PASOE: OCSP Stapling does not work

Title: PASOE: OCSP Stapling does not work
URL Name: PASOE-OCSP-Stapling-does-not-work
Article Number: 000229187
Environment:
  Product: OpenEdge
  Version: 12.2 and later
  OS: All supported platforms
  Other: PASOE
Question/Problem Description
OCSP Stapling does not work when PASOE is configured to use the APR OpenSSL implementation for the HTTPS Connector.
Clarifying Information
According to the following Apache Tomcat documentation, the APR OpenSSL implementation for the HTTPS Connector needs to be configured for OCSP support: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Using_OCSP_Certificates

When using the SSLC command (i.e. the OpenEdge OpenSSL binary) within a Proenv session to verify whether OCSP Stapling is working, it shows the following OCSP response:
OCSP response: no response sent

The SSLC command used to verify that OCSP Stapling is working is similar to the following:
sslc s_client -connect <hostname>:<port> -tls1_2 -tlsextdebug -status

The expected result from the SSLC command should contain an OCSP response similar to the following:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)

OCSP Stapling is also failing with a standalone Tomcat installation.

OCSP Stapling is working when using the same server certificate with Apache HTTP Server.
Cause
The Apache Tomcat documentation appears to focus on OCSP support for client certificates as opposed to server certificates. Furthermore, OCSP Stapling on the server side does not work with either the APR OpenSSL implementation or the NIO OpenSSL implementation because of the following Apache Tomcat bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=56148

Apache seems to be treating this as an enhancement request rather than a real bug, so it is not clear whether this issue will be fixed in the near future.
Resolution
The only solution at the time of this writing is to use the NIO JSSE implementation for the HTTPS Connector by following these steps:
  • Open the <PASOE instance>\conf\server.xml file.
  • Search for the HTTPS Connector, for example:
    <Connector executor="tomcatThreadPool"
               port="${psc.as.https.port}" 
               protocol="HTTP/1.1" 
  • Update the protocol property and add the sslImplementationName property as follows:
    <Connector executor="tomcatThreadPool"
               port="${psc.as.https.port}" 
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  • Add the -Djdk.tls.server.enableStatusRequestExtension=true JVM system property in the <PASOE_instance>\conf\jvm.properties file to enable OCSP Stapling support for the JVM.
  • It is also recommended to add the -Djdk.tls.ephemeralDHKeySize=2048 JVM parameter to the <PASOE_instance>\conf\jvm.properties file to prevent the use of weak Diffie-Hellman (DH) keys. For more information, please refer to the following Oracle documentation: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
 
Note: When using the certificateKeystoreFile property within the HTTPS Connector, also make sure that the PEM file containing the signed certificate includes the complete certificate chain before it is imported into the keystore (e.g. tomcat-keystore-chain.p12); otherwise OCSP Stapling will not work. For example, the signed certificate PEM file would contain something similar to the following:
-----BEGIN RSA PRIVATE KEY-----
<content of private key>
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
<content of signed server certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<content of intermediate certificate>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<content of root certificate>
-----END CERTIFICATE-----
If the certificateFile, certificateChainFile, certificateKeyFile and certificateKeyPassword properties are being used for the HTTPS Connector instead of the certificateKeyAlias, certificateKeystoreFile, certificateKeystorePassword and certificateKeystoreType properties, then make sure that the whole certificate chain is defined in the PEM file that is specified for the certificateChainFile property.
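The following POSIX shell script is an added example (not part of the Progress article or the PASOE product) that automates the two checks described above: it classifies the output of the sslc/openssl s_client -status test into "stapled", "none" or "unknown", and it counts the CERTIFICATE blocks in a PEM chain file so an incomplete chain is caught before it is imported into the keystore or referenced by certificateChainFile. It assumes openssl is on PATH (OpenEdge's sslc accepts the same arguments); the function names and the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example; not part of the Progress article or the PASOE product.
# Assumes `openssl` is on PATH (OpenEdge's `sslc` takes the same arguments).

# Classify an s_client transcript read from stdin.
# Prints: stapled | none | unknown ; returns 0 only for "stapled".
classify_ocsp_transcript() {
    transcript=$(cat)
    case "$transcript" in
        *"OCSP Response Status: successful"*) echo stapled; return 0 ;;
        *"OCSP response: no response sent"*)  echo none;    return 1 ;;
        *)                                     echo unknown; return 2 ;;
    esac
}

# Live check against a PASOE HTTPS connector, using the same flags as the
# article's sslc command. Usage: check_ocsp_stapling <hostname> <port>
check_ocsp_stapling() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -tls1_2 -tlsextdebug -status 2>/dev/null \
        | classify_ocsp_transcript
}

# Count CERTIFICATE blocks in a PEM file. Stapling needs the leaf plus the
# intermediate(s), so fewer than 2 almost certainly means an incomplete chain.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Returns 0 when the PEM file holds at least <min> certificates (default 2).
pem_chain_complete() {
    n=$(pem_cert_count "$1")
    [ "$n" -ge "${2:-2}" ]
}

# Constructed sample transcripts (abridged from what s_client -status prints).
SAMPLE_NO_STAPLE='OCSP response: no response sent'
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

# Offline demonstration on the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_NO_STAPLE" | classify_ocsp_transcript || :   # none
    printf '%s\n' "$SAMPLE_STAPLED"   | classify_ocsp_transcript        # stapled
}
```

Run check_ocsp_stapling against the PASOE host and HTTPS port after the connector change; "none" is the symptom the article describes, "stapled" is the expected result.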
Notes
References to Other Documentation:
Apache Tomcat 9 Configuration Reference: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
Apache Tomcat 9, SSL/TLS Configuration How-To: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Progress Article(s):
How to configure and test a PASOE instance for secure communications?
Last Modified Date: 3/1/2023 5:15 PM