This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push:
new 86b04fff4 Refactor setting OCSP defaults
86b04fff4 is described below
commit 86b04fff487e3f3a4475c4a61f5c8ebcc472a3ca
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jan 28 21:41:42 2026 +0000
Refactor setting OCSP defaults
Expected defaults were not applied if an SSL_CONF_CTX was not used
---
native/src/sslconf.c | 6 ------
native/src/sslcontext.c | 6 ++++++
xdocs/miscellaneous/changelog.xml | 8 ++++++++
3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/native/src/sslconf.c b/native/src/sslconf.c
index e200b4ff5..ea08d7047 100644
--- a/native/src/sslconf.c
+++ b/native/src/sslconf.c
@@ -113,12 +113,6 @@ TCN_IMPLEMENT_CALL(jlong, SSLConf, make)(TCN_STDARGS,
jlong pool,
c->cctx = cctx;
c->pool = p;
- /* OCSP defaults */
- c->no_ocsp_check = OCSP_NO_CHECK_DEFAULT;
- c->ocsp_soft_fail = OCSP_SOFT_FAIL_DEFAULT;
- c->ocsp_timeout = OCSP_TIMEOUT_DEFAULT;
- c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
-
/*
* Let us cleanup the SSL_CONF context when the pool is destroyed
*/
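Review bot: dropping the four OCSP assignments here leaves the SSL_CONF context's no_ocsp_check, ocsp_soft_fail, ocsp_timeout and ocsp_verify_flags fields with whatever the allocator left in them, so this hunk is only safe if nothing reads those fields from the SSL_CONF context before the SSL context's own defaults take effect (the allocation of `c` is outside this hunk, so it is worth confirming it is zero-filled rather than plain malloc). Consider a short comment where the block was removed pointing at the new location in sslcontext.c, so the next reader does not assume the defaults were lost; the surrounding "Let us cleanup the SSL_CONF context" comment now follows `c->pool = p;` directly, which reads fine.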
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 30ae7deb5..b9c31ea4f 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -414,6 +414,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS,
jlong pool,
stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
}
+ /* Configure OCSP defaults here in case there is no SSL_CONF_CTX used. */
+ c->no_ocsp_check = OCSP_NO_CHECK_DEFAULT;
+ c->ocsp_soft_fail = OCSP_SOFT_FAIL_DEFAULT;
+ c->ocsp_timeout = OCSP_TIMEOUT_DEFAULT;
+ c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
+
return P2J(c);
init_failed:
return 0;
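Review bot: the defaults are assigned immediately before `return P2J(c);`, at the very end of make(), so any code earlier in make() that consults no_ocsp_check, ocsp_soft_fail, ocsp_timeout or ocsp_verify_flags still sees unset values; moving the four assignments up to just after `c` is allocated would make the defaults visible to the whole initialisation path and mirrors where they sat in sslconf.c. The comment "in case there is no SSL_CONF_CTX used" is also now slightly misleading, because after the sslconf.c hunk these are the only place the defaults are set at all; something like "OCSP defaults; an SSL_CONF_CTX, if used, may override these" states the actual contract. Since the fix is about OCSP checking being on when it was expected to be off, a small unit test that builds a context without an OpenSSLConf and asserts the default no_ocsp_check value would stop this regressing again.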
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index d841ef5da..0fcfa0d9f 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -50,6 +50,14 @@
Fix a potential memory leak if an invalid <code>OpenSSLConf</code> is
provided. Pull request <pr>36</pr> provided by chenjp. (markt)
</fix>
+ <fix>
+ Refactor setting of OCSP configuration defaults as they were only applied
+ if the SSL_CONF_CTX was used. While one was always used wth Tomcat
+ versions aware of the OCSP configuration options, one was not always used
+ with Tomcat versions unaware of the OCSP configuration options leading to
+ OCSP verification being enabled by default when the expected behaviour
was
+ disabled by default. (markt)
+ </fix>
</changelog>
</section>
<section name="2.0.12" rtext="2026-01-12">
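Review bot: typo in the new entry, "wth" should be "with", and the last sentence is hard to parse as written ("... options leading to OCSP verification being enabled by default when the expected behaviour was disabled by default"); suggest splitting it, e.g. "... was not always used with Tomcat versions unaware of the OCSP configuration options. This led to OCSP verification being enabled by default when it should have been disabled by default." Since this changes default security behaviour for older Tomcat versions, it may also deserve a line naming which Tomcat versions are affected so operators can tell whether they were running with OCSP unexpectedly on.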