This is an automated email from the ASF dual-hosted git repository. dsoumis pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit db70489ff36c61c338dcc7968ccfd9d88f011dbf
Author: Dimitris Soumis <[email protected]>
AuthorDate: Tue Oct 7 16:41:54 2025 +0300
If we set ok=0 with errnum==X509_V_OK (0), OpenSSL emits a fatal internal_error. Tolerate V_OCSP_CERTSTATUS_UNKNOWN and let the client policy (e.g. NO_FALLBACK) decide.
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index c82bf69247..106dca39f7 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1173,7 +1173,7 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
 errnum = X509_STORE_CTX_get_error(x509ctx);
 } else if (ocspResponse == V_OCSP_CERTSTATUS_UNKNOWN()) {
 errnum = X509_STORE_CTX_get_error(x509ctx);
- if (errnum <= 0) {
+ if (errnum < 0) {
 ok = 0;
 }
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
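Review bot: The guard `if (errnum < 0)` in the V_OCSP_CERTSTATUS_UNKNOWN branch looks unreachable, since X509_STORE_CTX_get_error returns X509_V_OK (0) or a positive X509_V_ERR_* code as far as OpenSSL defines them, so `ok = 0` can no longer be set on this path. If the intent is that an UNKNOWN responder status is always tolerated at this point, it would be clearer to drop the dead conditional and state the soft-fail explicitly, e.g. `// OCSP status UNKNOWN is tolerated here (soft-fail); rejection is left to the configured verification policy`. That matters for operators who expect revocation checking to be enforced: after this change an UNKNOWN answer does not fail the handshake in this branch, which is worth documenting next to the OCSP settings. If a hard failure on UNKNOWN is ever wanted, the callback would presumably need to record an explicit verification error before clearing `ok`, because the commit message reports that `ok=0` with X509_V_OK produces a fatal internal_error. The enclosing method starts and ends outside this hunk, so how `ok` and `errnum` are used afterwards is not visible here.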
