This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 189d5fa55a Improve OCSP docs
189d5fa55a is described below
commit 189d5fa55a085c09c805c06ee765d8f1b9f28d2f
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Nov 28 17:25:57 2025 +0000
Improve OCSP docs
---
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/http.xml | 12 ++++++------
webapps/docs/ssl-howto.xml | 31 ++++++++++++++++++++++++-------
3 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7c5b6663d2..cb0c2568d6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -171,6 +171,10 @@
Manager: Include web application state in the HTML and JSON complete
server status output. (markt)
</add>
+ <add>
+ Documentation: Expand the documentation to better explain when OCSP is
+ supported and when it is not. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="jdbc-pool">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index da87322a1c..a4004e2a14 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1352,14 +1352,14 @@
respectively, to pass correct information to the servlets.</p>
<p>The NIO and NIO2 connectors use either the JSSE Java SSL implementation or
- an OpenSSL implementation, whereas the APR/native connector uses OpenSSL
only.
+ an OpenSSL implementation whereas the APR/native connector uses OpenSSL only.
Prior to Tomcat 8.5, different configuration attributes were used for JSSE
and
OpenSSL. From Tomcat 8.5 onwards, and as far as possible, common
configuration
- attributes are used for both JSSE and OpenSSL. Also if using the JSSE OpenSSL
- implementation, configuration can be set using either the JSSE or APR
- attributes (note: but not both types within the same configuration). This is
- to aid simpler switching between connector implementations for SSL
- connectors.</p>
+ attributes are used for both JSSE and OpenSSL. You cannot mix JSSE specific
+ configuration attributes and OpenSSL specific configuration attributes on the
+ same NIO or NIO2 connector. However, you may use either the JSSE or the
OpenSSL
+ configuration style with the NIO and NIO2 connectors with either the JSSE or
+ OpenSSL implementations.</p>
<p>Each secure connector must define at least one
<strong>SSLHostConfig</strong>. The names of the
diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml
index 01e51ac7bc..a674d22808 100644
--- a/webapps/docs/ssl-howto.xml
+++ b/webapps/docs/ssl-howto.xml
@@ -454,20 +454,37 @@ mailing list</a>.</p>
</section>
<section name="Using OCSP Certificates">
-<p>To use Online Certificate Status Protocol (OCSP) with Apache Tomcat, ensure
- you have downloaded, installed, and configured the
- <a href="https://tomcat.apache.org/download-native.cgi";>
- Tomcat Native Connector</a>.
-Furthermore, if you use the Windows platform, ensure you download the
-ocsp-enabled connector.</p>
+<p>Tomcat supports the Online Certificate Status Protocol (OCSP) to verify the
+status of client provided certificates for a sub-set of connector
+configurations.</p>
+
<p>To use OCSP, you require the following:</p>
<ul>
<li>OCSP-enabled certificates</li>
- <li>Tomcat with SSL APR connector</li>
+ <li>Tomcat with an OCSP enabled connector</li>
<li>Configured OCSP responder</li>
</ul>
+<p>OCSP is currently implemented for the following connector
configurations:</p>
+
+<ul>
+ <li>NIO or NIO2 HTTP connector with the
+ <code>org.apache.tomcat.util.net.openssl.OpenSSLImplementation</code>,
+ a Tomcat Native build where OCSP is enabled and using the OpenSSL style
+ configuration.</li>
+ <li>NIO or NIO2 HTTP connector with the
+
<code>org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation</code>,
+ and using the OpenSSL style configuration. This uses FFM so Java 22 or
+ later is also required.</li>
+ <li>APR/native HTTP connector with a Tomcat Native build where OCSP is
+ enabled.</li>
+</ul>
+
+<p>OCSP is not supported if the
+<code>org.apache.tomcat.util.net.jsse.JSSEImplementation</code> is used or if
+the JSSE configuraton style is used.</p>
+
<subsection name="Generating OCSP-Enabled Certificates">
<p>Apache Tomcat requires the OCSP-enabled certificate to have the OCSP
responder location encoded in the certificate. The basic OCSP-related
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
