This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 6ed9441832 Improve OCSP docs
6ed9441832 is described below

commit 6ed9441832e1faf17b0a1005051dd5c8e6c427ac
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Nov 28 17:25:57 2025 +0000

    Improve OCSP docs
---
 webapps/docs/changelog.xml   |  4 ++++
 webapps/docs/config/http.xml |  5 ++++-
 webapps/docs/ssl-howto.xml   | 29 ++++++++++++++++++++++-------
 3 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 362cdd2981..dfdb3f0483 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -171,6 +171,10 @@
         Manager: Include web application state in the HTML and JSON complete
         server status output. (markt)
       </add>
+      <add>
+        Documentation: Expand the documentation to better explain when OCSP is
+        supported and when it is not. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="jdbc-pool">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index c3ae4d1bb6..7ff853907d 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1258,7 +1258,10 @@
 
   <p>The NIO and NIO2 connectors use either the JSSE Java SSL implementation or
   an OpenSSL implementation. As far as possible, common configuration 
attributes
-  are used for both JSSE and OpenSSL.</p>
+  are used for both JSSE and OpenSSL. You cannot mix JSSE specific 
configuration
+  attributes and OpenSSL specific configuration attributes on the same
+  connector. However, you may use either the JSSE or the OpenSSL configuration
+  style with either the JSSE and OpenSSL implementations.</p>
 
   <p>Each secure connector must define at least one
   <strong>SSLHostConfig</strong>. The names of the
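Review bot: The last added sentence of this paragraph reads "with either the JSSE and OpenSSL implementations"; "either" pairs with "or", so this should be "with either the JSSE or the OpenSSL implementation". The sentence also tells readers that either configuration style works with either implementation, while the ssl-howto.xml change in this same commit states that OCSP is not supported when the JSSE configuration style is used. A short qualifier or a cross-reference to the OCSP section would stop readers from assuming the two styles are equivalent in features.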
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 5c95f6a766..df8fcbba25 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -456,20 +456,35 @@ mailing list</a>.</p>
 </section>
 
 <section name="Using OCSP Certificates">
-<p>To use Online Certificate Status Protocol (OCSP) with Apache Tomcat, ensure
-  you have downloaded, installed, and configured the
-  <a href="https://tomcat.apache.org/download-native.cgi";>
-    Tomcat Native Connector</a>.
-Furthermore, if you use the Windows platform, ensure you download the
-ocsp-enabled connector.</p>
+<p>Tomcat supports the Online Certificate Status Protocol (OCSP) to verify the
+status of client provided certificates for a sub-set of connector
+configurations.</p>
+
 <p>To use OCSP, you require the following:</p>
 
 <ul>
   <li>OCSP-enabled certificates</li>
-  <li>Tomcat with SSL APR connector</li>
+  <li>Tomcat with an OCSP enabled connector</li>
   <li>Configured OCSP responder</li>
 </ul>
 
+<p>OCSP is currently implemented for the following connector 
configurations:</p>
+
+<ul>
+  <li>NIO or NIO2 HTTP connector with the
+      <code>org.apache.tomcat.util.net.openssl.OpenSSLImplementation</code>,
+      a Tomcat Native build where OCSP is enabled and using the OpenSSL style
+      configuration.</li>
+  <li>NIO or NIO2 HTTP connector with the
+      
<code>org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation</code>,
+      and using the OpenSSL style configuration. This uses FFM so Java 22 or
+      later is also required.</li>
+</ul>
+
+<p>OCSP is not supported if the
+<code>org.apache.tomcat.util.net.jsse.JSSEImplementation</code> is used or if
+the JSSE configuraton style is used.</p>
+
 <subsection name="Generating OCSP-Enabled Certificates">
 <p>Apache Tomcat requires the OCSP-enabled certificate to have the OCSP
   responder location encoded in the certificate. The basic OCSP-related
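Review bot: Typo in the added "OCSP is not supported" paragraph: "configuraton" should be "configuration". The removed opening paragraph carried the link to the Tomcat Native download page, while the first new list item still requires "a Tomcat Native build where OCSP is enabled"; consider keeping that link in the list item so readers know where to get such a build. "OpenSSL style configuration" is used in both list items without saying which attributes make up that style, so a cross-reference to the SSLHostConfig documentation in config/http.xml would help. Minor style points: "sub-set" is normally written "subset", and "client provided" and "OCSP enabled connector" could be hyphenated to match "OCSP-enabled certificates" in the unchanged list item above.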

