When using an OCSP responder Tomcat Native did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS.
Acknowledgments: Name: Coty Sutherland (Red Hat)
External References:
http://mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095943.GA24320%40minotaur.apache.org%3E
http://tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17

Upstream Patch: http://svn.apache.org/viewvc?view=revision&revision=1832832
Created tomcat-native tracking bugs for this issue:

Affects: epel-all [bug 1610616]
Affects: fedora-all [bug 1610615]
Solved in #1590816
Re-opening this BZ as dependent product fixes are still pending.
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:2470
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2469