This is an automated email from the ASF dual-hosted git repository.

dsoumis pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 15aa357d018692545e57a9ef397b6da4b2fcc015
Author: Dimitris Soumis <[email protected]>
AuthorDate: Tue Oct 7 13:33:14 2025 +0300

    If optionalNoCA is configured then OCSP should be disabled.
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 8aaad4b924..177325fb0c 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -531,6 +531,10 @@ public class OpenSSLContext implements 
org.apache.tomcat.util.net.SSLContext {
                 case REQUIRED -> SSL_VERIFY_FAIL_IF_NO_PEER_CERT();
             };
 
+            if (value == OPTIONAL_NO_CA) {
+                noOcspCheck = true;
+            }
+
             // Set int verify_callback(int preverify_ok, X509_STORE_CTX 
*x509_ctx) callback
             SSL_CTX_set_verify(state.sslCtx, value,
                     SSL_CTX_set_verify$callback.allocate(new 
OpenSSLEngine.VerifyCallback(), contextArena));
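Review bot: The added `if (value == OPTIONAL_NO_CA)` branch turns off OCSP checking with no comment and no log entry, so an operator who configured OCSP together with optionalNoCA gets no sign that revocation status is no longer checked. I would put a why-comment above the branch, for example `// OCSP is not applied when certificateVerification is optionalNoCA`, and emit a warning-level log entry when `noOcspCheck` was previously false and is being overridden here. The branch only ever sets `noOcspCheck` to true. If that is a field that outlives this call and the context can be initialised again with a different verification mode, the flag would stay set, but its declaration and the rest of the enclosing method are outside the hunk, so this needs confirming against the full file.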

