Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libtcnative-1-0 for openSUSE:Factory
checked in at 2024-02-13 22:44:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libtcnative-1-0 (Old)
and /work/SRC/openSUSE:Factory/.libtcnative-1-0.new.1815 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libtcnative-1-0"
Tue Feb 13 22:44:46 2024 rev:41 rq:1146440 version:1.2.39
Changes:
--------
--- /work/SRC/openSUSE:Factory/libtcnative-1-0/libtcnative-1-0.changes
2023-11-28 22:18:59.772886218 +0100
+++
/work/SRC/openSUSE:Factory/.libtcnative-1-0.new.1815/libtcnative-1-0.changes
2024-02-13 22:45:14.690461832 +0100
@@ -1,0 +2,12 @@
+Tue Feb 13 09:05:45 UTC 2024 - Pedro Monreal <[email protected]>
+
+- Update to 1.2.39:
+ * Fix: 67061: If the insecure optionalNoCA certificate verification
+ mode is used, disable OCSP if enabled else client certificates
+ from unknown certificate authorities will be rejected.
+ * Update: Update the recommended minimum version of OpenSSL to
+ 3.0.11.
+ * Change the hardcoded libopenssl-1_1-devel to libopenssl-devel
+ for distributions that have the right version
+
+-------------------------------------------------------------------
Old:
----
tomcat-native-1.2.38-src.tar.gz
tomcat-native-1.2.38-src.tar.gz.asc
New:
----
tomcat-native-1.2.39-src.tar.gz
tomcat-native-1.2.39-src.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libtcnative-1-0.spec ++++++
--- /var/tmp/diff_new_pack.yPNe7U/_old 2024-02-13 22:45:15.930506456 +0100
+++ /var/tmp/diff_new_pack.yPNe7U/_new 2024-02-13 22:45:15.930506456 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libtcnative-1-0
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,8 +16,9 @@
#
+%{!?make_build:%global make_build make %{?_smp_mflags}}
Name: libtcnative-1-0
-Version: 1.2.38
+Version: 1.2.39
Release: 0
Summary: Tomcat resources for performance, compatibility, etc
License: Apache-2.0
@@ -31,12 +32,16 @@
BuildRequires: java-devel
BuildRequires: javapackages-tools
BuildRequires: libapr1-devel >= 1.4.3
-BuildRequires: libopenssl-1_1-devel
BuildRequires: pkgconfig
# Upstream compatibility:
Provides: tcnative = %{version}
#Fedora compatibility
Provides: tomcat-native = %{version}
+%if 0%{?suse_version} >= 1550
+BuildRequires: libopenssl-devel >= 3.0.11
+%else
+BuildRequires: libopenssl-1_1-devel
+%endif
%description
The Apache Tomcat Native Library is an optional component for use
@@ -95,7 +100,7 @@
--with-apr=%{_bindir}/apr-1-config \
--with-java-home=%{java_home} \
--with-java-platform=2
-make %{?_smp_mflags}
+%make_build
%install
make -C native install DESTDIR=%{buildroot}
++++++ tomcat-native-1.2.38-src.tar.gz -> tomcat-native-1.2.39-src.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/.gitignore
new/tomcat-native-1.2.39-src/.gitignore
--- old/tomcat-native-1.2.38-src/.gitignore 2023-08-02 10:09:54.000000000
+0200
+++ new/tomcat-native-1.2.39-src/.gitignore 2023-09-28 13:57:56.000000000
+0200
@@ -14,11 +14,15 @@
/native/build/config.sub
/native/build/find_apr.m4
/native/build/install.sh
+/native/build/install-sh
+/native/build/ltmain.sh
/native/build/rules.mk
+/native/aclocal.m4
/native/config.log
/native/config.nice
/native/config.status
/native/configure
+/native/configure~
/native/libtcnative-1.la
/native/libtcnative-2.la
/native/tcnative.pc
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/CHANGELOG.txt
new/tomcat-native-1.2.39-src/CHANGELOG.txt
--- old/tomcat-native-1.2.38-src/CHANGELOG.txt 2023-08-02 10:14:34.000000000
+0200
+++ new/tomcat-native-1.2.39-src/CHANGELOG.txt 2023-09-28 13:58:42.000000000
+0200
@@ -2,296 +2,304 @@
This is the Changelog for Tomcat Native 1.2.
+ Changes in 1.2.39
+
+ o Fix: 67061: If the insecure optionalNoCA certificate verification mode
+ is used, disable OCSP if enabled else client certificates from unknown
+ certificate authorities will be rejected. (markt)
+ o Update: Update the recommended minimum version of OpenSSL to 3.0.11.
+ (markt)
+
Changes in 1.2.38
- * Update: Align default pass phrase prompt with HTTPd. (michaelo)
- * Fix: 66669: Fix memory leak in SNI processing. (markt)
- * Update: Update the recommended minimum version of OpenSSL to 1.1.1v.
+ o Update: Align default pass phrase prompt with HTTPd. (michaelo)
+ o Fix: 66669: Fix memory leak in SNI processing. (markt)
+ o Update: Update the recommended minimum version of OpenSSL to 1.1.1v.
(markt)
Changes in 1.2.37
- * Update: Update the recommended minimum version of APR to 1.7.4.
+ o Update: Update the recommended minimum version of APR to 1.7.4.
(markt)
- * Update: Update the recommended minimum version of OpenSSL to 1.1.1u.
+ o Update: Update the recommended minimum version of OpenSSL to 1.1.1u.
(markt)
Changes in 1.2.36
- * Update: Update the recommended minimum version of APR to 1.7.2.
+ o Update: Update the recommended minimum version of APR to 1.7.2.
(markt)
- * Update: Update the recommended minimum version of OpenSSL to 1.1.1t.
+ o Update: Update the recommended minimum version of OpenSSL to 1.1.1t.
(markt)
Changes in 1.2.35
- * Docs: Document the TLS rengotiation behaviour. (markt)
- * Docs: Add HOWTO-RELEASE.txt that describes the release process.
+ o Docs: Document the TLS rengotiation behaviour. (markt)
+ o Docs: Add HOWTO-RELEASE.txt that describes the release process.
(markt)
- * Update: Update recommended OpenSSL version to 1.1.1q or later. (markt)
+ o Update: Update recommended OpenSSL version to 1.1.1q or later. (markt)
Changes in 1.2.34
- * Code: Refactor library initialization so it is compatible with Tomcat
+ o Code: Refactor library initialization so it is compatible with Tomcat
10.1.x onwards where a number of Java classes have been removed.
(markt)
- * Add: Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to
+ o Add: Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to
allow clients to determine if the FIPS provider is being used when
Tomcat Native is compiled against OpenSSL 3.x. (markt)
Changes in 1.2.33
- * Fix: 66035: Fix crash when attempting to read TLS session ID after a
+ o Fix: 66035: Fix crash when attempting to read TLS session ID after a
handshake failure. (schultz/markt)
- * Fix: Enable download_deps.sh to be called from any directory. Pull
+ o Fix: Enable download_deps.sh to be called from any directory. Pull
request #12 provided by Dimitrios Soumis. (markt)
- * Update: Update recommended OpenSSL version to 1.1.1o or later. (markt)
+ o Update: Update recommended OpenSSL version to 1.1.1o or later. (markt)
Changes in 1.2.32
- * Update: Update recommended OpenSSL version to 1.1.1n or later. (markt)
- * Fix: Fix release script so it works with the current git layout.
+ o Update: Update recommended OpenSSL version to 1.1.1n or later. (markt)
+ o Fix: Fix release script so it works with the current git layout.
(markt)
Changes in 1.2.31
- * Fix: 65441: Correct previous fix that enabled building to continue
+ o Fix: 65441: Correct previous fix that enabled building to continue
with OpenSSL 3.x. Patch provided by lzsiga. (markt)
- * Fix: 65659: Remove remaining reference to pkg-config which is no
+ o Fix: 65659: Remove remaining reference to pkg-config which is no
longer included in the Tomcat Native distribution. (markt)
Changes in 1.2.30
- * Add: 65181: Additional changes required to provided support for using
+ o Add: 65181: Additional changes required to provided support for using
OpenSSL Engines that use proprietary key formats. Based on a patch
provided by Edin Hodzic. (markt)
- * Fix: 65329: Correct handling of WINVER in make file to use correct
+ o Fix: 65329: Correct handling of WINVER in make file to use correct
constant for Windows 7. Add constants for Windows 8, Windows 8.1 and
Windows 10. Rename WINNT to WIN2k as it is used for Windows 2000
upwards, not Windows NT upwards. (markt)
Changes in 1.2.29 (not released)
- * Fix: Add a patch for APR that fixes an issue where some Windows
+ o Fix: Add a patch for APR that fixes an issue where some Windows
systems in some configurations would only listen on IPv6 addresses on
dual stack systems even though configured to listen on both IPv6 and
IPv4 addresses. (michaelo)
Changes in 1.2.28
- * Fix: Correct a regression in the fix for 65181 that prevented an error
+ o Fix: Correct a regression in the fix for 65181 that prevented an error
message from being displayed if an invalid key file was provided and
no OpenSSL Engine was configured. (markt)
Changes in 1.2.27
- * Add: 65181: Improve support for using OpenSSL Engines that use
+ o Add: 65181: Improve support for using OpenSSL Engines that use
proprietary key formats. Patch provided by Edin Hodzic. (markt)
- * Update: Update recommended OpenSSL version to 1.1.1k or later. (markt)
+ o Update: Update recommended OpenSSL version to 1.1.1k or later. (markt)
Changes in 1.2.26
- * Fix: Enable building to continue against OpenSSL 3.x and 1.1.1.
+ o Fix: Enable building to continue against OpenSSL 3.x and 1.1.1.
(markt)
- * Add: 64942: Expose support for Unix Domain Sockets in APR v1.6 and up.
+ o Add: 64942: Expose support for Unix Domain Sockets in APR v1.6 and up.
(minfrin)
- * Update: Update recommended OpenSSL version to 1.1.1i or later. (markt)
+ o Update: Update recommended OpenSSL version to 1.1.1i or later. (markt)
Changes in 1.2.25
- * Fix: Incomplete name mangling fix for C++ compilers in tcn_api.h.
+ o Fix: Incomplete name mangling fix for C++ compilers in tcn_api.h.
(michaelo)
- * Update: Improve OS-specific header include for native thread id.
+ o Update: Improve OS-specific header include for native thread id.
(michaelo)
- * Fix: Disable keylog callback support for LibreSSL. (michaelo)
- * Add: Add support for SSLContext.addChainCertificateRaw() with LibreSSL
+ o Fix: Disable keylog callback support for LibreSSL. (michaelo)
+ o Add: Add support for SSLContext.addChainCertificateRaw() with LibreSSL
2.9.1 and up. (michaelo)
- * Add: Add support for HP-UX's _lwp_self() in our ssl_thread_id(void).
- (michaelo) Remove default option passed for rpath to linker on HP-UX.
+ o Add: Add support for HP-UX's _lwp_self() in our ssl_thread_id(void).
(michaelo)
- * Add: Add an option to allow the OCSP responder check to be bypassed.
+ Remove default option passed for rpath to linker on HP-UX. (michaelo)
+ o Add: Add an option to allow the OCSP responder check to be bypassed.
Note that if OCSP is enabled, a missing responder is now treated as an
error. (jfclere)
- * Fix: 64429: Fix compilation with LibreSSL. (markt)
+ o Fix: 64429: Fix compilation with LibreSSL. (markt)
Changes in 1.2.24
- * Fix: 63671: libtcnative does not compile with OpenSSL < 1.1.0 and APR
+ o Fix: 63671: libtcnative does not compile with OpenSSL < 1.1.0 and APR
w/o threading support. (michaelo)
- * Fix: Correct configure message for OpenSSL libdir. (michaelo)
- * Update: 64260: Clean up install target. (michaelo)
- * Fix: 64315: configure output for OpenSSL wrong/incomplete sometimes.
+ o Fix: Correct configure message for OpenSSL libdir. (michaelo)
+ o Update: 64260: Clean up install target. (michaelo)
+ o Fix: 64315: configure output for OpenSSL wrong/incomplete sometimes.
(michaelo)
- * Update: Drop obsolete build time workarounds for HP-UX. (michaelo)
- * Add: Add support for FreeBSD's pthread_getthreadid_np() in our
+ o Update: Drop obsolete build time workarounds for HP-UX. (michaelo)
+ o Add: Add support for FreeBSD's pthread_getthreadid_np() in our
ssl_thread_id(void). (michaelo)
- * Update: 63701: Use new OpenSSL initialisation process when building
+ o Update: 63701: Use new OpenSSL initialisation process when building
with OpenSSL 1.1.0 onwards. (mturk)
- * Add: 64316: Introduce tcn_get_thread_id(void) to reduce code
+ o Add: 64316: Introduce tcn_get_thread_id(void) to reduce code
duplication. (michaelo)
- * Fix: Fix linking against OpenSSL in non-standard locations on FreeBSD.
+ o Fix: Fix linking against OpenSSL in non-standard locations on FreeBSD.
(michaelo)
Changes in 1.2.23
- * Fix: Make file fixes to enable building with APR 1.7.x. (markt)
- * Fix: Switch to Windows 7 as the default target. (markt)
- * Update: Update minimum OpenSSL version to 1.0.2r. (markt)
+ o Fix: Make file fixes to enable building with APR 1.7.x. (markt)
+ o Fix: Switch to Windows 7 as the default target. (markt)
+ o Update: Update minimum OpenSSL version to 1.0.2r. (markt)
Changes in 1.2.22
- * Fix: 63159: Unable to complete build when build directory is outside
+ o Fix: 63159: Unable to complete build when build directory is outside
of the source tree. Patch provided by Bob Huemmer. (markt)
- * Fix: 63356: Fix client certificate authentication when a certificate
+ o Fix: 63356: Fix client certificate authentication when a certificate
contains an AIA extension without an OCSP URI. Patch provided by
Milind Takawale. (markt)
- * Fix: 63500: Fix JVM crash on Connector start when a certificate
+ o Fix: 63500: Fix JVM crash on Connector start when a certificate
revocation file or path is specified for OpenSSL. (markt)
- * Add: Add support for TLS key logging when using OpenSSL 1.1.1 or
+ o Add: Add support for TLS key logging when using OpenSSL 1.1.1 or
later. If the environment variable SSLKEYLOGFILE is set then the TLS
keys will be logged to that file. Patch provided by John Kelly.
(markt)
- * Fix: Update build script after migration of soucre repository from
+ o Fix: Update build script after migration of soucre repository from
Subversion to Git. (markt)
Changes in 1.2.21
- * Fix: Correct a possible JVM crash during shutdown caused by a bug in
+ o Fix: Correct a possible JVM crash during shutdown caused by a bug in
the fix for the per connection memory leak included in 1.2.20. (rjung)
Changes in 1.2.20
- * Fix: Update includedir name to tomcat-native instead of apr.
+ o Fix: Update includedir name to tomcat-native instead of apr.
(csutherl)
- * Fix: Fix a minor memory leak. It occurred every time a TLS connector
+ o Fix: Fix a minor memory leak. It occurred every time a TLS connector
was started so the impact was very unlikely to be noticed. (markt)
- * Fix: Fix some minor memory leaks that could occur after error
+ o Fix: Fix some minor memory leaks that could occur after error
conditions during TLS connector initialisation. (markt)
- * Fix: Fix a per connection memory leak when using OpenSSL BIO. This is
+ o Fix: Fix a per connection memory leak when using OpenSSL BIO. This is
typically used when OpenSSL is providing the TLS support for NIO or
NIO2. (markt)
Changes in 1.2.19
- * Fix: 62892: Fix memory leaks in OCSP handling. (jfclere)
- * Fix: 62944: Fix copy/paste error that prevented TLS 1.0 and TLS 1.1
+ o Fix: 62892: Fix memory leaks in OCSP handling. (jfclere)
+ o Fix: 62944: Fix copy/paste error that prevented TLS 1.0 and TLS 1.1
from being used if TLS 1.3 was available. Patch provided by Dean
Rasheed. (markt)
- * Fix: Include OpenSSL licensing information in the Tomcat Native
+ o Fix: Include OpenSSL licensing information in the Tomcat Native
binaries for Windows that are built with OpenSSL. (markt)
- * Update: Update recommended OpenSSL version to 1.0.2q or later. (markt)
+ o Update: Update recommended OpenSSL version to 1.0.2q or later. (markt)
Changes in 1.2.18
- * Fix: 62641: libtool invocations should use --tag=CC. (michaelo)
- * Code: Remove support for Netware as there has not been a supported
+ o Fix: 62641: libtool invocations should use --tag=CC. (michaelo)
+ o Code: Remove support for Netware as there has not been a supported
Netware platform for a number of years. (markt)
- * Add: 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or
+ o Add: 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or
equivalent. (schultz/markt)
- * Add: Expose the API necessary for CLIENT-CERT authentication to be
+ o Add: Expose the API necessary for CLIENT-CERT authentication to be
correctly supported when using Tomcat's JSSE implementation backed by
OpenSSL. (markt)
Changes in 1.2.17
- * Fix: 62094: Certificate verification using CRL with Tomcat APR
+ o Fix: 62094: Certificate verification using CRL with Tomcat APR
connector does not work. (jfclere)
- * Fix: 62122: undefined symbol: SSL_COMP_free_compression_methods.
+ o Fix: 62122: undefined symbol: SSL_COMP_free_compression_methods.
(jfclere)
- * Fix: 62221: OCSP response processing uses always the first entry in
+ o Fix: 62221: OCSP response processing uses always the first entry in
the response. (jfclere)
- * Fix: Further clean-up in the OCSP extension logic. (jfclere)
+ o Fix: Further clean-up in the OCSP extension logic. (jfclere)
Changes in 1.2.16
- * Fix: Further clean-up in the parsing of the OCSP extension. (markt)
+ o Fix: Further clean-up in the parsing of the OCSP extension. (markt)
Changes in 1.2.15
- * Update: Update recommended OpenSSL version to 1.0.2m. (markt)
- * Fix: Correctly calculate field lengths when parsing the OCSP extension
+ o Update: Update recommended OpenSSL version to 1.0.2m. (markt)
+ o Fix: Correctly calculate field lengths when parsing the OCSP extension
so that longer values are read correctly. (markt)
- * Update: Update the recommended APR version to 1.6.3 or later. (markt)
+ o Update: Update the recommended APR version to 1.6.3 or later. (markt)
Changes in 1.2.14
- * Fix: Fix a small memory leak during certificate initialization.
+ o Fix: Fix a small memory leak during certificate initialization.
(rjung)
- * Fix: Replace use of deprecated ASN1_STRING_data with
+ o Fix: Replace use of deprecated ASN1_STRING_data with
ASN1_STRING_get0_data when building against OpenSSL 1.1.0 and newer.
(rjung)
- * Fix: Fix a thread local key leak. Only relevant when doing
+ o Fix: Fix a thread local key leak. Only relevant when doing
SSL.initialize() and Library.terminate() a lot of times. (rjung)
Changes in 1.2.13
- * Fix: Add missing source files to Visual Studio project files. (wrowe)
- * Add: Add support for the OpenSSL SSL_CONF API. (rjung)
- * Add: Add SSLContext.getCiphers(). (rjung)
- * Add: Add method to add a single CA certificate to the list of CA
+ o Fix: Add missing source files to Visual Studio project files. (wrowe)
+ o Add: Add support for the OpenSSL SSL_CONF API. (rjung)
+ o Add: Add SSLContext.getCiphers(). (rjung)
+ o Add: Add method to add a single CA certificate to the list of CA
certificates which are accepted as issuers of client certificates.
(rjung)
- * Fix: Fix an error not announcing the correct CA list for client
+ o Fix: Fix an error not announcing the correct CA list for client
certificates during TLS handshake. (rjung)
- * Fix: Fix renegotiation to obtain a client certificate from a user
+ o Fix: Fix renegotiation to obtain a client certificate from a user
agent. (markt)
- * Fix: 58434: Allow Tomcat Native to be compiled with LibreSSL. Note
+ o Fix: 58434: Allow Tomcat Native to be compiled with LibreSSL. Note
that some features may not be available when using LibreSSL. (markt)
- * Fix: 60290: When building Tomcat Native, don't ignore the value of CC
+ o Fix: 60290: When building Tomcat Native, don't ignore the value of CC
if explicitly set. Patch provided by Michael Osipov. (markt)
- * Fix: 60301: When building Tomcat Native, allow the user to override
+ o Fix: 60301: When building Tomcat Native, allow the user to override
the libtool specified by APR by setting the LIBTOOL environment
variable. (markt)
- * Update: Update build to use APR 1.6.x, with 1.6.2 recommended. (markt)
- * Update: Update recommended OpenSSL version to 1.0.2l. (markt)
+ o Update: Update build to use APR 1.6.x, with 1.6.2 recommended. (markt)
+ o Update: Update recommended OpenSSL version to 1.0.2l. (markt)
Changes in 1.2.12
- * Fix: Correct a regression in the fix for 59797 that triggered a JVM
+ o Fix: Correct a regression in the fix for 59797 that triggered a JVM
crash on shutdown in some Tomcat unit tests when using the APR/native
connector. (markt)
Changes in 1.2.11
- * Fix: 52627: Prevent a crash in File.infoGet() caused by the use of
+ o Fix: 52627: Prevent a crash in File.infoGet() caused by the use of
uninitialised variables. Based on patch by Ilya Maykov. (markt)
- * Fix: 55113: Document the process for creating a static tc-native
+ o Fix: 55113: Document the process for creating a static tc-native
library with a FIPS-enabled OpenSSL and update the nmake make file to
support the process. (markt)
- * Fix: 55114: Clean up building instructions for the native component
+ o Fix: 55114: Clean up building instructions for the native component
and expand the instructions for building for Windows platforms.
(markt)
- * Fix: 55938: Resolve remaining clang-analyzer warnings. Note that the
+ o Fix: 55938: Resolve remaining clang-analyzer warnings. Note that the
use of -1 to indicate the full array in File.(read|write)[Full] has
been removed since it was only partially implemented and the
implementation was faulty. (markt)
- * Fix: 58082: Update unit tests to use JUnit 4. Refactor unit tests into
+ o Fix: 58082: Update unit tests to use JUnit 4. Refactor unit tests into
separate tests and use an external to reference them in the same way
an external is used to reference the main code. (markt)
- * Fix: 59797: Ensure that the per thread error hash maintained by
+ o Fix: 59797: Ensure that the per thread error hash maintained by
OpenSSL is cleaned up as individual threads exit to ensure it does not
grow too large. Patch provided by Nate Clark. (markt)
- * Fix: 59996: Correctly handle building tc-native on a 64-bit system
+ o Fix: 59996: Correctly handle building tc-native on a 64-bit system
when using an OpenSSL distribution that is not in /usr. (csutherl)
- * Fix: 60388: The --disable-maintainer-mode option of the configure
+ o Fix: 60388: The --disable-maintainer-mode option of the configure
script no longer enables the maintainer mode. (ebourg)
- * Update: Update minimum recommended OpenSSL version to 1.0.2k. (markt)
+ o Update: Update minimum recommended OpenSSL version to 1.0.2k. (markt)
Changes in 1.2.10
- * Update: Update minimum recommended OpenSSL version to 1.0.2j. (markt)
+ o Update: Update minimum recommended OpenSSL version to 1.0.2j. (markt)
Changes in 1.2.9
- * Update: Update minimum recommended OpenSSL version to 1.0.2i. (markt)
+ o Update: Update minimum recommended OpenSSL version to 1.0.2i. (markt)
Changes in 1.2.8
- * Fix: 59616: Correct the Windows build files so that OCSP is correctly
+ o Fix: 59616: Correct the Windows build files so that OCSP is correctly
enabled and disabled in the respective Windows binaries. (markt)
- * Fix: Correctly handle OS level EAGAIN return codes during non-blocking
+ o Fix: Correctly handle OS level EAGAIN return codes during non-blocking
TLS I/O. (markt)
- * Fix: Correct a potential performance problem identified by Nate Clark
+ o Fix: Correct a potential performance problem identified by Nate Clark
due to Tomcat Native providing OpenSSL with thread identifiers poorly
suited to the hash function used by OpenSSL when selecting a bucket
for the hash that holds the per thread error data. Tomcat Native on
@@ -300,90 +308,90 @@
Changes in 1.2.7
- * Update: Update minimum recommended OpenSSL version to 1.0.2h. (markt)
+ o Update: Update minimum recommended OpenSSL version to 1.0.2h. (markt)
Changes in 1.2.6
- * Update: Change the OpenSSL version check in configure to be fatal.
+ o Update: Change the OpenSSL version check in configure to be fatal.
(rjung)
- * Update: Use new OpenSSL 1.1.0 protocol version max and min API when
+ o Update: Use new OpenSSL 1.1.0 protocol version max and min API when
creating a new SSL context. (rjung)
- * Update: Improve renegotiation code and make it compatible with OpenSSL
+ o Update: Improve renegotiation code and make it compatible with OpenSSL
1.1.0. (rjung)
- * Code: OpenSSL 1.1.0 compatibility updates. (rjung)
- * Fix: Fix some compiler warnings in native ssl code. (rjung)
- * Add: Add support for using Java keystores for certificate chains.
+ o Code: OpenSSL 1.1.0 compatibility updates. (rjung)
+ o Fix: Fix some compiler warnings in native ssl code. (rjung)
+ o Add: Add support for using Java keystores for certificate chains.
(markt)
- * Update: Remove the explicit CRL check when verifying certificates. The
+ o Update: Remove the explicit CRL check when verifying certificates. The
checks were already part of the internal certification verification
since OpenSSL 0.9.7. Backport from mod_ssl. (rjung)
Changes in 1.2.5
- * Update: Enable OpenSSL version check in configure by default. It can
+ o Update: Enable OpenSSL version check in configure by default. It can
be turned off using --disable-openssl-version-check. (rjung)
- * Fix: 59024: Native function versionString() and for OpenSSL 1.1.0 also
+ o Fix: 59024: Native function versionString() and for OpenSSL 1.1.0 also
version() (both in in ssl.c) now return the OpenSSL run time version,
not the compile time version. (rjung)
- * Code: Track changes in the OpenSSL master branch so it is possible to
+ o Code: Track changes in the OpenSSL master branch so it is possible to
build Tomcat Native with that branch. (billbarker)
Changes in 1.2.4
- * Fix: SSL.getHandshakeCount(), which was unused, now returns the
+ o Fix: SSL.getHandshakeCount(), which was unused, now returns the
handshake completed count rather than the handshake started count.
(remm)
Changes in 1.2.3
- * Fix: Remove Java classes that do not have C implementation code for
+ o Fix: Remove Java classes that do not have C implementation code for
their native methods in the current library. They were used for NPN
support which is superseded by ALPN support in the current code.
(kkolinko)
- * Fix: Fix typo in declaration of a stub method used when the library is
+ o Fix: Fix typo in declaration of a stub method used when the library is
compiled without OpenSSL support. (kkolinko)
- * Fix: Fix the signature of the implementation of the native SSL method
+ o Fix: Fix the signature of the implementation of the native SSL method
newSSL() in the case when OPENSSL is not available. (rjung)
- * Fix: Fix the signature of the implementation of the native SSLSocket
+ o Fix: Fix the signature of the implementation of the native SSLSocket
method getInfoB() to return jbyteArray instead of jobject. This is
consistent with what it actually returns and how the native Java
method is declared. (rjung)
- * Add: Add support for using Java keystores for certificates and keys.
+ o Add: Add support for using Java keystores for certificates and keys.
(jfclere)
- * Code: Remove code that performs a read after a renegotiation that
+ o Code: Remove code that performs a read after a renegotiation that
appears to be unnecessary with OpenSSL 1.0.2. (billbarker)
- * Add: Expose SSL_renegotiate to the Java API. (remm)
+ o Add: Expose SSL_renegotiate to the Java API. (remm)
Changes in 1.2.2
- * Fix: Fix broken debug and maintainer mode build. (rjung)
- * Fix: Forward port additional fixes to the OpenSSL I/O to align it with
+ o Fix: Fix broken debug and maintainer mode build. (rjung)
+ o Fix: Forward port additional fixes to the OpenSSL I/O to align it with
non-OpenSSL I/O. (markt)
Changes in 1.2.1
- * Fix: 58566: Enable Tomcat Native 1.2.x to work with Tomcat releases
+ o Fix: 58566: Enable Tomcat Native 1.2.x to work with Tomcat releases
that do not have the necessary Java code to support SNI. (markt)
- * Update: Minor rework of "buildconf" script. (rjung)
- * Fix: Fix APR dependency version expression in RPM spec file. (rjung)
- * Fix: Fix major library version number in Windows build files, RPM spec
+ o Update: Minor rework of "buildconf" script. (rjung)
+ o Fix: Fix APR dependency version expression in RPM spec file. (rjung)
+ o Fix: Fix major library version number in Windows build files, RPM spec
file and build description. (rjung)
- * Fix: Remove files "KEYS" and "download_deps.sh" from Windows (zip)
+ o Fix: Remove files "KEYS" and "download_deps.sh" from Windows (zip)
source distribution. (rjung)
- * Fix: Fix "unused variable" compiler warning. (rjung)
+ o Fix: Fix "unused variable" compiler warning. (rjung)
Changes in 1.2.0
- * Add: Add support for TLS extension ALPN. (markt)
- * Add: Add support for TLS extension SNI (Server Name Indication).
+ o Add: Add support for TLS extension ALPN. (markt)
+ o Add: Add support for TLS extension SNI (Server Name Indication).
(markt)
- * Add: Add support for OpenSSL BIO. (jfclere)
- * Add: Support wakeable pollsets and add Poll.interrupt() API. (mturk)
- * Add: Add Pool.unmanaged() API. (mturk)
- * Update: APIs SSL.generateRSATempKey() and SSL.loadDSATempKey() have
+ o Add: Add support for OpenSSL BIO. (jfclere)
+ o Add: Support wakeable pollsets and add Poll.interrupt() API. (mturk)
+ o Add: Add Pool.unmanaged() API. (mturk)
+ o Update: APIs SSL.generateRSATempKey() and SSL.loadDSATempKey() have
been removed. (rjung)
- * Update: The minimum required APR version is 1.4.3.
- * Update: The minimum required OpenSSL version is 1.0.2.
+ o Update: The minimum required APR version is 1.4.3.
+ o Update: The minimum required OpenSSL version is 1.0.2.
Changes in 1.1.x
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/HOWTO-RELEASE.txt
new/tomcat-native-1.2.39-src/HOWTO-RELEASE.txt
--- old/tomcat-native-1.2.38-src/HOWTO-RELEASE.txt 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/HOWTO-RELEASE.txt 2023-09-28
13:57:56.000000000 +0200
@@ -23,7 +23,7 @@
Java 8
Apache Ant 1.9 or later
-Apache APR 1.4.3 or later source (1.7.0 or later recommended)
+Apache APR 1.4.3 or later source (1.7.4 or later recommended)
Preparation
@@ -38,7 +38,7 @@
- build.properties.default
- native/build/rpm/tcnative.spec.in
- native/include/tcn_version.h
-- native/os/win32/libtcnative.rc
+- native/os/win32/libtcnative.rc x3
- xdocs/miscellaneous/changelog.xml
Run the release script to check the Java code is aligned with the current 9.0.x
@@ -67,7 +67,7 @@
git tag 1.2.35
git push origin 1.2.35
-# Reset main
+# Reset 1.2.x
git reset --hard HEAD~1
@@ -77,8 +77,8 @@
# Modify version as appropriate
./jnirelease.sh --ver=1.2.35 --with-apr=/path/to/apr/source
-# Switch back to the main branch
-git checkout main
+# Switch back to the 1.2.x branch
+git checkout 1.2.x
Create the binary release for Windows
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/build.properties.default
new/tomcat-native-1.2.39-src/build.properties.default
--- old/tomcat-native-1.2.38-src/build.properties.default 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/build.properties.default 2023-09-28
13:57:56.000000000 +0200
@@ -18,7 +18,7 @@
# ----- Version Control Flags -----
version.major=1
version.minor=2
-version.build=38
+version.build=39
version.patch=0
version.suffix=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/docs/index.html
new/tomcat-native-1.2.39-src/docs/index.html
--- old/tomcat-native-1.2.38-src/docs/index.html 2023-08-02
10:14:34.000000000 +0200
+++ new/tomcat-native-1.2.39-src/docs/index.html 2023-09-28
13:58:42.000000000 +0200
@@ -28,10 +28,10 @@
</div><h3 id="Headlines">Headlines</h3><div class="text">
<ul>
-<li><a href="news/2023.html#20230602">2 June 2023 - <b>TC-Native-1.2.37
+<li><a href="news/2023.html#20230807">7 August 2023 - <b>TC-Native-1.2.38
released</b></a>
<p>The Apache Tomcat team is proud to announce the immediate availability of
-Tomcat Native 1.2.37 Stable.</p>
+Tomcat Native 1.2.38 Stable.</p>
<p>
The sources and the binaries for selected platforms are available from the
<a href="../download-native.cgi">Download page</a>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tomcat-native-1.2.38-src/docs/miscellaneous/changelog.html
new/tomcat-native-1.2.39-src/docs/miscellaneous/changelog.html
--- old/tomcat-native-1.2.38-src/docs/miscellaneous/changelog.html
2023-08-02 10:14:34.000000000 +0200
+++ new/tomcat-native-1.2.39-src/docs/miscellaneous/changelog.html
2023-09-28 13:58:42.000000000 +0200
@@ -3,6 +3,17 @@
<p>
This is the Changelog for Tomcat Native 1.2.
</p>
+</div><h3 id="Changes_in_1.2.39">Changes in 1.2.39</h3><div class="text">
+ <ul class="changelog">
+ <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+ <a
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=67061";>67061</a>: If the
insecure optionalNoCA certificate verification
+ mode is used, disable OCSP if enabled else client certificates from
+ unknown certificate authorities will be rejected. (markt)
+ </li>
+ <li><img alt="Update: " class="icon" src="../images/update.gif">
+ Update the recommended minimum version of OpenSSL to 3.0.11. (markt)
+ </li>
+ </ul>
</div><h3 id="Changes_in_1.2.38">Changes in 1.2.38</h3><div class="text">
<ul class="changelog">
<li><img alt="Update: " class="icon" src="../images/update.gif">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/docs/news/2023.html
new/tomcat-native-1.2.39-src/docs/news/2023.html
--- old/tomcat-native-1.2.38-src/docs/news/2023.html 2023-08-02
10:14:34.000000000 +0200
+++ new/tomcat-native-1.2.39-src/docs/news/2023.html 2023-09-28
13:58:42.000000000 +0200
@@ -1,6 +1,11 @@
<!DOCTYPE html SYSTEM "about:legacy-compat">
<html lang="en"><head><META http-equiv="Content-Type" content="text/html;
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet"
type="text/css"><link href="../images/style.css" rel="stylesheet"
type="text/css"><title>The Apache Tomcat Native - News - 2023 News and
Status</title></head><body><div id="wrapper"><header><div
id="header"><div><div><div class="logo noPrint"><a
href="http://tomcat.apache.org/";><img alt="Tomcat Home"
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img
src="../images/asf-feather.png" alt="The Apache Software Foundation"
style="width: 266px; height: 83px;"></a></div><h1>The Apache Tomcat Native -
News</h1><div style="height: 1px;"></div><div style="clear:
left;"></div></div></div></div></header><div id="middle"><div><div
id="mainLeft"
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a
href="../index.html">Docs Home</a>
</li></ul></div><div><h2><strong>Miscellaneous
Documentation</strong></h2><ul><li><a
href="../miscellaneous/changelog.html">Changelog</a></li><li><a
href="../miscellaneous/tls-renegotiation.html">TLS
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a
href="../news/2023.html">2023</a></li><li><a
href="../news/2022.html">2022</a></li><li><a
href="../news/2021.html">2021</a></li><li><a
href="../news/2020.html">2020</a></li><li><a
href="../news/2019.html">2019</a></li><li><a
href="../news/2018.html">2018</a></li><li><a
href="../news/2017.html">2017</a></li><li><a
href="../news/2016.html">2016</a></li><li><a
href="../news/2015.html">2015</a></li><li><a
href="../news/2014.html">2014</a></li><li><a
href="../news/2013.html">2013</a></li><li><a
href="../news/2012.html">2012</a></li><li><a
href="../news/2011.html">2011</a></li><li><a
href="../news/2010.html">2010</a></li><li><a
href="../news/2009.html">2009</a></li><li><a
href="../news/2008.html">2008</a></li></ul>
</div></nav></div></div><div id="mainRight"><div id="content"><h2>2023 News
and Status</h2><h3 id="2023_News_&_Status">2023 News & Status</h3><div
class="text">
+ <div class="subsection"><h4 id="20230807">7 August 2023 -
TC-Native-1.2.38 released</h4><div class="text">
+ <p>The Apache Tomcat team is proud to announce the immediate
+ availability of Tomcat Native 1.2.38.</p>
+ </div></div>
+
<div class="subsection"><h4 id="20230602">2 June 2023 - TC-Native-1.2.37
released</h4><div class="text">
<p>The Apache Tomcat team is proud to announce the immediate
availability of Tomcat Native 1.2.37.</p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tomcat-native-1.2.38-src/java/org/apache/tomcat/jni/SSL.java
new/tomcat-native-1.2.39-src/java/org/apache/tomcat/jni/SSL.java
--- old/tomcat-native-1.2.38-src/java/org/apache/tomcat/jni/SSL.java
2023-08-02 10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/java/org/apache/tomcat/jni/SSL.java
2023-09-28 13:57:56.000000000 +0200
@@ -73,7 +73,7 @@
public static final int SSL_PROTOCOL_ALL;
static {
- if (SSL.version() >= 0x1010100f) {
+ if (version() >= 0x1010100f) {
SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 |
SSL_PROTOCOL_TLSV1_2 |
SSL_PROTOCOL_TLSV1_3);
} else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/jnirelease.sh
new/tomcat-native-1.2.39-src/jnirelease.sh
--- old/tomcat-native-1.2.38-src/jnirelease.sh 2023-08-02 10:09:54.000000000
+0200
+++ new/tomcat-native-1.2.39-src/jnirelease.sh 2023-09-28 13:57:56.000000000
+0200
@@ -175,6 +175,7 @@
echo "WARNING: git subtree is not up to date with"
echo " $TCJAVA_GITBASE"
echo " Either correct now by running"
+ echo " 'git checkout 1.2.x'"
echo " 'git rm -rf java/org/apache/tomcat/jni'"
echo " 'git read-tree --prefix=java/org/apache/tomcat/jni/ -u
tcjava/9.0.x:java/org/apache/tomcat/jni'"
echo " 'git commit'"
@@ -290,5 +291,6 @@
$PERL ${JKWINDIST}/native/build/lineends.pl --cr ${JKWINDIST}/${i}
done
$PERL ${JKWINDIST}/native/build/lineends.pl --cr ${JKWINDIST}/CHANGELOG.txt
+$PERL ${JKWINDIST}/native/build/lineends.pl --nocr
${JKWINDIST}/native/srclib/openssl/openssl-msvcrt-3.0.x.patch
zip -9rqyo ${JKWINDIST}.zip ${JKWINDIST}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/native/BUILDING
new/tomcat-native-1.2.39-src/native/BUILDING
--- old/tomcat-native-1.2.38-src/native/BUILDING 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/native/BUILDING 2023-09-28
13:57:56.000000000 +0200
@@ -95,14 +95,14 @@
Unpack the APR source distribution into native\srclib\apr
Apply apr-enable-ipv6.patch
- > c:\cmsc\setenv.bat /x86
+ > c:\cmsc\setenv.bat x86
> nmake -f NMAKEmakefile BUILD_CPU=x86 APR_DECLARE_STATIC=1
> mkdir WINXP_X86_LIB_RELEASE\include
> mkdir WINXP_X86_LIB_RELEASE\lib
> xcopy /E include WINXP_X86_LIB_RELEASE\include\
> copy WINXP_X86_LIB_RELEASE\apr-1.lib WINXP_X86_LIB_RELEASE\lib
- > c:\cmsc\setenv.bat /x64
+ > c:\cmsc\setenv.bat x64
> nmake -f NMAKEmakefile BUILD_CPU=x64 APR_DECLARE_STATIC=1
> mkdir WINXP_X64_LIB_RELEASE\include
> mkdir WINXP_X64_LIB_RELEASE\lib
@@ -114,7 +114,7 @@
Unpack the OpenSSL source distribution into native\srclib\openssl
Apply openssl-msvcrt.patch
- > c:\cmsc\setenv.bat /x86
+ > c:\cmsc\setenv.bat x86
> perl Configure VC-WIN32
> ms\do_nasm
> nmake -f ms\nt.mak
@@ -124,7 +124,7 @@
> xcopy /E inc32 release-x86\include\
> copy out32\*.lib release-x86\lib\
- > c:\cmsc\setenv.bat /x64
+ > c:\cmsc\setenv.bat x64
> perl Configure VC-WIN64A
> ms\do_win64a
> nmake -f ms\nt.mak clean
@@ -139,57 +139,20 @@
> SET JAVA_HOME=C:\Program Files\Java\jdk1.7.0_71
- > c:\cmsc\setenv.bat /x86
+ > c:\cmsc\setenv.bat x86
> nmake -f NMAKEMakefile WITH_APR=srclib\apr\WINXP_X86_LIB_RELEASE
WITH_OPENSSL=srclib\openssl\release-x86 APR_DECLARE_STATIC=1
- > c:\cmsc\setenv.bat /x64
+ > c:\cmsc\setenv.bat x64
> nmake -f NMAKEMakefile WITH_APR=srclib\apr\WINXP_X64_LIB_RELEASE
WITH_OPENSSL=srclib\openssl\release-x64 APR_DECLARE_STATIC=1
Note: Use ENABLE_OCSP=1 to create OCSP enabled builds
-Windows with FIPS
-=================
+FIPS
+====
-The steps are broadly the same as the non-FIPS build with the following
additions and changes.
+No additional build steps are required. Configure OpenSSL to use the FIPS
+certified provider as the default provider as described in the OpenSSL
+documentation:
-Note: The build process has only been verified with 64-bit Windows. The process
- for 32-bit Windows should be very similar.
-
-1. Build the FIPS object module
-
- This step should be completed immediately before building OpenSSL.
-
- Unpack the openssl-fips-2.0.x.tar.gz distribution into
native\srclib\openssl-fips
- The tar.gz contains symbolic links. Ensure you unpack the archive with a
tool
- that replaces these with the linked file or manually replace the symbolic
- links with associated the linked file before continuing.
-
- > c:\cmsc\setenv.bat /x64
- > set FIPSDIR=%cd%\lib-x64
- > ms\do_fips
-
-2. Modify the OpenSSL build configuration
-
- Add 'fips' to the OpenSSL build configuration
-
- > perl Configure VC-WIN64A fips
-
-3. Test the OpenSSL build
-
- This step should be completed immediately after building OpenSSL.
-
- > SET OPENSSL_FIPS=1
- > openssl md5 openssl.exe
-
- This should fail since MD5 is disabled in FIPS mode.
-
- > SET OPENSSL_FIPS=
- > openssl md5 openssl.exe
-
- This should work.
-
-4. Modify the tc-native build configuration
-
- > c:\cmsc\setenv.bat /x64
- > nmake -f NMAKEMakefile WITH_APR=srclib\apr\WINXP_X64_LIB_RELEASE
WITH_OPENSSL=srclib\openssl\release-x64 WITH_FIPS=srclib\openssl-fips\lib-x64
APR_DECLARE_STATIC=1
+ https://www.openssl.org/docs/man3.0/man7/fips_module.html
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tomcat-native-1.2.38-src/native/include/tcn_version.h
new/tomcat-native-1.2.39-src/native/include/tcn_version.h
--- old/tomcat-native-1.2.38-src/native/include/tcn_version.h 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/native/include/tcn_version.h 2023-09-28
13:57:56.000000000 +0200
@@ -63,7 +63,7 @@
#define TCN_MINOR_VERSION 2
/** patch level */
-#define TCN_PATCH_VERSION 38
+#define TCN_PATCH_VERSION 39
/**
* This symbol is defined for internal, "development" copies of TCN. This
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tomcat-native-1.2.38-src/native/os/win32/libtcnative.rc
new/tomcat-native-1.2.39-src/native/os/win32/libtcnative.rc
--- old/tomcat-native-1.2.38-src/native/os/win32/libtcnative.rc 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/native/os/win32/libtcnative.rc 2023-09-28
13:57:56.000000000 +0200
@@ -20,7 +20,7 @@
"See the License for the specific language governing " \
"permissions and limitations under the License."
-#define TCN_VERSION "1.2.38"
+#define TCN_VERSION "1.2.39"
1000 ICON "apache.ico"
1001 DIALOGEX 0, 0, 252, 51
@@ -36,8 +36,8 @@
END
1 VERSIONINFO
- FILEVERSION 1,2,38,0
- PRODUCTVERSION 1,2,38,0
+ FILEVERSION 1,2,39,0
+ PRODUCTVERSION 1,2,39,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/native/src/sslutils.c
new/tomcat-native-1.2.39-src/native/src/sslutils.c
--- old/tomcat-native-1.2.38-src/native/src/sslutils.c 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/native/src/sslutils.c 2023-09-28
13:57:56.000000000 +0200
@@ -329,15 +329,14 @@
con->pha_state = PHA_COMPLETE;
#endif
- if (verify == SSL_CVERIFY_UNSET ||
- verify == SSL_CVERIFY_NONE) {
+ if (verify == SSL_CVERIFY_UNSET || verify == SSL_CVERIFY_NONE) {
return 1;
}
- if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) &&
- (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) {
- ok = 1;
+ if (SSL_VERIFY_ERROR_IS_OPTIONAL(errnum) && (verify ==
SSL_CVERIFY_OPTIONAL_NO_CA)) {
SSL_set_verify_result(ssl, X509_V_OK);
+ // Skip OCSP checks since the CA is optional
+ return 1;
}
/*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/native/srclib/VERSIONS
new/tomcat-native-1.2.39-src/native/srclib/VERSIONS
--- old/tomcat-native-1.2.38-src/native/srclib/VERSIONS 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/native/srclib/VERSIONS 2023-09-28
13:57:56.000000000 +0200
@@ -5,7 +5,7 @@
The following version of the libraries are recommended:
- APR 1.7.4 or later, http://apr.apache.org
-- OpenSSL 1.1.1v or later, http://www.openssl.org
+- OpenSSL 3.0.11 or later, http://www.openssl.org
Older versions should also work but are not as thoroughly tested by the Tomcat
Native team
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tomcat-native-1.2.38-src/native/srclib/openssl/openssl-msvcrt-1.1.1.patch
new/tomcat-native-1.2.39-src/native/srclib/openssl/openssl-msvcrt-1.1.1.patch
---
old/tomcat-native-1.2.38-src/native/srclib/openssl/openssl-msvcrt-1.1.1.patch
2023-08-02 10:09:54.000000000 +0200
+++
new/tomcat-native-1.2.39-src/native/srclib/openssl/openssl-msvcrt-1.1.1.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,74 +0,0 @@
---- Configurations/10-main.conf
-+++ Configurations/10-main.conf
-@@ -1268,7 +1268,7 @@
- # prefer [non-debug] openssl.exe to be free from Micorosoft RTL
- # redistributable.
- bin_cflags => add(picker(debug => "/MDd",
-- release => sub { $disabled{shared} ?
"/MT" : () },
-+ release => "/MD",
- )),
- bin_lflags => add("/subsystem:console /opt:ref"),
- ex_libs => add(sub {
---- crypto/engine/eng_openssl.c
-+++ crypto/engine/eng_openssl.c
-@@ -9,6 +9,7 @@
- */
-
- #include <stdio.h>
-+#include "e_os.h"
- #include <openssl/crypto.h>
- #include "internal/cryptlib.h"
- #include "internal/engine.h"
---- crypto/o_time.c
-+++ crypto/o_time.c
-@@ -41,10 +41,6 @@
- if (gmtime_r(timer, result) == NULL)
- return NULL;
- ts = result;
--#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400
-- if (gmtime_s(result, timer))
-- return NULL;
-- ts = result;
- #else
- ts = gmtime(timer);
- if (ts == NULL)
---- engines/e_capi.c
-+++ engines/e_capi.c
-@@ -15,6 +15,7 @@
- # include <wincrypt.h>
-
- # include <stdio.h>
-+# include "e_os.h"
- # include <string.h>
- # include <stdlib.h>
- # include <malloc.h>
---- test/testutil/basic_output.c
-+++ test/testutil/basic_output.c
-@@ -10,6 +10,7 @@
- #include "../testutil.h"
- #include "output.h"
- #include "tu_local.h"
-+#include "../../e_os.h"
-
- #include <openssl/crypto.h>
- #include <openssl/bio.h>
---- e_os.h
-+++ e_os.h
-@@ -149,7 +149,7 @@
- # endif
- # include <malloc.h>
- # if defined(_MSC_VER) && !defined(_WIN32_WCE) && !defined(_DLL) &&
defined(stdin)
--# if _MSC_VER>=1300 && _MSC_VER<1600
-+# ifdef _WIN64
- # undef stdin
- # undef stdout
- # undef stderr
-@@ -157,7 +157,7 @@
- # define stdin (&__iob_func()[0])
- # define stdout (&__iob_func()[1])
- # define stderr (&__iob_func()[2])
--# elif _MSC_VER<1300 && defined(I_CAN_LIVE_WITH_LNK4049)
-+# else
- # undef stdin
- # undef stdout
- # undef stderr
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tomcat-native-1.2.38-src/native/srclib/openssl/openssl-msvcrt-3.0.x.patch
new/tomcat-native-1.2.39-src/native/srclib/openssl/openssl-msvcrt-3.0.x.patch
---
old/tomcat-native-1.2.38-src/native/srclib/openssl/openssl-msvcrt-3.0.x.patch
2023-08-02 10:09:54.000000000 +0200
+++
new/tomcat-native-1.2.39-src/native/srclib/openssl/openssl-msvcrt-3.0.x.patch
2023-09-28 13:57:56.000000000 +0200
@@ -2,7 +2,7 @@
index 66bc81dfb4..52345e4f33 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
-@@ -1369,7 +1369,7 @@ my %targets = (
+@@ -1379,7 +1379,7 @@ my %targets = (
# prefer [non-debug] openssl.exe to be free from Micorosoft RTL
# redistributable.
bin_cflags => add(picker(debug => "/MDd",
@@ -82,5 +82,6 @@
+#include "e_os.h"
#include "../testutil.h"
+ #include <ctype.h>
#include <openssl/provider.h>
- #include <string.h>
+
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/native/tcnative.spec
new/tomcat-native-1.2.39-src/native/tcnative.spec
--- old/tomcat-native-1.2.38-src/native/tcnative.spec 2023-08-02
10:14:34.000000000 +0200
+++ new/tomcat-native-1.2.39-src/native/tcnative.spec 2023-09-28
13:58:42.000000000 +0200
@@ -21,7 +21,7 @@
Summary: Tomcat Native Java library
Name: tcnative
-Version: 1.2.38
+Version: 1.2.39
Release: 1
License: Apache Software License
Group: System Environment/Libraries
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/xdocs/index.xml
new/tomcat-native-1.2.39-src/xdocs/index.xml
--- old/tomcat-native-1.2.38-src/xdocs/index.xml 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/xdocs/index.xml 2023-09-28
13:57:56.000000000 +0200
@@ -60,10 +60,10 @@
<section name="Headlines">
<ul>
-<li><a href="news/2023.html#20230602">2 June 2023 - <b>TC-Native-1.2.37
+<li><a href="news/2023.html#20230807">7 August 2023 - <b>TC-Native-1.2.38
released</b></a>
<p>The Apache Tomcat team is proud to announce the immediate availability of
-Tomcat Native 1.2.37 Stable.</p>
+Tomcat Native 1.2.38 Stable.</p>
<p>
The sources and the binaries for selected platforms are available from the
<a href="../download-native.cgi">Download page</a>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/tomcat-native-1.2.38-src/xdocs/miscellaneous/changelog.xml
new/tomcat-native-1.2.39-src/xdocs/miscellaneous/changelog.xml
--- old/tomcat-native-1.2.38-src/xdocs/miscellaneous/changelog.xml
2023-08-02 10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/xdocs/miscellaneous/changelog.xml
2023-09-28 13:57:56.000000000 +0200
@@ -30,6 +30,18 @@
This is the Changelog for Tomcat Native 1.2.
</p>
</section>
+<section name="Changes in 1.2.39">
+ <changelog>
+ <fix>
+ <bug>67061</bug>: If the insecure optionalNoCA certificate verification
+ mode is used, disable OCSP if enabled else client certificates from
+ unknown certificate authorities will be rejected. (markt)
+ </fix>
+ <update>
+ Update the recommended minimum version of OpenSSL to 3.0.11. (markt)
+ </update>
+ </changelog>
+</section>
<section name="Changes in 1.2.38">
<changelog>
<update>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/tomcat-native-1.2.38-src/xdocs/news/2023.xml
new/tomcat-native-1.2.39-src/xdocs/news/2023.xml
--- old/tomcat-native-1.2.38-src/xdocs/news/2023.xml 2023-08-02
10:09:54.000000000 +0200
+++ new/tomcat-native-1.2.39-src/xdocs/news/2023.xml 2023-09-28
13:57:56.000000000 +0200
@@ -30,6 +30,11 @@
<section name="2023 News & Status">
+ <subsection anchor="20230807" name="7 August 2023 - TC-Native-1.2.38
released">
+ <p>The Apache Tomcat team is proud to announce the immediate
+ availability of Tomcat Native 1.2.38.</p>
+ </subsection>
+
<subsection anchor="20230602" name="2 June 2023 - TC-Native-1.2.37
released">
<p>The Apache Tomcat team is proud to announce the immediate
availability of Tomcat Native 1.2.37.</p>
