On 15.01.2026 at 18:11, [email protected] wrote:
Hi all.
I've compiled the newest version of Tomcat Native in my Tomcat 9.0.113 Docker
container.
Now authentication with a client certificate fails. This has been working fine
with 1.3.1/2.0.9.
And the same setup still works with the JSSE connector.
As I read in the release notes, there have been changes in the verification of
OCSP responses. My assumption, as the certs and client have not changed, would
be that there is something missing or a bug. Maybe my certs are wrong, but JSSE
is not complaining...
Is there anything I can try to debug or get more information within Tomcat?
Thank you,
Peter
Find my logs and config below:
▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
* Host tomcat.fritz.box:8843 was resolved.
* IPv6: (none)
* IPv4: 192.168.126.130
* Trying 192.168.126.130:8843...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: chain.logopk.crt.pem
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
* start date: Jan 14 22:20:04 2026 GMT
* expire date: Apr 14 22:21:04 2026 GMT
* issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
* SSL certificate verified via OpenSSL.
* Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
* using HTTP/1.x
GET / HTTP/1.1
Host: tomcat.fritz.box:8843
User-Agent: curl/8.18.0
Accept: */*
* Request completely sent off
* TLSv1.3 (IN), TLS alert, unknown CA (560):
* OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
* closing connection #0
curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
As a comparison, the same request with native 1.3.1:
▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
* Host tomcat.fritz.box:8843 was resolved.
* IPv6: (none)
* IPv4: 192.168.126.130
* Trying 192.168.126.130:8843...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: chain.logopk.crt.pem
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
* start date: Jan 14 22:20:04 2026 GMT
* expire date: Apr 14 22:21:04 2026 GMT
* issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
* Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
* subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
* SSL certificate verified via OpenSSL.
* Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
* using HTTP/1.x
GET / HTTP/1.1
Host: tomcat.fritz.box:8843
User-Agent: curl/8.18.0
Accept: */*
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 16
< Date: Thu, 15 Jan 2026 17:05:10 GMT
< Server: Apache Tomcat
<
This is Tomcat
* Connection #0 to host tomcat.fritz.box:8843 left intact
testssl.sh:
Certificate Validity (UTC) 89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
ETS/"eTLS", visibility info not present
Certificate Revocation List http://crl.fritz.box:8881/step.crl.pem
OCSP URI http://ocsp.fritz.box:8889
OCSP stapling not offered
OCSP must staple extension --
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           allowTrace="false"
           maxThreads="150"
           SSLEnabled="true"
           compression="off"
           scheme="https"
           server="Apache Tomcat"
           secure="true"
           defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     compression="on" />
    <SSLHostConfig
            hostName="tomcat.fritz.box"
            honorCipherOrder="true"
            protocols="+TLSv1.2,+TLSv1.3"
            certificateVerification="none"
            certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
            truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
            truststorePassword="changeit"
            ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
            >
        <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
<Connector port="8843"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           server="Apache Tomcat"
           allowTrace="false"
           maxThreads="150"
           SSLEnabled="true"
           defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     compression="on" />
    <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
            hostName="tomcat.fritz.box"
            protocols="+TLSv1.2,+TLSv1.3"
            certificateVerification="required"
            caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
            disableCompression="true"
            disableSessionTickets="true"
            ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
            certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
        <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
                     certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
                     certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
root@tomcat:/usr/local/tomcat# bin/version.sh
Using CATALINA_BASE: /opt/apache-tomcat.base
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
Using JRE_HOME: /opt/java/openjdk
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS: -XX:NativeMemoryTracking=summary -Dhostname=docker3.fritz.box -Djava.awt.headless=true -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60 -Djava.library.path=/usr/local/tomcat/native-jni-lib -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true -Djdk.tls.server.enableStatusRequestExtension=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=10001 -Dcom.sun.management.jmxremote.rmi.port=10002 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=docker3.fritz.box -Dcom.sun.management.jmxremote.local.only=false -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml -XX:+UnlockDiagnosticVMOptions
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Server version: Apache Tomcat/9.0.113
Server built: Dec 2 2025 19:51:24 UTC
Server number: 9.0.113.0
OS Name: Linux
OS Version: 6.12.57+deb13-arm64
Architecture: aarch64
JVM Version: 11.0.29+7
JVM Vendor: Eclipse Adoptium
root@tomcat:/usr/local/tomcat# openssl version
OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
tomcat | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
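An offline reproduction of the client-certificate chain check that the OpenSSL-backed connector performs, added here as an example; it is not part of Peter's mail or of Tomcat. It builds a constructed throw-away PKI (root, intermediate, client) whose AIA and CRL URIs copy the ones testssl.sh reported, verifies the client cert against a complete CA file and against one missing the intermediate (the failure OpenSSL signals to the peer as the "unknown CA" alert seen in the curl trace), and reads out the OCSP and CRL endpoints the server's revocation checks would contact. It assumes only the openssl and sed binaries.

```shell
#!/bin/sh
# Added example, not from the mail: rebuild the client-cert chain check the
# OpenSSL connector runs, offline, against a constructed throw-away PKI
# (root -> intermediate -> client). The AIA/CRL URIs copy testssl.sh's output.
set -e
WORK=$(mktemp -d); cd "$WORK"

cat > ca.cnf <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
cat > client.cnf <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.fritz.box:8889
crlDistributionPoints = URI:http://crl.fritz.box:8881/step.crl.pem
EOF

# Constructed root, intermediate and client certificate, each valid one day.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test root" \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=test intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.cnf -out int.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=test client" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 1 -extfile client.cnf -out client.crt 2>/dev/null
cat int.crt root.crt > chain.pem   # what caCertificateFile has to contain

# Path building, the step the server runs before any OCSP or CRL lookup.
# $1 = CA bundle as given in caCertificateFile, $2 = client cert; prints OK/FAIL.
verify_client_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Revocation endpoints the server would contact, read from the cert itself.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }
crl_uri()  { openssl x509 -in "$1" -noout -ext crlDistributionPoints | sed -n 's/^ *URI://p'; }

echo "full chain:     $(verify_client_cert chain.pem client.crt)"  # OK
echo "root only:      $(verify_client_cert root.crt  client.crt)"  # FAIL, issuer missing
echo "OCSP responder: $(ocsp_uri client.crt)"
echo "CRL URL:        $(crl_uri client.crt)"
# With the chain verified, ask the responder what the server would ask it:
#   openssl ocsp -issuer int.crt -cert client.crt -url "$(ocsp_uri client.crt)" -resp_text
```

Run the same two functions against the real client.crt and the configured chain.logopk.crt.pem: if the first one already prints FAIL, the issuer is missing from caCertificateFile and the OCSP change in the release notes is not the cause.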