Bug 56148 - support (multiple) ocsp stapling
Summary: support (multiple) ocsp stapling
Status: NEW
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Connectors
Version: unspecified
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-17 23:12 UTC by Ralf Hauser
Modified: 2019-08-29 09:11 UTC
CC: 3 users

Description Ralf Hauser 2014-02-17 23:12:56 UTC
to reduce client (http often without "s") traffic to CAs, etc.

see section "disable Online Certificate Status Protocol (OCSP) checks" in https://calomel.org/firefox_ssl_validation.html 

https://casecurity.org/2013/05/07/an-introduction-to-ocsp-multi-stapling/

for the firefox client side, see 
https://bugzilla.mozilla.org/show_bug.cgi?id=957667
Comment 1 Mark Thomas 2014-02-18 08:47:00 UTC
Support for this in the BIO and NIO connectors is going to have to wait until Java provides the support. I don't see it in Java 8 which means that it is likely to be at least Java 9.

It should be possible to do something for APR/native.
Comment 3 Christopher Schultz 2018-06-04 18:40:15 UTC
Looks like Java 9 has OCSP stapling[1]. See slide 47. Looks like you can just set a system preference and magically you get OCSP stapling.

[1] https://cdn.app.compendium.com/uploads/user/e7c690e8-6ff9-102a-ac6d-e4aebca50425/f4a5b21d-66fa-4885-92bf-c4e81c06d916/File/3c93ea22f64e8a22f67d65c46613c466/j1_2015_con6710.pdf
Comment 4 Mark Thomas 2019-06-17 14:01:42 UTC
I can confirm this "just works" if you have a suitably configured certificate (LetsEncrypt in my test), a Java version that supports it (JDK 11.0.3+7 in my test), are using a JSSE based connector (NIO with JSSE in my test) and have set the appropriate system property (-Djdk.tls.server.enableStatusRequestExtension=true).

Confirmed with SSLLabs.

Next up is testing with an OpenSSL based connector.
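A local counterpart to the SSLLabs check in comment 4, added here as an example that is not part of the bug report or of Tomcat: a POSIX shell script that runs `openssl s_client -status` (which sends the TLS status_request extension) against a host and parses the client's output to tell whether the server stapled an OCSP response and what certificate status it carried. The script name `ocsp_check.sh`, the host and port arguments are assumptions; the strings it matches ("OCSP response: no response sent", "OCSP Response Status: successful", "Cert Status:") are those printed by the OpenSSL command-line client.

```shell
#!/bin/sh
# Added example, not from the Tomcat bug or the Tomcat project.
# Usage: sh ocsp_check.sh HOST [PORT]   (assumes `openssl` on PATH)

# has_staple: read `openssl s_client -status` output on stdin and report
# whether the server sent a stapled OCSP response.
# Returns 0 when a successful OCSP response was stapled, 1 otherwise.
has_staple() {
    out=$(cat)
    # s_client prints this line when the server ignored status_request.
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        return 1
    fi
    # A staple is present when the decoded response reports success.
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        return 0
    fi
    return 1
}

# staple_cert_status: print the certificate status from the stapled response
# ("good", "revoked" or "unknown"), or "none" when no staple was sent.
# A stapled response that says "revoked" is still a staple, so check both.
staple_cert_status() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    if [ -z "$status" ]; then
        echo none
    else
        echo "$status"
    fi
}

# check_host: handshake with HOST[:PORT] using SNI and the status_request
# extension, then report whether the server stapled and the cert status.
check_host() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -status </dev/null 2>/dev/null)
    if printf '%s\n' "$out" | has_staple; then
        cert=$(printf '%s\n' "$out" | staple_cert_status)
        echo "$host:$port stapling: yes (cert status: $cert)"
        return 0
    fi
    echo "$host:$port stapling: no"
    return 1
}

# Only contact a server when a host was given on the command line.
if [ "$#" -gt 0 ]; then
    check_host "$@"
fi
```

Run it once against the Tomcat instance with the JSSE connector and the system property set, and once without the property: the first should report "stapling: yes (cert status: good)", the second "stapling: no". The same script serves for the OpenSSL-based connectors from comment 5, since it only looks at what the server puts on the wire.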
Comment 5 Mark Thomas 2019-06-17 14:24:58 UTC
Just switching implementations (no config changes)

NIO-OpenSSL - no stapling
APR-OpenSSL - no stapling

Next step is to look at OpenSSL config and API to see a) if this can be enabled and b) what the options are for doing so.
Comment 6 Mark Thomas 2019-06-17 20:08:33 UTC
This will need code changes in Tomcat Native. A rough outline of what is required is provided by:
https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_tlsext_status_arg.html
Comment 7 Christopher Schultz 2019-06-18 15:40:36 UTC
(In reply to Mark Thomas from comment #4)
> -Djdk.tls.server.enableStatusRequestExtension=true

Is this something that is possible via Tomcat configuration? Or is it only possible via a system property, which may be required to be set quite early-on in the JVM initialization?
Comment 8 Azat 2019-08-13 05:32:07 UTC
(In reply to Mark Thomas from comment #6)
> This will need code changes in Tomcat Native. A rough outline of what is
> required is provided by:
> https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_tlsext_status_arg.html

Hi Mark! What's the current status of this? Any (approximate) timeline on when someone could expect these changes to be implemented in Tomcat Native?
Comment 9 Mark Thomas 2019-08-13 08:58:14 UTC
The current status is what you see here. It will be implemented when someone provides a suitable patch.
Comment 10 Azat 2019-08-28 08:35:41 UTC
(In reply to Mark Thomas from comment #9)
> The current status is what you see here. It will be implemented when someone
> provides a suitable patch.

Ok. Thanks, Mark. I understand that patches from the Tomcat community are welcome, but is this item on your TODO list as well?
Comment 11 Mark Thomas 2019-08-29 09:11:35 UTC
It is on the TODO list but there are quite a few things ahead of it on the list.