The following patch has been accepted and merged into the mainline Tomcat-native tree as of tc-native version 1.1.23. It can also be applied to earlier versions of Tomcat.
Note: there is a problem with the way this is implemented in tc-native versions 1.1.23 and 1.1.24; see Bugzilla ticket #53937. You can also download the patch from the local repository.

The Problem

When Tomcat is used with tc-native and APR, it is not possible to check certificates with OCSP. In fact, even using a CRL with this configuration is not a good solution, since Apache Tomcat has no way to reload just the CRL when it is updated, short of restarting the service. Furthermore, if the CRL has expired, Apache Tomcat refuses any further connections to the service.

A CRL that is not updated often is not a viable solution either, since it poses several security risks: people with revoked certificates could still use them to log in to services.
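The expired-CRL failure mode described above is something to catch before Tomcat starts refusing connections. The following is an added example, not part of the tc-native patch or of Tomcat: a stdlib-only Python check that reads the thisUpdate/nextUpdate window from a DER-encoded CRL (convert a PEM file first with `openssl crl -inform PEM -outform DER`) and reports whether it is expired or about to expire, so the CRL can be refreshed and the service restarted in time. The sample CRL is constructed inline with a hypothetical issuer and a dummy signature; only the validity window is inspected, the signature is not verified.

```python
# Added example (not part of the tc-native patch): check a DER CRL's validity window
# so an expired CRL is caught before tc-native starts refusing every TLS handshake.
from datetime import datetime, timedelta, timezone

SEQUENCE, INTEGER, OID, UTCTIME, GENTIME = 0x30, 0x02, 0x06, 0x17, 0x18

def der_tlv(buf, off=0):
    """Decode one DER TLV at buf[off]; return (tag, content, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def parse_time(tag, body):
    """UTCTime (YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime to aware datetime."""
    text = body.decode("ascii")
    if tag == UTCTIME:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):
    """(thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate is None if absent."""
    tbs, fields, off = der_tlv(der_tlv(der)[1])[1], [], 0  # tbsCertList is the first element
    while off < len(tbs):
        tag, body, off = der_tlv(tbs, off)
        fields.append((tag, body))
    if fields[0][0] == INTEGER:  # optional version precedes signature, issuer, thisUpdate
        fields = fields[1:]
    nxt = fields[3] if len(fields) > 3 and fields[3][0] in (UTCTIME, GENTIME) else None
    return parse_time(*fields[2]), (parse_time(*nxt) if nxt else None)

def crl_status(der, now, warn_days=3):
    """'expired', 'expiring' (nextUpdate within warn_days) or 'ok'."""
    nxt = crl_validity(der)[1]
    if nxt is None or now + timedelta(days=warn_days) < nxt:
        return "ok"  # an absent nextUpdate means the CRL never expires
    return "expired" if now >= nxt else "expiring"

def tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample below
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")) + body

SHA256_RSA = tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
# Constructed sample: hypothetical issuer CN=Test CA, valid 2024-01-01 to 2024-01-31, dummy signature.
SAMPLE_CRL = tlv(SEQUENCE, tlv(SEQUENCE, tlv(INTEGER, b"\x01") + SHA256_RSA
    + tlv(SEQUENCE, tlv(0x31, tlv(SEQUENCE, tlv(OID, b"\x55\x04\x03") + tlv(0x13, b"Test CA"))))
    + tlv(UTCTIME, b"240101000000Z") + tlv(UTCTIME, b"240131000000Z"))
    + SHA256_RSA + tlv(0x03, b"\x00" * 9))
```

Run `crl_status(open("crl.der", "rb").read(), datetime.now(timezone.utc))` from a cron job and alert on anything other than "ok".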

The Solutions

  • Don't use this configuration. Put Apache httpd in front of Tomcat and have httpd deal with all these issues. (At the time of writing you must use httpd from trunk.)
  • Use the following patch after reading the information below.

The patch

This patch was produced in close coupling with the environment we had. The certificates we produced carry OCSP information, with the OCSP server running without SSL. Therefore the testing was done in this environment (one OCSP responder entry in the certificate, pointing to a non-SSL OCSP server), and not all corner cases have been tested thoroughly.

Configuration

Standalone Tomcat with APR support, in order to use native OpenSSL calls and avoid using the Apache httpd server as a front-end for handling SSL.

Installation Instructions

TODO

  • Support HTTPS queries for the OCSP request
  • If the certificate has more than one OCSP responder, query all of them until an answer is found