The OCSP revocation check in Tomcat native always chooses the first entry in the response from the OCSP responder. The following line in the code is responsible for this selection: ss = OCSP_resp_get0(bs,0); /* we know we have only 1 request */ in /native/src/sslutils.c (from what I can tell, all versions that include this feature). However, we experienced weird behaviour with the OCSP revocation check, since our PKI uses pre-produced (and signed) responses, which usually consist of multiple certificate entries (for further performance optimizations, I guess; unfortunately I have no insight there). Checking the OCSP RFC (https://tools.ietf.org/html/rfc6960), I don't see anything there suggesting that this is incorrect behaviour of the OCSP responder. Unfortunately this leads to unpredictable behaviour of Tomcat and renders the revocation check practically useless in this case.
Small addition, expected behaviour: use OCSP_resp_find to find the correct certificate entry in the response.
Fixed in trunk, will be in 1.2.17.
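The following is an added example, not code from Tomcat native or OpenSSL, that makes the reported problem concrete: it builds a pre-produced OCSP ResponseData (RFC 6960 section 4.2.1) with two SingleResponse entries for two certificates of the same issuer, then compares "take entry 0" (what the reported line does) with "match on the full CertID" (what OCSP_resp_find does). The DER encoder/decoder is a minimal hand-written one covering only the fields needed here; the issuer name, key bits, serial numbers and timestamps are constructed placeholder values, and the hash algorithm is fixed to SHA-1 as in most real CertIDs.

```python
"""Match an OCSP SingleResponse by CertID instead of taking entry 0.

Added example, not Tomcat native code: a minimal DER encoder/decoder for the
parts of an OCSP ResponseData needed to show why index 0 is wrong when a
pre-produced response carries several certificate entries.
"""
import hashlib

# --- minimal DER encoding ----------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # positive INTEGER; an extra leading 0x00 byte is added when the high bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def gen_time(s):
    return tlv(0x18, s.encode())

# AlgorithmIdentifier for sha1 (OID 1.3.14.3.2.26) with NULL parameters
SHA1_ALG = seq(tlv(0x06, bytes([0x2B, 0x0E, 0x03, 0x02, 0x1A])), tlv(0x05, b""))

def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    return seq(SHA1_ALG,
               tlv(0x04, hashlib.sha1(issuer_name_der).digest()),
               tlv(0x04, hashlib.sha1(issuer_key_bits).digest()),
               integer(serial))

STATUS_GOOD = tlv(0x80, b"")            # good    [0] IMPLICIT NULL

def status_revoked(when):               # revoked [1] IMPLICIT RevokedInfo
    return tlv(0xA1, gen_time(when))

def single_response(cid, status, this_update):
    return seq(cid, status, gen_time(this_update))

def response_data(responder_key_hash, produced_at, singles):
    """ResponseData with responderID byKey [2], default version, no extensions."""
    return seq(tlv(0xA2, tlv(0x04, responder_key_hash)),
               gen_time(produced_at),
               seq(*singles))

# --- minimal DER decoding ----------------------------------------------------
def der_read(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

STATUS_NAMES = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}

def parse_responses(rd_der):
    """Return [(raw CertID DER, status name), ...] from a ResponseData."""
    tag, body, _ = der_read(rd_der, 0)
    if tag != 0x30:
        raise ValueError("ResponseData must be a SEQUENCE")
    # 'responses' is the only plain SEQUENCE at this level (version is [0],
    # responderID is [1]/[2], producedAt is a GeneralizedTime)
    singles = next(v for t, v in der_children(body) if t == 0x30)
    out = []
    for _, sr in der_children(singles):
        cid, status = der_children(sr)[:2]
        out.append((tlv(cid[0], cid[1]), STATUS_NAMES.get(status[0], "unknown")))
    return out

def status_first_entry(rd_der):
    """What the reported line does: use entry 0 regardless of which cert it covers."""
    return parse_responses(rd_der)[0][1]

def status_for_cert(rd_der, wanted_cid):
    """The OCSP_resp_find approach: pick the entry whose whole CertID matches."""
    for cid, status in parse_responses(rd_der):
        if cid == wanted_cid:
            return status
    return None   # cert not covered by this response: no verdict, never "good"

# --- constructed sample: a pre-produced response covering two certificates ---
ISSUER_NAME = seq(b"")        # constructed placeholder for the issuer's DER Name
ISSUER_KEY = b"\x03" * 32     # constructed placeholder for the issuer's public key bits
CID_A = cert_id(ISSUER_NAME, ISSUER_KEY, 1001)   # constructed serial, still valid
CID_B = cert_id(ISSUER_NAME, ISSUER_KEY, 1002)   # constructed serial, revoked
SAMPLE_RESPONSE = response_data(
    hashlib.sha1(ISSUER_KEY).digest(), "20240101000000Z",
    [single_response(CID_A, STATUS_GOOD, "20240101000000Z"),
     single_response(CID_B, status_revoked("20231231000000Z"), "20240101000000Z")])

if __name__ == "__main__":
    # Validating cert B: entry 0 reports "good", the CertID match reports "revoked"
    print("entry 0:  ", status_first_entry(SAMPLE_RESPONSE))
    print("by CertID:", status_for_cert(SAMPLE_RESPONSE, CID_B))
    print("unlisted: ", status_for_cert(SAMPLE_RESPONSE, cert_id(ISSUER_NAME, ISSUER_KEY, 9999)))
```

The lookup compares the complete CertID (hash algorithm, issuer name hash, issuer key hash and serial), which is the same comparison OpenSSL's OCSP_resp_find performs, and it deliberately returns no verdict when the certificate is absent from the response: a revocation check should only treat a certificate as good when an entry for exactly that certificate says so.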