This is an automated email from the ASF dual-hosted git repository.

dsoumis pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 92f5cb578502e60fb248e6539155984a3d2fa123
Author: Dimitris Soumis <[email protected]>
AuthorDate: Tue Oct 7 16:41:54 2025 +0300

    If we set ok=0 with errnum==X509_V_OK (0), OpenSSL emits a fatal 
internal_error.
    Tolerate V_OCSP_CERTSTATUS_UNKNOWN and let the client policy (e.g. 
NO_FALLBACK) decide.
---
 java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 9be5826962..6779194041 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1173,7 +1173,7 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
                         errnum = X509_STORE_CTX_get_error(x509ctx);
                     } else if (ocspResponse == V_OCSP_CERTSTATUS_UNKNOWN()) {
                         errnum = X509_STORE_CTX_get_error(x509ctx);
-                        if (errnum <= 0) {
+                        if (errnum < 0) {
                             ok = 0;
                         }
                     }
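Review bot: The new guard `if (errnum < 0)` in the `V_OCSP_CERTSTATUS_UNKNOWN()` branch looks unreachable, because X509_STORE_CTX_get_error() reports X509_V_OK (0) or a positive X509_V_ERR_* code. That leaves `ok = 0` as dead code, so an OCSP "unknown" status is always accepted at this point. If that soft-fail is intended, drop the dead check and document it, e.g. `// OCSP status unknown: deliberately not failing verification here; the configured policy decides`, and consider a debug-level log so operators can see certificates accepted with unknown revocation status. If rejection should stay possible, the failing path would need to set an explicit verify error before `ok = 0` (OpenSSL's X509_STORE_CTX_set_error, assuming these bindings expose it) rather than depend on the value of errnum. The enclosing callback starts and ends outside the hunk, so where the policy decision is applied afterwards is not visible here.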

