Posted to users@tomcat.apache.org by Bhavesh Mistry <mi...@gmail.com> on 2024/01/05 17:57:42 UTC

OCSP Stapling Configuration and Tomcat 9

Hi All,

According to Tomcat 9 Official documentation, only Tomcat NATIVE Connector
supports it.
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates

But this site claims
https://community.progress.com/s/article/PASOE-OCSP-Stapling-does-not-work
that it works with non-native connectors.   Please let me know if a
non-native connector works or not for OCSP Stamping.

Here is the reference configuration:


   - Update the protocol property and add the sslImplementationName
   property as follows:

    <Connector executor="tomcatThreadPool"
               port="${psc.as.https.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"


   - Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM
   system property in the <PASOE_instance>\conf\jvm.properties file to
   enable OCSP Stapling support for the JVM.
   - It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM
   parameter to the <PASOE_instance>\conf\jvm.properties file to prevent
   the use of weak Diffie-Hellman (DH) keys. For more information, please
   refer to the following Oracle

Thanks,

Bhavesh
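As an added example (not from this thread, nor from Tomcat or Progress), the following JSSE client checks from the outside whether a connector configured as above actually staples an OCSP response: it sends the TLS status_request extension, reads whatever the server stapled via ExtendedSSLSession.getStatusResponses() (Java 9 or later) and decodes the top-level responseStatus of each stapled OCSPResponse. The class name, the default host localhost and port 8443 are assumptions; certificate validation uses the JVM's default trust store, so the server certificate must chain to a trusted CA.

```java
import java.util.List;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the thread): connects to a TLS endpoint, asks for
 * OCSP stapling and reports whether the server stapled a response and what
 * its responseStatus is.
 *
 * Usage: java OcspStapleCheck <host> <port>   (host and port are assumptions)
 * Requires Java 9 or later for ExtendedSSLSession.getStatusResponses().
 */
public class OcspStapleCheck {

    /** Names for OCSPResponse.responseStatus (RFC 6960, section 4.2.1). */
    static String statusName(int status) {
        switch (status) {
            case 0:  return "successful";
            case 1:  return "malformedRequest";
            case 2:  return "internalError";
            case 3:  return "tryLater";
            case 5:  return "sigRequired";
            case 6:  return "unauthorized";
            default: return "unknown(" + status + ")";
        }
    }

    /**
     * Reads responseStatus from a DER-encoded OCSPResponse:
     *   SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT ... OPTIONAL }
     * Only the outer SEQUENCE header and the ENUMERATED are decoded; returns -1
     * when the bytes do not have that shape.
     */
    static int responseStatus(byte[] der) {
        if (der == null || der.length < 5 || (der[0] & 0xFF) != 0x30) {
            return -1;
        }
        int i = 1;
        int len = der[i++] & 0xFF;
        if ((len & 0x80) != 0) {
            i += len & 0x7F;          // long-form length: skip the length octets
        }
        if (i + 2 >= der.length) {
            return -1;
        }
        // ENUMERATED (tag 0x0A) with a one-byte content
        if ((der[i] & 0xFF) != 0x0A || (der[i + 1] & 0xFF) != 0x01) {
            return -1;
        }
        return der[i + 2] & 0xFF;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        // Client-side counterpart of the server property discussed in the thread;
        // true is the JDK default, set explicitly so the intent is visible.
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Keep hostname verification on; the default trust store validates the chain.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();

            ExtendedSSLSession session = (ExtendedSSLSession) socket.getSession();
            List<byte[]> staples = session.getStatusResponses();
            System.out.println("Protocol: " + session.getProtocol()
                    + ", cipher suite: " + session.getCipherSuite());
            if (staples.isEmpty()) {
                System.out.println("No OCSP response stapled: the server did not "
                        + "honour status_request (check the connector and the "
                        + "JVM system property at launch).");
                return;
            }
            // One entry per stapled response; a zero-length entry means the server
            // had no response for that certificate position in the chain.
            for (int n = 0; n < staples.size(); n++) {
                byte[] der = staples.get(n);
                if (der.length == 0) {
                    System.out.printf("Staple %d: no response for this certificate%n", n);
                    continue;
                }
                System.out.printf("Staple %d: %d bytes, responseStatus=%s%n",
                        n, der.length, statusName(responseStatus(der)));
            }
        }
    }
}
```

Run it against the connector's port after restarting Tomcat with the system property in place. A "successful" staple confirms that the NIO connector, the JSSE implementation and the JVM flag are all in effect; an empty result points back to the flag not being set at JVM launch or the connector still using a configuration that does not honour status_request.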

Re: OCSP Stapling Configuration and Tomcat 9

Posted by Bhavesh Mistry <mi...@gmail.com>.
Hi Chris,

Thanks for the update and confirming that we don't need a native connector
for OCSP stamping to work.   I have not followed any of the instructions
below. I am at the beginning of the journey trying to explore what changes
are needed to support OCSP stamping.  Again, thanks for your support and
reference. I will test it out based on the reference you provided. If I
need any help, I will kindly reach out again.



> Did you follow the instructions from the progress.com page concerning
> the importing of your server's key and certificate and the CA's
> intermediate and root certs?

Thanks,

Bhavesh

On Fri, Jan 5, 2024 at 11:07 AM Christopher Schultz <chris@christopherschultz.net> wrote:

> Bhavesh,
>
> On 1/5/24 12:57, Bhavesh Mistry wrote:
> > Hi All,
> >
> > According to Tomcat 9 Official documentation, only Tomcat NATIVE Connector
> > supports it.
> > https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
> >
> > But this site claims
> > https://community.progress.com/s/article/PASOE-OCSP-Stapling-does-not-work
> > that it works with non-native connectors.   Please let me know if a
> > non-native connector works or not for OCSP Stamping.
> >
> > Here is the reference configuration:
> >
> >
> >     - Update the protocol property and add the sslImplementationName
> >     property as follows:
> >
> >      <Connector executor="tomcatThreadPool"
> >                 port="${psc.as.https.port}"
> >                 protocol="org.apache.coyote.http11.Http11NioProtocol"
> >                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >
> >
> >     - Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM
> >     system property in the <PASOE_instance>\conf\jvm.properties file to
> >     enable OCSP Stapling support for the JVM.
> >     - It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM
> >     parameter to the <PASOE_instance>\conf\jvm.properties file to prevent
> >     the use of weak Diffie-Hellman (DH) keys. For more information, please
> >     refer to the following Oracle
>
> According to https://bz.apache.org/bugzilla/show_bug.cgi?id=56148 this
> is not complete for the APR connector. I do recall lots of conversation
> about this, and I thought it was working, but Mark is very diligent
> about updating bugs when they are complete, so it's unlikely he
> completed the work and then didn't close the bug.
>
> According to the conversation in that bug, NIO and NIO2 should work if
> you have a recent Java (9 or later ought to work) if you set that system
> property you have listed above.
>
> I have no idea what <PASOE_instance>\conf\jvm.properties is for, but you
> should make absolutely sure that the system property is actually being
> set at JVM launch. You can write a simple servlet or JSP to inspect that
> to verify, or use something like jinfo to inspect a running process's
> system properties.
>
> Did you follow the instructions from the progress.com page concerning
> the importing of your server's key and certificate and the CA's
> intermediate and root certs?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: OCSP Stapling Configuration and Tomcat 9

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Bhavesh,

On 1/5/24 12:57, Bhavesh Mistry wrote:
> Hi All,
> 
> According to Tomcat 9 Official documentation, only Tomcat NATIVE Connector
> supports it.
> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates
> 
> But this site claims
> https://community.progress.com/s/article/PASOE-OCSP-Stapling-does-not-work
> that it works with non-native connectors.   Please let me know if a
> non-native connector works or not for OCSP Stamping.
> 
> Here is the reference configuration:
> 
> 
>     - Update the protocol property and add the sslImplementationName
>     property as follows:
> 
>      <Connector executor="tomcatThreadPool"
>                 port="${psc.as.https.port}"
>                 protocol="org.apache.coyote.http11.Http11NioProtocol"
>                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> 
> 
>     - Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM
>     system property in the <PASOE_instance>\conf\jvm.properties file to
>     enable OCSP Stapling support for the JVM.
>     - It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM
>     parameter to the <PASOE_instance>\conf\jvm.properties file to prevent
>     the use of weak Diffie-Hellman (DH) keys. For more information, please
>     refer to the following Oracle

According to https://bz.apache.org/bugzilla/show_bug.cgi?id=56148 this 
is not complete for the APR connector. I do recall lots of conversation 
about this, and I thought it was working, but Mark is very diligent 
about updating bugs when they are complete, so it's unlikely he 
completed the work and then didn't close the bug.

According to the conversation in that bug, NIO and NIO2 should work if 
you have a recent Java (9 or later ought to work) if you set that system 
property you have listed above.

I have no idea what <PASOE_instance>\conf\jvm.properties is for, but you 
should make absolutely sure that the system property is actually being 
set at JVM launch. You can write a simple servlet or JSP to inspect that 
to verify, or use something like jinfo to inspect a running process's 
system properties.

Did you follow the instructions from the progress.com page concerning 
the importing of your server's key and certificate and the CA's 
intermediate and root certs?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org