On 15.01.2026 at 18:11, [email protected] wrote:
Hi all,
I've compiled the newest version of Tomcat Native in my Tomcat 9.0.113 Docker container.
Now authentication with a client certificate fails. This has been working fine with 1.3.1/2.0.9.
And the same setup still works with the JSSE connector.
As I read in the release notes, there have been changes in the verification of OCSP responses. My assumption, as the certs and client have not changed, would be that there is something missing or a bug.
Maybe my certs are wrong, but JSSE is not complaining...
Is there anything I can try to debug or get more information within Tomcat?
Thank you,
Peter
Find my logs and config below:
▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
* Host tomcat.fritz.box:8843 was resolved.
* IPv6: (none)
* IPv4: 192.168.126.130
* Trying 192.168.126.130:8843...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: chain.logopk.crt.pem
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
* start date: Jan 14 22:20:04 2026 GMT
* expire date: Apr 14 22:21:04 2026 GMT
* issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
* SSL certificate verified via OpenSSL.
* Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
* using HTTP/1.x
GET / HTTP/1.1
Host: tomcat.fritz.box:8843
User-Agent: curl/8.18.0
Accept: */*
* Request completely sent off
* TLSv1.3 (IN), TLS alert, unknown CA (560):
* OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
* closing connection #0
curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
As a comparison, the same request with native 1.3.1:
▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
* Host tomcat.fritz.box:8843 was resolved.
* IPv6: (none)
* IPv4: 192.168.126.130
* Trying 192.168.126.130:8843...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: chain.logopk.crt.pem
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
* start date: Jan 14 22:20:04 2026 GMT
* expire date: Apr 14 22:21:04 2026 GMT
* issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
* SSL certificate verified via OpenSSL.
* Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
* using HTTP/1.x
GET / HTTP/1.1
Host: tomcat.fritz.box:8843
User-Agent: curl/8.18.0
Accept: */*
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 16
< Date: Thu, 15 Jan 2026 17:05:10 GMT
< Server: Apache Tomcat
<
This is Tomcat
* Connection #0 to host tomcat.fritz.box:8843 left intact
testssl.sh:
Certificate Validity (UTC) 89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
ETS/"eTLS", visibility info not present
Certificate Revocation List http://crl.fritz.box:8881/step.crl.pem
OCSP URI http://ocsp.fritz.box:8889
OCSP stapling not offered
OCSP must staple extension --
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           allowTrace="false"
           maxThreads="150"
           SSLEnabled="true"
           compression="off"
           scheme="https"
           server="Apache Tomcat"
           secure="true"
           defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
    <SSLHostConfig
        hostName="tomcat.fritz.box"
        honorCipherOrder="true"
        protocols="+TLSv1.2,+TLSv1.3"
        certificateVerification="none"
        certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
        truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
        truststorePassword="changeit"
        ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
        >
        <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
<Connector port="8843"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           server="Apache Tomcat"
           allowTrace="false"
           maxThreads="150"
           SSLEnabled="true"
           defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
    <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
        hostName="tomcat.fritz.box"
        protocols="+TLSv1.2,+TLSv1.3"
        certificateVerification="required"
        caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
        disableCompression="true"
        disableSessionTickets="true"
        ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
        certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
        <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
                     certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
                     certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
root@tomcat:/usr/local/tomcat# bin/version.sh
Using CATALINA_BASE: /opt/apache-tomcat.base
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
Using JRE_HOME: /opt/java/openjdk
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS: -XX:NativeMemoryTracking=summary -Dhostname=docker3.fritz.box -Djava.awt.headless=true -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60 -Djava.library.path=/usr/local/tomcat/native-jni-lib -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.rmi.port=10002 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=docker3.fritz.box -Dcom.sun.management.jmxremote.local.only=false -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml -XX:+UnlockDiagnosticVMOptions
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Server version: Apache Tomcat/9.0.113
Server built: Dec 2 2025 19:51:24 UTC
Server number: 9.0.113.0
OS Name: Linux
OS Version: 6.12.57+deb13-arm64
Architecture: aarch64
JVM Version: 11.0.29+7
JVM Vendor: Eclipse Adoptium
root@tomcat:/usr/local/tomcat# openssl version
OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
tomcat | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
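A way to reproduce outside Tomcat what the OpenSSL-backed connector checks on the client certificate (trust roots from caCertificateFile, intermediates, and the CRL check behind certificateRevocationListFile), so a chain problem that the client only sees as "alert unknown ca" can be pinned down locally. This is an added example, not code from the mail or from Tomcat; the throwaway PKI, its subject names, file names and the helper names are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): build a throwaway root -> intermediate
# -> client PKI and run the server-side style verification against it with openssl.
set -u
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

gen_key_csr() {  # $1 = name, $2 = subject (constructed test data)
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$PKI/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$PKI/client.ext"
    gen_key_csr root "/CN=Test Root CA"
    openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" -days 30 \
        -extfile "$PKI/ca.ext" -out "$PKI/root.crt" 2>/dev/null
    gen_key_csr int "/CN=Test Intermediate CA"
    openssl x509 -req -in "$PKI/int.csr" -CA "$PKI/root.crt" -CAkey "$PKI/root.key" \
        -CAcreateserial -days 30 -extfile "$PKI/ca.ext" -out "$PKI/int.crt" 2>/dev/null
    gen_key_csr client "/CN=Test Client"
    openssl x509 -req -in "$PKI/client.csr" -CA "$PKI/int.crt" -CAkey "$PKI/int.key" \
        -CAcreateserial -days 30 -extfile "$PKI/client.ext" -out "$PKI/client.crt" 2>/dev/null
}

# Verify client cert $2 against trust store $1 the way the server does. Further
# arguments go to openssl verify, e.g. "-untrusted int.crt" (intermediate present
# in the CA chain file) or "-crl_check -CRLfile x.crl" (CRL bundle). Prints "OK"
# or OpenSSL's reason; "unable to get local issuer certificate" is the server-side
# failure that the client then sees as "TLS alert, unknown CA".
verify_client_cert() {
    ca=$1; leaf=$2; shift 2
    out=$(openssl verify -CAfile "$ca" "$@" "$leaf" 2>&1 || true)
    case $out in
        *": OK"*) echo OK; return 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
           return 1 ;;
    esac
}

make_test_pki
echo "full chain present:    $(verify_client_cert "$PKI/root.crt" "$PKI/client.crt" -untrusted "$PKI/int.crt")"
echo "intermediate missing:  $(verify_client_cert "$PKI/root.crt" "$PKI/client.crt")"
echo "CRL check without CRL: $(verify_client_cert "$PKI/root.crt" "$PKI/client.crt" -untrusted "$PKI/int.crt" -crl_check)"
```

Pointing verify_client_cert at the real caCertificateFile, client certificate and CRL bundle from the connector above gives the reason text that the TLS alert hides from the client.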