This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 2251fb87e6 Improve OCSP docs
2251fb87e6 is described below
commit 2251fb87e68ca2428325917f4c3aaca0b1a04603
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Nov 28 17:25:57 2025 +0000
Improve OCSP docs
---
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/http.xml | 7 +++++--
webapps/docs/ssl-howto.xml | 29 ++++++++++++++++++++++-------
3 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b0fe899800..831024fffd 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -317,6 +317,10 @@
Manager: Include web application state in the HTML and JSON complete
server status output. (markt)
</add>
+ <add>
+ Documentation: Expand the documentation to better explain when OCSP is
+ supported and when it is not. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="jdbc-pool">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 674794a5ef..ac1454604f 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1144,9 +1144,12 @@
attributes to the values <code>https</code> and <code>true</code>
respectively, to pass correct information to the servlets.</p>
- <p>The NIO connector use either the JSSE Java SSL implementation or
+ <p>The NIO connector uses either the JSSE Java SSL implementation or
an OpenSSL implementation. As far as possible, common configuration
attributes
- are used for both JSSE and OpenSSL.</p>
+ are used for both JSSE and OpenSSL. You cannot mix JSSE specific
configuration
+ attributes and OpenSSL specific configuration attributes on the same
+ connector. However, you may use either the JSSE or the OpenSSL configuration
+ style with either the JSSE and OpenSSL implementations.</p>
<p>Each secure connector must define at least one
<strong>SSLHostConfig</strong>. The names of the
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 43151e1fd4..12db991c4e 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -445,20 +445,35 @@ mailing list</a>.</p>
</section>
<section name="Using OCSP Certificates">
- <p>
- Support of the Online Certificate Status Protocol (OCSP) in Apache
Tomcat
- uses OpenSSL. This can be used either through
- <a href="https://tomcat.apache.org/download-native.cgi";>Tomcat
Native</a>
- or the FFM API on Java 22 and newer.
- </p>
+<p>Tomcat supports the Online Certificate Status Protocol (OCSP) to verify the
+status of client provided certificates for a sub-set of connector
+configurations.</p>
+
<p>To use OCSP, you require the following:</p>
<ul>
<li>OCSP-enabled certificates</li>
- <li>Tomcat with an OpenSSL enabled connector</li>
+ <li>Tomcat with an OCSP enabled connector</li>
<li>Configured OCSP responder</li>
</ul>
+<p>OCSP is currently implemented for the following connector
configurations:</p>
+
+<ul>
+ <li>NIO HTTP connector with the
+ <code>org.apache.tomcat.util.net.openssl.OpenSSLImplementation</code>,
+ a Tomcat Native build where OCSP is enabled and using the OpenSSL style
+ configuration.</li>
+ <li>NIO HTTP connector with the
+
<code>org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation</code>,
+ and using the OpenSSL style configuration. This uses FFM so Java 22 or
+ later is also required.</li>
+</ul>
+
+<p>OCSP is not supported if the
+<code>org.apache.tomcat.util.net.jsse.JSSEImplementation</code> is used or if
+the JSSE configuraton style is used.</p>
+
<subsection name="Generating OCSP-Enabled Certificates">
<p>Apache Tomcat requires the OCSP-enabled certificate to have the OCSP
responder location encoded in the certificate. The basic OCSP-related
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
