On 2025/12/04 16:38:04 Mark Thomas wrote:
> Hi all,
>
> Just a quick update.
>
> Generally, things are moving forward nicely. OCSP protocol is working
> (at a basic level) for:
> - pure JSSE
> - Tomcat Native / OpenSSL with JSSE trust
> - Tomcat Native / OpenSSL with OpenSSL trust
> - FFM / OpenSSL with JSSE trust
> - FFM / OpenSSL with OpenSSL trust
>
> I'm starting to look at aligning checks that JSSE and OpenSSL perform
> and I am starting to reach the limits of what is possible with
> pre-generated OCSP responses - particularly time based validation.
>
> I think I am going to need to re-work the OCSP tests to use a "real"
> OCSP responder. My plan is to use openssl (since it is required for
> these tests anyway) and an expanded set of keys/certs we currently use for
> the other TLS tests.
>
> We are starting to see dependencies on new Tomcat Native features so
> some of the changes to 12.0.x will need to wait until the next Tomcat
> Native release is available. I do plan to commit the changes I can as
> soon as I am confident that they are stable.
A few remarks on OCSP.

I noticed mutual TLS auth a few years ago and never understood why Rainer did this. I instantly had to set:

<OpenSSLConfCmd name="NO_OCSP_CHECK" value="true" />

because it is a custom hack in libtcnative to always enable OCSP checks and our OCSP responder was very often very slow. I had to read the source code and trace system calls to understand what is going on.

It would be better to do what mod_ssl does: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslocspenable

Michael
