Bug 62911 - Add support for proxying ocsp requests via ProxyHost and ProxyPort in TomcAt
Summary: Add support for proxying ocsp requests via ProxyHost and ProxyPort in TomcAt
Status: NEW
Alias: None
Product: Tomcat Native
Classification: Unclassified
Component: Library
Version: 1.2.18
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2018-11-15 08:56 UTC by Azat
Modified: 2020-08-22 09:09 UTC

Description Azat 2018-11-15 08:56:51 UTC
Please add support for specifying proxyHost and proxyPort for OCSP requests in Tomcat.

I have a webapp which runs on Tomcat 7.0.70 on RHEL 6.9 and Java 7 and uses APR/Tomcat Native for SSL/TLS. Tomcat sits behind a proxy.
I can't get OCSP stapling working.
I tried using proxyName and proxyPort in the Connector in server.xml, hoping that this would also proxy OCSP requests in Tomcat, but the SSL Labs test still shows OCSP stapling "No" for my server.

Given the fact that most of the OCSP responders specified in SSL certificates, such as Comodo's, actually resolve to many changing IP addresses, it becomes really hard or impossible to specify any firewall rule to manually proxy OCSP requests, since these firewalls typically operate with IP addresses, not hostnames. The inability to specify a proxy host/port, or to specify a file from which the stapled OCSP response could be taken, makes OCSP unavailable in many corporate environments, where internet access is typically granted via a proxy.
Comment 1 Mark Thomas 2018-11-30 20:35:54 UTC
Moving to correct project
Comment 2 Azat 2019-01-15 12:29:40 UTC
Mark, any chance you can do this for the upcoming 1.2.20 release?
Comment 3 Mark Thomas 2019-06-20 13:46:54 UTC
The APR/native connector does not support OCSP stapling. This is being tracked under bug 56148.
Comment 4 Mark Thomas 2020-08-20 16:19:16 UTC
I'll note at this point that the Connector attributes proxyHost and proxyPort are NOT intended to provide proxy info for outgoing connections.

Those using a Java connector and a JRE that supports OCSP can configure the OCSP requests to go via a proxy by using the standard Java system properties:

Those using APR/native will need to wait for this enhancement (and bug 56148)
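As an added check that is not part of this bug thread: the snippet below asks the JRE's default ProxySelector which proxy it would use for an OCSP responder URL once the standard Java proxy system properties are set, which is the mechanism Comment 4 refers to. The proxy host/port and the responder URL are constructed placeholders; the Connector attributes proxyHost/proxyPort play no role here.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

// Added example, not code from the bug thread or from Tomcat.
// Reports the proxy the JVM would route an OCSP request through, based on
// the standard http.proxyHost / http.proxyPort system properties.
public class OcspProxyCheck {

    // Returns "host:port" of the HTTP proxy selected for the responder URL,
    // or null if the JVM would connect directly.
    static String proxyFor(String responderUrl) throws Exception {
        URI responder = new URI(responderUrl);
        List<Proxy> proxies = ProxySelector.getDefault().select(responder);
        for (Proxy p : proxies) {
            if (p.type() == Proxy.Type.HTTP) {
                InetSocketAddress addr = (InetSocketAddress) p.address();
                return addr.getHostString() + ":" + addr.getPort();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // In a real deployment these are passed on the JVM command line
        // (for example in CATALINA_OPTS as -Dhttp.proxyHost=... -Dhttp.proxyPort=...).
        // They are set here only so the example runs stand-alone; values are constructed.
        System.setProperty("http.proxyHost", "proxy.example.internal");
        System.setProperty("http.proxyPort", "3128");

        // OCSP responder URLs in certificates are plain http://, so the http.* properties apply.
        String responder = "http://ocsp.example-ca.test/";   // constructed placeholder
        String via = proxyFor(responder);
        if (via == null) {
            System.out.println("OCSP requests to " + responder + " would be sent directly (no proxy)");
        } else {
            System.out.println("OCSP requests to " + responder + " would be sent via " + via);
        }
    }
}
```

Running this with the same -D properties you intend to give Tomcat confirms whether the JVM, as opposed to the Connector, will route the responder lookup through the corporate proxy.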
Comment 5 Azat 2020-08-22 09:09:39 UTC
When I originally filed this enhancement request I thought that this was the reason for OCSP not working with Tomcat and OpenSSL. But it turned out to be an issue with the Tomcat Native code needing changes, as Mark pointed out in his comment #7 on bug 56148. So I guess I just have to wait for it to be fixed. Which actually brings another small question. If 56148 does NOT get fixed before the Tomcat 7 EOL date, do I have to file another bug against the 8.5 branch or Tomcat Native for the best chance of OCSP being available on Tomcat with OpenSSL? I'm not rushing you guys, I just don't want 56148 being forgotten after the Tomcat 7 EOL date in case it doesn't get fixed before that. Maybe Mark or someone else can clarify that for me?