Bug 62911

Summary: Add support for proxying OCSP requests via ProxyHost and ProxyPort in Tomcat
Product: Tomcat Native
Reporter: Azat <usmanov>
Component: Library
Assignee: Tomcat Developers Mailing List <dev>
Status: NEW ---    
Severity: enhancement    
Priority: P2    
Version: 1.2.18   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Azat 2018-11-15 08:56:51 UTC
Please add support for specifying proxyHost and proxyPort for OCSP requests in Tomcat.

I have a webapp which runs on Tomcat 7.0.70 on RHEL 6.9 and Java 7 and uses APR/Tomcat Native for SSL/TLS. Tomcat sits behind a proxy.
I can't get OCSP stapling working.
I tried using proxyName and proxyPort in the Connector in server.xml, hoping that this would also proxy OCSP requests in Tomcat, but the SSL Labs test still shows "OCSP stapling: no" for my server.

Given the fact that most of the OCSP responders specified in SSL certificates, such as Comodo's, actually resolve to many changing IP addresses, it becomes really hard or impossible to specify any firewall rule to manually proxy OCSP requests, since these firewalls typically operate with IP addresses, not hostnames. The inability to specify a proxy host/port, or to specify a file from which the stapled OCSP response could be taken, makes OCSP unavailable in many corporate environments where internet access is typically granted via a proxy.
Comment 1 Mark Thomas 2018-11-30 20:35:54 UTC
Moving to correct project
Comment 2 Azat 2019-01-15 12:29:40 UTC
Mark, any chance you can do this for the upcoming 1.2.20 release?
Comment 3 Mark Thomas 2019-06-20 13:46:54 UTC
The APR/native connector does not support OCSP stapling. This is being tracked under bug 56148.