Posted to dev@tomcat.apache.org by Mark Claassen <mc...@ocie.net> on 2006/12/08 20:55:43 UTC

RE: Tomcat and OCSP

I asked this on the user list, but perhaps this is a question better for
here.  I have been using Tomcat for a while, but have not been developing
yet really (although I did submit a patch a while ago to the CGIServlet).
However, this OCSP issue has potential to really hit the fan for us and if
there is something that needs to be done, I would like to try.

-----Original Message-----

Now that I see Tomcat 6.0 is on its way, I was wondering if OCSP is going
to be included?  This is being required by more and more people these days
(like the US government).

If there are no plans to include it yet, how can this issue be escalated?  I
see that OCSP support is bundled into the new JDKs, does this mean that it
would not be too difficult for an enterprising (and desperate) developer to
tackle?

Mark
 
-----Original Message-----
From: Velpi [mailto:velpi@industria.be]
Sent: Monday, July 31, 2006 4:33 AM
To: Tomcat Users List
Subject: Re: Tomcat and OCSP

> Does the new support for OCSP in Java 5.0 have any impact on how 
> certificates are handled in Tomcat?
> http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html
>  
> It looks like it might just work if it is set up right in the java 
> property files.  I checked the mailing list archives and found a few 
> old references to OCSP, but nothing definitive.  Any guidance would be
> greatly appreciated.

I'm trying to set this up too. Did you get it up and running properly yet?
(Any hints?)


-- Velpi

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


RE: Tomcat and OCSP

Posted by Mark Claassen <mc...@ocie.net>.
I don't know.  I am looking at the Tomcat 6.0 source, and I see 
    protected void configureClientAuth(SSLServerSocket socket){
        if (wantClientAuth){
            // clientAuth="want": ask for a client certificate, but let the
            // handshake complete even if the client presents none
            socket.setWantClientAuth(wantClientAuth);
        } else {
            // clientAuth="true"/"false": require a certificate, or never ask
            socket.setNeedClientAuth(requireClientAuth);
        }
    }

Since this is using a java.net.ssl.SSLServerSocket, maybe this is set to
work...

Mark
 
-----Original Message-----
From: Filip Hanik - Dev Lists [mailto:devlists@hanik.com] 
Sent: Friday, December 08, 2006 3:48 PM
To: Tomcat Developers List
Subject: Re: Tomcat and OCSP

I would imagine that should be automatic; you just configure the responder
URL for your JVM:

http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html#OCSP

Filip



Re: Tomcat and OCSP

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
I would imagine that should be automatic;
you just configure the responder URL for your JVM:

http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html#OCSP

Filip

Yoav Shapira wrote:
> Hi,
> Wouldn't you need OCSP revocation handling at the SSL connector
> processing point?  That's the patch I was thinking of, but I'm not an
> expert in this area, so I might be off-base.
>
> Yoav

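Filip's suggestion above (configure the responder URL for the JVM) and the configureClientAuth() snippet Mark quotes earlier are two halves of one picture, and the JDK side has a catch worth making explicit: the ocsp.enable and ocsp.responderURL security properties are read by the PKIX revocation checker, while the trust manager that a keystore-initialised TrustManagerFactory hands to JSSE runs with revocation checking switched off, so those properties do nothing for it. The following is an added example, not code from this thread or from Tomcat, showing the weak form beside the form that makes JSSE consult OCSP during a client-certificate handshake. The keystore paths, the password and the port are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not Tomcat code: two ways to build the TrustManager that JSSE
 * consults when a client certificate arrives in the handshake. Keystore paths,
 * passwords and the responder URL are placeholders.
 */
public class OcspClientAuth {

    /**
     * Weak form. A keystore-initialised factory (SunX509 here; PKIX behaves the same
     * unless the com.sun.net.ssl.checkRevocation system property is true) checks the
     * chain's signatures, names and validity dates but never asks a CRL or an OCSP
     * responder, whatever the ocsp.* security properties say.
     */
    static TrustManagerFactory withoutRevocation(KeyStore truststore)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(truststore);
        return tmf;
    }

    /**
     * Corrected form. Explicit PKIX parameters with revocation checking on, handed to
     * the PKIX factory through CertPathTrustManagerParameters, plus the security
     * properties from pki-tiger.html#OCSP that make the revocation checker use OCSP.
     */
    static TrustManagerFactory withOcsp(KeyStore truststore, String responderUrl)
            throws GeneralSecurityException {
        // Security properties, not system properties: -D does not set them. They can
        // equally go in $JAVA_HOME/lib/security/java.security.
        Security.setProperty("ocsp.enable", "true");
        if (responderUrl != null) {
            // Optional override; otherwise the responder is taken from each
            // certificate's Authority Information Access extension.
            Security.setProperty("ocsp.responderURL", responderUrl);
        }
        // Trust anchors are the CA certificates in the truststore; the empty selector
        // accepts any end-entity certificate as the target of the built path.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(truststore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf;
    }

    /** Listener that demands a client certificate, as Tomcat's clientAuth="true" does. */
    static SSLServerSocket serverSocket(KeyStore serverKeys, char[] keyPassword,
            TrustManagerFactory tmf, int port) throws GeneralSecurityException, IOException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeys, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLServerSocket socket =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        // Same effect as configureClientAuth() with requireClientAuth true: the handshake
        // is aborted unless the client presents a chain the trust manager accepts, which
        // with withOcsp() means a chain the OCSP responder has not reported as revoked.
        socket.setNeedClientAuth(true);
        return socket;
    }

    static KeyStore load(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();                          // placeholder
        KeyStore trust = load("/opt/tomcat/conf/truststore.jks", password);  // placeholder path
        KeyStore keys = load("/opt/tomcat/conf/keystore.jks", password);     // placeholder path
        // null responder URL: use the AIA extension of whatever client certificate arrives
        TrustManagerFactory tmf = withOcsp(trust, null);
        SSLServerSocket socket = serverSocket(keys, password, tmf, 8443);
        System.out.println("client-auth listener with OCSP checking on port "
                + socket.getLocalPort());
    }
}
```

For a Tomcat connector whose trust manager you do not build yourself, the equivalent knobs in this JDK generation are the PKIX trust manager algorithm (the JDK default, exposed by Tomcat as the connector's truststoreAlgorithm attribute), the com.sun.net.ssl.checkRevocation=true system property, which makes the keystore-initialised PKIX trust manager enable revocation checking, and ocsp.enable=true in java.security. Verify with a certificate the issuing CA has actually revoked: a revoked client certificate that still completes the handshake means revocation checking is not in the path at all.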

RE: Tomcat and OCSP

Posted by Mark Claassen <mc...@ocie.net>.
> No, Tomcat uses the regular Java API.  You don't see it, since it is buried
> in the SSL Handshake code.  Then, just for fun, if you are using CLIENT-CERT
> auth, Tomcat checks all the dates again (but not the trust).

Yeah, I am looking at that now in the JSSESocketFactory.  When I first
checked, I looked in the Tomcat5.0 source, since that is what we are using
now.  I will have to look at that again and see if I just misread something.
Maybe it will just work and all it will take is someone to jump through the
myriad of hoops necessary to test it.  Painful, but I may just be the guy to
do it.

Mark


-----Original Message-----
From: Bill Barker [mailto:wbarker@wilshire.com] 
Sent: Friday, December 08, 2006 4:12 PM
To: 'Tomcat Developers List'
Subject: RE: Tomcat and OCSP

 

> -----Original Message-----
> From: Mark Claassen [mailto:mclaassen@ocie.net]
> Sent: Friday, December 08, 2006 12:49 PM
> To: 'Tomcat Developers List'
> Subject: RE: Tomcat and OCSP
> 
> I am really not sure what is involved...as I have not done all the 
> necessary research.
> 
> My understanding is that the location of the revocation server is 
> built into the certificates themselves somehow.
> 
> Several months ago I looked around, and thought I saw where you did 
> the certificate validation.  I believe it was done manually, not using 
> the standard Java APIs.  (My assumption was that this functionality 
> pre-dated the Java API.)
> 

No, Tomcat uses the regular Java API.  You don't see it, since it is buried
in the SSL Handshake code.  Then, just for fun, if you are using CLIENT-CERT
auth, Tomcat checks all the dates again (but not the trust).

> I was hoping that all that would be involved would be to locate that 
> area and try to use the Java certificate validation APIs instead of 
> these custom ones.  Then, hopefully the OSCP stuff would just work.
> 
> There is a lot of "Hope" in this, but hey, it's Christmas! :)
> 
> Mark
This message is intended only for the use of the person(s) listed above as
the intended recipient(s), and may contain information that is PRIVILEGED
and CONFIDENTIAL.  If you are not an intended recipient, you may not read,
copy, or distribute this message or any attachment. If you received this
communication in error, please notify us immediately by e-mail and then
delete all copies of this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent
through the Internet is not secure. Do not send confidential or sensitive
information, such as social security numbers, account numbers, personal
identification numbers and passwords, to us via ordinary (unencrypted)
e-mail.




RE: Tomcat and OCSP

Posted by Bill Barker <wb...@wilshire.com>.
 

> -----Original Message-----
> From: Mark Claassen [mailto:mclaassen@ocie.net] 
> Sent: Friday, December 08, 2006 12:49 PM
> To: 'Tomcat Developers List'
> Subject: RE: Tomcat and OCSP
> 
> I am really not sure what is involved...as I have not done all the
> necessary research.
> 
> My understanding is that the location of the revocation server is built
> into the certificates themselves somehow.
> 
> Several months ago I looked around, and thought I saw where you did the
> certificate validation.  I believe it was done manually, not using the
> standard Java APIs.  (My assumption was that this functionality pre-dated
> the Java API.)
> 

No, Tomcat uses the regular Java API.  You don't see it, since it is buried
in the SSL Handshake code.  Then, just for fun, if you are using CLIENT-CERT
auth, Tomcat checks all the dates again (but not the trust).

> I was hoping that all that would be involved would be to locate that area
> and try to use the Java certificate validation APIs instead of these custom
> ones.  Then, hopefully the OCSP stuff would just work.
> 
> There is a lot of "Hope" in this, but hey, it's Christmas! :)
> 
> Mark


RE: Tomcat and OCSP

Posted by Mark Claassen <mc...@ocie.net>.
I am really not sure what is involved...as I have not done all the necessary
research.

My understanding is that the location of the revocation server is built into
the certificates themselves somehow.

Several months ago I looked around, and thought I saw where you did the
certificate validation.  I believe it was done manually, not using the
standard Java APIs.  (My assumption was that this functionality pre-dated
the Java API.)

I was hoping that all that would be involved would be to locate that area
and try to use the Java certificate validation APIs instead of these custom
ones.  Then, hopefully the OCSP stuff would just work.

There is a lot of "Hope" in this, but hey, it's Christmas! :)

Mark
 
-----Original Message-----
From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf Of Yoav
Shapira
Sent: Friday, December 08, 2006 3:26 PM
To: Tomcat Developers List
Subject: Re: Tomcat and OCSP

Hi,
Wouldn't you need OCSP revocation handling at the SSL connector processing
point?  That's the patch I was thinking of, but I'm not an expert in this
area, so I might be off-base.

Yoav

On 12/8/06, Filip Hanik - Dev Lists <de...@hanik.com> wrote:
> is a patch even required? or is OCSP something you just turn on since
> it's built into the JDK?  Mark, do you have any more details what this
> would involve?
> Filip

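Mark's recollection above that the responder location is "built into the certificates themselves" refers to the Authority Information Access extension: an access description there with the id-ad-ocsp method carries the responder's URI, and the Sun PKIX checker uses it whenever ocsp.responderURL is not set. The following added example, not code from this thread or from Tomcat, decodes that extension from the bytes X509Certificate.getExtensionValue() returns. The DER layout is the one the X.509 profile defines; the sample extension value and the example.test host names are constructed here for the example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Tomcat or JDK code: read the OCSP responder URI(s) from a
 * certificate's Authority Information Access extension, the place the JDK's PKIX
 * checker looks when ocsp.responderURL is not set. The sample extension bytes and
 * host names below are constructed for the example.
 */
public class AiaOcspLocator {

    static final String AIA_OID = "1.3.6.1.5.5.7.1.1";
    // DER-encoded contents of id-ad-ocsp (1.3.6.1.5.5.7.48.1) and id-ad-caIssuers (...48.2)
    static final byte[] ID_AD_OCSP = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
    static final byte[] ID_AD_CA_ISSUERS = {0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};

    /** One decoded DER tag-length-value: contents are b[start, end); the next TLV starts at end. */
    static final class Tlv {
        final int tag, start, end;
        Tlv(int tag, int start, int end) { this.tag = tag; this.start = start; this.end = end; }
    }

    static Tlv readTlv(byte[] b, int off) {
        int tag = b[off] & 0xFF;
        int len = b[off + 1] & 0xFF;
        int p = off + 2;
        if ((len & 0x80) != 0) {                  // long form: low 7 bits = number of length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 4) throw new IllegalArgumentException("unsupported DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[p++] & 0xFF);
        }
        if (len < 0 || p + len > b.length) throw new IllegalArgumentException("DER length overruns buffer");
        return new Tlv(tag, p, p + len);
    }

    /** Responder URIs from raw getExtensionValue() bytes: an OCTET STRING wrapping the AIA SEQUENCE. */
    static List<String> ocspUris(byte[] extensionValue) {
        List<String> uris = new ArrayList<>();
        Tlv octets = readTlv(extensionValue, 0);
        if (octets.tag != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        Tlv aia = readTlv(extensionValue, octets.start);           // SEQUENCE OF AccessDescription
        if (aia.tag != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        for (int p = aia.start; p < aia.end; ) {
            Tlv ad = readTlv(extensionValue, p);                   // AccessDescription ::= SEQUENCE
            Tlv method = readTlv(extensionValue, ad.start);        //   accessMethod   OBJECT IDENTIFIER
            Tlv location = readTlv(extensionValue, method.end);    //   accessLocation GeneralName
            boolean isOcsp = method.tag == 0x06 && Arrays.equals(
                    Arrays.copyOfRange(extensionValue, method.start, method.end), ID_AD_OCSP);
            // GeneralName CHOICE [6] uniformResourceIdentifier is the primitive context tag 0x86
            if (isOcsp && location.tag == 0x86) {
                uris.add(new String(extensionValue, location.start,
                        location.end - location.start, StandardCharsets.US_ASCII));
            }
            p = ad.end;
        }
        return uris;
    }

    /** Same, straight from a certificate; empty when it carries no AIA extension. */
    static List<String> ocspUris(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(AIA_OID);
        return ext == null ? new ArrayList<String>() : ocspUris(ext);
    }

    // ---- constructed sample input (hypothetical hosts, not a real CA) -------------------

    /** Minimal DER encoder for the sample (lengths below 65536). */
    static byte[] der(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] part : parts) body.write(part, 0, part.length);
        int len = body.size();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (len < 0x80) out.write(len);
        else if (len < 0x100) { out.write(0x81); out.write(len); }
        else { out.write(0x82); out.write(len >> 8); out.write(len & 0xFF); }
        out.write(body.toByteArray(), 0, len);
        return out.toByteArray();
    }

    static byte[] uri(String s) { return der(0x86, s.getBytes(StandardCharsets.US_ASCII)); }

    /** AIA value with one caIssuers entry and two OCSP entries. */
    static byte[] sampleAiaExtensionValue() {
        byte[] caIssuers = der(0x30, der(0x06, ID_AD_CA_ISSUERS), uri("http://ca.example.test/ca.cer"));
        byte[] ocsp1 = der(0x30, der(0x06, ID_AD_OCSP), uri("http://ocsp.example.test"));
        byte[] ocsp2 = der(0x30, der(0x06, ID_AD_OCSP), uri("http://ocsp2.example.test"));
        return der(0x04, der(0x30, caIssuers, ocsp1, ocsp2));
    }

    public static void main(String[] args) {
        // The two OCSP URIs come back in certificate order; the caIssuers URI is skipped.
        System.out.println(ocspUris(sampleAiaExtensionValue()));
    }
}
```

There is no soft-fail in this generation of the JDK: with ocsp.enable on, a certificate whose AIA carries no OCSP URI while ocsp.responderURL is unset cannot be checked, and path validation fails rather than passing silently, so the client presenting it is rejected. Knowing what each issuing CA puts in this extension is therefore part of rolling OCSP out, not an afterthought.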

Re: Tomcat and OCSP

Posted by Yoav Shapira <yo...@apache.org>.
Hi,
Wouldn't you need OCSP revocation handling at the SSL connector
processing point?  That's the patch I was thinking of, but I'm not an
expert in this area, so I might be off-base.

Yoav

On 12/8/06, Filip Hanik - Dev Lists <de...@hanik.com> wrote:
> is a patch even required? or is OCSP something you just turn on since
> it's built into the JDK?
> Mark, do you have any more details what this would involve?
> Filip
>
> Yoav Shapira wrote:
> > Mark,
> > If you submit a patch for OCSP support, I'll gladly review it, and I
> > imagine several other people would be interested as well.
> >
> > Yoav
> >> For additional commands, e-mail: dev-help@tomcat.apache.org
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: dev-help@tomcat.apache.org
> >
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Tomcat and OCSP

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Is a patch even required? Or is OCSP something you just turn on, since
it's built into the JDK?
Mark, do you have any more details on what this would involve?
Filip


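Filip's question above (whether OCSP is something you just turn on in the JDK) and Yoav's point that the check belongs at the SSL connector, illustrated with an added example that is not Tomcat's code: the Java 5 JSSE API can build a PKIX trust manager with revocation checking and the JDK's bundled OCSP client enabled, which is what a connector would have to do instead of initialising its TrustManagerFactory from a bare KeyStore. The trust store path, password and responder URL below are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public final class OcspTrustManagerExample {

    /** Trust managers that reject a client certificate the CA's OCSP responder reports as revoked. */
    public static TrustManager[] buildOcspTrustManagers(String trustStorePath, char[] password)
            throws Exception {
        // 1. Switch on the JDK's OCSP client (security property from the pki-tiger guide
        //    linked in the thread). The validator asks the responder named in the
        //    certificate's AIA extension, or the one given in ocsp.responderURL.
        Security.setProperty("ocsp.enable", "true");
        // Security.setProperty("ocsp.responderURL", "http://ocsp.example.test/"); // placeholder

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(trustStorePath); // placeholder path
        try { trustStore.load(in, password); } finally { in.close(); }

        // 2. PKIX parameters: trust anchors come from the trust store, and revocation
        //    checking is enabled; without it ocsp.enable has no effect.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);

        // 3. Initialise the PKIX TrustManagerFactory from those parameters rather than
        //    from the KeyStore alone; this is the hook an SSL connector would use.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    /** Wires the trust managers into an SSLContext; key managers are left null here. */
    public static SSLContext buildContext(String trustStorePath, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, buildOcspTrustManagers(trustStorePath, password), null);
        return ctx;
    }
}
```

A handshake then fails when the responder answers "revoked"; note that if the responder is unreachable the validator reports an error rather than silently accepting the certificate, so the responder's availability becomes part of the server's availability.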

RE: Tomcat and OCSP

Posted by Mark Claassen <mc...@ocie.net>.
Since you say that, I am assuming that OCSP is so far not included in Tomcat
6.0.

Any hints on where to start would be greatly appreciated.

Mark

P.S.  I am doing the download target in the build right now and I am getting
this:
downloadgz:
      [get] Getting: http://archive.apache.org/dist/jakarta/commons/collections/source/commons-collections-3.1-src.tar.gz
      [get] To: C:\usr\share\java\file.tar.gz
   [gunzip] Expanding C:\usr\share\java\file.tar.gz to C:\usr\share\java\file.tar

BUILD FAILED
C:\dsi\Netbeans\GeneralProjects\Tomcat6\apache-tomcat-6.0.2-src\build.xml:553: The following error occurred while executing this line:
C:\dsi\Netbeans\GeneralProjects\Tomcat6\apache-tomcat-6.0.2-src\build.xml:518: Problem expanding gzip invalid block type



Re: Tomcat and OCSP

Posted by Yoav Shapira <yo...@apache.org>.
Mark,
If you submit a patch for OCSP support, I'll gladly review it, and I
imagine several other people would be interested as well.

Yoav
