On Thu, Jan 15, 2026 at 1:26 AM Rémy Maucherat <[email protected]> wrote:
> On Wed, Jan 14, 2026 at 9:03 PM Mark Thomas <[email protected]> wrote:
> >
> > All,
> >
> > I wanted to provide a progress update as I expected to be in a position
> > to start tagging the January release by now and I'm not.
> >
> > Most of the release preparation is done:
> > - dependencies have been reviewed and updated where necessary
> > - i18n sync with POEditor is complete
> > - open bugs have been resolved
> > - there are a couple of PRs I hoped to merge this time around that will
> > have to wait until Feb but they are for enhancements rather than bugs
> > - The Tomcat Native updates are complete
> > - The TLS 1.3 configuration updates are complete
> >
> > The OCSP protocol updates are where the delay is.
> >
> > I think everything is working for 10.1.x, 11.0.x and 12.0.x although I
> > do want to complete my usual run of the test suites on Windows, Linux
> > and MacOS before tagging and they might expose a bug or two.
> >
> > The challenge at the moment is 9.0.x and APR. The TestOscpEnabled test
> > case is seeing a LOT of failures and I don't understand why at this
> > point. It is getting late here so I probably need to start fresh
> > tomorrow. Most of the issues seem to be around the client verifying the
> > server certificate which is really odd since that code should be the
> > same regardless of Connector.
> >
> > I'm expecting the CI builds for 9.0.x to continue to fail for now but
> > hopefully 11.0.x will continue to pass and 10.1.x will start passing on
> > the next run.
> >
> > I've seen quite a few Native crashes over the last few days. Nothing
> > obviously repeatable at this point but as the test failures get fixed we
> > might start to see a pattern. We'll see.
> >
> > Hopefully, there will be some progress tomorrow and we'll be in a position
> > to start tagging.
> >
> > If anyone does have some time available to look at the failing OCSP
> > tests with 9.0.x and APR that would be great but please don't feel you
> > have to.
>
> I'll look at it once I finish with my various FFM compat issues ...
>
> Rémy
>
> > Mark
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>
I think there are two issues here.
Firstly, removing the truststore file when useOpenSSLTrust is enabled.
Secondly, when the server cert is invalid, the certificate should point to
the revoked one instead of the default CA_CERT_PEM in TesterSupport.initSsl.
I am attaching a draft patch, fixing those issues and resulting in all
tests passing.
The patch breaks something, as I see TestOcspTimeout.testTimeoutWithoutSoftFail
fails. I will look into it later.
Dimitris
Subject: [PATCH] Fix OCSP tests for APR/OpenSSL connector
---
Index: test/org/apache/tomcat/util/net/TesterSupport.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java b/test/org/apache/tomcat/util/net/TesterSupport.java
--- a/test/org/apache/tomcat/util/net/TesterSupport.java (revision 2064283316b9db52124f72a3c405bcb91f9ac4db)
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java (date 1768479532115)
@@ -99,6 +99,8 @@
public static final String LOCALHOST_EC_KEY_PEM = SSL_DIR + "localhost-ec-key.pem";
public static final String LOCALHOST_RSA_CERT_PEM = SSL_DIR + "localhost-rsa-cert.pem";
public static final String LOCALHOST_RSA_KEY_PEM = SSL_DIR + "localhost-rsa-key.pem";
+ public static final String LOCALHOST_CRL_RSA_CERT_PEM = SSL_DIR + "localhost-crl-rsa-cert.pem";
+ public static final String LOCALHOST_CRL_RSA_KEY_PEM = SSL_DIR + "localhost-crl-rsa-key.pem";
public static final String DB_INDEX = SSL_DIR + "index.db";
public static final String OCSP_RESPONDER_RSA_CERT = SSL_DIR + "ocsp-responder-rsa-cert.pem";
public static final String OCSP_RESPONDER_RSA_KEY = SSL_DIR + "ocsp-responder-rsa-key.pem";
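Review bot: the two new constants point at localhost-crl-rsa-cert.pem and localhost-crl-rsa-key.pem under SSL_DIR, but this patch adds no such files (only the existing LOCALHOST_CRL_RSA_JKS is referenced elsewhere in the diff), so either the PEM pair must already be checked in next to localhost-rsa-cert.pem or the APR path in OcspBaseTest will fail at startup with a missing certificate file; please confirm they exist or include them in the patch.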
@@ -182,7 +184,7 @@
certificate.setCertificateFile(new File(LOCALHOST_RSA_CERT_PEM).getAbsolutePath());
certificate.setCertificateKeyFile(new File(LOCALHOST_RSA_KEY_PEM).getAbsolutePath());
sslHostConfig.setCaCertificateFile(new File(CA_CERT_PEM).getAbsolutePath());
- sslHostConfig.setTruststoreFile(new File(CA_JKS).getAbsolutePath());
+ sslHostConfig.setTruststoreFile(null);
}
}
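Review bot: the cover note says the truststore should be dropped only when useOpenSSLTrust is enabled, but the three context lines do not show the enclosing condition, so please confirm this `sslHostConfig.setTruststoreFile(null);` sits inside the useOpenSSLTrust branch; if it is unconditional, every JSSE-based caller of initSsl loses CA_JKS while only setCaCertificateFile(CA_CERT_PEM) remains, which OpenSSL honours but JSSE does not. If the intent is simply to not configure a truststore, omitting the call is clearer than passing null.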
Index: test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java b/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
--- a/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java (revision 2064283316b9db52124f72a3c405bcb91f9ac4db)
+++ b/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java (date 1768479625335)
@@ -38,6 +38,7 @@
import org.apache.catalina.startup.TomcatBaseTest;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.net.SSLHostConfig;
+import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.TesterSupport;
import org.apache.tomcat.util.net.TesterSupport.SimpleServlet;
import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
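Review bot: only the SSLHostConfigCertificate import is added here, yet the second hunk in this file calls `new File(...)` twice; unless java.io.File is already imported in OcspBaseTest (not visible in the context lines), the class will not compile, so add that import alongside this one.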
@@ -126,6 +127,13 @@
TesterSupport.initSsl(tomcat, TesterSupport.LOCALHOST_RSA_JKS, useOpenSSLTrust);
} else {
TesterSupport.initSsl(tomcat, TesterSupport.LOCALHOST_CRL_RSA_JKS, useOpenSSLTrust);
+ if (useOpenSSL && tomcat.getConnector().getProtocolHandlerClassName().contains("Apr")) {
+ SSLHostConfig sslHostConfig = tomcat.getConnector().findSslHostConfigs()[0];
+ SSLHostConfigCertificate certificate = sslHostConfig.getCertificates().iterator().next();
+
+ certificate.setCertificateFile(new File(TesterSupport.LOCALHOST_CRL_RSA_CERT_PEM).getAbsolutePath());
+ certificate.setCertificateKeyFile(new File(TesterSupport.LOCALHOST_CRL_RSA_KEY_PEM).getAbsolutePath());
+ }
}
SSLHostConfig sslHostConfig = tomcat.getConnector().findSslHostConfigs()[0];
switch (verifyClientCert) {
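Review bot: the new block looks up `findSslHostConfigs()[0]` and declares `sslHostConfig` inside the nested `if`, while the unchanged line directly below the `else` performs the same lookup again for the method scope; hoisting that lookup above the `if/else` would remove the duplicate and the confusing same-named local. The `getProtocolHandlerClassName().contains("Apr")` string match also deserves a short comment stating why only the APR connector needs the PEM override (it takes its certificate from the PEM files set in TesterSupport.initSsl rather than from the LOCALHOST_CRL_RSA_JKS passed in), since that is the fix the cover note describes, and `getCertificates().iterator().next()` silently assumes exactly one certificate is configured.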