On Fri, Jan 16, 2026 at 3:59 PM <[email protected]> wrote:
>
> Hi Mark,
>
> I have compiled 1.3.5 - but with the same result.
>
> >>>> - disable OCSP (set ocspEnabled="false" on the SSLHostConfig)
>
> this is not available yet in 9.0.113, right? Could that lead to the default
> "false" in 9.0.113?
>
> I did not follow the exact logic: will I have to set this to true or will
> this be set automagically if I have an OCSP cert?

I would say you have to use the OpenSSLConfCmd for OCSP to configure it to
see if it works for you, because the new flags are not there yet.
https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java#L435
Since strict verification of everything was added, maybe that's the issue
and you need to configure "OCSP_VERIFY_FLAGS" to relax it. I think "16"
(OCSP_NOVERIFY) means "anything goes" like before.

Rémy

> Thanks, Peter.
>
> > On 16.01.2026 at 11:22, Mark Thomas <[email protected]> wrote:
> >
> > On 16/01/2026 09:48, Mark Thomas wrote:
> >> On 15/01/2026 20:33, [email protected] <mailto:[email protected]> wrote:
> >>> Thank you Mark.
> >>>
> >>> Do you mind sharing some more detail? I can't see a bugzilla...
> >> All the discussion is on the dev list.
> >
> > As are the details for the 1.3.5 release candidate that is now available
> > for testing.
> >
> > Mark
> >
> >> Mark
> >>>
> >>>> On 15.01.2026 at 19:03, Mark Thomas <[email protected]> wrote:
> >>>>
> >>>> There is an issue with Tomcat Native 1.3.4, OCSP and the APR/Native
> >>>> connector.
> >>>>
> >>>> Your options are:
> >>>> - switch back to 1.3.1
> >>>> - switch to NIO or NIO2 rather than APR
> >>>> - disable OCSP (set ocspEnabled="false" on the SSLHostConfig)
> >>>>
> >>>> Mark
> >>>>
> >>>>
> >>>> On 15/01/2026 17:16, [email protected] <mailto:[email protected]> wrote:
> >>>>> BTW:
> >>>>> From the release notes:
> >>>>> * Add: Add the ability to configure the OCSP checks to soft-fail
> >>>>>   - i.e. if the responder cannot be contacted or fails to respond in a
> >>>>>   timely manner the OCSP check will not fail. (markt)
> >>>>> * Add: Add a configurable timeout to the writing of OCSP requests
> >>>>>   and reading of OCSP responses. (markt)
> >>>>> * Add: Add the ability to control the OCSP verification flags.
> >>>>>   (markt)
> >>>>> How can I configure the new settings? Or control the OCSP verification
> >>>>> flags?
> >>>>> Thanks again.
> >>>>>> On 15.01.2026 at 18:11, [email protected] wrote:
> >>>>>>
> >>>>>> Hi all.
> >>>>>>
> >>>>>> I've compiled the newest version of tomcat native in my tomcat 9.0.113
> >>>>>> docker container.
> >>>>>>
> >>>>>> Now authentication with a client certificate fails. This has been
> >>>>>> working fine with 1.3.1/2.0.9.
> >>>>>> And the same setup still works with the JSSE connector.
> >>>>>>
> >>>>>> As I read in the release notes there have been changes in the
> >>>>>> verification of OCSP responses. My assumption, as the certs and client
> >>>>>> have not changed, would be that there is something missing or a bug.
> >>>>>> Maybe my certs are wrong, but JSSE is not complaining...
> >>>>>>
> >>>>>> Is there anything I can try to debug or get more information within
> >>>>>> tomcat?
> >>>>>>
> >>>>>> Thank You
> >>>>>>
> >>>>>> Peter
> >>>>>>
> >>>>>> Find my logs and config below:
> >>>>>>
> >>>>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
> >>>>>> * Host tomcat.fritz.box:8843 was resolved.
> >>>>>> * IPv6: (none)
> >>>>>> * IPv4: 192.168.126.130
> >>>>>> *   Trying 192.168.126.130:8843...
> >>>>>> * ALPN: curl offers http/1.1
> >>>>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> >>>>>> * SSL Trust Anchors:
> >>>>>> *   CAfile: chain.logopk.crt.pem
> >>>>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> >>>>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> >>>>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
> >>>>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> >>>>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> >>>>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
> >>>>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> >>>>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
> >>>>>> * ALPN: server accepted http/1.1
> >>>>>> * Server certificate:
> >>>>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
> >>>>>> *  start date: Jan 14 22:20:04 2026 GMT
> >>>>>> *  expire date: Apr 14 22:21:04 2026 GMT
> >>>>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
> >>>>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> >>>>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> >>>>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
> >>>>>> * SSL certificate verified via OpenSSL.
> >>>>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
> >>>>>> * using HTTP/1.x
> >>>>>>> GET / HTTP/1.1
> >>>>>>> Host: tomcat.fritz.box:8843
> >>>>>>> User-Agent: curl/8.18.0
> >>>>>>> Accept: */*
> >>>>>>>
> >>>>>> * Request completely sent off
> >>>>>> * TLSv1.3 (IN), TLS alert, unknown CA (560):
> >>>>>> * OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
> >>>>>> * closing connection #0
> >>>>>> curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
> >>>>>>
> >>>>>> as comparison the same request with native 1.3.1:
> >>>>>>
> >>>>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
> >>>>>> * Host tomcat.fritz.box:8843 was resolved.
> >>>>>> * IPv6: (none)
> >>>>>> * IPv4: 192.168.126.130
> >>>>>> *   Trying 192.168.126.130:8843...
> >>>>>> * ALPN: curl offers http/1.1
> >>>>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> >>>>>> * SSL Trust Anchors:
> >>>>>> *   CAfile: chain.logopk.crt.pem
> >>>>>>
> >>>>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> >>>>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> >>>>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
> >>>>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> >>>>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> >>>>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
> >>>>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> >>>>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
> >>>>>> * ALPN: server accepted http/1.1
> >>>>>> * Server certificate:
> >>>>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
> >>>>>> *  start date: Jan 14 22:20:04 2026 GMT
> >>>>>> *  expire date: Apr 14 22:21:04 2026 GMT
> >>>>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
> >>>>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> >>>>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> >>>>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
> >>>>>> * SSL certificate verified via OpenSSL.
> >>>>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
> >>>>>> * using HTTP/1.x
> >>>>>>> GET / HTTP/1.1
> >>>>>>> Host: tomcat.fritz.box:8843
> >>>>>>> User-Agent: curl/8.18.0
> >>>>>>> Accept: */*
> >>>>>>>
> >>>>>> * Request completely sent off
> >>>>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> >>>>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> >>>>>> < HTTP/1.1 200
> >>>>>> < Strict-Transport-Security: max-age=31536000
> >>>>>> < X-Frame-Options: DENY
> >>>>>> < X-Content-Type-Options: nosniff
> >>>>>> < X-XSS-Protection: 1; mode=block
> >>>>>> < Content-Type: text/html;charset=ISO-8859-1
> >>>>>> < Content-Length: 16
> >>>>>> < Date: Thu, 15 Jan 2026 17:05:10 GMT
> >>>>>> < Server: Apache Tomcat
> >>>>>> <
> >>>>>>
> >>>>>> This is Tomcat
> >>>>>> * Connection #0 to host tomcat.fritz.box:8843 left intact
> >>>>>>
> >>>>>>
> >>>>>> testssl.sh:
> >>>>>>
> >>>>>>  Certificate Validity (UTC)   89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
> >>>>>>  ETS/"eTLS", visibility info  not present
> >>>>>>  Certificate Revocation List  http://crl.fritz.box:8881/step.crl.pem
> >>>>>>  OCSP URI                     http://ocsp.fritz.box:8889
> >>>>>>  OCSP stapling                not offered
> >>>>>>  OCSP must staple extension   --
> >>>>>>
> >>>>>>
> >>>>>> <Connector port="8443"
> >>>>>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >>>>>>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >>>>>>            allowTrace="false"
> >>>>>>            maxThreads="150"
> >>>>>>            SSLEnabled="true"
> >>>>>>            compression="off"
> >>>>>>            scheme="https"
> >>>>>>            server="Apache Tomcat"
> >>>>>>            secure="true"
> >>>>>>            defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
> >>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> >>>>>>                      compression="on" />
> >>>>>>     <SSLHostConfig
> >>>>>>         hostName="tomcat.fritz.box"
> >>>>>>         honorCipherOrder="true"
> >>>>>>         protocols="+TLSv1.2,+TLSv1.3"
> >>>>>>         certificateVerification="none"
> >>>>>>         certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
> >>>>>>         truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
> >>>>>>         truststorePassword="changeit"
> >>>>>>         ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
> >>>>>>         >
> >>>>>>         <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
> >>>>>>                      certificateKeystorePassword="changeit"
> >>>>>>                      certificateKeyAlias="tomcat"
> >>>>>>                      type="RSA" />
> >>>>>>     </SSLHostConfig>
> >>>>>> </Connector>
> >>>>>>
> >>>>>> <Connector port="8843"
> >>>>>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >>>>>>            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> >>>>>>            server="Apache Tomcat"
> >>>>>>            allowTrace="false"
> >>>>>>            maxThreads="150"
> >>>>>>            SSLEnabled="true"
> >>>>>>            defaultSSLHostConfigName="${hostname:-docker.fritz.box}"
> >>>>>>            >
> >>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> >>>>>>                      compression="on" />
> >>>>>>     <SSLHostConfig honorCipherOrder="true"
> >>>>>>                    insecureRenegotiation="false"
> >>>>>>                    hostName="tomcat.fritz.box"
> >>>>>>                    protocols="+TLSv1.2,+TLSv1.3"
> >>>>>>                    certificateVerification="required"
> >>>>>>                    caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
> >>>>>>                    disableCompression="true"
> >>>>>>                    disableSessionTickets="true"
> >>>>>>                    ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
> >>>>>>                    certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
> >>>>>>         <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
> >>>>>>                      certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
> >>>>>>                      certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
> >>>>>>                      type="RSA" />
> >>>>>>     </SSLHostConfig>
> >>>>>> </Connector>
> >>>>>>
> >>>>>>
> >>>>>> root@tomcat:/usr/local/tomcat# bin/version.sh
> >>>>>> Using CATALINA_BASE:   /opt/apache-tomcat.base
> >>>>>> Using CATALINA_HOME:   /usr/local/tomcat
> >>>>>> Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
> >>>>>> Using JRE_HOME:        /opt/java/openjdk
> >>>>>> Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
> >>>>>> Using CATALINA_OPTS:   -XX:NativeMemoryTracking=summary -Dhostname=docker3.fritz.box -Djava.awt.headless=true -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60 -Djava.library.path=/usr/local/tomcat/native-jni-lib -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.rmi.port=10002 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=docker3.fritz.box -Dcom.sun.management.jmxremote.local.only=false -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml -XX:+UnlockDiagnosticVMOptions
> >>>>>> NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> >>>>>> Server version: Apache Tomcat/9.0.113
> >>>>>> Server built:   Dec 2 2025 19:51:24 UTC
> >>>>>> Server number:  9.0.113.0
> >>>>>> OS Name:        Linux
> >>>>>> OS Version:     6.12.57+deb13-arm64
> >>>>>> Architecture:   aarch64
> >>>>>> JVM Version:    11.0.29+7
> >>>>>> JVM Vendor:     Eclipse Adoptium
> >>>>>>
> >>>>>> root@tomcat:/usr/local/tomcat# openssl version
> >>>>>> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
> >>>>>>
> >>>>>> tomcat  | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: [email protected]
> >>>> <mailto:[email protected]>
> >>>> For additional commands, e-mail: [email protected]
> >>>> <mailto:[email protected]>
> >>>
> >>
> >
