This is an automated email from the ASF dual-hosted git repository. dsoumis pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit b239b1eddefc4dcebffa76f199c300f1194d4c17
Author: Dimitris Soumis <[email protected]>
AuthorDate: Tue Oct 7 13:33:14 2025 +0300
If optionalNoCA is configured then OCSP should be disabled.
---
java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 8aaad4b924..177325fb0c 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -531,6 +531,10 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { case REQUIRED -> SSL_VERIFY_FAIL_IF_NO_PEER_CERT(); }; + if (value == OPTIONAL_NO_CA) { + noOcspCheck = true; + } + // Set int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) callback SSL_CTX_set_verify(state.sslCtx, value, SSL_CTX_set_verify$callback.allocate(new OpenSSLEngine.VerifyCallback(), contextArena));
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
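Review bot: The added `if (value == OPTIONAL_NO_CA) { noOcspCheck = true; }` switches OCSP revocation checking off without a comment or a log line, so an operator who configured OCSP together with optionalNoCA gets no indication that revocation is no longer checked. I would put `// optionalNoCA does not require the client chain to verify, so OCSP is skipped for this mode` above the block and log once here when OCSP had been enabled in the configuration. The test is made on the derived int `value`, not on the configured verification mode; the switch arms that produce it, like the rest of the enclosing method, are outside the hunk, so it is worth confirming that no other mode maps to the same number. `noOcspCheck` is only ever set to true here, so if this code can run again after the mode changes the flag presumably stays set.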
