Hi all. I've compiled the newest version of tomcat native in my tomcat 9.0.113 docker container.
Now authentication with a client certificate fails. This has been working fine with 1.3.1/2.0.9. And the same setup still works with the JSSE connector. As I read in the release notes, there have been changes in the verification of OCSP responses. My assumption, as the certs and the client have not changed, would be that there is something missing or a bug. Maybe my certs are wrong, but JSSE is not complaining... Is there anything I can try to debug or get more information within Tomcat?

Thank you,
Peter

Find my logs and config below:

▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
* Host tomcat.fritz.box:8843 was resolved.
* IPv6: (none)
* IPv4: 192.168.126.130
* Trying 192.168.126.130:8843...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: chain.logopk.crt.pem
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
* start date: Jan 14 22:20:04 2026 GMT
* expire date: Apr 14 22:21:04 2026 GMT
* issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
* SSL certificate verified via OpenSSL.
* Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
* using HTTP/1.x
> GET / HTTP/1.1
> Host: tomcat.fritz.box:8843
> User-Agent: curl/8.18.0
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS alert, unknown CA (560):
* OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
* closing connection #0
curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0

As a comparison, the same request with native 1.3.1:

▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
* Host tomcat.fritz.box:8843 was resolved.
* IPv6: (none)
* IPv4: 192.168.126.130
* Trying 192.168.126.130:8843...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: chain.logopk.crt.pem
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
* start date: Jan 14 22:20:04 2026 GMT
* expire date: Apr 14 22:21:04 2026 GMT
* issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
* SSL certificate verified via OpenSSL.
* Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
* using HTTP/1.x
> GET / HTTP/1.1
> Host: tomcat.fritz.box:8843
> User-Agent: curl/8.18.0
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 16
< Date: Thu, 15 Jan 2026 17:05:10 GMT
< Server: Apache Tomcat
<
This is Tomcat
* Connection #0 to host tomcat.fritz.box:8843 left intact

testssl.sh:

Certificate Validity (UTC)   89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
ETS/"eTLS", visibility info  not present
Certificate Revocation List  http://crl.fritz.box:8881/step.crl.pem
OCSP URI                     http://ocsp.fritz.box:8889
OCSP stapling                not offered
OCSP must staple extension   --

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           allowTrace="false" maxThreads="150" SSLEnabled="true" compression="off"
           scheme="https" server="Apache Tomcat" secure="true"
           defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
  <SSLHostConfig hostName="tomcat.fritz.box" honorCipherOrder="true"
                 protocols="+TLSv1.2,+TLSv1.3"
                 certificateVerification="none"
                 certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
                 truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
                 truststorePassword="changeit"
                 ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM" >
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<Connector port="8843" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           server="Apache Tomcat" allowTrace="false" maxThreads="150" SSLEnabled="true"
           defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
  <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
                 hostName="tomcat.fritz.box"
                 protocols="+TLSv1.2,+TLSv1.3"
                 certificateVerification="required"
                 caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
                 disableCompression="true" disableSessionTickets="true"
                 ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
                 certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
    <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
                 certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
                 certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

root@tomcat:/usr/local/tomcat# bin/version.sh
Using CATALINA_BASE:   /opt/apache-tomcat.base
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
Using JRE_HOME:        /opt/java/openjdk
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:   -XX:NativeMemoryTracking=summary -Dhostname=docker3.fritz.box -Djava.awt.headless=true -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60 -Djava.library.path=/usr/local/tomcat/native-jni-lib -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.rmi.port=10002 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=docker3.fritz.box -Dcom.sun.management.jmxremote.local.only=false -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml -XX:+UnlockDiagnosticVMOptions
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Server version: Apache Tomcat/9.0.113
Server built:   Dec 2 2025 19:51:24 UTC
Server number:  9.0.113.0
OS Name:        Linux
OS Version:     6.12.57+deb13-arm64
Architecture:   aarch64
JVM Version:    11.0.29+7
JVM Vendor:     Eclipse Adoptium

root@tomcat:/usr/local/tomcat# openssl version
OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)

tomcat | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
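One offline check that reproduces the server-side part of the failure seen above, added here as an example and not part of Peter's post or of Tomcat: the OpenSSL-backed connector verifies the client certificate against caCertificateFile with OpenSSL's chain builder, so running `openssl verify` on the client certificate with the same CA file shows whether the chain itself is acceptable before OCSP or CRL handling even comes into play. The script assumes the openssl CLI is installed; the CA names and file names (root.crt, int.crt, chain.crt, client.crt) are constructed placeholders, not the files from the post.

```shell
#!/bin/sh
# Added diagnostic, not code from the original post: builds a throwaway
# root -> intermediate -> client PKI with the openssl CLI, then runs the chain
# verification an OpenSSL-backed server performs on a client certificate, once
# with a CA file holding the full chain and once with the root alone.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed throwaway PKI: placeholder names, 2048-bit keys to keep it fast.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=example client" 2>/dev/null
  openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out client.crt 2>/dev/null
  # Full chain, which is what a caCertificateFile needs; root alone for contrast.
  cat root.crt int.crt > chain.crt
}

# Verify a client certificate against a CA file the way the server side does:
# -purpose sslclient applies the client-auth checks, -show_chain prints the
# path that was built. An "unable to get local issuer certificate" result is
# what OpenSSL reports to the peer as the unknown CA alert.
verify_client() { # $1 = CA file, $2 = client certificate
  openssl verify -purpose sslclient -show_chain -CAfile "$1" "$2"
}

build_pki
echo "== CA file with root + intermediate =="
verify_client chain.crt client.crt || echo "unexpected failure"
echo "== CA file with root only (intermediate missing) =="
if verify_client root.crt client.crt; then
  echo "unexpected success"
else
  echo "server side would send the client an unknown CA alert"
fi
```

Pointing verify_client at the real caCertificateFile and client certificate separates a chain problem from the OCSP-related change the release notes describe; a chain that verifies here but is still rejected by the connector points at revocation checking rather than trust.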
