This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 1.3.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.3.x by this push:
new f6a0ea7d0 Refactor setting OCSP defaults
f6a0ea7d0 is described below
commit f6a0ea7d0cb91298bb73c50af29a1b2f40c938df
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jan 28 21:41:42 2026 +0000
Refactor setting OCSP defaults
Expected defaults were not applied if an SSL_CONF_CTX was not used
---
native/src/sslconf.c | 6 ------
native/src/sslcontext.c | 6 ++++++
xdocs/miscellaneous/changelog.xml | 8 ++++++++
3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index 8e9374042..50d8a092f 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -115,12 +115,6 @@ TCN_IMPLEMENT_CALL(jlong, SSLConf, make)(TCN_STDARGS,
jlong pool,
c->cctx = cctx;
c->pool = p;
- /* OCSP defaults */
- c->no_ocsp_check = OCSP_NO_CHECK_DEFAULT;
- c->ocsp_soft_fail = OCSP_SOFT_FAIL_DEFAULT;
- c->ocsp_timeout = OCSP_TIMEOUT_DEFAULT;
- c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
-
/*
* Let us cleanup the SSL_CONF context when the pool is destroyed
*/
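Review bot: removing the four OCSP default assignments here leaves the SSL_CONF_CTX object's OCSP fields at whatever the allocator gives them, so any path that later propagates those fields from this object into the SSL context (the propagation the changelog describes as the only place defaults used to take effect) now risks copying zero values over the defaults. Confirm that such a copy no longer happens, or only happens for options the user explicitly set; note that a zeroed no_ocsp_check is the "OCSP verification enabled by default" behaviour this commit sets out to fix, so the regression would be silent.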
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index e832590a7..f9510c377 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -415,6 +415,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
}
+ /* Configure OCSP defaults here in case there is no SSL_CONF_CTX used. */
+ c->no_ocsp_check = OCSP_NO_CHECK_DEFAULT;
+ c->ocsp_soft_fail = OCSP_SOFT_FAIL_DEFAULT;
+ c->ocsp_timeout = OCSP_TIMEOUT_DEFAULT;
+ c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
+
return P2J(c);
init_failed:
return 0;
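Review bot: the defaults are assigned at the very end of make(), just before `return P2J(c);`, rather than alongside the other field initialisation right after `c` is allocated. Moving them next to the allocation would guarantee every later read of these fields within make() sees initialised values and would make a future early-return path harder to get wrong. The comment "in case there is no SSL_CONF_CTX used" would also read more precisely as "defaults; an SSL_CONF_CTX, if used, may override these", since the assignments now apply unconditionally.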
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index 1e9004353..5413a77be 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -46,6 +46,14 @@
Fix a potential memory leak if an invalid <code>OpenSSLConf</code> is
provided. Pull request <pr>36</pr> provided by chenjp. (markt)
</fix>
+ <fix>
+ Refactor setting of OCSP configuration defaults as they were only applied
+ if the SSL_CONF_CTX was used. While one was always used wth Tomcat
+ versions aware of the OCSP configuration options, one was not always used
+ with Tomcat versions unaware of the OCSP configuration options leading to
+ OCSP verification being enabled by default when the expected behaviour
was
+ disabled by default. (markt)
+ </fix>
</changelog>
</section>
<section name="1.3.5" rtext="2026-01-19">
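Review bot: the added changelog text has a typo, "always used wth Tomcat" should read "always used with Tomcat". For consistency with the preceding entry, which marks up `<code>OpenSSLConf</code>`, `SSL_CONF_CTX` should be wrapped in `<code>` as well. The entry also cites no issue or pull request where the neighbouring fix cites `<pr>36</pr>`; if a bug report exists for this behaviour it should be referenced here.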
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]