With Tomcat running on tcnative and APR it is not possible to check certificates with OCSP. In this configuration even a CRL is not a good solution, since Apache Tomcat has no way to reload just the CRL when it is updated; the only option is restarting the service. Furthermore, if the CRL has expired, Apache Tomcat refuses any further connections to the service.
Using a CRL that is not updated often is not a viable solution either, since it poses serious security risks: people with revoked certificates could keep using them to log in to services until the CRL is refreshed and the service restarted.
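Because an expired CRL takes the whole service down and a fresh one needs a restart to be picked up, it is worth checking a CRL's validity window before dropping it into Tomcat's configuration. The following is an added example, not part of this patch or of tomcat-native: a pure-Python DER walker that reads thisUpdate and nextUpdate out of a CertificateList and classifies the CRL as usable, expired or not yet valid at a given time. The sample CRLs are constructed inline with a minimal encoder (dummy signature, no revoked entries, a made-up "Sample CA" issuer) purely to exercise the parser; a real CRL from disk would be passed to crl_status() as its raw DER bytes.

```python
"""Check a DER-encoded CRL's validity window before handing it to Tomcat.

Added example (not part of the tomcat-native OCSP patch). The sample CRLs
are constructed here with a minimal DER encoder; they carry a dummy
signature and exist only to exercise the parser.
"""
from datetime import datetime, timedelta, timezone

# --- minimal DER encoder, used only to build the constructed samples ---

def tlv(tag, body):
    """Encode one DER TLV with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def utctime(dt):
    """Encode an aware UTC datetime as an ASN.1 UTCTime (tag 0x17)."""
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
CN_OID = bytes.fromhex("550403")                  # 2.5.4.3 (commonName)

def build_sample_crl(this_update, next_update):
    """Constructed CertificateList: v2, no revoked entries, dummy signature."""
    alg_id = tlv(0x30, tlv(0x06, SHA256_RSA))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID)
                                          + tlv(0x0c, b"Sample CA"))))
    tbs = tlv(0x30, tlv(0x02, b"\x01")          # version v2
                    + alg_id + issuer
                    + utctime(this_update) + utctime(next_update))
    signature = tlv(0x03, b"\x00" + b"\x00" * 8)  # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + alg_id + signature)

# --- DER decoder ---

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    """Decode a UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                      # YYMMDDHHMMSSZ, RFC 5280 pivot at 50
        yy = int(s[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy
        rest = s[2:]
    elif tag == 0x18:                    # YYYYMMDDHHMMSSZ
        year = int(s[:4])
        rest = s[4:]
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    if not rest.endswith("Z"):
        raise ValueError("DER times must be in Zulu form")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    tag, cert_list, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_list, 0)
    if tag != 0x30:
        raise ValueError("tbsCertList must be a SEQUENCE")
    pos = 0
    tag, value, pos = read_tlv(tbs, pos)
    if tag == 0x02:                      # optional version present
        tag, value, pos = read_tlv(tbs, pos)   # signature AlgorithmIdentifier
    tag, value, pos = read_tlv(tbs, pos)       # issuer Name
    tag, value, pos = read_tlv(tbs, pos)       # thisUpdate
    this_update = parse_time(tag, value)
    next_update = None
    if pos < len(tbs):
        tag, value, _ = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):          # nextUpdate is OPTIONAL
            next_update = parse_time(tag, value)
    return this_update, next_update

def crl_status(der, now):
    """Classify a CRL as 'ok', 'not-yet-valid' or 'expired' at time `now`."""
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is not None and now > next_update:
        return "expired"
    return "ok"

def demo():
    """Build one fresh and one stale sample CRL and classify both."""
    now = datetime(2012, 6, 1, tzinfo=timezone.utc)
    fresh = build_sample_crl(now - timedelta(days=1), now + timedelta(days=6))
    stale = build_sample_crl(now - timedelta(days=30), now - timedelta(days=23))
    return {name: (crl_status(crl, now), crl_validity(crl)[1].isoformat())
            for name, crl in (("fresh", fresh), ("stale", stale))}

if __name__ == "__main__":
    for name, (status, next_update) in demo().items():
        print("%s CRL: %s (nextUpdate %s)" % (name, status, next_update))
```

In a deployment script the check would run against the freshly downloaded CRL with the current time, and a result other than "ok" would abort the copy into the directory Tomcat reads, so the running service never sees an expired file.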
This patch was produced with a close coupling to the environment that we had. The certificates we produced have OCSP information, with the OCSP server running without SSL. Therefore the testing was done using this environment (one OCSP server entry pointing to a non-SSL OCSP server), and not all corner cases have been tested thoroughly.
Standalone Tomcat with APR support, in order to use native OpenSSL calls and to avoid using an apache-httpd server as a front-end for handling SSL.
cd tomcat-native-1.1.22-src
patch -p1 < ./tomcat-native-ocsp-0.3-1.diff