|Summary:||Add support for proxying ocsp requests via ProxyHost and ProxyPort in TomcAt|
|Product:||Tomcat Native||Reporter:||Azat <usmanov>|
|Component:||Library||Assignee:||Tomcat Developers Mailing List <dev>|
Description Azat 2018-11-15 08:56:51 UTC
Please add support for specifying proxyHost and ProxyPort for ocsp requests in Tomcat. I have a webapp which runs on Tomcat 7.0.70 on RHEL 6.9 and Java 7 and using APR/Tomcat native for SSL TLS.Tomcat sits behind proxy. I can't get ocsp stapling working I tried using proxyName and proxyPort in Connector in server xml hoping that this will also proxify ocsp requests, in Tomcat but ssllabs test still shows ocsp Stapling no for my server Given the fact that most of the ocsp responders specified in SSL certificates such as Comodo actually resolve to many changing IP addresses it becomes really hard /impossible to specify any firewall rule to manually proxy ocsp requests since these firewalls typically operate with IP addresses not hostnames. Inability to specify proxy host/port nor specify a file from which the stapled OCSP response could be taken makes OCSP unavailable in many corporate environments where typically internet access is granted via proxy
Comment 1 Mark Thomas 2018-11-30 20:35:54 UTC
Moving to correct project
Comment 2 Azat 2019-01-15 12:29:40 UTC
Mark,any chance you can do this for upcoming 1.2.20 release?
Comment 3 Mark Thomas 2019-06-20 13:46:54 UTC
The APR/native connector does not support OCSP stapling. This is being tracked as under bug 56148
Comment 4 Mark Thomas 2020-08-20 16:19:16 UTC
I'll note at this point that the Connector attributes proxyHost and proxyPort are NOT intended to provide proxy info for outgoing connections. Those using a Java connector and a JRE that supports OCSP can configure the OCSP requests to go via a proxy by using the standard Java system properties: https://docs.oracle.com/javase/8/docs/api/java/net/doc-files/net-properties.html#Proxies Those using APR/native will need to wait for this enhancement (and bug 56148)
Comment 5 Azat 2020-08-22 09:09:39 UTC
When I originally filed this enhancement request I thought that this was the reason for ocsp not working with the tomcat and OpenSSL.But it turned out to be an issue with tomcat native code needing changes as Mark pointed out in his comment #7 on bug 56148. So I guess I just have to wait for it to be fixed. Which actually brings another small question. If 56148 does NOT get fixed before Tomcat 7 EOL date, do I have to file another bug against 8.5 branch or tomcat native for the best chance of ocsp being available on Tomcat with openssl ? I'm not rushing you guys just don't want 56148 being forgotten after tomcat 7 EOL date in case it doesn't get fixed before that. Maybe Mark or someone else can clarify me on that?