OCSP stapling in tomcat 7 with APR

OCSP stapling in tomcat 7 with APR

Усманов Азат Анварович
Hello everyone! I have a Java 7 web app running on Tomcat 7 with APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP stapling on Tomcat so that:

When OCSP is enabled, a server will pre-fetch the OCSP response for its own certificate and deliver the response to the user's browser during the TLS handshake. This eliminates the need to make a separate connection to the CA's revocation service before the Web page is displayed, improving the page's performance and reliability.

I did search the mailing list and found this question
https://www.mail-archive.com/users@.../msg129303.html
but that user is using the JSSE implementation for TLS, not APR.
The documentation for Tomcat 7 does have an example:

<Connector port="8443"
   protocol="org.apache.coyote.http11.Http11AprProtocol"
   secure="true" scheme="https"
   SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
   SSLCertificateKeyFile="/path/to/ocsp-cert.key"
   SSLCACertificateFile="/path/to/ca.pem"
   SSLVerifyClient="require"
   SSLVerifyDepth="10"
   clientAuth="true"/>


but that is for client-cert verification. Can we do it on the server side? Or do I miss something about how OCSP is supposed to work in the first place?
Re: OCSP stapling in tomcat 7 with APR

markt
On 14/10/18 18:45, Усманов Азат Анварович wrote:

> [...]
> but that is for client-cert verification. Can we do it on the server side? Or do I miss something about how OCSP is supposed to work in the first place?

If you build an OCSP enabled version of the APR/native connector, OCSP
stapling should just happen without any additional configuration.
Assuming you use an appropriate certificate etc.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: OCSP stapling in tomcat 7 with APR

Усманов Азат Анварович
How do I make sure OCSP is enabled in tomcat-native?

When I try to pass --enable-ocsp to the tomcat-native configure, I get an "unrecognized option" warning:


  ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
configure: WARNING: unrecognized options: --enable-ocsp
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.17
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.6.5 detected.
  setting CC to "gcc"
  setting CPP to "gcc -E"
  setting LIBTOOL to "/usr/local/apr/build-1/libtool"
checking JAVA_HOME... /usr/java/jdk1.7.0_79
  adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
  adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
checking OpenSSL library version >= 1.0.2... ok
checking for OpenSSL DSA support... yes
  adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
  setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  -lpthread"
checking for apr_pollset_wakeup in -lapr-1... yes
  adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands
configure: WARNING: unrecognized options: --enable-ocsp




Re: OCSP stapling in tomcat 7 with APR

markt
On 15/10/18 16:20, Усманов Азат Анварович wrote:
> How do I make sure OCSP is enabled in tomcat-native?
>
> When I try to pass --enable-ocsp to the tomcat-native configure, I get an "unrecognized option" warning

As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
disable OCSP when building on Linux, so you should be good with a
standard build.

Mark




Re: OCSP stapling in tomcat 7 with APR

csutherl
On Mon, Oct 15, 2018 at 11:39 AM Mark Thomas <[hidden email]> wrote:

> On 15/10/18 16:20, Усманов Азат Анварович wrote:
> > How do I make sure OCSP is enabled in tomcat-native?
> >
> > When I try to pass --enable-ocsp to the tomcat-native configure, I get an "unrecognized option" warning
>
> As far as I can tell, you'd need to explicitly define OPENSSL_NO_OCSP to
> disable OCSP when building on Linux, so you should be good with a
> standard build.
>

+1, just build it, and as long as the OpenSSL version you're using supports
it, you're good.


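An added example, not part of the thread and not Tomcat or tomcat-native code. Mark's and Coty's answers come down to: OCSP is compiled in unless OPENSSL_NO_OCSP was defined when OpenSSL itself was built. The script checks exactly that in the opensslconf.h of the OpenSSL copy tcnative was linked against (the configure output above says /usr/local/openssl, with an rpath to its lib directory, so that is the copy to inspect, not the distribution's), and then classifies the output of `openssl s_client -status`, which is the same observation SSL Labs reports as "OCSP stapling". The header path and the two transcripts are constructed for the offline checks; probe() makes a live connection. A compiled-in OCSP only makes stapling possible; whether the server actually sends a stapled response is what the probe measures.

```python
"""Added example (not from the thread, Tomcat or tomcat-native): check that the
OpenSSL tcnative links against was built with OCSP, then test stapling from the
outside with `openssl s_client -status`."""
import re
import subprocess
import sys

# OpenSSL writes "# define OPENSSL_NO_<FEATURE>" into
# <prefix>/include/openssl/opensslconf.h for every feature disabled at build
# time.  Anything linked against that OpenSSL inherits the restriction.
_NO_OCSP = re.compile(r"^\s*#\s*define\s+OPENSSL_NO_OCSP\b", re.MULTILINE)


def ocsp_disabled(opensslconf_text: str) -> bool:
    """True if this opensslconf.h content says OCSP was compiled out."""
    return _NO_OCSP.search(opensslconf_text) is not None


def ocsp_disabled_in(path: str) -> bool:
    """Same check against a header on disk.  The path is the caller's choice;
    use the include dir tcnative's configure reported (/usr/local/openssl/include
    in the thread), not the system OpenSSL's."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return ocsp_disabled(f.read())


def classify_stapling(transcript: str) -> dict:
    """Summarise the OCSP part of an `openssl s_client -status` transcript.

    s_client prints "OCSP response: no response sent" when the server stapled
    nothing; otherwise it dumps the response, including its status and the
    certificate status inside it.
    """
    if "OCSP response: no response sent" in transcript:
        return {"stapled": False, "status": None, "cert_status": None}
    m = re.search(r"OCSP Response Status:\s*(\w+)", transcript)
    if m is None:
        return {"stapled": False, "status": None, "cert_status": None}
    cs = re.search(r"Cert Status:\s*(\w+)", transcript)
    return {"stapled": True, "status": m.group(1),
            "cert_status": cs.group(1) if cs else None}


def probe(host: str, port: int = 443, timeout: float = 15.0) -> dict:
    """Live check (network): ask the server to staple and classify the answer.
    SNI is sent so the server picks the same certificate a browser would."""
    out = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=timeout)
    return classify_stapling(out.stdout.decode(errors="replace"))


# Constructed, abbreviated transcripts (not captured from the poster's server).
NOT_STAPLED = """CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
"""

STAPLED = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
"""

if __name__ == "__main__":
    # usage: python3 check_stapling.py www.example.com [port]
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print(classify_stapling(NOT_STAPLED), classify_stapling(STAPLED))
```

If ocsp_disabled_in() is False for the header tcnative was built against and probe() still reports stapled: False, the OpenSSL build is not the problem and the missing response has to be looked for on the server side.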
Re: OCSP stapling in tomcat 7 with APR

Усманов Азат Анварович
The SSLLabs test still shows "OCSP stapling no" even with the latest OpenSSL version.

I've tried to test it manually and got an error:


 openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Request Extensions:
        OCSP Nonce:
            041002914B015477EC5C503D4FD630D616F3
Error querying OCSP responder
140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

Not sure what the problem might be?
301 looks like an HTTP error, Moved Permanently, which is strange, because
I tried to access http://ocsp.comodoca.com via wget:

 wget  http://ocsp.comodoca.com
--2018-10-17 16:03:12--  http://ocsp.comodoca.com/
Connecting to 192.168.1.2:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: 5 [application/ocsp-response]
Saving to: «index.html.7»

100%[==========>] 5           --.-K/s   in 0s

2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]

[root] ~# less index.html.7
0^C
^A^A
index.html.7 (END)
Any ideas what the problem might be?



Re: OCSP stapling in tomcat 7 with APR

Rainer Jung-3
The redirect when accessing http://ocsp.comodoca.com could simply be a
trailing-slash redirect (Location: http://ocsp.comodoca.com/). You had
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).

Regards,

Rainer

On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:

> The SSLLabs test still shows "OCSP stapling no" even with the latest OpenSSL version.
> [...]
> Error querying OCSP responder
> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
> [...]
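An added example, not from the thread. The five-byte file wget saved above, viewed with less, shows "0^C" on one line and "^A^A" on the next; I read that as the DER bytes 30 03 0a 01 01 (an assumption; `xxd index.html.7` would confirm it). Those bytes are a complete OCSPResponse (RFC 6960, section 4.2.1): a SEQUENCE holding an ENUMERATED responseStatus of 1, malformedRequest, and no responseBytes. That is consistent with a GET that carries no OCSP request at all, so the 200 OK from wget says nothing about whether the responder works. The Code=301 from `openssl ocsp` is a separate matter: the HTTP client in OpenSSL 1.1.1's crypto/ocsp/ocsp_ht.c (the file named in the error) accepts only a 200 status line and does not follow redirects, and as far as I know that version has no HTTP proxy support, while the wget run went through the proxy at 192.168.1.2:3128 shown in its output, so the two tests did not take the same path. The decoder below is a minimal hand-written reader for the outer structure only; post_ocsp() is a hypothetical helper of mine that re-POSTs to the Location of a redirect so the responder's real answer can be inspected; the "successful" sample is constructed and carries placeholder responseBytes.

```python
"""Added example (not from the thread): decode the outer OCSPResponse
structure (RFC 6960, section 4.2.1) and POST a request with redirect handling.

OCSPResponse ::= SEQUENCE {                                   -- tag 0x30
    responseStatus  OCSPResponseStatus,                       -- ENUMERATED, tag 0x0A
    responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }     -- tag 0xA0
"""
import http.client
from urllib.parse import urlsplit

STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Reconstructed (assumption) from the `less` output in the thread:
# '0' = 0x30, '^C' = 0x03, the line break = 0x0A, '^A^A' = 0x01 0x01.
WGET_BODY = bytes.fromhex("30030a0101")

# Constructed sample of a successful response; the [0] responseBytes payload
# is a placeholder empty SEQUENCE, not a real BasicOCSPResponse.
SUCCESS_SAMPLE = bytes.fromhex("30070a0100a0023000")


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: no room for tag and length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x80|n, then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ocsp_response(der: bytes) -> dict:
    """Return {'status', 'status_name', 'has_response_bytes'} for a DER OCSPResponse."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(der):
        raise ValueError("trailing bytes after OCSPResponse")
    tag, status_val, pos = _tlv(body, 0)
    if tag != 0x0A or len(status_val) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    has_response_bytes = False
    if pos < len(body):
        tag, _, pos = _tlv(body, pos)
        if tag != 0xA0:
            raise ValueError(f"expected [0] responseBytes (0xA0), got 0x{tag:02x}")
        has_response_bytes = True
    if pos != len(body):
        raise ValueError("trailing bytes inside OCSPResponse")
    status = status_val[0]
    return {"status": status,
            "status_name": STATUS_NAMES.get(status, "unknown"),
            "has_response_bytes": has_response_bytes}


def post_ocsp(url: str, request_der: bytes, max_redirects: int = 3) -> dict:
    """Hypothetical helper (network): POST a DER OCSPRequest as RFC 6960 App. A
    describes and decode the reply.  Unlike OpenSSL 1.1.1's ocsp app, it
    re-POSTs to the Location of a 301/302/307/308 instead of failing."""
    for _ in range(max_redirects + 1):
        u = urlsplit(url)
        cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = cls(u.hostname, u.port, timeout=10)
        conn.request("POST", u.path or "/", body=request_der,
                     headers={"Content-Type": "application/ocsp-request"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        location = resp.getheader("Location")
        if resp.status in (301, 302, 307, 308) and location:
            url = location              # responder moved: retry the POST there
            continue
        if resp.status != 200:
            raise RuntimeError(f"responder returned HTTP {resp.status}")
        ctype = resp.getheader("Content-Type", "")
        if ctype != "application/ocsp-response":
            raise RuntimeError(f"unexpected Content-Type {ctype!r}")
        return decode_ocsp_response(body)
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print(decode_ocsp_response(WGET_BODY))   # the body wget saved: malformedRequest
```

A request built with `openssl ocsp -reqout req.der ...` can be fed to post_ocsp() to see what the responder actually returns once the redirect is followed; whatever that is, a stapled response on the Tomcat side still has to come from the server process itself, so this only rules the responder in or out.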

Re: OCSP stapling in tomcat 7 with APR

Усманов Азат Анварович
Unfortunately, I still get the same issue with the slash:
 openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Request Extensions:
        OCSP Nonce:
            0410A42C073C3EA560D427D719BA3A8EC5FB
Error querying OCSP responder
139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301



________________________________
От: Rainer Jung <[hidden email]>
Отправлено: 17 октября 2018 г. 16:41:27
Кому: Tomcat Users List; Усманов Азат Анварович
Тема: Re: OCSP stapling in tomcat 7 with APR

Redirect when accessing http://ocsp.comodoca.com could simply be a
trailing slash redirect (Location: http://ocsp.comodoca.com/). You
better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).

Regards,

Rainer

Am 17.10.2018 um 15:09 schrieb Усманов Азат Анварович:

> SSLLabs  test still shows "OCSP stapling no" even with the latest version openssl
>
> I've tried to test it manually and got an error
>
>
>   openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR                                                                                                                                                             _ieml_ru.crt -text -url http://ocsp.comodoca.com
> OCSP Request Data:
>      Version: 1 (0x0)
>      Requestor List:
>          Certificate ID:
>            Hash Algorithm: sha1
>            Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>            Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>            Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>      Request Extensions:
>          OCSP Nonce:
>              041002914B015477EC5C503D4FD630D616F3
> Error querying OCSP responder
> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
>
> Not sure what might be the problem?
> 301 looks like an http error Moved Permanently, which is strange because
> i tried to access   http://ocsp.comodoca.com via wget
>
>   wget  http://ocsp.comodoca.com
> --2018-10-17 16:03:12--  http://ocsp.comodoca.com/
> Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
> Запрос Proxy послан, ожидается ответ... 200 OK
> Длина: 5 [application/ocsp-response]
> Saving to: «index.html.7»
>
> 100%[===================================================================================================================================================================================================>] 5           --.-K/s   в 0s
>
> 2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
>
> [root] ~# less index.html.7
> 0^C
> ^A^A
> index.html.7 (END)
> any ideas what might be the problem?
>
>
> ________________________________
> From: Усманов Азат Анварович <[hidden email]>
> Sent: 15 October 2018 18:20:14
> To: [hidden email]
> Subject: Re: OCSP stapling in tomcat 7 with APR
>
> how do I make sure ocsp is enabled on tomcat native
>
> when I try to pass --enable-ocsp to tomcat native configure i get unrecognized option warning
>
>
>    ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
> configure: WARNING: unrecognized options: --enable-ocsp
> checking build system type... x86_64-pc-linux-gnu
> checking host system type... x86_64-pc-linux-gnu
> checking target system type... x86_64-pc-linux-gnu
> checking for a BSD-compatible install... /usr/bin/install -c
> checking for working mkdir -p... yes
> Tomcat Native Version: 1.2.17
> checking for chosen layout... tcnative
> checking for APR... yes
> configure: APR 1.6.5 detected.
>    setting CC to "gcc"
>    setting CPP to "gcc -E"
>    setting LIBTOOL to "/usr/local/apr/build-1/libtool"
> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>    adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
> checking for JDK os include directory...  linux
>    adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking for OpenSSL library... using openssl from /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
> checking OpenSSL library version >= 1.0.2... ok
> checking for OpenSSL DSA support... yes
>    adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
>    setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
>    adding "-DHAVE_OPENSSL" to CFLAGS
>    setting TCNATIVE_LIBS to ""
>    setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  -lpthread"
> checking for apr_pollset_wakeup in -lapr-1... yes
>    adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
> configure: creating ./config.status
> config.status: creating tcnative.pc
> config.status: creating Makefile
> config.status: executing default commands
> configure: WARNING: unrecognized options: --enable-ocsp
>
>
>
> ________________________________
> From: Mark Thomas <[hidden email]>
> Sent: 15 October 2018 15:01:58
> To: [hidden email]
> Subject: Re: OCSP stapling in tomcat 7 with APR
>
> On 14/10/18 18:45, Усманов Азат Анварович wrote:
>> Hello everyone! I have  an java 7 web app running on tomcat 7 with APR/tomcat-native ON Linux .(OpenSSL 1.1.1) I would like to enable OCSP stapling on tomcat
>> so that
>> When OCSP is enabled, a server will pre-fetch the OCSP response for its own certificate and deliver the response to the user's browser during the TLS handshake. This eliminates the need to make a separate connection to the CA's revocation service before the Web page is displayed, improving the page's performance and reliability.
>> I did search the mailing list and found this question
>> https://www.mail-archive.com/users@.../msg129303.html
>> but that user  is using  JSSE implementation for TLS not APR
>>   documentation for tomcat7 does have an example
>>
>> Connector port="8443"
>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     secure="true" scheme="https"
>>     SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>>     SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>>     SSLCACertificateFile="/path/to/ca.pem"
>>     SSLVerifyClient="require"
>>     SSLVerifyDepth="10"
>>     clientAuth="true"/>
>>
>>
>> but that is for client-cert verification, Can we do it on server side? or do I miss something on how ocsp is supposed to work in the first place?
>
> If you build an OCSP enabled version of the APR/native connector, OCSP
> stapling should just happen without any additional configuration.
> Assuming you use an appropriate certificate etc.
>
> Mark
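An added example, not code from the thread or from Tomcat: the `Code=301` above is the HTTP status that `openssl ocsp` saw, and because that client never follows redirects and hides the response headers, the quickest way to see what answered (responder or an intercepting proxy) is to send the same DER request with curl, which honours `http_proxy` and prints the headers. The functions below do that and decode OpenSSL's error text; they assume `openssl` and `curl` are on PATH, the certificate paths passed to `ocsp_probe` are hypothetical, and `SAMPLE_ERR` is the error line quoted in the thread.

```shell
# Added example (not from the thread or from Tomcat): make the OCSP HTTP
# exchange visible without a packet capture, and decode OpenSSL's Code=NNN.
# Assumes openssl and curl on PATH; certificate paths are hypothetical.

# ocsp_error_code TEXT -> prints the HTTP status embedded in an OpenSSL
# "parse_http_line1:server response error ... Code=NNN" line, else nothing.
ocsp_error_code() {
    printf '%s\n' "$1" |
        sed -n 's/.*parse_http_line1:server response error.*Code=\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# explain_http_code CODE -> one-line reading of what the responder (or a
# proxy sitting in between) answered to the OCSP POST.
explain_http_code() {
    case $1 in
        200) echo "responder answered; decode the body with: openssl ocsp -respin FILE -text" ;;
        301|302|307|308) echo "redirect: openssl ocsp never follows Location, so point -url at the final URL (trailing slash, http vs https, intercepting proxy)" ;;
        403|407) echo "refused: proxy authentication or URL filtering is blocking the responder" ;;
        5*) echo "responder or proxy error: check the Host header and retry" ;;
        *) echo "unexpected HTTP status $1" ;;
    esac
}

# ocsp_probe ISSUER_PEM LEAF_PEM URL -> builds the same DER request that
# `openssl ocsp -url` would send, POSTs it with curl (no -L, so a redirect
# stays visible) and prints the status line plus any Location header.
ocsp_probe() {
    issuer=$1; leaf=$2; url=$3
    req=$(mktemp) || return 1
    openssl ocsp -issuer "$issuer" -cert "$leaf" -no_nonce -reqout "$req" >/dev/null 2>&1 ||
        { rm -f "$req"; return 1; }
    curl -sS -o /dev/null -D - \
         -H 'Content-Type: application/ocsp-request' \
         --data-binary "@$req" "$url" |
        grep -i -E '^(HTTP/|Location:)'
    rm -f "$req"
}

# The error line quoted in the thread, kept here as a sample input.
SAMPLE_ERR='139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301'
```

`ocsp_probe issuer.crt server.crt http://ocsp.comodoca.com/` prints `HTTP/1.1 200 OK` against a healthy responder; a `301` line followed by `Location:` shows where the request is really being sent, and running it once with `http_proxy` set and once unset separates a proxy rewrite from a responder redirect.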

Re: OCSP stapling in tomcat 7 with APR

markt
On 17/10/18 15:02, Усманов Азат Анварович wrote:

> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>           Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>           Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>     Request Extensions:
>         OCSP Nonce:
>             0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark






Re: OCSP stapling in tomcat 7 with APR

Усманов Азат Анварович
Hi! Turns out to be a proxy issue, because once I modify the openssl ocsp command to include my proxy 192.168.1.6 and port, I get the correct response:

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt  -CAfile issuer.crt -host 192.168.1.6:3131 -path http://ocsp.comodoca.com/ -text

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Oct 14 07:35:10 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: Oct 14 07:35:10 2018 GMT
    Next Update: Oct 21 07:35:10 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
         be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
         8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
         62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
         bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
         a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
         c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
         70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
         ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
         ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
         4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
         d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
         21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
         1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
         17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
        This Update: Oct 14 07:35:10 2018 GMT
        Next Update: Oct 21 07:35:10 2018 GMT


Now the question is how to tell Tomcat to use a proxy when making OCSP requests. I have tried adding proxyName and proxyPort to the Connector definition, but that didn't do anything for OCSP support (SSLLabs still says no for OCSP). Any suggestions?





________________________________
From: Mark Thomas <[hidden email]>
Sent: 17 October 2018 18:43:39
To: Tomcat Users List
Subject: Re: OCSP stapling in tomcat 7 with APR

On 17/10/18 15:02, Усманов Азат Анварович wrote:

> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>           Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>           Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>     Request Extensions:
>         OCSP Nonce:
>             0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark




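An added example, not code from the thread or from Tomcat: rather than waiting for SSLLabs after every Connector change, the stapling status can be read locally from `openssl s_client -status`, which asks for the certificate status extension and prints either `OCSP response: no response sent` or the decoded stapled response. The functions below classify that output and extract the response's `Next Update` so a cron job can alert when a server stops stapling or serves a stale or revoked response. It assumes `openssl` is on PATH for the live check; the two sample outputs are constructed (the first mirrors what Tomcat produced in this thread).

```shell
# Added example (not from the thread or from Tomcat): classify what a server
# staples, from the text `openssl s_client -status` prints.

# stapling_status TEXT -> prints one of none | good | revoked | unknown | malformed
# Exit status: 0 for none/good, 2 for revoked, 1 otherwise (so cron can alert).
stapling_status() {
    text=$1
    if printf '%s\n' "$text" | grep -q '^OCSP response: no response sent'; then
        echo none
        return 0
    fi
    if ! printf '%s\n' "$text" | grep -q 'OCSP Response Status: successful'; then
        echo malformed
        return 1
    fi
    status=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
    case $status in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 2 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# next_update TEXT -> prints the "Next Update" timestamp of the stapled
# response (empty if none), for comparison with the current date.
next_update() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1
}

# check_endpoint HOST [PORT] [CA_FILE] -> runs the live handshake with SNI and
# -status, then classifies the answer. CA_FILE is optional; without it the
# chain check reports "unable to get local issuer certificate" (as in the
# thread), which is a trust-store problem and not a stapling problem.
check_endpoint() {
    host=$1; port=${2:-443}; cafile=$3
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "$host:$port" -servername "$host" -status -CAfile "$cafile" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null)
    fi
    stapling_status "$out"
}

# Constructed samples: a server that staples nothing, and one that staples a
# good response.
SAMPLE_NONE='CONNECTED(00000005)
depth=2 C = GB, O = Example CA
OCSP response: no response sent
---
Certificate chain'

SAMPLE_GOOD='CONNECTED(00000005)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct 21 07:35:07 2018 GMT
    Next Update: Oct 28 07:35:07 2018 GMT
======================================
---'
```

`check_endpoint localhost 8443 issuer.crt` answers `none` for the Tomcat instance in this thread; once the connector staples, it answers `good` and `next_update` on the same output gives the time after which the stapled response must have been refreshed.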


Re: OCSP stapling in tomcat 7 with APR

Усманов Азат Анварович
Hi everyone! I did manage to run the OCSP check manually without a proxy (some network issue); still no success with Tomcat OCSP or SSLLabs, however.

openssl ocsp  -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt  -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -CAfile issuer.crt
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
        This Update: Oct 21 07:35:07 2018 GMT
        Next Update: Oct 28 07:35:07 2018 GMT





 openssl s_client -connect localhost:8443 -tls1_2 -tlsextdebug  -status
CONNECTED(00000005)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00                                                .
TLS server extension "server name" (id=0), len=0
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "extended master secret" (id=23), len=0
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
OCSP response: no response sent
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4966 bytes and written 314 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 81DDFBC7755B21C63C5B1C5397D05EBB7EA8DA0022634CADC848CEECBE1F51DA
    Session-ID-ctx:
    Master-Key: 1CF1F4658FC6CD3A8B12579B7DDE4314D1A2E29BC1DED5F605C5D71467C41022FB68902C5198560FE2251519D400602C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 14400 (seconds)
    TLS session ticket:
    0000 - f8 1f af d2 64 6e 20 f1-89 e6 2c 38 5a 6e 81 92   ....dn ...,8Zn..
    0010 - 1d 05 10 4f 52 f8 80 98-8c 07 dc 9e 98 9d 55 64   ...OR.........Ud
    0020 - bd 43 11 8d 8a bb 80 ee-0f ea dd 94 fc 95 76 08   .C............v.
    0030 - 25 7c 3e dc 7a 2b 0c be-04 4e 56 13 0c 4d ae ef   %|>.z+...NV..M..
    0040 - 8a 97 3a 60 dd 08 5c 04-78 32 cb ca 46 7a cb 1c   ..:`..\.x2..Fz..
    0050 - f9 69 bc 85 d1 ac bc 7e-93 93 dd b9 02 dc f5 5a   .i.....~.......Z
    0060 - df 4a 70 0c 34 e0 37 cd-09 a7 e4 3e 77 ce 93 e2   .Jp.4.7....>w...
    0070 - 9b cf a4 40 01 9f e2 36-6f 76 d1 6a 80 0f 4a 78   ...@...6ov.j..Jx
    0080 - a4 ee 93 80 aa 4c 21 af-61 19 5b 6a 49 52 3d e0   .....L!.a.[jIR=.
    0090 - c2 6f f1 4e 9c 4e 3d e4-91 2e e3 6a ea 52 ea a9   .o.N.N=....j.R..
    00a0 - 8e cc 33 f4 e7 aa 2a 04-93 26 a8 36 4e 01 b0 12   ..3...*..&.6N...
    00b0 - ca d2 df 64 0b 98 2b 57-7f be 68 8a 0d 43 26 06   ...d..+W..h..C&.

    Start Time: 1540313457
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes


Any idea how to identify which command Tomcat sends to the OCSP responder?


________________________________
From: Усманов Азат Анварович <[hidden email]>
Sent: 19 October 2018 15:29:54
To: Tomcat Users List
Subject: Re: OCSP stapling in tomcat 7 with APR

Hi! Turns out to be a proxy issue, because once I modify the openssl ocsp command to include my proxy 192.168.1.6 and port, I get the correct response:

openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt  -CAfile issuer.crt -host 192.168.1.6:3131 -path http://ocsp.comodoca.com/ -text

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Oct 14 07:35:10 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
    Cert Status: good
    This Update: Oct 14 07:35:10 2018 GMT
    Next Update: Oct 21 07:35:10 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         28:c0:93:7d:9b:4d:96:16:37:f4:1f:fc:ca:8c:32:b1:bb:22:
         be:d8:33:14:9b:e9:75:18:b2:a5:20:77:ef:f9:6c:48:1c:72:
         8f:db:87:4a:30:50:04:72:9d:75:0f:ce:09:82:b7:56:bf:aa:
         62:fe:50:b7:10:96:82:b6:53:0f:a0:c8:b1:49:bf:0e:88:19:
         bf:41:64:21:8f:8f:9a:f3:1a:e5:3b:36:d0:96:7e:01:89:c4:
         a2:c3:19:3c:fa:fa:e7:ad:df:4e:76:37:32:72:ba:95:23:4e:
         c6:09:c8:a6:a1:28:63:5f:e6:6a:62:55:e3:a2:a8:29:47:4b:
         70:a2:6b:e3:07:0a:a0:b2:28:79:61:24:f8:ab:9a:ff:bf:b6:
         ff:2b:ca:0e:f1:a8:cc:2a:ae:a5:4a:90:40:14:64:b1:ca:10:
         ca:44:a3:f9:00:af:d7:55:0b:5b:0e:0f:d9:8b:3a:c9:a2:41:
         4e:e5:23:23:9a:36:dc:28:c3:a8:4d:1c:08:c7:64:87:a5:0c:
         d7:08:57:a8:62:85:73:d5:f7:14:a2:c7:07:e9:57:e9:e1:1a:
         21:d0:d9:56:62:06:0f:05:bc:19:b7:c8:63:5a:a8:97:28:f3:
         1b:5b:30:3c:d6:31:ec:f5:cb:cd:f8:7e:61:cd:2b:ea:19:1c:
         17:8c:a4:9a
Response verify OK
/home/idis/STAR_ieml_ru.crt: good
        This Update: Oct 14 07:35:10 2018 GMT
        Next Update: Oct 21 07:35:10 2018 GMT


Now the question is how to tell Tomcat to use a proxy when making OCSP requests. I have tried adding proxyName and proxyPort to the Connector definition, but that didn't do anything for OCSP support (SSLLabs still says no for OCSP). Any suggestions?





________________________________
From: Mark Thomas <[hidden email]>
Sent: 17 October 2018 18:43:39
To: Tomcat Users List
Subject: Re: OCSP stapling in tomcat 7 with APR

On 17/10/18 15:02, Усманов Азат Анварович wrote:

> Unfortunately, I still got the same issue with the slash
>  openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com/
> OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>           Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>           Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>     Request Extensions:
>         OCSP Nonce:
>             0410A42C073C3EA560D427D719BA3A8EC5FB
> Error querying OCSP responder
> 139868527687424:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301

That is http so you could use Wireshark or similar to do a network trace
and see exactly what is going on there.

Mark


>
>
>
> ________________________________
> From: Rainer Jung <[hidden email]>
> Sent: 17 October 2018 16:41:27
> To: Tomcat Users List; Усманов Азат Анварович
> Subject: Re: OCSP stapling in tomcat 7 with APR
>
> Redirect when accessing http://ocsp.comodoca.com could simply be a
> trailing slash redirect (Location: http://ocsp.comodoca.com/). You had
> better use http://ocsp.comodoca.com/ (note the slash at the end of the URL).
>
> Regards,
>
> Rainer
>
> On 17.10.2018 at 15:09, Усманов Азат Анварович wrote:
>> The SSL Labs test still shows "OCSP stapling no" even with the latest version of openssl.
>>
>> I've tried to test it manually and got an error:
>>
>>
>>   openssl ocsp -issuer /home/idis/authorities.crt  -cert /home/idis/STAR_ieml_ru.crt -text -url http://ocsp.comodoca.com
>> OCSP Request Data:
>>      Version: 1 (0x0)
>>      Requestor List:
>>          Certificate ID:
>>            Hash Algorithm: sha1
>>            Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
>>            Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
>>            Serial Number: F078CB8E2F4E5A678BFB9065A9611B57
>>      Request Extensions:
>>          OCSP Nonce:
>>              041002914B015477EC5C503D4FD630D616F3
>> Error querying OCSP responder
>> 140179572442880:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=301
>>
>> Not sure what the problem might be?
>> 301 looks like an HTTP error (Moved Permanently), which is strange because
>> I tried to access http://ocsp.comodoca.com via wget:
>>
>>   wget  http://ocsp.comodoca.com
>> --2018-10-17 16:03:12--  http://ocsp.comodoca.com/
>> Устанавливается соединение с 192.168.1.2:3128... соединение установлено.
>> Запрос Proxy послан, ожидается ответ... 200 OK
>> Длина: 5 [application/ocsp-response]
>> Saving to: «index.html.7»
>>
>> 100%[===================================================================================================================================================================================================>] 5           --.-K/s   в 0s
>>
>> 2018-10-17 16:03:12 (488 KB/s) - «index.html.7» saved [5/5]
>>
>> [root] ~# less index.html.7
>> 0^C
>> ^A^A
>> index.html.7 (END)
>> Any ideas what the problem might be?
>>
>>
>> ________________________________
>> From: Усманов Азат Анварович <[hidden email]>
>> Sent: 15 October 2018 18:20:14
>> To: [hidden email]
>> Subject: Re: OCSP stapling in tomcat 7 with APR
>>
>> How do I make sure OCSP is enabled in Tomcat Native?
>>
>> When I try to pass --enable-ocsp to the Tomcat Native configure script I get an "unrecognized option" warning:
>>
>>
>>    ./configure  --with-apr=/usr/local/apr --with-java-home=/usr/java/jdk1.7.0_79 -with-ssl=/usr/local/openssl --enable-ocsp
>> configure: WARNING: unrecognized options: --enable-ocsp
>> checking build system type... x86_64-pc-linux-gnu
>> checking host system type... x86_64-pc-linux-gnu
>> checking target system type... x86_64-pc-linux-gnu
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking for working mkdir -p... yes
>> Tomcat Native Version: 1.2.17
>> checking for chosen layout... tcnative
>> checking for APR... yes
>> configure: APR 1.6.5 detected.
>>    setting CC to "gcc"
>>    setting CPP to "gcc -E"
>>    setting LIBTOOL to "/usr/local/apr/build-1/libtool"
>> checking JAVA_HOME... /usr/java/jdk1.7.0_79
>>    adding "-I/usr/java/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
>> checking for JDK os include directory...  linux
>>    adding "-I/usr/java/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
>> checking for gcc... gcc
>> checking whether the C compiler works... yes
>> checking for C compiler default output file name... a.out
>> checking for suffix of executables...
>> checking whether we are cross compiling... no
>> checking for suffix of object files... o
>> checking whether we are using the GNU C compiler... yes
>> checking whether gcc accepts -g... yes
>> checking for gcc option to accept ISO C89... none needed
>> checking for OpenSSL library... using openssl from /usr/local/openssl/${exec_prefix}/lib and /usr/local/openssl/include
>> checking OpenSSL library version >= 1.0.2... ok
>> checking for OpenSSL DSA support... yes
>>    adding "-I/usr/local/openssl/include" to TCNATIVE_PRIV_INCLUDES
>>    setting TCNATIVE_LDFLAGS to "-L/usr/local/openssl/lib -Wl,-rpath,/usr/local/openssl/lib -lssl -lcrypto"
>>    adding "-DHAVE_OPENSSL" to CFLAGS
>>    setting TCNATIVE_LIBS to ""
>>    setting TCNATIVE_LIBS to " /usr/local/apr/lib/libapr-1.la -lrt -lcrypt  -lpthread"
>> checking for apr_pollset_wakeup in -lapr-1... yes
>>    adding "-DHAVE_POLLSET_WAKEUP" to CFLAGS
>> configure: creating ./config.status
>> config.status: creating tcnative.pc
>> config.status: creating Makefile
>> config.status: executing default commands
>> configure: WARNING: unrecognized options: --enable-ocsp
>>
>>
>>
>> ________________________________
>> From: Mark Thomas <[hidden email]>
>> Sent: 15 October 2018 15:01:58
>> To: [hidden email]
>> Subject: Re: OCSP stapling in tomcat 7 with APR
>>
>> On 14/10/18 18:45, Усманов Азат Анварович wrote:
>>> Hello everyone! I have a Java 7 web app running on Tomcat 7 with APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP stapling on Tomcat
>>> so that
>>> when OCSP is enabled, the server pre-fetches the OCSP response for its own certificate and delivers the response to the user's browser during the TLS handshake. This eliminates the need to make a separate connection to the CA's revocation service before the web page is displayed, improving the page's performance and reliability.
>>> I did search the mailing list and found this question
>>> https://www.mail-archive.com/users@.../msg129303.html
>>> but that user is using the JSSE implementation for TLS, not APR.
>>> The documentation for Tomcat 7 does have an example:
>>>
>>> <Connector port="8443"
>>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>     secure="true" scheme="https"
>>>     SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
>>>     SSLCertificateKeyFile="/path/to/ocsp-cert.key"
>>>     SSLCACertificateFile="/path/to/ca.pem"
>>>     SSLVerifyClient="require"
>>>     SSLVerifyDepth="10"
>>>     clientAuth="true"/>
>>>
>>>
>>> but that is for client-cert verification. Can we do it on the server side? Or am I missing something about how OCSP is supposed to work in the first place?
>>
>> If you build an OCSP enabled version of the APR/native connector, OCSP
>> stapling should just happen without any additional configuration.
>> Assuming you use an appropriate certificate etc.
>>
>> Mark
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
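Added example, not from the thread: a shell check for what SSL Labs reports as "OCSP stapling", done by asking the server with `openssl s_client -status` and classifying its output. The host name passed to check_ocsp_stapling is a placeholder and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a TLS server staples an
# OCSP response (what SSL Labs reports as "OCSP stapling"). Needs the openssl
# CLI; the host name given to check_ocsp_stapling is a placeholder.

# Classify `openssl s_client -status` output read from stdin.
# Exit 0: a response was stapled; 1: "no response sent"; 2: unrecognised output.
ocsp_staple_from_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo "not stapled"
        return 1
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: *//p' | head -n 1)
    cert=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    nextup=$(printf '%s\n' "$out" | sed -n 's/^ *Next Update: *//p' | head -n 1)
    if [ -n "$status" ]; then
        echo "stapled: $status; cert status: ${cert:-unknown}; next update: ${nextup:-unknown}"
        return 0
    fi
    echo "unrecognised output"
    return 2
}

# Live check: -status sends the status_request extension, as a browser does
# during the handshake; s_client prints the stapled response, if any.
check_ocsp_stapling() {
    host=$1
    port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null | ocsp_staple_from_output
}

# Constructed (abridged) samples of s_client output, not real captures.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: Oct 21 07:35:10 2018 GMT
======================================
---'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'
# Self-check on the samples; run `check_ocsp_stapling example.invalid` for a live host.
printf '%s\n' "$SAMPLE_STAPLED" | ocsp_staple_from_output
printf '%s\n' "$SAMPLE_NONE" | ocsp_staple_from_output || true
```

A "not stapled" result against the Tomcat port is the same condition SSL Labs reports as "OCSP stapling: no", so this gives a quick local check while changing the native build or connector.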


Re: OCSP stapling in tomcat 7 with APR

Christopher Schultz-2

Усманов,

On 10/23/18 13:04, Усманов Азат Анварович wrote:
> Hi everyone! I did manage to run the OCSP check manually without a
> proxy (some network issue), still no success with Tomcat OCSP or
> SSL Labs however.
>
> openssl ocsp -no_nonce -header Host=ocsp.comodoca.com -issuer issuer.crt -cert /home/idis/STAR_ieml_ru.crt -url http://ocsp.comodoca.com/ -CAfile issuer.crt
> Response verify OK
> /home/idis/STAR_ieml_ru.crt: good
>         This Update: Oct 21 07:35:07 2018 GMT
>         Next Update: Oct 28 07:35:07 2018 GMT

I'm a little lost: are you trying to get your local responder working
for testing, or are you trying to get your server to connect to
Comodo's OCSP service?

It looks like the above worked correctly.

-chris



Re: OCSP stapling in tomcat 7 with APR

Усманов Азат Анварович
Hi Chris! My main goal is for Tomcat to connect to Comodo, to get server-side OCSP stapling working. I was only testing with the OpenSSL OCSP command to make sure that Comodo OCSP is reachable in the first place.
________________________________
From: Christopher Schultz <[hidden email]>
Sent: 23 October 2018 23:28:14
To: [hidden email]
Subject: Re: OCSP stapling in tomcat 7 with APR
