(tomcat) branch 10.1.x updated: Add check for LibreSSL 3.5+ for OCSP

Wed, 14 Jan 2026 08:18:21 -0800 

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new a5895e098c Add check for LibreSSL 3.5+ for OCSP
a5895e098c is described below

commit a5895e098c5a8e0bfd00158ae525f0cf92f48643
Author: remm <[email protected]>
AuthorDate: Wed Jan 14 16:58:28 2026 +0100

    Add check for LibreSSL 3.5+ for OCSP
---
 .../util/net/openssl/panama/OpenSSLEngine.java     |  2 +-
 .../util/openssl/openssl_h_Compatibility.java      | 26 ++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java 
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index c9e3b4653b..bad194282f 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -1299,7 +1299,7 @@ public final class OpenSSLEngine extends SSLEngine 
implements SSLUtil.ProtocolIn
 
     private static int processOCSPRequest(EngineState state, URL url, 
MemorySegment issuer, MemorySegment x509,
             MemorySegment /* X509_STORE_CTX */ x509ctx, Arena localArena) {
-        if (openssl_h_Compatibility.BORINGSSL) {
+        if (openssl_h_Compatibility.BORINGSSL || 
openssl_h_Compatibility.isLibreSSLPre35()) {
             return V_OCSP_CERTSTATUS_UNKNOWN();
         }
         MemorySegment ocspRequest = MemorySegment.NULL;
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java 
b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
index 34c5241359..c804d22ae0 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
@@ -33,12 +33,38 @@ public class openssl_h_Compatibility {
     public static final boolean OPENSSL3;
     public static final boolean BORINGSSL;
     public static final boolean LIBRESSL;
+
+    public static final int MAJOR;
+    public static final int MINOR;
+
     static {
         String versionString = OpenSSL_version(0).getString(0);
         OPENSSL = versionString.contains("OpenSSL");
         OPENSSL3 = OPENSSL && OpenSSL_version_num() >= 0x3000000fL;
         BORINGSSL = versionString.contains("BoringSSL");
         LIBRESSL = versionString.contains("LibreSSL");
+        int majorVersion = 0;
+        int minorVersion = 0;
+        try {
+            String[] blocks = versionString.split("\\s");
+            if (blocks.length >= 2) {
+                versionString = blocks[1];
+            }
+            String[] versionNumberStrings = versionString.split("\\.");
+            if (versionNumberStrings.length >= 2) {
+                majorVersion = Integer.parseInt(versionNumberStrings[0]);
+                minorVersion = Integer.parseInt(versionNumberStrings[1]);
+            }
+        } catch (Exception e) {
+            // Ignore, default to 0
+        } finally {
+            MAJOR = majorVersion;
+            MINOR = minorVersion;
+        }
+    }
+
+    public static boolean isLibreSSLPre35() {
+        return LIBRESSL && ((MAJOR == 3 && MINOR < 5) || MAJOR < 3);
     }
 
     // OpenSSL 1.1 FIPS_mode


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to