# Technical Analysis

## 1. Root Cause

Tomcat fails to reject client certificates whose status is "Unknown" (as stated by the OCSP response). A remote attacker could bypass Client-Cert SSL authentication and ultimately achieve a critical EoP.

The OCSP check yields "Unknown" without raising any other error, for example when the OCSP response status check does not succeed, as shown below:

```c
// sslutils.c, process_ocsp_response()
// A non-successful OCSP response status is mapped to OCSP_STATUS_UNKNOWN
// instead of being reported as an error to the caller.
if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
    return OCSP_STATUS_UNKNOWN;
}
```

The latest Tomcat release treats these "Unknown" certificates as "Good". FFM shares the same vulnerable logic.

When Client-Cert SSL authentication is enabled, a remote attacker could achieve **EoP** by using the client-certificate principal to perform highly confidential operations.

## 2. Trigger Path

In high-security environments (e.g., finance / banking / API gateways), regulatory guidance makes strict OCSP checking mandatory. Unfortunately, Tomcat may mistreat an `OCSP_STATUS_UNKNOWN` client certificate as "Good" under particular circumstances (e.g., the issuer's OCSP responder replies `TryLater`).

## 3. Impact Analysis

- Tomcat Native (FFM?) accepts a not-Good client certificate (a non-production or removed client certificate) even if strict OCSP checking was explicitly enabled with `ocsp_soft_fail` set to `false`.
- Certificate OCSP checking
- Security feature bypass
- EoP via Client-Cert SSL authentication bypass

## 4. Why Existing Protections Failed

(Optional but recommended for high-impact vulnerabilities.)

## 5. Patch / Mitigation Analysis

* Workaround:
  - Disable APR + Tomcat Native
  - Disable FFM
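To make the failure mode described in the root cause and trigger path concrete, the following is an added C example; it is not code from Tomcat Native, FFM, or this report. It is a constructed, simplified model of the verdict logic: `classify_response()` mirrors the pattern on the page (a non-successful response status such as `TryLater` collapses to UNKNOWN), `accept_client_cert_lenient()` shows the fail-open decision that lets UNKNOWN through, and `accept_client_cert_strict()` shows the fail-closed decision that only admits GOOD unless soft-fail is explicitly enabled. All enum names, function names and the `ocsp_soft_fail` parameter are assumptions for illustration; the real `sslutils.c` code paths and configuration plumbing are not reproduced here.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: illustrative types, not Tomcat Native's real API. */

/* Three-way certificate verdict: GOOD, REVOKED, or UNKNOWN. */
typedef enum {
    OCSP_VERDICT_GOOD = 0,
    OCSP_VERDICT_REVOKED = 1,
    OCSP_VERDICT_UNKNOWN = 2
} ocsp_verdict_t;

/* Response-level status as returned by the responder (values are illustrative). */
typedef enum {
    RESP_SUCCESSFUL = 0,
    RESP_INTERNAL_ERROR = 2,
    RESP_TRY_LATER = 3
} resp_status_t;

/* Mirrors the pattern on the page: any non-successful response status is
 * collapsed into UNKNOWN instead of being surfaced as a distinct error. */
ocsp_verdict_t classify_response(resp_status_t status, ocsp_verdict_t cert_status)
{
    if (status != RESP_SUCCESSFUL) {
        return OCSP_VERDICT_UNKNOWN;
    }
    return cert_status;
}

/* Fail-open decision (the vulnerable shape): only REVOKED is rejected, so an
 * UNKNOWN verdict, e.g. from a TryLater reply, is accepted as if it were GOOD. */
bool accept_client_cert_lenient(ocsp_verdict_t verdict)
{
    return verdict != OCSP_VERDICT_REVOKED;
}

/* Fail-closed decision (the hardened shape): only GOOD is accepted. UNKNOWN is
 * admitted solely when the operator has explicitly opted into soft-fail, so a
 * strict configuration (ocsp_soft_fail == false) rejects it. */
bool accept_client_cert_strict(ocsp_verdict_t verdict, bool ocsp_soft_fail)
{
    if (verdict == OCSP_VERDICT_GOOD) {
        return true;
    }
    if (verdict == OCSP_VERDICT_UNKNOWN && ocsp_soft_fail) {
        return true;
    }
    return false;
}

static const char *verdict_name(ocsp_verdict_t v)
{
    switch (v) {
    case OCSP_VERDICT_GOOD:    return "GOOD";
    case OCSP_VERDICT_REVOKED: return "REVOKED";
    default:                   return "UNKNOWN";
    }
}

int main(void)
{
    /* Scenario from the trigger path: the responder answers TryLater, so the
     * certificate's true status never reaches the decision point. */
    ocsp_verdict_t v = classify_response(RESP_TRY_LATER, OCSP_VERDICT_GOOD);
    printf("verdict after TryLater: %s\n", verdict_name(v));
    printf("lenient decision accepts: %s\n",
           accept_client_cert_lenient(v) ? "yes" : "no");
    printf("strict decision (soft_fail=false) accepts: %s\n",
           accept_client_cert_strict(v, false) ? "yes" : "no");
    printf("strict decision (soft_fail=true) accepts: %s\n",
           accept_client_cert_strict(v, true) ? "yes" : "no");
    return 0;
}
```

The check a reviewer would apply to any client-certificate validator is the one `accept_client_cert_strict()` encodes: enumerate every verdict the checker can produce and confirm that each non-GOOD value is rejected unless a deliberate soft-fail setting says otherwise. Tests should include a responder error path, since that is where UNKNOWN arises without a revocation answer.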