Refactor setting OCSP defaults

Expected defaults were not applied if a SSL_CONF_CTX was not used

Author: markt-asf

native/src/sslconf.c

@@ -113,12 +113,6 @@ TCN_IMPLEMENT_CALL(jlong, SSLConf, make)(TCN_STDARGS, jlong pool,
     c->cctx = cctx;
     c->pool = p;
 
-    /* OCSP defaults */
-    c->no_ocsp_check     = OCSP_NO_CHECK_DEFAULT;
-    c->ocsp_soft_fail    = OCSP_SOFT_FAIL_DEFAULT;
-    c->ocsp_timeout      = OCSP_TIMEOUT_DEFAULT;
-    c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
-
     /*
      * Let us cleanup the SSL_CONF context when the pool is destroyed
      */

native/src/sslcontext.c

@@ -414,6 +414,12 @@ TCN_IMPLEMENT_CALL(jlong, SSLContext, make)(TCN_STDARGS, jlong pool,
         stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
     }
 
+    /* Configure OCSP defaults here in case there is no SSL_CONF_CTX used. */
+    c->no_ocsp_check     = OCSP_NO_CHECK_DEFAULT;
+    c->ocsp_soft_fail    = OCSP_SOFT_FAIL_DEFAULT;
+    c->ocsp_timeout      = OCSP_TIMEOUT_DEFAULT;
+    c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
+
     return P2J(c);
 init_failed:
     return 0;

xdocs/miscellaneous/changelog.xml

@@ -50,6 +50,14 @@
       Fix a potential memory leak if an invalid <code>OpenSSLConf</code> is
       provided. Pull request <pr>36</pr> provided by chenjp. (markt)
     </fix>
+    <fix>
+      Refactor setting of OCSP configuration defaults as they were only applied
+      if the SSL_CONF_CTX was used. While one was always used wth Tomcat
+      versions aware of the OCSP configuration options, one was not always used
+      with Tomcat versions unaware of the OCSP configuration options leading to
+      OCSP verification being enabled by default when the expected behaviour was
+      disabled by default. (markt)
+    </fix>
   </changelog>
 </section>
 <section name="2.0.12" rtext="2026-01-12">