From c7e9138d59833ca0b9437fd130d3d9cb2fdf393d Mon Sep 17 00:00:00 2001

From: John Magne <jmagne@mharmsen-rhel7.usersys.redhat.com>

Date: Thu, 20 Sep 2018 21:35:20 -0400

Subject: [PATCH] Fix for Bug 1630469 - CC: tomcatjss: unable to enable OCSP

 checking from peer AIA extension.

    Now the server.xml can be configured to enable ocsp AND leave other settings null, to trigger

    NSS to use the AIA extension to locate the ocsp responder.

    ex:

         .....

         enableOCSP="true"  ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10"

---

 src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java | 7 +++++--

 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java

index b38b091..b91c7a4 100644

--- a/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java

+++ b/src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java

@@ -740,8 +740,11 @@ public class JSSSocketFactory implements

                             "ocspResponderCertNickname");

                     debugWrite("JSSSocketFactory init - ocspResponderCertNickname"

                             + ocspResponderCertNickname + "\n");

-                    if (StringUtils.isNotEmpty(ocspResponderURL) &&

-                            StringUtils.isNotEmpty(ocspResponderCertNickname)) {

+

+                    if ((StringUtils.isNotEmpty(ocspResponderURL) &&

+                         	StringUtils.isNotEmpty(ocspResponderCertNickname))  ||

+                        	(StringUtils.isEmpty(ocspResponderURL)

+                            	&& StringUtils.isEmpty(ocspResponderCertNickname))) {

                         ocspConfigured = true;

                         try {

-- 

1.8.3.1