Hi Mark,

I have compiled 1.3.5 - but with the same result.

>>>> - disable OCSP (set ocspEnabled="false" on the SSLHostConfig)

This is not available yet in 9.0.113, right? Could that lead to the default "false" in 9.0.113? I did not follow the exact logic: will I have to set this to true, or will this be set automagically if I have an OCSP cert?

Thanks,
Peter

> On 16.01.2026 at 11:22, Mark Thomas <[email protected]> wrote:
>
> On 16/01/2026 09:48, Mark Thomas wrote:
>> On 15/01/2026 20:33, [email protected] wrote:
>>> Thank you Mark.
>>>
>>> Do you mind sharing some more detail? I can't see a bugzilla...
>> All the discussion is on the dev list.
>
> As are the details for the 1.3.5 release candidate that is now available for testing.
>
> Mark
>
>> Mark
>>>
>>>> On 15.01.2026 at 19:03, Mark Thomas <[email protected]> wrote:
>>>>
>>>> There is an issue with Tomcat Native 1.3.4, OCSP and the APR/Native connector.
>>>>
>>>> Your options are:
>>>> - switch back to 1.3.1
>>>> - switch to NIO or NIO2 rather than APR
>>>> - disable OCSP (set ocspEnabled="false" on the SSLHostConfig)
>>>>
>>>> Mark
>>>>
>>>>
>>>> On 15/01/2026 17:16, [email protected] wrote:
>>>>> BTW:
>>>>> From the release notes:
>>>>> * Add: Add the ability to configure the OCSP checks to soft-fail - i.e. if the responder cannot be contacted or fails to respond in a timely manner the OCSP check will not fail. (markt)
>>>>> * Add: Add a configurable timeout to the writing of OCSP requests and reading of OCSP responses. (markt)
>>>>> * Add: Add the ability to control the OCSP verification flags. (markt)
>>>>> How can I configure the new settings? Or control the OCSP verification flags?
>>>>> Thanks again.
>>>>>> On 15.01.2026 at 18:11, [email protected] wrote:
>>>>>>
>>>>>> Hi all.
>>>>>>
>>>>>> I've compiled the newest version of tomcat native in my tomcat 9.0.113 docker container.
>>>>>>
>>>>>> Now authentication with a client certificate fails. This has been working fine with 1.3.1/2.0.9.
>>>>>> And the same setup still works with the JSSE connector.
>>>>>>
>>>>>> As I read in the release notes there have been changes in the verification of OCSP responses. My assumption, as the certs and client have not changed, would be that there is something missing or a bug. Maybe my certs are wrong, but JSSE is not complaining...
>>>>>>
>>>>>> Is there anything I can try to debug or get more information within tomcat?
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>> Peter
>>>>>>
>>>>>> Find my logs and config below:
>>>>>>
>>>>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
>>>>>> * Host tomcat.fritz.box:8843 was resolved.
>>>>>> * IPv6: (none)
>>>>>> * IPv4: 192.168.126.130
>>>>>> *   Trying 192.168.126.130:8843...
>>>>>> * ALPN: curl offers http/1.1
>>>>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>>>>> * SSL Trust Anchors:
>>>>>> *   CAfile: chain.logopk.crt.pem
>>>>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>>>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
>>>>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>>>>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
>>>>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>>>>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>>>>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
>>>>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
>>>>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
>>>>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
>>>>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
>>>>>> * ALPN: server accepted http/1.1
>>>>>> * Server certificate:
>>>>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
>>>>>> *  start date: Jan 14 22:20:04 2026 GMT
>>>>>> *  expire date: Apr 14 22:21:04 2026 GMT
>>>>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
>>>>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
>>>>>> *  SSL certificate verified via OpenSSL.
>>>>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
>>>>>> * using HTTP/1.x
>>>>>> > GET / HTTP/1.1
>>>>>> > Host: tomcat.fritz.box:8843
>>>>>> > User-Agent: curl/8.18.0
>>>>>> > Accept: */*
>>>>>> >
>>>>>> * Request completely sent off
>>>>>> * TLSv1.3 (IN), TLS alert, unknown CA (560):
>>>>>> * OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
>>>>>> * closing connection #0
>>>>>> curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
>>>>>>
>>>>>> As comparison, the same request with native 1.3.1:
>>>>>>
>>>>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
>>>>>> * Host tomcat.fritz.box:8843 was resolved.
>>>>>> * IPv6: (none)
>>>>>> * IPv4: 192.168.126.130
>>>>>> *   Trying 192.168.126.130:8843...
>>>>>> * ALPN: curl offers http/1.1
>>>>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>>>>> * SSL Trust Anchors:
>>>>>> *   CAfile: chain.logopk.crt.pem
>>>>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>>>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
>>>>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>>>>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
>>>>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>>>>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>>>>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
>>>>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
>>>>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
>>>>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
>>>>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
>>>>>> * ALPN: server accepted http/1.1
>>>>>> * Server certificate:
>>>>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
>>>>>> *  start date: Jan 14 22:20:04 2026 GMT
>>>>>> *  expire date: Apr 14 22:21:04 2026 GMT
>>>>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
>>>>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
>>>>>> *  SSL certificate verified via OpenSSL.
>>>>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
>>>>>> * using HTTP/1.x
>>>>>> > GET / HTTP/1.1
>>>>>> > Host: tomcat.fritz.box:8843
>>>>>> > User-Agent: curl/8.18.0
>>>>>> > Accept: */*
>>>>>> >
>>>>>> * Request completely sent off
>>>>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
>>>>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
>>>>>> < HTTP/1.1 200
>>>>>> < Strict-Transport-Security: max-age=31536000
>>>>>> < X-Frame-Options: DENY
>>>>>> < X-Content-Type-Options: nosniff
>>>>>> < X-XSS-Protection: 1; mode=block
>>>>>> < Content-Type: text/html;charset=ISO-8859-1
>>>>>> < Content-Length: 16
>>>>>> < Date: Thu, 15 Jan 2026 17:05:10 GMT
>>>>>> < Server: Apache Tomcat
>>>>>> <
>>>>>>
>>>>>> This is Tomcat
>>>>>> * Connection #0 to host tomcat.fritz.box:8843 left intact
>>>>>>
>>>>>>
>>>>>> testssl.sh:
>>>>>>
>>>>>>  Certificate Validity (UTC)   89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
>>>>>>  ETS/"eTLS", visibility info  not present
>>>>>>  Certificate Revocation List  http://crl.fritz.box:8881/step.crl.pem
>>>>>>  OCSP URI                     http://ocsp.fritz.box:8889
>>>>>>  OCSP stapling                not offered
>>>>>>  OCSP must staple extension   --
>>>>>>
>>>>>>
>>>>>> <Connector port="8443"
>>>>>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>>>>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>>>>            allowTrace="false"
>>>>>>            maxThreads="150"
>>>>>>            SSLEnabled="true"
>>>>>>            compression="off"
>>>>>>            scheme="https"
>>>>>>            server="Apache Tomcat"
>>>>>>            secure="true"
>>>>>>            defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
>>>>>>     <SSLHostConfig hostName="tomcat.fritz.box"
>>>>>>                    honorCipherOrder="true"
>>>>>>                    protocols="+TLSv1.2,+TLSv1.3"
>>>>>>                    certificateVerification="none"
>>>>>>                    certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
>>>>>>                    truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
>>>>>>                    truststorePassword="changeit"
>>>>>>                    ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM" >
>>>>>>         <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
>>>>>>                      certificateKeystorePassword="changeit"
>>>>>>                      certificateKeyAlias="tomcat"
>>>>>>                      type="RSA" />
>>>>>>     </SSLHostConfig>
>>>>>> </Connector>
>>>>>>
>>>>>> <Connector port="8843"
>>>>>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>>>>            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>>>>>>            server="Apache Tomcat"
>>>>>>            allowTrace="false"
>>>>>>            maxThreads="150"
>>>>>>            SSLEnabled="true"
>>>>>>            defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
>>>>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
>>>>>>     <SSLHostConfig honorCipherOrder="true"
>>>>>>                    insecureRenegotiation="false"
>>>>>>                    hostName="tomcat.fritz.box"
>>>>>>                    protocols="+TLSv1.2,+TLSv1.3"
>>>>>>                    certificateVerification="required"
>>>>>>                    caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
>>>>>>                    disableCompression="true"
>>>>>>                    disableSessionTickets="true"
>>>>>>                    ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
>>>>>>                    certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl" >
>>>>>>         <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
>>>>>>                      certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
>>>>>>                      certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
>>>>>>                      type="RSA" />
>>>>>>     </SSLHostConfig>
>>>>>> </Connector>
>>>>>>
>>>>>>
>>>>>> root@tomcat:/usr/local/tomcat# bin/version.sh
>>>>>> Using CATALINA_BASE:   /opt/apache-tomcat.base
>>>>>> Using CATALINA_HOME:   /usr/local/tomcat
>>>>>> Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
>>>>>> Using JRE_HOME:        /opt/java/openjdk
>>>>>> Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
>>>>>> Using CATALINA_OPTS:   -XX:NativeMemoryTracking=summary -Dhostname=docker3.fritz.box -Djava.awt.headless=true -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60 -Djava.library.path=/usr/local/tomcat/native-jni-lib -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.rmi.port=10002 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=docker3.fritz.box -Dcom.sun.management.jmxremote.local.only=false -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml -XX:+UnlockDiagnosticVMOptions
>>>>>> NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
>>>>>> Server version: Apache Tomcat/9.0.113
>>>>>> Server built:   Dec 2 2025 19:51:24 UTC
>>>>>> Server number:  9.0.113.0
>>>>>> OS Name:        Linux
>>>>>> OS Version:     6.12.57+deb13-arm64
>>>>>> Architecture:   aarch64
>>>>>> JVM Version:    11.0.29+7
>>>>>> JVM Vendor:     Eclipse Adoptium
>>>>>>
>>>>>> root@tomcat:/usr/local/tomcat# openssl version
>>>>>> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
>>>>>>
>>>>>> tomcat | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
>>>>>>
>>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]
