Summary: | Add support for proxying OCSP requests via ProxyHost and ProxyPort in Tomcat | ||
---|---|---|---|
Product: | Tomcat Native | Reporter: | Azat <usmanov> |
Component: | Library | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | NEW --- | ||
Severity: | enhancement | ||
Priority: | P2 | ||
Version: | 1.2.18 | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | Linux |
Description
Azat
2018-11-15 08:56:51 UTC
Moving to correct project

Mark, any chance you can do this for upcoming 1.2.20 release?

The APR/native connector does not support OCSP stapling. This is being tracked under bug 56148.

I'll note at this point that the Connector attributes proxyHost and proxyPort are NOT intended to provide proxy info for outgoing connections. Those using a Java connector and a JRE that supports OCSP can configure the OCSP requests to go via a proxy by using the standard Java system properties: https://docs.oracle.com/javase/8/docs/api/java/net/doc-files/net-properties.html#Proxies

Those using APR/native will need to wait for this enhancement (and bug 56148).

When I originally filed this enhancement request I thought that this was the reason for OCSP not working with Tomcat and OpenSSL. But it turned out to be an issue with Tomcat Native code needing changes, as Mark pointed out in his comment #7 on bug 56148. So I guess I just have to wait for it to be fixed.

Which actually brings up another small question. If 56148 does NOT get fixed before the Tomcat 7 EOL date, do I have to file another bug against the 8.5 branch or Tomcat Native for the best chance of OCSP being available on Tomcat with OpenSSL? I'm not rushing you guys, just don't want 56148 being forgotten after the Tomcat 7 EOL date in case it doesn't get fixed before that. Maybe Mark or someone else can clarify that for me?