Tomcat 9 ocsp via proxy


Усманов Азат Анварович
Hi everyone! Is it possible to specify a proxy server address for server-side OCSP checking in Tomcat when using APR/Tomcat Native for TLS connections? Something Apache-like:

SSLStaplingForceURL http://internal-proxy.example.org:port

or something nginx-like, such as the directive
ssl_stapling_file file;
so that the stapled OCSP response is taken from the specified file instead of querying the OCSP responder specified in the server certificate.

I tried using

SSLStaplingForceURL="http://internal-proxy.example.org:port"

on both the Connector and the Certificate element with the latest Tomcat 9.0.12, which resulted in "{Server/Service/Connector/SSLHostConfig/Certificate} Setting property 'SSLStaplingForceURL' to 'http://192.168.1.6:3131' did not find a matching property" in the logs. So it looks like Tomcat doesn't support this (yet).

Should I put an enhancement request for that?
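For comparison, here is the file-based nginx approach the post mentions, written out as a complete server block. This is an added example and not configuration from the original post or from the Tomcat project; the hostname and file paths are placeholders.

```nginx
# Added example (not from the original post): nginx serves a pre-fetched,
# DER-encoded OCSP response from disk, so nginx itself never has to reach
# the responder and no proxy setting is needed in nginx at all.
# Hostname and paths are placeholders.
server {
    listen 443 ssl;
    server_name www.example.org;

    ssl_certificate     /etc/nginx/tls/www.example.org.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/www.example.org.key;

    ssl_stapling on;
    # Response in DER format, as written by `openssl ocsp -respout`.
    # nginx does not validate a response loaded from a file, so whatever
    # job refreshes this file (the one that actually talks to the responder,
    # through the internal proxy) has to check the response status and
    # signature itself, and must run again before the response's
    # nextUpdate time or clients will see a stale staple.
    ssl_stapling_file /etc/nginx/tls/www.example.org.ocsp.der;
}
```

The file is produced out of band, for example with `openssl ocsp -issuer issuer.pem -cert www.example.org.pem -url <responder URL> -no_nonce -respout /etc/nginx/tls/www.example.org.ocsp.der` run from a scheduled job; routing that request through the internal proxy is then a property of the job (OpenSSL 3.x's `openssl ocsp` has a `-proxy` option for this, older builds do not), not of the TLS server. Note that the file contains the responder's signed, time-bounded status, so the refresh job must exit non-zero and leave the old file in place if the response does not verify against the issuer.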