Bug 56148 - support (multiple) ocsp stapling
Summary: support (multiple) ocsp stapling
Status: NEW
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.x-trunk
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2014-02-17 23:12 UTC by Ralf Hauser
Modified: 2023-06-09 10:05 UTC
Description Ralf Hauser 2014-02-17 23:12:56 UTC
to reduce client (http often without "s") traffic to CAs, etc.

see section "disable Online Certificate Status Protocol (OCSP) checks" in https://calomel.org/firefox_ssl_validation.html 

https://casecurity.org/2013/05/07/an-introduction-to-ocsp-multi-stapling/

for the firefox client side, see 
https://bugzilla.mozilla.org/show_bug.cgi?id=957667
Comment 1 Mark Thomas 2014-02-18 08:47:00 UTC
Support for this in the BIO and NIO connectors is going to have to wait until Java provides the support. I don't see it in Java 8 which means that it is likely to be at least Java 9.

It should be possible to do something for APR/native.
Comment 3 Christopher Schultz 2018-06-04 18:40:15 UTC
Looks like Java 9 has OCSP stapling[1]. See slide 47. Looks like you can just set a system preference and magically you get OCSP stapling.

[1] https://cdn.app.compendium.com/uploads/user/e7c690e8-6ff9-102a-ac6d-e4aebca50425/f4a5b21d-66fa-4885-92bf-c4e81c06d916/File/3c93ea22f64e8a22f67d65c46613c466/j1_2015_con6710.pdf
Comment 4 Mark Thomas 2019-06-17 14:01:42 UTC
I can confirm this "just works" if you have a suitably configured certificate (LetsEncrypt in my test), a Java version that supports it (JDK 11.0.3+7 in my test), are using a JSSE based connector (NIO with JSSE in my test) and have set the appropriate system property
(-Djdk.tls.server.enableStatusRequestExtension=true).

Confirmed with SSLLabs.

Next up is testing with an OpenSSL based connector.
Comment 5 Mark Thomas 2019-06-17 14:24:58 UTC
Just switching implementations (no config changes)

NIO-OpenSSL - no stapling
APR-OpenSSL - no stapling

Next step is to look at OpenSSL config and API to see a) if this can be enabled and b) what the options are for doing so.
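The stapling checks in comments 4 and 5 can be reproduced from the command line. This is an added example, not from the bug thread or the Tomcat project; it assumes the openssl CLI is installed and that the server property from comment 4 is passed through CATALINA_OPTS.

```shell
#!/bin/sh
# Added example: verify whether a TLS endpoint staples an OCSP response,
# the same check SSLLabs performed in comment 4 (assumes the openssl CLI).

# For a JSSE (NIO) connector the property from comment 4 must be set when
# the JVM starts, so it goes into CATALINA_OPTS rather than server.xml:
#   CATALINA_OPTS="-Djdk.tls.server.enableStatusRequestExtension=true"

# Reads `openssl s_client -status` output on stdin and prints one word:
#   stapled  - a successful OCSP response was included in the handshake
#   none     - the server sent no status (s_client: "no response sent")
#   unknown  - output did not contain either marker (handshake failed, etc.)
ocsp_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Query a live server. -status requests the status_request extension,
# -servername sends SNI so the intended certificate is selected.
check_server() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | ocsp_status
}

# Constructed fragments of what s_client prints in each case (sample data,
# not captured from a real server); used to exercise ocsp_status offline.
STAPLED_SAMPLE='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
NOT_STAPLED_SAMPLE='OCSP response: no response sent
---
Certificate chain'
```

Run `check_server tomcat.example.test 8443` against a connector before and after setting the property to see the result move from `none` to `stapled`.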
Comment 6 Mark Thomas 2019-06-17 20:08:33 UTC
This will need code changes in Tomcat Native. A rough outline of what is required is provided by:
https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_tlsext_status_arg.html
Comment 7 Christopher Schultz 2019-06-18 15:40:36 UTC
(In reply to Mark Thomas from comment #4)
> -Djdk.tls.server.enableStatusRequestExtension=true

Is this something that is possible via Tomcat configuration? Or is it only possible via a system property, which may be required to be set quite early-on in the JVM initialization?
Comment 8 Azat 2019-08-13 05:32:07 UTC
(In reply to Mark Thomas from comment #6)
> This will need code changes in Tomcat Native. A rough outline of what is
> required is provided by:
> https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_tlsext_status_arg.html

Hi Mark! What's the current status of this? Any (approximate) timeline on when someone could expect these changes to be implemented in Tomcat Native?
Comment 9 Mark Thomas 2019-08-13 08:58:14 UTC
The current status is what you see here. It will be implemented when someone provides a suitable patch.
Comment 10 Azat 2019-08-28 08:35:41 UTC
(In reply to Mark Thomas from comment #9)
> The current status is what you see here. It will be implemented when someone
> provides a suitable patch.

Ok. Thanks, Mark. I understand that patches from the Tomcat community are welcome, but is this item on your TODO list as well?
Comment 11 Mark Thomas 2019-08-29 09:11:35 UTC
It is on the TODO list but there are quite a few things ahead of it on the list.
Comment 12 Azat 2020-09-29 18:09:00 UTC
(In reply to Mark Thomas from comment #11)
> It is on the TODO list but there are quite a few things ahead of it on the
> list.

Couple of questions to Mark related to this bug:
1) is this enhancement request still on your TODO list?
2) if this issue doesn't get implemented before the Tomcat 7 EOL date next March, what will happen with it? Do I then need to generate a new Bugzilla issue against Tomcat 8.5?
Comment 13 Mark Thomas 2020-09-29 18:24:22 UTC
(In reply to Azat from comment #12)
> (In reply to Mark Thomas from comment #11)
> > It is on the TODO list but there are quite a few things ahead of it on the
> > list.
> 
> Couple of questions to Mark related to this bug:
> 1) is this enhancement request still on your TODO list?

Yes.

> 2) if this issue doesn't get implemented before the Tomcat 7 EOL date next March,
> what will happen with it? Do I then need to generate a new Bugzilla issue
> against Tomcat 8.5?

No. We'll review all the open 7.0.x issues at that point and unless they are Tomcat 7.0.x specific (most aren't) we'll bulk update them to 8.5.x.
Comment 14 Mark Thomas 2021-05-05 11:35:16 UTC
With Tomcat 7 reaching EOL, move the remaining open enhancement requests to
Tomcat 8.
Comment 15 logo 2023-06-09 09:42:40 UTC
Mark,

would you mind updating your plans for this request.

It may be outdated as to Tomcat version, OpenSSL 1.1.1 vs. 3.1 and usage of Tomcat Native.

Nevertheless it would be great to have this working.

I create all my certs with the "OCSP must staple" extension, but for Tomcat I have to work around this bug.

Thank you.

Peter
Comment 16 Mark Thomas 2023-06-09 10:05:32 UTC
Plans haven't changed from comment #6. Patches still welcome. I'm expecting the OpenSSL 3.0.x and 1.1.1 solutions to look broadly similar (but haven't looked at the code).