This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new fc7c9eade8 Better docs for ocspSoftFail
fc7c9eade8 is described below
commit fc7c9eade8c858716be8cb2baab4d498f17004e9
Author: Mark Thomas <[email protected]>
AuthorDate: Thu May 21 10:34:58 2026 +0100
Better docs for ocspSoftFail
---
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/http.xml | 14 ++++++++------
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 180fdce725..a3915907a8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -225,6 +225,10 @@
Documentation: Expand the description of some of the attributes of the
<code>CrawlerSessionManagerValve</code>. (markt)
</add>
+ <fix>
+ Documentation: Clearer description and correct documented default for
+ <code>ocspSoftFail</code>. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
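Review bot: The new <fix> entry says the documented default for ocspSoftFail was corrected but does not say what the default is. Anyone who configured a connector from the earlier documentation will want the value in the changelog itself, so consider wording it as "correct documented default (<code>true</code>) for <code>ocspSoftFail</code>", which matches the http.xml change in this commit.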
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index b90fdca461..c72e0d77cc 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1593,12 +1593,14 @@
</attribute>
<attribute name="ocspSoftFail" required="false">
- <p>By default, if an OCSP check fails for any reason the associated TLS
- handhskae will also fail and a TLS connection will not be established. If
- this attribute is set to <code>true</code>, OCSP checks that fail but do
- not return an explicit failure status to Tomcat (e.g. the OCSP check
times
- out) will not cause the TLS handshake to fail.</p>
- <p>If not specified, the default value of <code>false</code> will be
+ <p>If an OCSP responder returns an error, the TLS handshake will always
+ fail and a TLS connection will not be established. If the OCSP responder
+ is unreachable or otherwise unavailable, this setting determines whether
+ the handshake completes or fails. If <code>true</code>, the handskahe
will
+ complete and a TLS connection will be established when the OCSP responder
+ is unavailable. If <code>false</code>, the handshake will fail and no TLS
+ connection will be established.</p>
+ <p>If not specified, the default value of <code>true</code> will be
used.</p>
</attribute>
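Review bot: In the added paragraph, "handskahe" (in the sentence starting "If <code>true</code>, the") is a typo for "handshake"; the removed text had "handhskae", so the fix swaps one misspelling for another. Two further points on the same paragraph. First, because the documented default is now <code>true</code>, it would help to say outright that with this value a certificate's revocation status goes unchecked whenever the responder is unavailable, and that <code>false</code> is the setting that fails closed. Second, "returns an error" in the first sentence is ambiguous: it is not clear whether it covers an OCSP error response, a revoked status, or both, and the removed text's "explicit failure status" was no more precise.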