OK, I see. For the moment I will go back to 1.3.1. However, how could I possibly see what is wrong? Is there a log?

BTW: I have no issues with OCSP verification in Apache, NGINX or haproxy.

Thanks
Peter

> On 16.01.2026 at 16:30, Rémy Maucherat <[email protected]> wrote:
>
> On Fri, Jan 16, 2026 at 3:59 PM <[email protected]> wrote:
>>
>> Hi Mark,
>>
>> I have compiled 1.3.5 - but with the same result.
>>
>>>>>> - disable OCSP (set ocspEnabled="false" on the SSLHostConfig)
>>
>> this is not available yet in 9.0.113, right? Could that lead to the default
>> "false" in 9.0.113?
>>
>> I did not follow the exact logic: will I have to set this to true or will
>> this be set automagically if I have an OCSP cert?
>
> I would say you have to use the OpenSSLConfCmd for OCSP to configure
> it to see if it works for you, because the new flags are not there
> yet.
> https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java#L435
>
> Since strict verification of everything was added, maybe that's the
> issue and you need to configure "OCSP_VERIFY_FLAGS" to relax it. I
> think "16" (OCSP_NOVERIFY) means "anything goes" like before.
>
> Rémy
>
>> Thanks, Peter.
>>
>>
>>> On 16.01.2026 at 11:22, Mark Thomas <[email protected]> wrote:
>>>
>>> On 16/01/2026 09:48, Mark Thomas wrote:
>>>> On 15/01/2026 20:33, [email protected] wrote:
>>>>> Thank you Mark.
>>>>>
>>>>> Do you mind sharing some more detail? I can't see a bugzilla...
>>>> All the discussion is on the dev list.
>>>
>>> As are the details for the 1.3.5 release candidate that is now available
>>> for testing.
>>>
>>> Mark
>>>
>>>> Mark
>>>>>
>>>>>> On 15.01.2026 at 19:03, Mark Thomas <[email protected]> wrote:
>>>>>>
>>>>>> There is an issue with Tomcat Native 1.3.4, OCSP and the APR/Native
>>>>>> connector.
>>>>>>
>>>>>> Your options are:
>>>>>> - switch back to 1.3.1
>>>>>> - switch to NIO or NIO2 rather than APR
>>>>>> - disable OCSP (set ocspEnabled="false" on the SSLHostConfig)
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>> On 15/01/2026 17:16, [email protected] wrote:
>>>>>>> BTW:
>>>>>>> From the release notes:
>>>>>>> * Add: Add the ability to configure the OCSP checks to soft-fail
>>>>>>>   - i.e. if the responder cannot be contacted or fails to respond in a
>>>>>>>   timely manner the OCSP check will not fail. (markt)
>>>>>>> * Add: Add a configurable timeout to the writing of OCSP requests
>>>>>>>   and reading of OCSP responses. (markt)
>>>>>>> * Add: Add the ability to control the OCSP verification flags.
>>>>>>>   (markt)
>>>>>>> How can I configure the new settings? Or control the OCSP verification
>>>>>>> flags?
>>>>>>> Thanks again.
>>>>>>>> On 15.01.2026 at 18:11, [email protected] wrote:
>>>>>>>>
>>>>>>>> Hi all.
>>>>>>>>
>>>>>>>> I've compiled the newest version of tomcat native in my tomcat 9.0.113
>>>>>>>> docker container.
>>>>>>>>
>>>>>>>> Now authentication with a client certificate fails. This has been
>>>>>>>> working fine with 1.3.1/2.0.9.
>>>>>>>> And the same setup still works with the JSSE connector.
>>>>>>>>
>>>>>>>> As I read in the release notes there have been changes in the
>>>>>>>> verification of OCSP responses. My assumption, as the certs and client
>>>>>>>> have not changed, would be that there is something missing or a bug.
>>>>>>>> Maybe my certs are wrong, but JSSE is not complaining...
>>>>>>>>
>>>>>>>> Is there anything I can try to debug or get more information within
>>>>>>>> tomcat?
>>>>>>>>
>>>>>>>> Thank You
>>>>>>>>
>>>>>>>> Peter
>>>>>>>>
>>>>>>>> Find my logs and config below:
>>>>>>>>
>>>>>>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
>>>>>>>> * Host tomcat.fritz.box:8843 was resolved.
>>>>>>>> * IPv6: (none)
>>>>>>>> * IPv4: 192.168.126.130
>>>>>>>> *   Trying 192.168.126.130:8843...
>>>>>>>> * ALPN: curl offers http/1.1
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>>>>>>> * SSL Trust Anchors:
>>>>>>>> *   CAfile: chain.logopk.crt.pem
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>>>>>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
>>>>>>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
>>>>>>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
>>>>>>>> * ALPN: server accepted http/1.1
>>>>>>>> * Server certificate:
>>>>>>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
>>>>>>>> *  start date: Jan 14 22:20:04 2026 GMT
>>>>>>>> *  expire date: Apr 14 22:21:04 2026 GMT
>>>>>>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
>>>>>>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
>>>>>>>> *  SSL certificate verified via OpenSSL.
>>>>>>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
>>>>>>>> * using HTTP/1.x
>>>>>>>> > GET / HTTP/1.1
>>>>>>>> > Host: tomcat.fritz.box:8843
>>>>>>>> > User-Agent: curl/8.18.0
>>>>>>>> > Accept: */*
>>>>>>>> >
>>>>>>>> * Request completely sent off
>>>>>>>> * TLSv1.3 (IN), TLS alert, unknown CA (560):
>>>>>>>> * OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
>>>>>>>> * closing connection #0
>>>>>>>> curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
>>>>>>>>
>>>>>>>> as comparison the same request with native 1.3.1:
>>>>>>>>
>>>>>>>> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
>>>>>>>> * Host tomcat.fritz.box:8843 was resolved.
>>>>>>>> * IPv6: (none)
>>>>>>>> * IPv4: 192.168.126.130
>>>>>>>> *   Trying 192.168.126.130:8843...
>>>>>>>> * ALPN: curl offers http/1.1
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>>>>>>> * SSL Trust Anchors:
>>>>>>>> *   CAfile: chain.logopk.crt.pem
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>>>>>>> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Finished (20):
>>>>>>>> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
>>>>>>>> * TLSv1.3 (OUT), TLS handshake, Finished (20):
>>>>>>>> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
>>>>>>>> * ALPN: server accepted http/1.1
>>>>>>>> * Server certificate:
>>>>>>>> *  subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
>>>>>>>> *  start date: Jan 14 22:20:04 2026 GMT
>>>>>>>> *  expire date: Apr 14 22:21:04 2026 GMT
>>>>>>>> *  issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
>>>>>>>> *  Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>>>> *  Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
>>>>>>>> *  subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
>>>>>>>> *  SSL certificate verified via OpenSSL.
>>>>>>>> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
>>>>>>>> * using HTTP/1.x
>>>>>>>> > GET / HTTP/1.1
>>>>>>>> > Host: tomcat.fritz.box:8843
>>>>>>>> > User-Agent: curl/8.18.0
>>>>>>>> > Accept: */*
>>>>>>>> >
>>>>>>>> * Request completely sent off
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
>>>>>>>> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
>>>>>>>> < HTTP/1.1 200
>>>>>>>> < Strict-Transport-Security: max-age=31536000
>>>>>>>> < X-Frame-Options: DENY
>>>>>>>> < X-Content-Type-Options: nosniff
>>>>>>>> < X-XSS-Protection: 1; mode=block
>>>>>>>> < Content-Type: text/html;charset=ISO-8859-1
>>>>>>>> < Content-Length: 16
>>>>>>>> < Date: Thu, 15 Jan 2026 17:05:10 GMT
>>>>>>>> < Server: Apache Tomcat
>>>>>>>> <
>>>>>>>>
>>>>>>>> This is Tomcat
>>>>>>>> * Connection #0 to host tomcat.fritz.box:8843 left intact
>>>>>>>>
>>>>>>>>
>>>>>>>> testssl.sh:
>>>>>>>>
>>>>>>>> Certificate Validity (UTC)    89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
>>>>>>>> ETS/"eTLS", visibility info   not present
>>>>>>>> Certificate Revocation List   http://crl.fritz.box:8881/step.crl.pem
>>>>>>>> OCSP URI                      http://ocsp.fritz.box:8889
>>>>>>>> OCSP stapling                 not offered
>>>>>>>> OCSP must staple extension    --
>>>>>>>>
>>>>>>>>
>>>>>>>> <Connector port="8443"
>>>>>>>>     protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>>>>>>     sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>>>>>>     allowTrace="false"
>>>>>>>>     maxThreads="150"
>>>>>>>>     SSLEnabled="true"
>>>>>>>>     compression="off"
>>>>>>>>     scheme="https"
>>>>>>>>     server="Apache Tomcat"
>>>>>>>>     secure="true"
>>>>>>>>     defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
>>>>>>>>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
>>>>>>>>   <SSLHostConfig
>>>>>>>>       hostName="tomcat.fritz.box"
>>>>>>>>       honorCipherOrder="true"
>>>>>>>>       protocols="+TLSv1.2,+TLSv1.3"
>>>>>>>>       certificateVerification="none"
>>>>>>>>       certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
>>>>>>>>       truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
>>>>>>>>       truststorePassword="changeit"
>>>>>>>>       ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
>>>>>>>>       >
>>>>>>>>     <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
>>>>>>>>         certificateKeystorePassword="changeit"
>>>>>>>>         certificateKeyAlias="tomcat"
>>>>>>>>         type="RSA" />
>>>>>>>>   </SSLHostConfig>
>>>>>>>> </Connector>
>>>>>>>>
>>>>>>>> <Connector port="8843"
>>>>>>>>     protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>>>>>>     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>>>>>>>>     server="Apache Tomcat"
>>>>>>>>     allowTrace="false"
>>>>>>>>     maxThreads="150"
>>>>>>>>     SSLEnabled="true"
>>>>>>>>     defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
>>>>>>>>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
>>>>>>>>   <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
>>>>>>>>       hostName="tomcat.fritz.box"
>>>>>>>>       protocols="+TLSv1.2,+TLSv1.3"
>>>>>>>>       certificateVerification="required"
>>>>>>>>       caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
>>>>>>>>       disableCompression="true"
>>>>>>>>       disableSessionTickets="true"
>>>>>>>>       ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
>>>>>>>>       certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
>>>>>>>>     <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
>>>>>>>>         certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
>>>>>>>>         certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
>>>>>>>>         type="RSA" />
>>>>>>>>   </SSLHostConfig>
>>>>>>>> </Connector>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> root@tomcat:/usr/local/tomcat# bin/version.sh
>>>>>>>> Using CATALINA_BASE:   /opt/apache-tomcat.base
>>>>>>>> Using CATALINA_HOME:   /usr/local/tomcat
>>>>>>>> Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
>>>>>>>> Using JRE_HOME:        /opt/java/openjdk
>>>>>>>> Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
>>>>>>>> Using CATALINA_OPTS:   -XX:NativeMemoryTracking=summary
>>>>>>>>     -Dhostname=docker3.fritz.box -Djava.awt.headless=true
>>>>>>>>     -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks
>>>>>>>>     -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log
>>>>>>>>     -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60
>>>>>>>>     -Djava.library.path=/usr/local/tomcat/native-jni-lib
>>>>>>>>     -Djdk.tls.ephemeralDHKeySize=2048
>>>>>>>>     -Djdk.tls.rejectClientInitiatedRenegotiation=true
>>>>>>>>     -Djdk.tls.server.enableStatusRequestExtension=true
>>>>>>>>     -Dcom.sun.management.jmxremote
>>>>>>>>     -Dcom.sun.management.jmxremote.port=10001
>>>>>>>>     -Dcom.sun.management.jmxremote.rmi.port=10002
>>>>>>>>     -Dcom.sun.management.jmxremote.authenticate=false
>>>>>>>>     -Dcom.sun.management.jmxremote.ssl=false
>>>>>>>>     -Djava.rmi.server.hostname=docker3.fritz.box
>>>>>>>>     -Dcom.sun.management.jmxremote.local.only=false
>>>>>>>>     -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml
>>>>>>>>     -XX:+UnlockDiagnosticVMOptions
>>>>>>>> NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED
>>>>>>>>     --add-opens=java.base/java.lang.invoke=ALL-UNNAMED
>>>>>>>>     --add-opens=java.base/java.lang.reflect=ALL-UNNAMED
>>>>>>>>     --add-opens=java.base/java.io=ALL-UNNAMED
>>>>>>>>     --add-opens=java.base/java.util=ALL-UNNAMED
>>>>>>>>     --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
>>>>>>>>     --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
>>>>>>>> Server version: Apache Tomcat/9.0.113
>>>>>>>> Server built:   Dec 2 2025 19:51:24 UTC
>>>>>>>> Server number:  9.0.113.0
>>>>>>>> OS Name:        Linux
>>>>>>>> OS Version:     6.12.57+deb13-arm64
>>>>>>>> Architecture:   aarch64
>>>>>>>> JVM Version:    11.0.29+7
>>>>>>>> JVM Vendor:     Eclipse Adoptium
>>>>>>>>
>>>>>>>> root@tomcat:/usr/local/tomcat# openssl version
>>>>>>>> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
>>>>>>>>
>>>>>>>> tomcat | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>> For additional commands, e-mail: [email protected]
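Peter's question ("how could I possibly see what is wrong?") can be answered outside Tomcat: the native connector's OCSP check on a client certificate is, at bottom, OpenSSL's OCSP_basic_verify() applied to the responder's answer, and the same verification can be replayed with the openssl CLI under progressively relaxed flags. The rung at which it first passes tells you which class of check a strict verifier objects to, and the bit value shown for that rung is the number Rémy's reply refers to for OCSP_VERIFY_FLAGS. This is an added example, not code from the thread or from the Tomcat project. It assumes the file names in Peter's config and testssl.sh output (client.crt, int.logopk.crt.pem, chain.logopk.crt.pem, http://ocsp.fritz.box:8889), that the openssl CLI is installed and that the responder is reachable from where it is run; the function names are mine.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): replay the OCSP check the native
# connector performs on a client certificate with the openssl CLI, under
# progressively relaxed verification flags.
#
# Assumed inputs (names taken from the thread; adjust to your deployment):
#   client.crt                  the client certificate that is rejected
#   int.logopk.crt.pem          the CA that issued it (passed as -issuer)
#   chain.logopk.crt.pem        the bundle Tomcat uses as caCertificateFile
#   http://ocsp.fritz.box:8889  the OCSP responder named in the certificate

# Decode an OpenSSL OCSP verify-flag bitmask (the number an OCSP_VERIFY_FLAGS
# setting would carry) into the constant names from <openssl/ocsp.h>.
explain_ocsp_flags() {
    mask=$1
    names=""
    for pair in 1:OCSP_NOCERTS 2:OCSP_NOINTERN 4:OCSP_NOSIGS 8:OCSP_NOCHAIN \
                16:OCSP_NOVERIFY 32:OCSP_NOEXPLICIT 64:OCSP_NOCASIGN \
                128:OCSP_NODELEGATED 256:OCSP_NOCHECKS 512:OCSP_TRUSTOTHER \
                1024:OCSP_RESPID_KEY 2048:OCSP_NOTIME; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( mask & bit )) -ne 0 ]; then
            if [ -n "$names" ]; then names="$names|$name"; else names=$name; fi
        fi
    done
    printf '%s\n' "${names:-0}"
}

# One OCSP query. $1 holds extra flags for 'openssl ocsp' (may be empty; it is
# expanded unquoted on purpose so several flags can be passed). Succeeds only
# if OpenSSL verified the response AND reported the client certificate "good";
# on failure the openssl output (including the verify error) is printed.
ocsp_query() {
    out=$(openssl ocsp -issuer "$ISSUER" -cert "$CLIENT" -CAfile "$CHAIN" \
                       -url "$URL" $1 2>&1) || { printf '%s\n' "$out"; return 1; }
    printf '%s\n' "$out" | grep -q '^Response verify OK' || { printf '%s\n' "$out"; return 1; }
    printf '%s\n' "$out" | grep -qF "$CLIENT: good" || { printf '%s\n' "$out"; return 1; }
}

# Rungs from strict to "anything goes". Each flag and the bit it sets in
# OCSP_basic_verify():
#   (none)                strict: what a strict verifier does
#   -no_cert_verify       OCSP_NOCHECKS (256): signer chain is still verified, but
#                         the "signer is the CA, or is issued by the CA with the
#                         OCSP-signing EKU" check is skipped
#   -noverify             OCSP_NOVERIFY (16): signer certificate not verified at all
#   -no_signature_verify  OCSP_NOSIGS (4): even the response signature is ignored
ocsp_flag_ladder() {
    CLIENT=$1; ISSUER=$2; CHAIN=$3; URL=$4
    for flags in "" "-no_cert_verify" "-noverify" "-noverify -no_signature_verify"; do
        if ocsp_query "$flags"; then
            echo "PASS with flags: ${flags:-<none>} (OCSP_VERIFY_FLAGS equivalent: $(ladder_bits "$flags"))"
            return 0
        fi
        echo "FAIL with flags: ${flags:-<none>}"
    done
    return 1
}

# Map a rung's openssl flags to the OCSP_VERIFY_FLAGS value they correspond to.
ladder_bits() {
    case "$1" in
        "") echo 0 ;;
        "-no_cert_verify") echo 256 ;;
        "-noverify") echo 16 ;;
        "-noverify -no_signature_verify") echo 20 ;;
        *) echo "?" ;;
    esac
}

# Usage: sh ocsp-ladder.sh client.crt int.logopk.crt.pem chain.logopk.crt.pem http://ocsp.fritz.box:8889
if [ $# -eq 4 ]; then
    ocsp_flag_ladder "$1" "$2" "$3" "$4"
fi
```

Read the result as follows. If the strict rung already passes, the responder and the client certificate are fine and the failure is on the Tomcat side (in this thread Mark attributes it to Tomcat Native 1.3.4 itself). If it first passes at -no_cert_verify, the responder's signing certificate chains to caCertificateFile but is neither the issuing CA nor a certificate issued by that CA with the OCSP-signing EKU, which is exactly what a strict verifier rejects and what a relaxed one lets through. If it first passes at -noverify, the signing certificate cannot be chain-verified against caCertificateFile at all. Add -resp_text to the query to see the responderID and the embedded signer certificate. The caveat for the OCSP_VERIFY_FLAGS route: 16 (OCSP_NOVERIFY) tells OpenSSL to accept a "good" answer from whoever signs it, so anyone who can answer the OCSP request can vouch for a revoked client certificate. Use the relaxed value to confirm the diagnosis, then fix the responder's certificate or disable OCSP explicitly, rather than running production with the check relaxed.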
