This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 21aa14f85a Add check for LibreSSL 3.5+ for OCSP
21aa14f85a is described below
commit 21aa14f85addf5cc4159d4219d525a8c1759a296
Author: remm <[email protected]>
AuthorDate: Wed Jan 14 16:58:28 2026 +0100
Add check for LibreSSL 3.5+ for OCSP
---
.../util/net/openssl/panama/OpenSSLEngine.java | 2 +-
.../util/openssl/openssl_h_Compatibility.java | 26 ++++++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 69fb642a86..744c998d2b 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1300,7 +1300,7 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
private static int processOCSPRequest(EngineState state, URL url,
MemorySegment issuer, MemorySegment x509,
MemorySegment /* X509_STORE_CTX */ x509ctx, Arena localArena) {
- if (openssl_h_Compatibility.BORINGSSL) {
+ if (openssl_h_Compatibility.BORINGSSL ||
openssl_h_Compatibility.isLibreSSLPre35()) {
return V_OCSP_CERTSTATUS_UNKNOWN();
}
MemorySegment ocspRequest = MemorySegment.NULL;
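Review bot: The early return taken when `openssl_h_Compatibility.isLibreSSLPre35()` is true reports `V_OCSP_CERTSTATUS_UNKNOWN()` with no comment or log, so on LibreSSL older than 3.5 the OCSP lookup is skipped without leaving any trace. How the caller treats an unknown status is not visible in this hunk; if it lets the handshake proceed, revocation goes unchecked on those builds, and an operator should be able to see that. I would add a comment above the `if`, such as `// OCSP processing is not supported with BoringSSL or LibreSSL < 3.5: status is reported as unknown and no revocation check is performed`, and consider a one-time log message at the same place. The body of processOCSPRequest continues past the end of the hunk.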
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
index 69e9311e20..bb9bfd9fe2 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
@@ -34,12 +34,38 @@ public class openssl_h_Compatibility {
public static final boolean OPENSSL3;
public static final boolean BORINGSSL;
public static final boolean LIBRESSL;
+
+ public static final int MAJOR;
+ public static final int MINOR;
+
static {
String versionString = OpenSSL_version(0).getString(0);
OPENSSL = versionString.contains("OpenSSL");
OPENSSL3 = OPENSSL && OpenSSL_version_num() >= 0x3000000fL;
BORINGSSL = versionString.contains("BoringSSL");
LIBRESSL = versionString.contains("LibreSSL");
+ int majorVersion = 0;
+ int minorVersion = 0;
+ try {
+ String[] blocks = versionString.split("\\s");
+ if (blocks.length >= 2) {
+ versionString = blocks[1];
+ }
+ String[] versionNumberStrings = versionString.split("\\.");
+ if (versionNumberStrings.length >= 2) {
+ majorVersion = Integer.parseInt(versionNumberStrings[0]);
+ minorVersion = Integer.parseInt(versionNumberStrings[1]);
+ }
+ } catch (Exception e) {
+ // Ignore, default to 0
+ } finally {
+ MAJOR = majorVersion;
+ MINOR = minorVersion;
+ }
+ }
+
+ public static boolean isLibreSSLPre35() {
+ return LIBRESSL && ((MAJOR == 3 && MINOR < 5) || MAJOR < 3);
}
// OpenSSL 1.1 FIPS_mode
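Review bot: When the version string cannot be parsed, `MAJOR` and `MINOR` stay 0, and `isLibreSSLPre35()` then returns true for every LibreSSL build through its `MAJOR < 3` arm. The `catch (Exception e)` in the static block therefore silently turns a parsing problem into "OCSP disabled". Narrowing it to `} catch (NumberFormatException e) {` would keep unrelated failures visible, since the length checks leave `Integer.parseInt` as the only call in the `try` that is expected to throw. The new public fields should also carry a comment stating that 0 means the version was not recognised, for example `// 0 when the library version string could not be parsed`. `isLibreSSLPre35()` should get a Javadoc line saying that a LibreSSL build with an unparsed version is treated as older than 3.5.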