Posted to users@tomcat.apache.org by Bhavesh Mistry <mi...@gmail.com> on 2024/01/05 17:57:42 UTC
OCSP Stapling Configuration and Tomcat 9
Hi All,
According to Tomcat 9 Official documentation, only Tomcat NATIVE Connector
supports it.
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
But this site claims
https://community.progress.com/s/article/PASOE-OCSP-Stapling-does-not-work
that it works with non-native connectors. Please let me know if a
non-native connector works or not for OCSP Stamping.
Here is the reference configuration:
- Update the protocol property and add the sslImplementationName property
as follows:
<Connector executor="tomcatThreadPool"
    port="${psc.as.https.port}"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
- Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM
system property in the <PASOE_instance>\conf\jvm.properties file to
enable OCSP Stapling support for the JVM.
- It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM
parameter to the <PASOE_instance>\conf\jvm.properties file to prevent
the use of weak Diffie-Hellman (DH) keys. For more information, please
refer to the following Oracle
Thanks,
Bhavesh
Re: OCSP Stapling Configuration and Tomcat 9
Posted by Bhavesh Mistry <mi...@gmail.com>.
Hi Chris,
Thanks for the update and confirming that we don't need a native connector
for OCSP stamping to work. I have not followed any of the instructions
below. I am at the beginning of the journey trying to explore what changes
are needed to support OCSP stamping. Again, thanks for your support and
reference. I will test it out based on the reference you provided. If I
need any help, I will kindly reach out again.
"Did you follow the instructions from the progress.com
<http://progress.com/> page concerning the importing of your server's key
and certificate and the CA's intermediate and root certs?"
Thanks,
Bhavesh
Re: OCSP Stapling Configuration and Tomcat 9
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Bhavesh,
On 1/5/24 12:57, Bhavesh Mistry wrote:
> Hi All,
>
> According to Tomcat 9 Official documentation, only Tomcat NATIVE Connector
> supports it.
> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
>
> But this site claims
> https://community.progress.com/s/article/PASOE-OCSP-Stapling-does-not-work
> that it works with non-native connectors. Please let me know if a
> non-native connector works or not for OCSP Stamping.
>
> Here is the reference configuration:
>
>
> - Update the protocol property and add the sslImplementationName property
> as follows:
>
> <Connector executor="tomcatThreadPool"
>     port="${psc.as.https.port}"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>
> - Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM
> system property in the <PASOE_instance>\conf\jvm.properties file to
> enable OCSP Stapling support for the JVM.
> - It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM
> parameter to the <PASOE_instance>\conf\jvm.properties file to prevent
> the use of weak Diffie-Hellman (DH) keys. For more information, please
> refer to the following Oracle
According to https://bz.apache.org/bugzilla/show_bug.cgi?id=56148 this
is not complete for the APR connector. I do recall lots of conversation
about this, and I thought it was working, but Mark is very diligent
about updating bugs when they are complete, so it's unlikely he
completed the work and then didn't close the bug.
According to the conversation in that bug, NIO and NIO2 should work if
you have a recent Java (9 or later ought to work) if you set that system
property you have listed above.
I have no idea what <PASOE_instance>\conf\jvm.properties is for, but you
should make absolutely sure that the system property is actually being
set at JVM launch. You can write a simple servlet or JSP to inspect that
to verify, or use something like jinfo to inspect a running process's
system properties.
Did you follow the instructions from the progress.com page concerning
the importing of your server's key and certificate and the CA's
intermediate and root certs?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
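The two things this thread turns on, whether the JVM actually started with jdk.tls.server.enableStatusRequestExtension=true (Chris's jinfo suggestion) and whether the NIO/JSSE connector then really staples a response, can both be checked from a shell. This is an added example, not code from the thread, from Progress or from Tomcat; it assumes jinfo (JDK) and openssl on the PATH, and the function names and sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for OCSP stapling on a
# Tomcat NIO/JSSE connector. Each reads its input from stdin so it can run on
# live output or on saved output:
#   jvm_has_stapling_flag  <- `jinfo <tomcat-pid>`: is the system property set?
#   tls_has_stapled_ocsp   <- `openssl s_client -status -connect host:8443 </dev/null`

jvm_has_stapling_flag() {
    # jinfo lists system properties as key=value; the same pattern also matches
    # the -D form if the launch command line is printed.
    grep -q 'jdk.tls.server.enableStatusRequestExtension=true'
}

# Exit code: 0 = stapled and good, 1 = nothing stapled, 2 = stapled but not good.
tls_has_stapled_ocsp() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "no stapled OCSP response: openssl reported no status_request data"
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        echo "stapled response present, but certificate status is not good"
        return 2
    fi
    echo "stapled OCSP response present and certificate status is good"
}

# Constructed sample outputs (not captured from a real server) for offline use.
SAMPLE_JINFO='Java System Properties:
java.vm.name=OpenJDK 64-Bit Server VM
jdk.tls.server.enableStatusRequestExtension=true
jdk.tls.ephemeralDHKeySize=2048'
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
---'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
---'

# Live use: jinfo "$PID" | jvm_has_stapling_flag
#           openssl s_client -status -connect host:8443 </dev/null 2>/dev/null | tls_has_stapled_ocsp
```

A "no response sent" result with the property confirmed by jinfo usually means the server never obtained an OCSP response for its certificate, which is where the key/certificate/CA-chain import step Chris asks about comes in.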