This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new b6b1ca177d Improve OCSP docs
b6b1ca177d is described below
commit b6b1ca177d5923b0e03a22835569b7cb79d6877e
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Nov 28 17:25:57 2025 +0000
Improve OCSP docs
---
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/http.xml | 5 ++++-
webapps/docs/ssl-howto.xml | 29 ++++++++++++++++++++++-------
3 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f316fd2124..af7f4fcad5 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -171,6 +171,10 @@
Manager: Include web application state in the HTML and JSON complete
server status output. (markt)
</add>
+ <add>
+ Documentation: Expand the documentation to better explain when OCSP is
+ supported and when it is not. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="jdbc-pool">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index dad9899416..7c2be18e6f 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1229,7 +1229,10 @@
<p>The NIO and NIO2 connectors use either the JSSE Java SSL implementation or
an OpenSSL implementation. As far as possible, common configuration
attributes
- are used for both JSSE and OpenSSL.</p>
+ are used for both JSSE and OpenSSL. You cannot mix JSSE specific
configuration
+ attributes and OpenSSL specific configuration attributes on the same
+ connector. However, you may use either the JSSE or the OpenSSL configuration
+ style with either the JSSE and OpenSSL implementations.</p>
<p>Each secure connector must define at least one
<strong>SSLHostConfig</strong>. The names of the
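Review bot: The last added sentence in this hunk has a wording slip: "with either the JSSE and OpenSSL implementations" should read "with either the JSSE or the OpenSSL implementation", otherwise the sentence contradicts the "either ... or" it sets up. While touching these lines, "JSSE specific" and "OpenSSL specific" should be hyphenated as compound adjectives ("JSSE-specific configuration attributes", "OpenSSL-specific configuration attributes"). The substantive point is useful and worth keeping explicit: the configuration style (JSSE or OpenSSL attribute names) is independent of the implementation class, but the two styles cannot be mixed on one connector.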
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 9e5a9cd156..d38135a14e 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -450,20 +450,35 @@ mailing list</a>.</p>
</section>
<section name="Using OCSP Certificates">
- <p>
- Support of the Online Certificate Status Protocol (OCSP) in Apache
Tomcat
- uses OpenSSL. This can be used either through
- <a href="https://tomcat.apache.org/download-native.cgi">Tomcat
Native</a>
- or the FFM API on Java 22 and newer.
- </p>
+<p>Tomcat supports the Online Certificate Status Protocol (OCSP) to verify the
+status of client provided certificates for a sub-set of connector
+configurations.</p>
+
<p>To use OCSP, you require the following:</p>
<ul>
<li>OCSP-enabled certificates</li>
- <li>Tomcat with an OpenSSL enabled connector</li>
+ <li>Tomcat with an OCSP enabled connector</li>
<li>Configured OCSP responder</li>
</ul>
+<p>OCSP is currently implemented for the following connector
configurations:</p>
+
+<ul>
+ <li>NIO or NIO2 HTTP connector with the
+ <code>org.apache.tomcat.util.net.openssl.OpenSSLImplementation</code>,
+ a Tomcat Native build where OCSP is enabled and using the OpenSSL style
+ configuration.</li>
+ <li>NIO or NIO2 HTTP connector with the
+
<code>org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation</code>,
+ and using the OpenSSL style configuration. This uses FFM so Java 22 or
+ later is also required.</li>
+</ul>
+
+<p>OCSP is not supported if the
+<code>org.apache.tomcat.util.net.jsse.JSSEImplementation</code> is used or if
+the JSSE configuraton style is used.</p>
+
<subsection name="Generating OCSP-Enabled Certificates">
<p>Apache Tomcat requires the OCSP-enabled certificate to have the OCSP
responder location encoded in the certificate. The basic OCSP-related
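Review bot: Two typos in the new text of this hunk: "the JSSE configuraton style" should be "the JSSE configuration style", and "for a sub-set of connector configurations" should be "for a subset of connector configurations". "OCSP enabled connector" in the requirements list should be hyphenated ("OCSP-enabled connector") to match "OCSP-enabled certificates" on the line above it. On the first supported-configuration bullet, "a Tomcat Native build where OCSP is enabled" is the security-relevant caveat readers will most need, since a Tomcat Native build without OCSP support silently gives no revocation checking; consider stating in one sentence how an administrator can confirm that their Tomcat Native build has OCSP enabled, so the new "not supported" paragraph is matched by a positive check rather than leaving the reader to assume it works.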