06/2019 16:31, Michael Magnuson wrote:
>> Hmm. It's still not working at all for me. Can you post your SSL connector
>> configuration?
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
>     <SSLHostConfig certificateVerification="required"
>                    caCertificateFile="conf/ca-rsa-cert.pem"
>                    certificateRevocationListFile="conf/crl.pem">
>         <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
>                      certificateFile="conf/localhost-rsa-cert.pem"
>                      certificateChainFile="conf/localhost-rsa-chain.pem"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
> Mark
>
>>
>> ________________________________
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Thursday, June 20, 2019 11:36 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>
>> On 20/06/2019 18:50, Mark Thomas wrote:
>>> On 20/06/2019 18:27, Michael Magnuson wrote:
>>>> Thanks Mark. A couple of clarifications on your example first. You don't
>>>> list the clientAuth= attribute. I assume this was a simple oversight.
>>>
>>> It is replaced by certificateVerification="required"
>>>
>>>> You list the SSLEnabled="true" attribute twice. Should one of these be
>>>> secure="true"?
>>>
>>> It should.
>>>
>>>> For the certificateVerification= attribute, is the correct syntax
>>>> "require" or "required"?
>>>
>>> "required"
>>>
>>> Setting up an OCSP responder locally is next on my TODO list. I'll
>>> report back with the results.
>>
>> Works as expected.
>>
>> Mark
>>
>>> Mark
>>>
>>>> Thanks,
>>>> Mike
>>>>
>>>> ________________________________
>>>> From: Mark Thomas <ma...@apache.org>
>>>> Sent: Thursday, June 20, 2019 10:00 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>>>>
>>>> On 20/06/2019 17:24, Michael Magnuson wrote:
>>>>> Mark,
>>>>>
>>>>> Thank you for your replies and help.
>>>>>
>>>>> I'm not sure how to verify that Tomcat Native was built with OCSP support?
>>>>
>>>> Let's assume it has been. I think that is a safe assumption for now.
>>>>
>>>>> Removing the <Certificate/> element had no negative effect. I originally
>>>>> put it in there following this guide:
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuring_OCSP_Connector
>>>>
>>>> Hmm. We might need to revisit that. It looks "odd".
>>>>
>>>>> Without the trustStore attributes, it prompts for the smart card PIN and
>>>>> you can select the cert you want to use, but then it doesn't do anything
>>>>> from there. With those attributes present, Tomcat serves up the expected
>>>>> page after PIN+cert.
>>>>
>>>> Interesting. That suggests Tomcat is using the trustStore to validate
>>>> the client certs.
>>>>
>>>> I've looked at this again and the config is more mixed up than I first
>>>> realised. Let's get that fixed first.
>>>>
>>>>> Changing clientAuth to "required" from "want" has no effect either way.
>>>>
>>>> OK. Let's leave it on required for now since that takes one variable out
>>>> of the equation.
>>>>
>>>> Back to the config. I'm going to try and convert everything to the new
>>>> style format.
>>>>
>>>> <Connector port="8443"
>>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>            maxThreads="150"
>>>>            SSLEnabled="true"
>>>>            scheme="https"
>>>>            SSLEnabled="true" >
>>>>     <SSLHostConfig sslProtocol="TLSv1.1+TLSv1.2"
>>>>                    certificateVerification="required"
>>>>                    caCertificateFile="path_to_ca_file">
>>>>         <Certificate certificateFile="path_to_server.crt"
>>>>                      certificateKeyFile="path_to_server.key"
>>>>                      certificateKeyPassword="password"
>>>>                      certificateChainFile="path_to_chain" />
>>>>     </SSLHostConfig>
>>>> </Connector>
>>>>
>>>> I have removed settings that are the same as the defaults.
>>>> SSLCertificateChainFile isn't a recognised attribute.
>>>>
>>>> I opted for the OpenSSL style store for trusted CA certs. That probably
>>>> means you need to export the trusted certs from your trustStoreFile to a
>>>> PEM encoded file for caCertificateFile.
>>>>
>>>> For the purposes of the test, you only need to export the cert that
>>>> issued the cert used by the client.
>>>>
>>>> I'm wondering if the slightly odd trust store config was causing
>>>> problems. We really need more logging in Tomcat Native to figure that
>>>> sort of thing out.
>>>>
>>>> I also think I need to get OCSP working with client certs locally so I
>>>> can test it as well. I'll add that to my TODO list.
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org