Thank you Mark. Do you mind sharing some more detail? I can't see a bugzilla...
> On 15.01.2026 at 19:03, Mark Thomas <[email protected]> wrote:
> 
> There is an issue with Tomcat Native 1.3.4, OCSP and the APR/Native connector.
> 
> Your options are:
> - switch back to 1.3.1
> - switch to NIO or NIO2 rather than APR
> - disable OCSP (set ocspEnabled="false" on the SSLHostConfig)
> 
> Mark
> 
> 
> On 15/01/2026 17:16, [email protected] wrote:
>> BTW:
>> From the release notes:
>> * Add: Add the ability to configure the OCSP checks to soft-fail - i.e. if the responder cannot be contacted or fails to respond in a timely manner the OCSP check will not fail. (markt)
>> * Add: Add a configurable timeout to the writing of OCSP requests and reading of OCSP responses. (markt)
>> * Add: Add the ability to control the OCSP verification flags. (markt)
>> How can I configure the new settings? Or control the OCSP verification flags?
>> Thanks again.
>>> On 15.01.2026 at 18:11, [email protected] wrote:
>>> 
>>> Hi all.
>>> 
>>> I've compiled the newest version of tomcat native in my tomcat 9.0.113 docker container.
>>> 
>>> Now authentication with a client certificate fails. This has been working fine with 1.3.1/2.0.9.
>>> And the same setup still works with the JSSE connector.
>>> 
>>> As I read in the release notes there have been changes in the verification of OCSP responses. My assumption, as the certs and client have not changed, would be that there is something missing or a bug. Maybe my certs are wrong, but JSSE is not complaining...
>>> 
>>> Is there anything I can try to debug or get more information within tomcat?
>>> 
>>> Thank You
>>> 
>>> Peter
>>> 
>>> Find my logs and config below:
>>> 
>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
>>> * Host tomcat.fritz.box:8843 was resolved.
>>> * IPv6: (none)
>>> * IPv4: 192.168.126.130
>>> *   Trying 192.168.126.130:8843...
>>> * ALPN: curl offers http/1.1
>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>> *  SSL Trust Anchors:
>>> *   CAfile: chain.logopk.crt.pem
>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
>>> * ALPN: server accepted http/1.1
>>> * Server certificate:
>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
>>> *  start date: Jan 14 22:20:04 2026 GMT
>>> *  expire date: Apr 14 22:21:04 2026 GMT
>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
>>> *  SSL certificate verified via OpenSSL.
>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
>>> * using HTTP/1.x
>>> > GET / HTTP/1.1
>>> > Host: tomcat.fritz.box:8843
>>> > User-Agent: curl/8.18.0
>>> > Accept: */*
>>> > 
>>> * Request completely sent off
>>> * TLSv1.3 (IN), TLS alert, unknown CA (560):
>>> * OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
>>> * closing connection #0
>>> curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
>>> 
>>> as comparison the same request with native 1.3.1:
>>> 
>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
>>> * Host tomcat.fritz.box:8843 was resolved.
>>> * IPv6: (none)
>>> * IPv4: 192.168.126.130
>>> *   Trying 192.168.126.130:8843...
>>> * ALPN: curl offers http/1.1
>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>> *  SSL Trust Anchors:
>>> *   CAfile: chain.logopk.crt.pem
>>> 
>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
>>> * ALPN: server accepted http/1.1
>>> * Server certificate:
>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
>>> *  start date: Jan 14 22:20:04 2026 GMT
>>> *  expire date: Apr 14 22:21:04 2026 GMT
>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
>>> *  SSL certificate verified via OpenSSL.
>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
>>> * using HTTP/1.x
>>> > GET / HTTP/1.1
>>> > Host: tomcat.fritz.box:8843
>>> > User-Agent: curl/8.18.0
>>> > Accept: */*
>>> > 
>>> * Request completely sent off
>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
>>> < HTTP/1.1 200
>>> < Strict-Transport-Security: max-age=31536000
>>> < X-Frame-Options: DENY
>>> < X-Content-Type-Options: nosniff
>>> < X-XSS-Protection: 1; mode=block
>>> < Content-Type: text/html;charset=ISO-8859-1
>>> < Content-Length: 16
>>> < Date: Thu, 15 Jan 2026 17:05:10 GMT
>>> < Server: Apache Tomcat
>>> < 
>>> 
>>> This is Tomcat
>>> * Connection #0 to host tomcat.fritz.box:8843 left intact
>>> 
>>> 
>>> testssl.sh:
>>> 
>>> Certificate Validity (UTC)    89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
>>> ETS/"eTLS", visibility info   not present
>>> Certificate Revocation List   http://crl.fritz.box:8881/step.crl.pem
>>> OCSP URI                      http://ocsp.fritz.box:8889
>>> OCSP stapling                 not offered
>>> OCSP must staple extension    --
>>> 
>>> 
>>> <Connector port="8443"
>>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>            allowTrace="false"
>>>            maxThreads="150"
>>>            SSLEnabled="true"
>>>            compression="off"
>>>            scheme="https"
>>>            server="Apache Tomcat"
>>>            secure="true"
>>>            defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
>>>     <SSLHostConfig
>>>         hostName="tomcat.fritz.box"
>>>         honorCipherOrder="true"
>>>         protocols="+TLSv1.2,+TLSv1.3"
>>>         certificateVerification="none"
>>>         certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
>>>         truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
>>>         truststorePassword="changeit"
>>>         ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
>>>         >
>>>         <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
>>>                      certificateKeystorePassword="changeit"
>>>                      certificateKeyAlias="tomcat"
>>>                      type="RSA" />
>>>     </SSLHostConfig>
>>> </Connector>
>>> 
>>> <Connector port="8843"
>>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>>>            server="Apache Tomcat"
>>>            allowTrace="false"
>>>            maxThreads="150"
>>>            SSLEnabled="true"
>>>            defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
>>>     <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
>>>         hostName="tomcat.fritz.box"
>>>         protocols="+TLSv1.2,+TLSv1.3"
>>>         certificateVerification="required"
>>>         caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
>>>         disableCompression="true"
>>>         disableSessionTickets="true"
>>>         ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
>>>         certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
>>>         <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
>>>                      certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
>>>                      certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
>>>                      type="RSA" />
>>>     </SSLHostConfig>
>>> </Connector>
>>> 
>>> 
>>> root@tomcat:/usr/local/tomcat# bin/version.sh
>>> Using CATALINA_BASE:   /opt/apache-tomcat.base
>>> Using CATALINA_HOME:   /usr/local/tomcat
>>> Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
>>> Using JRE_HOME:        /opt/java/openjdk
>>> Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
>>> Using CATALINA_OPTS:   -XX:NativeMemoryTracking=summary -Dhostname=docker3.fritz.box -Djava.awt.headless=true -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60 -Djava.library.path=/usr/local/tomcat/native-jni-lib -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.rmi.port=10002 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=docker3.fritz.box -Dcom.sun.management.jmxremote.local.only=false -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml -XX:+UnlockDiagnosticVMOptions
>>> NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
>>> Server version: Apache Tomcat/9.0.113
>>> Server built:   Dec 2 2025 19:51:24 UTC
>>> Server number:  9.0.113.0
>>> OS Name:        Linux
>>> OS Version:     6.12.57+deb13-arm64
>>> Architecture:   aarch64
>>> JVM Version:    11.0.29+7
>>> JVM Vendor:     Eclipse Adoptium
>>> 
>>> root@tomcat:/usr/local/tomcat# openssl version
>>> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
>>> 
>>> tomcat | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
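As an added diagnostic (my script, not from this thread or from Tomcat): it replays outside Tomcat the two checks the OpenSSL-backed connector applies to a client certificate when certificateVerification="required" and OCSP is enabled, chain validation against caCertificateFile and an OCSP query to the responder named in the certificate's AIA extension, so a failing handshake can be attributed to the certificates or responder rather than to the native library. File names follow the thread; the responder output strings matched in ocsp_verdict are assumptions about the wording of the openssl CLI.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not Tomcat's own code).
# Usage: ./ocsp-check.sh client.crt int.logopk.crt.pem chain.logopk.crt.pem

# Map the text `openssl ocsp` prints to the verdict a strict (non-soft-fail)
# verifier would reach. Patterns are assumptions about openssl's wording.
ocsp_verdict() {
    # $1: combined stdout+stderr of `openssl ocsp`
    case "$1" in
        *"Response Verify Failure"*)
            echo "fail: OCSP response signature/issuer check failed" ;;
        *": good"*)
            echo "pass: responder says good" ;;
        *": revoked"*)
            echo "fail: certificate revoked" ;;
        *": unknown"*)
            echo "fail: responder does not know this certificate" ;;
        *"Responder Error"*)
            echo "fail: responder error (soft-fail would allow this)" ;;
        *"Connection refused"*|*"Could not connect"*|*"connect:"*)
            echo "fail: responder unreachable (soft-fail would allow this)" ;;
        *)
            echo "fail: unrecognised responder output" ;;
    esac
}

# check_client_cert CLIENT_CERT ISSUER_CERT CA_CHAIN
check_client_cert() {
    cert=$1; issuer=$2; chain=$3
    # 1) Does the client cert chain to the bundle given in caCertificateFile?
    if ! openssl verify -CAfile "$chain" -untrusted "$issuer" "$cert" >/dev/null 2>&1; then
        echo "fail: chain validation against $chain failed"; return 1
    fi
    # 2) Query the responder named in the certificate's AIA extension.
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$uri" ]; then
        echo "pass: no OCSP URI in certificate, nothing to check"; return 0
    fi
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$chain" \
          -url "$uri" -timeout 5 -resp_text 2>&1)
    ocsp_verdict "$out"
}

if [ "$#" -eq 3 ]; then
    check_client_cert "$@"
fi
```

Run it inside the container so the responder is resolved and reached the same way Tomcat reaches it; a "responder unreachable" or "responder error" verdict is exactly the case the 1.3.4 soft-fail option is meant to tolerate.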
