On Wed, Dec 10, 2025 at 6:24 PM Mark Thomas <[email protected]> wrote:
>
> On 05/12/2025 09:43, Michael Osipov wrote:
> > On 2025/12/04 16:38:04 Mark Thomas wrote:
> >> Hi all,
> >>
> >> Just a quick update.
> >>
> >> Generally, things are moving forward nicely. OCSP protocol is working
> >> (at a basic level) for:
> >> - pure JSSE
> >> - Tomcat Native / OpenSSL with JSSE trust
> >> - Tomcat Native / OpenSSL with OpenSSL trust
> >> - FFM / OpenSSL with JSSE trust
> >> - FFM / OpenSSL with OpenSSL trust
> >>
> >> I'm starting to look at aligning checks that JSSE and OpenSSL perform
> >> and I am starting to reach the limits of what is possible with
> >> pre-generated OCSP responses - particularly time based validation.
> >>
> >> I think I am going to need to re-work the OCSP tests to use a "real"
> >> OCSP responder. My plan is to use openssl (since it is required for
> >> these tests anyway) and an expanded set of keys/certs we currently use
> >> for the other TLS tests.
> >>
> >> We are starting to see dependencies on new Tomcat Native features so
> >> some of the changes to 12.0.x will need to wait until the next Tomcat
> >> Native release is available. I do plan to commit the changes I can as
> >> soon as I am confident that they are stable.
> >
> > A few remarks on OCSP: I noticed mutual TLS auth a few years ago and
> > never understood why Rainer did this. I instantly had to set
> > <OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" /> because it is a
> > custom hack in libtcnative to always enable OCSP checks, and our OCSP
> > responder was very often very slow. I had to read the source code and
> > trace system calls to understand what was going on. It would be better
> > to do what mod_ssl does:
> > https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslocspenable
>
> I had already opted to disable OCSP checking by default so you should be
> good.
>
> Thanks again to Rémy and Dimitris who have provided the basis for a lot
> of the additional code.
>
> I now have Tomcat Native and Tomcat trunk patches that work together and
> they should be consistent. OCSP testing is extended to include soft
> fails (no and slow responders), all 5 variations of TLS config for a
> single Connector and the 2017 security issue.
>
> The additional OCSP checks broke the existing checks in a number of ways
> (no nonce, old timestamp) so I think I'm going to have to remove them.
>
> My plan is to commit the changes to Tomcat Native, produce 2.0.x and
> 1.3.x releases and then commit the changes to Tomcat. There might be a
> few early changes to Tomcat to account for new OCSP functionality else
> we may start to see CI failures as we test latest Tomcat code with
> latest Tomcat Native code.

+1, I'll definitely look at the code.

Rémy

> Before I do that, I want to look at what went wrong with the Windows
> binaries for the Commons Daemon 1.5.0 release.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
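The thread talks about replacing pre-generated OCSP responses with a "real" openssl-driven responder, and about the checks (nonce, old timestamp) that such responses have to satisfy. The script below is an added example, not code from the thread, from Tomcat or from Tomcat Native: it runs the whole OCSP exchange offline with nothing but the openssl CLI, which is assumed to be installed. The throwaway CA, the delegated OCSP signer certificate, the two leaf certificates (one good, one revoked) and the responder index file are all constructed in a temp directory; every file name and serial number is my choice. It shows the nonce binding a response to the request it answered (a second request with its own nonce is rejected against the same response) and the nextUpdate field the responder publishes for time-based validation.

```shell
#!/bin/sh
# Added example (not Tomcat or Tomcat Native code): offline OCSP round trip
# with the openssl CLI. All keys, certs, serials and the index are constructed.
set -eu

# Throwaway PKI in $1: CA, delegated OCSP signer (OCSPSigning EKU), a good
# leaf (serial 0x1000) and a revoked leaf (serial 0x2000).
setup_pki() (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
    for n in ca ocsp good revoked; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=$n.test" 2>/dev/null
    done
    openssl x509 -req -in ca.csr -signkey ca.key -days 30 \
        -extfile ca.ext -out ca.pem 2>/dev/null
    openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x10 \
        -days 30 -extfile ocsp.ext -out ocsp.pem 2>/dev/null
    openssl x509 -req -in good.csr -CA ca.pem -CAkey ca.key \
        -set_serial 0x1000 -days 30 -out good.pem 2>/dev/null
    openssl x509 -req -in revoked.csr -CA ca.pem -CAkey ca.key \
        -set_serial 0x2000 -days 30 -out revoked.pem 2>/dev/null
    # Responder database in "openssl ca" index format (tab separated):
    # status, expiry, revocation time, serial (hex), filename, subject.
    printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=good.test\n' > index.txt
    printf 'R\t991231235959Z\t251201000000Z\t2000\tunknown\t/CN=revoked.test\n' \
        >> index.txt
)

# Client side: request the status of $2, for the CA. openssl adds a fresh
# nonce to every request it creates; the DER request is written to $3.
make_request() (
    cd "$1" && openssl ocsp -issuer ca.pem -cert "$2" -reqout "$3" \
        >/dev/null 2>&1
)

# Responder side: answer request $2 from the index, sign with the delegated
# signer, copy the request nonce and set nextUpdate one day ahead (-ndays 1).
# The responder does not validate its own output (-noverify); clients do.
answer_request() (
    cd "$1" && openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem \
        -rkey ocsp.key -ndays 1 -reqin "$2" -respout "$3" -noverify \
        >/dev/null 2>&1
)

# Relying party: verify the signer chain against the CA and require the
# response nonce to equal the nonce of request $2. Exit status is openssl's:
# non-zero on a bad chain or on a nonce mismatch.
verify_response() (
    cd "$1" && openssl ocsp -reqin "$2" -respin "$3" -CAfile ca.pem \
        >/dev/null 2>&1
)

# Print the status openssl reports for cert $3 in response $2
# (good / revoked / unknown). -no_nonce: this ad hoc request is not the
# one the response answered, so only chain and validity window are checked.
cert_status() (
    cd "$1" && openssl ocsp -respin "$2" -issuer ca.pem -cert "$3" \
        -CAfile ca.pem -no_nonce 2>/dev/null | sed -n "s/^$3: //p"
)

# True when the response carries a nextUpdate, i.e. the responder published
# how long the status may be cached (the time window a client validates).
has_next_update() (
    cd "$1" && openssl ocsp -respin "$2" -text -noverify 2>/dev/null \
        | grep -q 'Next Update'
)

# Stand-alone run: good and revoked lookups, then a nonce mismatch.
main() {
    dir=$(mktemp -d)
    setup_pki "$dir"
    make_request "$dir" good.pem req.der
    answer_request "$dir" req.der resp.der
    verify_response "$dir" req.der resp.der && echo "chain and nonce OK"
    echo "good.pem: $(cert_status "$dir" resp.der good.pem)"
    make_request "$dir" revoked.pem req_r.der
    answer_request "$dir" req_r.der resp_r.der
    echo "revoked.pem: $(cert_status "$dir" resp_r.der revoked.pem)"
    make_request "$dir" good.pem other.der   # new nonce, never answered
    verify_response "$dir" other.der resp.der || echo "stale nonce rejected"
    rm -rf "$dir"
}
main
```

The client-side time checks the thread refers to are the `-validity_period` (allowed clock skew around thisUpdate/nextUpdate) and `-status_age` (maximum age of thisUpdate) options of `openssl ocsp`; with a live responder both fields are fresh, which is exactly what a pre-generated response cannot offer once its nextUpdate has passed.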
