Hello community,

here is the log from the commit of package libtcnative-2-0 for openSUSE:Factory 
checked in at 2026-04-07 16:35:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libtcnative-2-0 (Old)
 and      /work/SRC/openSUSE:Factory/.libtcnative-2-0.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libtcnative-2-0"

Tue Apr  7 16:35:02 2026 rev:2 rq:1344977 version:2.0.14

Changes:
--------
--- /work/SRC/openSUSE:Factory/libtcnative-2-0/libtcnative-2-0.changes  
2026-02-09 19:31:11.029788437 +0100
+++ 
/work/SRC/openSUSE:Factory/.libtcnative-2-0.new.21863/libtcnative-2-0.changes   
    2026-04-07 16:51:51.463864737 +0200
@@ -1,0 +2,49 @@
+Tue Apr  7 11:09:43 UTC 2026 - Fridrich Strba <[email protected]>
+
+- Upgrade to version 2.0.14
+  * Changes of 2.0.14
+    + Code: Refactor access to ASN1_OCTET_STRING to use setters to
+      fix errors when building against the latest OpenSSL 4.0.x code
+    + Fix: Fix the handling of OCSP requests with multiple responder
+      URIs
+    + Fix: Fix the handling of TRY_AGAIN responses to OCSP requests
+      when soft fail is disabled.
+  * Changes of 2.0.13
+    + Code: Due to various refactorings, the 2.0.x code no longer
+      compiles with LibreSSL. Without a volunteer to maintain
+      LibreSSL support, the LibreSSL code will be removed no earlier
+      than 30 September 2026
+    + Fix: Remove group write permissions from the files in the
+      tar.gz source archive
+    + Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL
+      and SSL_CTX clean-up
+    + Fix: Fix unnecessarily large buffer allocation when filtering
+      out NULL and export ciphers. Pull requests #35 and #37
+      provided by chenjp
+    + Fix: Fix a potential memory leak if an invalid OpenSSLConf is
+      provided. Pull request #36 provided by chenjp. (markt)
+    + Fix: Refactor setting of OCSP configuration defaults as they
+      were only applied if the SSL_CONF_CTX was used. While one was
+      always used with Tomcat versions aware of the OCSP
+      configuration options, one was not always used with Tomcat
+      versions unaware of the OCSP configuration options leading to
+      OCSP verification being enabled by default when the expected
+      behaviour was disabled by default
+    + Code: Improve performance for the rare case of handling large
+      OCSP responses
+    + Fix: 69939: Fix the cause of a crash with OpenSSL 3.0.x when a
+      certificate PEM file does not contain explicit DH parameters
+    + Fix: Refactor extraction of ECDH curve name from the
+      Certificate to avoid deprecated OpenSSL methods.
+    + Fix: Refactor the native implementation of SSL.getTime() to
+      avoid the Y2038 problem in SSL_SESSION_get_time() when running
+      on a version of OpenSSL that includes the new
+      SSL_SESSION_get_time_ex() method.
+- Build against libopenssl-3-devel and not against the meta-package
+  libopenssl-devel. This allows buiding on distributions where the
+  openssl-3 exists, but is not default
+- Added patch:
+  * apr163.patch
+    + Allow building and running against libapr-1 1.6.3
+
+-------------------------------------------------------------------

Old:
----
  tomcat-native-2.0.12-src.tar.gz
  tomcat-native-2.0.12-src.tar.gz.asc

New:
----
  apr163.patch
  tomcat-native-2.0.14-src.tar.gz
  tomcat-native-2.0.14-src.tar.gz.asc

----------(New B)----------
  New:- Added patch:
  * apr163.patch
    + Allow building and running against libapr-1 1.6.3
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libtcnative-2-0.spec ++++++
--- /var/tmp/diff_new_pack.MOcR7v/_old  2026-04-07 16:51:53.983969496 +0200
+++ /var/tmp/diff_new_pack.MOcR7v/_new  2026-04-07 16:51:53.995969998 +0200
@@ -18,24 +18,25 @@
 
 %{!?make_build:%global make_build make %{?_smp_mflags}}
 Name:           libtcnative-2-0
-Version:        2.0.12
+Version:        2.0.14
 Release:        0
 Summary:        Tomcat resources for performance, compatibility, etc
 License:        Apache-2.0
 Group:          Productivity/Networking/Web/Servers
 URL:            https://tomcat.apache.org/native-doc/index.html
-Source0:        
https://www.apache.org/dist/tomcat/tomcat-connectors/native/%{version}/source/tomcat-native-%{version}-src.tar.gz
-Source1:        
https://www.apache.org/dist/tomcat/tomcat-connectors/native/%{version}/source/tomcat-native-%{version}-src.tar.gz.asc
+Source0:        
https://archive.apache.org/dist/tomcat/tomcat-connectors/native/%{version}/source/tomcat-native-%{version}-src.tar.gz
+Source1:        
https://archive.apache.org/dist/tomcat/tomcat-connectors/native/%{version}/source/tomcat-native-%{version}-src.tar.gz.asc
 # https://www.apache.org/dist/tomcat/tomcat-connectors/KEYS
 Source2:        %{name}.keyring
+Patch0:         apr163.patch
 BuildRequires:  fdupes
 BuildRequires:  java-devel >= 11
-BuildRequires:  libapr1-devel >= 1.7
-BuildRequires:  libopenssl-devel >= 3.0.0
+BuildRequires:  libapr1-devel >= 1.6.3
+BuildRequires:  libopenssl-3-devel
 BuildRequires:  pkgconfig
 Provides:       tcnative = %{version}
 Provides:       tomcat-native = %{version}
-%if 0%{?suse_version} && 0%{?suse_version} < 1600
+%if 0%{?suse_version} < 1600 && 0%{?sle_version} < 150400
 ExclusiveArch:  do-not-build
 %endif
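Review bot: The rewritten guard `%if 0%{?suse_version} < 1600 && 0%{?sle_version} < 150400` drops the `0%{?suse_version} &&` definedness test that the old line had, so on a build target where neither macro is defined both sides expand to 0 and the package is marked `ExclusiveArch: do-not-build`. If excluding such targets is intended, a comment above the `%if` should say so. Otherwise keep the test: `%if 0%{?suse_version} && 0%{?suse_version} < 1600 && 0%{?sle_version} < 150400`. A one-line comment naming the oldest intended target (the `.changes` entry only says "distributions where the openssl-3 exists, but is not default") would also make the 150400 threshold reviewable.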
 
@@ -49,8 +50,8 @@
 Group:          Development/Libraries/C and C++
 Requires:       %{name} = %{version}-%{release}
 Requires:       glibc-devel
-Requires:       libapr1-devel >= 1.7
-Requires:       libopenssl-devel >= 3.0.0
+Requires:       libapr1-devel >= 1.6.3
+Requires:       libopenssl-3-devel
 Conflicts:      libtcnative-1-0-devel
 
 %description devel
@@ -60,6 +61,7 @@
 
 %prep
 %setup -q -n tomcat-native-%{version}-src
+%patch -P 0 -p1
 
 %build
 cd native

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.MOcR7v/_old  2026-04-07 16:51:54.107974688 +0200
+++ /var/tmp/diff_new_pack.MOcR7v/_new  2026-04-07 16:51:54.139976028 +0200
@@ -1,6 +1,6 @@
-mtime: 1770639401
-commit: 3043c6b807106f2af12e065736de105dc0e1b6718d52f11e7cc9ff5a4038f105
+mtime: 1775560667
+commit: c3221c5bc176032471c21c7151adcafeeec88ba9ff30e9732e79725fb54cf804
 url: https://src.opensuse.org/java-packages/libtcnative-2-0.git
-revision: 3043c6b807106f2af12e065736de105dc0e1b6718d52f11e7cc9ff5a4038f105
+revision: c3221c5bc176032471c21c7151adcafeeec88ba9ff30e9732e79725fb54cf804
 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj
 

++++++ apr163.patch ++++++
--- tomcat-native-2.0.12-src/native/build/tcnative.m4   2026-04-07 
12:40:54.611849110 +0200
+++ tomcat-native-2.0.12-src/native/build/tcnative.m4   2026-04-07 
12:43:50.867607459 +0200
@@ -38,9 +38,9 @@
   set $sapr_version
   IFS=$tc_save_IFS
   decimal_apr_version=`printf %02d%02d%03d ${1} ${2} ${3}`
-  if test "${decimal_apr_version}" -lt "0107000"
+  if test "${decimal_apr_version}" -lt "0106003"
   then
-    AC_MSG_ERROR(Found APR $sapr_version. You need version 1.7.0 or newer 
installed.)
+    AC_MSG_ERROR(Found APR $sapr_version. You need version 1.6.3 or newer 
installed.)
   fi
   AC_MSG_NOTICE(APR $sapr_version detected.)
 
--- tomcat-native-2.0.12-src/native/configure   2026-04-07 12:40:54.610583326 
+0200
+++ tomcat-native-2.0.12-src/native/configure   2026-04-07 12:43:33.856315133 
+0200
@@ -12469,9 +12469,9 @@
   set $sapr_version
   IFS=$tc_save_IFS
   decimal_apr_version=`printf %02d%02d%03d ${1} ${2} ${3}`
-  if test "${decimal_apr_version}" -lt "0107000"
+  if test "${decimal_apr_version}" -lt "0106003"
   then
-    as_fn_error $? "Found APR $sapr_version. You need version 1.7.0 or newer 
installed." "$LINENO" 5
+    as_fn_error $? "Found APR $sapr_version. You need version 1.6.3 or newer 
installed." "$LINENO" 5
   fi
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: APR $sapr_version detected." 
>&5
 printf "%s\n" "$as_me: APR $sapr_version detected." >&6;}
--- tomcat-native-2.0.12-src/native/src/jnilib.c        2026-04-07 
12:40:54.608429654 +0200
+++ tomcat-native-2.0.12-src/native/src/jnilib.c        2026-04-07 
12:44:21.004117648 +0200
@@ -66,8 +66,8 @@
      */
     apr_version(&apv);
     apvn = apv.major * 1000 + apv.minor * 100 + apv.patch;
-    if (apvn < 1700) {
-        tcn_Throw(env, "Unsupported APR version %s: this tcnative requires at 
least 1.7.0",
+    if (apvn < 1603) {
+        tcn_Throw(env, "Unsupported APR version %s: this tcnative requires at 
least 1.6.3",
                   apr_version_string());
         return JNI_ERR;
     }
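Review bot: The runtime guard `if (apvn < 1603)` now lets the library load against APR 1.6.3, while the upstream CHANGELOG shipped in this same update recommends APR 1.7.6 as the minimum (2.0.9 entry), and apr163.patch carries no header explaining why the lower floor is acceptable. The same floor is lowered in the tcnative.m4 and configure hunks of this patch and in the spec's `libapr1-devel >= 1.6.3` lines. The patch should open with a short description stating which distribution needs 1.6.3 and that its libapr1 carries the relevant fixes as backports. It should also state that tcnative 2.0.14 uses no APR API newer than 1.6.3, which is presumably confirmed by the build but is not visible here. The enclosing function starts and ends outside the hunk.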

++++++ build.specials.obscpio ++++++

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-04-07 13:18:29.000000000 +0200
@@ -0,0 +1 @@
+.osc

++++++ tomcat-native-2.0.12-src.tar.gz -> tomcat-native-2.0.14-src.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/CHANGELOG.txt 
new/tomcat-native-2.0.14-src/CHANGELOG.txt
--- old/tomcat-native-2.0.12-src/CHANGELOG.txt  2026-01-06 19:07:33.000000000 
+0100
+++ new/tomcat-native-2.0.14-src/CHANGELOG.txt  2026-03-06 15:06:03.000000000 
+0100
@@ -3,20 +3,61 @@
    This is the Changelog for Apache Tomcat Native 2.0.x. The Tomcat Native
    2.0.x branch started from the 1.2.33 tag.
 
-  Changes in 2.0.12
+  2.0.14
+
+     * Code: Refactor access to ASN1_OCTET_STRING to use setters to fix
+       errors when building against the latest OpenSSL 4.0.x code. (markt)
+     * Fix: Fix the handling of OCSP requests with multiple responder URIs.
+       (jfclere)
+     * Fix: Fix the handling of TRY_AGAIN responses to OCSP requests when
+       soft fail is disabled. (jfclere)
+
+  2026-02-11 2.0.13
+
+     * Code: Due to various refactorings, the 2.0.x code no longer compiles
+       with LibreSSL. Without a volunteer to maintain LibreSSL support, the
+       LibreSSL code will be removed no earlier than 30 September 2026.
+       (markt)
+     * Fix: Remove group write permissions from the files in the tar.gz
+       source archive. (markt)
+     * Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL and
+       SSL_CTX clean-up. (markt)
+     * Fix: Fix unnecessarily large buffer allocation when filtering out NULL
+       and export ciphers. Pull requests #35 and #37 provided by chenjp.
+       (markt)
+     * Fix: Fix a potential memory leak if an invalid OpenSSLConf is
+       provided. Pull request #36 provided by chenjp. (markt)
+     * Fix: Refactor setting of OCSP configuration defaults as they were only
+       applied if the SSL_CONF_CTX was used. While one was always used with
+       Tomcat versions aware of the OCSP configuration options, one was not
+       always used with Tomcat versions unaware of the OCSP configuration
+       options leading to OCSP verification being enabled by default when the
+       expected behaviour was disabled by default. (markt)
+     * Code: Improve performance for the rare case of handling large OCSP
+       responses. (markt)
+     * Fix: 69939: Fix the cause of a crash with OpenSSL 3.0.x when a
+       certificate PEM file does not contain explicit DH parameters. (markt)
+     * Fix: Refactor extraction of ECDH curve name from the Certificate to
+       avoid deprecated OpenSSL methods.
+     * Fix: Refactor the native implementation of SSL.getTime() to avoid the
+       Y2038 problem in SSL_SESSION_get_time() when running on a version of
+       OpenSSL that includes the new SSL_SESSION_get_time_ex() method.
+       (markt)
+
+  2026-01-12 2.0.12
 
      * Fix: Refactor the addition of TLS 1.3 cipher suite configuration to
        avoid a regression when running a version of Tomcat that pre-dates
        this change. (markt)
 
-  Changes in 2.0.11 (not released)
+  not released 2.0.11
 
      * Fix: Fix a reference to an uninitialized variable. (schultz)
      * Fix: Correct file names and update versions in native build
        instructions. (markt)
      * Update: Remove references to deprecated engine configuration. (markt)
 
-  Changes in 2.0.10 (not released)
+  not released 2.0.10
 
      * Update: The Windows binaries are now built with OCSP support enabled
        by default. (markt)
@@ -36,7 +77,7 @@
      * Update: Use automated configuration of DH parameters rather than
        deprecated callback. (markt)
 
-  Changes in 2.0.9
+  2025-05-29 2.0.9
 
      * Update: Update the Windows build environment to use Visual Studio
        2022. (markt)
@@ -45,7 +86,7 @@
      * Update: Update the recommended minimum version of APR to 1.7.6.
        (markt)
 
-  Changes in 2.0.8
+  2024-07-24 2.0.8
 
      * Fix: Fix a crash on Windows when SSLContext.setCACertificate() is
        invoked with a null value for caCertificateFile and a non-null value
@@ -58,7 +99,7 @@
      * Update: Update the recommended minimum version of OpenSSL to 3.0.14.
        (markt)
 
-  Changes in 2.0.7
+  2024-02-08 2.0.7
 
      * Add: 67538: Make use of Ant's <javaversion /> task to enforce the
        mininum Java build version. (michaelo)
@@ -81,7 +122,7 @@
      * Update: Update the recommended minimum version of OpenSSL to 3.0.13.
        (markt)
 
-  Changes in 2.0.6
+  2023-10-02 2.0.6
 
      * Fix: 67061: If the insecure optionalNoCA certificate verification mode
        is used, disable OCSP if enabled else client certificates from unknown
@@ -89,7 +130,7 @@
      * Update: Update the recommended minimum version of OpenSSL to 3.0.11.
        (markt)
 
-  Changes in 2.0.5
+  2023-08-07 2.0.5
 
      * Update: 66666: Remove non-reachable functions from ssl.c. (michaelo)
      * Update: Align default pass phrase prompt with HTTPd. (michaelo)
@@ -104,32 +145,32 @@
      * Update: Update the recommended minimum version of OpenSSL to 3.0.10.
        (markt)
 
-  Changes in 2.0.4
+  not released 2.0.4
 
      * Update: Update the recommended minimum version of APR to 1.7.4.
        (markt)
      * Update: Update the recommended minimum version of OpenSSL to 3.0.9.
        (markt)
 
-  Changes in 2.0.3
+  2023-02-13 2.0.3
 
      * Update: Update the recommended minimum version of APR to 1.7.2.
        (markt)
      * Update: Update the recommended minimum version of OpenSSL to 3.0.8.
        (markt)
 
-  Changes in 2.0.2
+  2022-11-08 2.0.2
 
      * Update: Update the minimum supported version of LibreSSL to 3.5.2.
        Based on pull request #13 provided by orbea. (markt)
      * Fix: Fix build when building with rlibtool. Pull request #14 provided
        by orbea. (markt)
 
-  Changes in 2.0.1
+  2022-07-12 2.0.1
 
      * Update: Update recommended OpenSSL version to 3.0.5 or later. (markt)
 
-  Changes in 2.0.0
+  not released 2.0.0
 
      * Update: Update the minimum required version of OpenSSL to 3.0.0 and
        make it a madatory dependency. (markt)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/HOWTO-RELEASE.txt 
new/tomcat-native-2.0.14-src/HOWTO-RELEASE.txt
--- old/tomcat-native-2.0.12-src/HOWTO-RELEASE.txt      2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/HOWTO-RELEASE.txt      2026-03-06 
15:04:25.000000000 +0100
@@ -58,6 +58,7 @@
 # Edit files to remove / disable dev build flags
 # - build.properties.default
 # - tcn_version.h
+# - changelog.xml (clear rtext) 
 
 # Confirm the previous edits
 git diff
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/build.properties.default 
new/tomcat-native-2.0.14-src/build.properties.default
--- old/tomcat-native-2.0.12-src/build.properties.default       2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/build.properties.default       2026-03-06 
15:04:25.000000000 +0100
@@ -18,7 +18,7 @@
 # ----- Version Control Flags -----
 version.major=2
 version.minor=0
-version.build=12
+version.build=14
 version.patch=0
 version.suffix=
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/docs/index.html 
new/tomcat-native-2.0.14-src/docs/index.html
--- old/tomcat-native-2.0.12-src/docs/index.html        2026-01-06 
19:07:33.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/index.html        2026-03-06 
15:06:03.000000000 +0100
@@ -1,5 +1,5 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
-<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="./images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - Documentation 
Index</title><meta name="author" content="Jean-Frederic 
Clere"></head><body><div id="wrapper"><header><div id="header"><div><div><div 
class="logo noPrint"><a href="https://tomcat.apache.org/";><img alt="Tomcat 
Home" src="./images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="./images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 
2.0</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" class="noprint"><div><nav><div><h2><strong>Links</stro
 ng></h2><ul><li><a href="index.html">Docs 
Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="miscellaneous/changelog.html">Changelog</a></li><li><a 
href="miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="news/2024.html">2024</a></li><li><a 
href="news/2023.html">2023</a></li><li><a 
href="news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>Documentation Index</h2><h3 
id="Introduction">Introduction</h3><div class="text">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="./images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - Documentation 
Index</title><meta name="author" content="Jean-Frederic 
Clere"></head><body><div id="wrapper"><header><div id="header"><div><div><div 
class="logo noPrint"><a href="https://tomcat.apache.org/";><img alt="Tomcat 
Home" src="./images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="./images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 
2.0</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" class="noprint"><div><nav><div><h2><strong>Links</stro
 ng></h2><ul><li><a href="index.html">Docs 
Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="miscellaneous/changelog.html">Changelog</a></li><li><a 
href="miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="news/2026.html">2026</a></li><li><a 
href="news/2025.html">2025</a></li><li><a 
href="news/2024.html">2024</a></li><li><a 
href="news/2023.html">2023</a></li><li><a 
href="news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>Documentation Index</h2><h3 
id="Introduction">Introduction</h3><div class="text">
 
   <p>
     The Apache Tomcat Native Library is an optional component for use with
@@ -10,10 +10,10 @@
 </div><h3 id="Headlines">Headlines</h3><div class="text">
 <ul>
 
-<li><a href="news/2025.html#20250529">29 May 2025 - <b>TC-Native-2.0.9
+<li><a href="news/2026.html#20260211">11 February 2026 - 
<b>Tomcat-Native-2.0.13
 released</b></a>
 <p>The Apache Tomcat team is proud to announce the immediate availability of
-Tomcat Native 2.0.9 Stable.</p>
+Tomcat Native 2.0.13 Stable.</p>
 <p>
 The sources and the binaries for selected platforms are available from the
 <a href="../download-native.cgi">Download page</a>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/docs/miscellaneous/changelog.html 
new/tomcat-native-2.0.14-src/docs/miscellaneous/changelog.html
--- old/tomcat-native-2.0.12-src/docs/miscellaneous/changelog.html      
2026-01-06 19:07:33.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/miscellaneous/changelog.html      
2026-03-06 15:06:02.000000000 +0100
@@ -1,10 +1,74 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
-<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - Miscellaneous 
Documentation - </title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
Miscellaneous Documentation</h1><div style="height: 1px;"></div><div 
style="clear: left;"></div></div></div></div></header><div 
id="middle"><div><div id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></
 h2><ul><li><a href="../index.html">Docs 
Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2></h2><h3 id="Preface">Preface</h3><div 
class="text">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - Miscellaneous 
Documentation - </title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
Miscellaneous Documentation</h1><div style="height: 1px;"></div><div 
style="clear: left;"></div></div></div></div></header><div 
id="middle"><div><div id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></
 h2><ul><li><a href="../index.html">Docs 
Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2026.html">2026</a></li><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2></h2><h3 id="Preface">Preface</h3><div 
class="text">
   <p>
   This is the Changelog for Apache Tomcat Native 2.0.x. The Tomcat Native 2.0.x
   branch started from the 1.2.33 tag.
   </p>
-</div><h3 id="Changes_in_2.0.12">Changes in 2.0.12</h3><div class="text">
+</div><h3 id="2.0.14"><span style="float: right;"></span> 2.0.14</h3><div 
class="text">
+  <ul class="changelog">
+    <li><img alt="Code: " class="icon" src="../images/code.gif">
+      Refactor access to ASN1_OCTET_STRING to use setters to fix errors when
+      building against the latest OpenSSL 4.0.x code. (markt)
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Fix the handling of OCSP requests with multiple responder URIs. (jfclere)
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Fix the handling of <code>TRY_AGAIN</code> responses to OCSP requests 
when
+      soft fail is disabled. (jfclere)
+    </li>
+  </ul>
+</div><h3 id="2.0.13"><span style="float: right;">2026-02-11</span> 
2.0.13</h3><div class="text">
+  <ul class="changelog">
+    <li><img alt="Code: " class="icon" src="../images/code.gif">
+      Due to various refactorings, the 2.0.x code no longer compiles with
+      LibreSSL. Without a volunteer to maintain LibreSSL support, the LibreSSL
+      code will be removed no earlier than 30 September 2026. (markt)</li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Remove group write permissions from the files in the tar.gz source
+      archive. (markt)
+    </li>
+    <li><img alt="Code: " class="icon" src="../images/code.gif">
+      Refactor the SSL_CONF_CTX clean-up to align it with SSL and SSL_CTX
+      clean-up. (markt)
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Fix unnecessarily large buffer allocation when filtering out NULL and
+      export ciphers. Pull requests <a 
href="https://github.com/apache/tomcat-native/pull/35";>#35</a> and <a 
href="https://github.com/apache/tomcat-native/pull/37";>#37</a> provided by
+      chenjp. (markt)
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Fix a potential memory leak if an invalid <code>OpenSSLConf</code> is
+      provided. Pull request <a 
href="https://github.com/apache/tomcat-native/pull/36";>#36</a> provided by 
chenjp. (markt)
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Refactor setting of OCSP configuration defaults as they were only applied
+      if the SSL_CONF_CTX was used. While one was always used with Tomcat
+      versions aware of the OCSP configuration options, one was not always used
+      with Tomcat versions unaware of the OCSP configuration options leading to
+      OCSP verification being enabled by default when the expected behaviour 
was
+      disabled by default. (markt)
+    </li>
+    <li><img alt="Code: " class="icon" src="../images/code.gif">
+      Improve performance for the rare case of handling large OCSP responses.
+      (markt)
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      <a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=69939";>69939</a>: Fix the 
cause of a crash with OpenSSL 3.0.x when a
+      certificate PEM file does not contain explicit DH parameters. (markt)
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Refactor extraction of ECDH curve name from the Certificate to avoid
+      deprecated OpenSSL methods.
+    </li>
+    <li><img alt="Fix: " class="icon" src="../images/fix.gif">
+      Refactor the native implementation of <code>SSL.getTime()</code> to avoid
+      the Y2038 problem in <code>SSL_SESSION_get_time()</code> when running on 
a
+      version of OpenSSL that includes the new
+      <code>SSL_SESSION_get_time_ex()</code> method. (markt)
+    </li>
+  </ul>
+</div><h3 id="2.0.12"><span style="float: right;">2026-01-12</span> 
2.0.12</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Fix: " class="icon" src="../images/fix.gif">
       Refactor the addition of TLS 1.3 cipher suite configuration to avoid a
@@ -12,7 +76,7 @@
       (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.11_(not_released)">Changes in 2.0.11 (not 
released)</h3><div class="text">
+</div><h3 id="2.0.11"><span style="float: right;">not released</span> 
2.0.11</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Fix: " class="icon" src="../images/fix.gif">
       Fix a reference to an uninitialized variable. (schultz)
@@ -25,7 +89,7 @@
       Remove references to deprecated engine configuration. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.10_(not_released)">Changes in 2.0.10 (not 
released)</h3><div class="text">
+</div><h3 id="2.0.10"><span style="float: right;">not released</span> 
2.0.10</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       The Windows binaries are now built with OCSP support enabled by default.
@@ -63,7 +127,7 @@
       callback. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.9">Changes in 2.0.9</h3><div class="text">
+</div><h3 id="2.0.9"><span style="float: right;">2025-05-29</span> 
2.0.9</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       Update the Windows build environment to use Visual Studio 2022. (markt)
@@ -75,7 +139,7 @@
       Update the recommended minimum version of APR to 1.7.6. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.8">Changes in 2.0.8</h3><div class="text">
+</div><h3 id="2.0.8"><span style="float: right;">2024-07-24</span> 
2.0.8</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Fix: " class="icon" src="../images/fix.gif">
       Fix a crash on Windows when <code>SSLContext.setCACertificate()</code>
@@ -96,7 +160,7 @@
       Update the recommended minimum version of OpenSSL to 3.0.14. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.7">Changes in 2.0.7</h3><div class="text">
+</div><h3 id="2.0.7"><span style="float: right;">2024-02-08</span> 
2.0.7</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Add: " class="icon" src="../images/add.gif">
       <a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=67538";>67538</a>: Make use 
of Ant's <code>&lt;javaversion /&gt;</code>
@@ -135,7 +199,7 @@
       Update the recommended minimum version of OpenSSL to 3.0.13. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.6">Changes in 2.0.6</h3><div class="text">
+</div><h3 id="2.0.6"><span style="float: right;">2023-10-02</span> 
2.0.6</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Fix: " class="icon" src="../images/fix.gif">
       <a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=67061";>67061</a>: If the 
insecure optionalNoCA certificate verification
@@ -146,7 +210,7 @@
       Update the recommended minimum version of OpenSSL to 3.0.11. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.5">Changes in 2.0.5</h3><div class="text">
+</div><h3 id="2.0.5"><span style="float: right;">2023-08-07</span> 
2.0.5</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       <a 
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=66666";>66666</a>: Remove 
non-reachable functions from ssl.c. (michaelo)
@@ -173,7 +237,7 @@
       Update the recommended minimum version of OpenSSL to 3.0.10. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.4">Changes in 2.0.4</h3><div class="text">
+</div><h3 id="2.0.4"><span style="float: right;">not released</span> 
2.0.4</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       Update the recommended minimum version of APR to 1.7.4. (markt)
@@ -182,7 +246,7 @@
       Update the recommended minimum version of OpenSSL to 3.0.9. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.3">Changes in 2.0.3</h3><div class="text">
+</div><h3 id="2.0.3"><span style="float: right;">2023-02-13</span> 
2.0.3</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       Update the recommended minimum version of APR to 1.7.2. (markt)
@@ -191,7 +255,7 @@
       Update the recommended minimum version of OpenSSL to 3.0.8. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.2">Changes in 2.0.2</h3><div class="text">
+</div><h3 id="2.0.2"><span style="float: right;">2022-11-08</span> 
2.0.2</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       Update the minimum supported version of LibreSSL to 3.5.2. Based on pull
@@ -202,13 +266,13 @@
       by orbea. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.1">Changes in 2.0.1</h3><div class="text">
+</div><h3 id="2.0.1"><span style="float: right;">2022-07-12</span> 
2.0.1</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       Update recommended OpenSSL version to 3.0.5 or later. (markt)
     </li>
   </ul>
-</div><h3 id="Changes_in_2.0.0">Changes in 2.0.0</h3><div class="text">
+</div><h3 id="2.0.0"><span style="float: right;">not released</span> 
2.0.0</h3><div class="text">
   <ul class="changelog">
     <li><img alt="Update: " class="icon" src="../images/update.gif">
       Update the minimum required version of OpenSSL to 3.0.0 and make it a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/docs/miscellaneous/tls-renegotiation.html 
new/tomcat-native-2.0.14-src/docs/miscellaneous/tls-renegotiation.html
--- old/tomcat-native-2.0.12-src/docs/miscellaneous/tls-renegotiation.html      
2026-01-06 19:07:33.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/miscellaneous/tls-renegotiation.html      
2026-03-06 15:06:02.000000000 +0100
@@ -1,5 +1,5 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
-<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - Miscellaneous 
Documentation - </title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
Miscellaneous Documentation</h1><div style="height: 1px;"></div><div 
style="clear: left;"></div></div></div></div></header><div 
id="middle"><div><div id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></
 h2><ul><li><a href="../index.html">Docs 
Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2></h2><h3 
id="Introduction">Introduction</h3><div class="text">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - Miscellaneous 
Documentation - </title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
Miscellaneous Documentation</h1><div style="height: 1px;"></div><div 
style="clear: left;"></div></div></div></div></header><div 
id="middle"><div><div id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></
 h2><ul><li><a href="../index.html">Docs 
Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2026.html">2026</a></li><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2></h2><h3 
id="Introduction">Introduction</h3><div class="text">
   <p>
   Historically there have been security issues associated with TLS
   renegotiation. This page describes the renegotiation behaviour of the Tomcat
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/docs/news/2022.html 
new/tomcat-native-2.0.14-src/docs/news/2022.html
--- old/tomcat-native-2.0.12-src/docs/news/2022.html    2026-01-06 
19:07:33.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/news/2022.html    2026-03-06 
15:06:03.000000000 +0100
@@ -1,5 +1,5 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
-<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2022 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2022 News and Status</h2><h3 
id="2022_News_&amp;_Status">2022 News &amp; Status</h3><div class="text">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2022 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2026.html">2026</a></li><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2022 News and Status</h2><h3 
id="2022_News_&amp;_Status">2022 News &amp; Status</h3><div class="text">
     
       <div class="subsection"><h4 id="20220811">11 November 2022 - 
TC-Native-2.0.2 released</h4><div class="text">
         <p>The Apache Tomcat team is proud to announce the immediate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/docs/news/2023.html 
new/tomcat-native-2.0.14-src/docs/news/2023.html
--- old/tomcat-native-2.0.12-src/docs/news/2023.html    2026-01-06 
19:07:33.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/news/2023.html    2026-03-06 
15:06:03.000000000 +0100
@@ -1,5 +1,5 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
-<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2023 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2023 News and Status</h2><h3 
id="2023_News_&amp;_Status">2023 News &amp; Status</h3><div class="text">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2023 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2026.html">2026</a></li><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2023 News and Status</h2><h3 
id="2023_News_&amp;_Status">2023 News &amp; Status</h3><div class="text">
     
       <div class="subsection"><h4 id="20231002">2 October 2023 - 
TC-Native-2.0.6 released</h4><div class="text">
         <p>The Apache Tomcat team is proud to announce the immediate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/docs/news/2024.html 
new/tomcat-native-2.0.14-src/docs/news/2024.html
--- old/tomcat-native-2.0.12-src/docs/news/2024.html    2026-01-06 
19:07:33.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/news/2024.html    2026-03-06 
15:06:03.000000000 +0100
@@ -1,5 +1,5 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
-<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2024 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2024 News and Status</h2><h3 
id="2024_News_&amp;_Status">2024 News &amp; Status</h3><div class="text">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2024 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2026.html">2026</a></li><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2024 News and Status</h2><h3 
id="2024_News_&amp;_Status">2024 News &amp; Status</h3><div class="text">
     
       <div class="subsection"><h4 id="202400727">27 July 2024 - 
TC-Native-2.0.8 released</h4><div class="text">
         <p>The Apache Tomcat team is proud to announce the immediate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/docs/news/2025.html 
new/tomcat-native-2.0.14-src/docs/news/2025.html
--- old/tomcat-native-2.0.12-src/docs/news/2025.html    2026-01-06 
19:07:33.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/news/2025.html    2026-03-06 
15:06:03.000000000 +0100
@@ -1,5 +1,5 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
-<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2025 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2025 News and Status</h2><h3 
id="2025_News_&amp;_Status">2025 News &amp; Status</h3><div class="text">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2025 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2026.html">2026</a></li><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2025 News and Status</h2><h3 
id="2025_News_&amp;_Status">2025 News &amp; Status</h3><div class="text">
     
       <div class="subsection"><h4 id="20250529">29 May 2025 - TC-Native-2.0.9 
released</h4><div class="text">
         <p>The Apache Tomcat team is proud to announce the immediate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/docs/news/2026.html 
new/tomcat-native-2.0.14-src/docs/news/2026.html
--- old/tomcat-native-2.0.12-src/docs/news/2026.html    1970-01-01 
01:00:00.000000000 +0100
+++ new/tomcat-native-2.0.14-src/docs/news/2026.html    2026-03-06 
15:06:03.000000000 +0100
@@ -0,0 +1,16 @@
+<!DOCTYPE html SYSTEM "about:legacy-compat">
+<html lang="en"><head><META http-equiv="Content-Type" content="text/html; 
charset=UTF-8"><link href="../images/docs-stylesheet.css" rel="stylesheet" 
type="text/css"><link href="../images/style.css" rel="stylesheet" 
type="text/css"><title>The Apache Tomcat Native Library 2.0 - News - 2026 News 
and Status</title></head><body><div id="wrapper"><header><div 
id="header"><div><div><div class="logo noPrint"><a 
href="https://tomcat.apache.org/";><img alt="Tomcat Home" 
src="../images/tomcat.png"></a></div><div style="height: 1px;"></div><div 
class="asfLogo noPrint"><a href="http://www.apache.org/"; target="_blank"><img 
src="../images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 
266px; height: 83px;"></a></div><h1>The Apache Tomcat Native Library 2.0 - 
News</h1><div style="height: 1px;"></div><div style="clear: 
left;"></div></div></div></div></header><div id="middle"><div><div 
id="mainLeft" 
class="noprint"><div><nav><div><h2><strong>Links</strong></h2><ul><li><a 
href="../ind
 ex.html">Docs Home</a></li></ul></div><div><h2><strong>Miscellaneous 
Documentation</strong></h2><ul><li><a 
href="../miscellaneous/changelog.html">Changelog</a></li><li><a 
href="../miscellaneous/tls-renegotiation.html">TLS 
renegotiation</a></li></ul></div><div><h2><strong>News</strong></h2><ul><li><a 
href="../news/2026.html">2026</a></li><li><a 
href="../news/2025.html">2025</a></li><li><a 
href="../news/2024.html">2024</a></li><li><a 
href="../news/2023.html">2023</a></li><li><a 
href="../news/2022.html">2022</a></li></ul></div></nav></div></div><div 
id="mainRight"><div id="content"><h2>2026 News and Status</h2><h3 
id="2026_News_&amp;_Status">2026 News &amp; Status</h3><div class="text">
+    
+      <div class="subsection"><h4 id="20260211">11 February 2026 - 
Tomcat-Native-2.0.13 released</h4><div class="text">
+        <p>The Apache Tomcat team is proud to announce the immediate
+        availability of Tomcat Native 2.0.13.</p>
+      </div></div>
+
+      <div class="subsection"><h4 id="20260112">12 January 2026 - 
Tomcat-Native-2.0.12 released</h4><div class="text">
+        <p>The Apache Tomcat team is proud to announce the immediate
+        availability of Tomcat Native 2.0.12.</p>
+      </div></div>
+
+    </div></div></div></div></div><footer><div id="footer">
+    Copyright &copy; 2008-2026, The Apache Software Foundation
+  </div></footer></div></body></html>
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/java/org/apache/tomcat/jni/SSLConf.java 
new/tomcat-native-2.0.14-src/java/org/apache/tomcat/jni/SSLConf.java
--- old/tomcat-native-2.0.12-src/java/org/apache/tomcat/jni/SSLConf.java        
2026-01-06 19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/java/org/apache/tomcat/jni/SSLConf.java        
2026-03-06 15:04:25.000000000 +0100
@@ -53,7 +53,11 @@
     public static native void free(long cctx);
 
     /**
-     * Check a command with an SSL_CONF context.
+     * Optionally used to check a command with an SSL_CONF context.
+     * <p>
+     * This call is also used to pass Tomcat specific settings to Tomcat 
Native. It must be called for for each Tomcat
+     * specific setting (e.g. {@link 
org.apache.tomcat.util.net.openssl.OpenSSLConfCmd#NO_OCSP_CHECK}) before {@link
+     * #assign(long, long)} is called.
      *
      * @param cctx  SSL_CONF context to use.
      * @param name  command name.
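Review bot: The new Javadoc paragraph for `check()` contains a doubled word, "It must be called for for each Tomcat specific setting", which should read `It must be called for each Tomcat specific setting`. The `{@link org.apache.tomcat.util.net.openssl.OpenSSLConfCmd#NO_OCSP_CHECK}` target appears to live in Tomcat itself rather than in this library, so the link may not resolve when this project's Javadoc is built on its own. If that class is not on the Javadoc classpath, `{@code ...}` would be the safer form. The rest of the comment and the method declaration lie outside the hunk.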
@@ -71,6 +75,10 @@
     /**
      * Assign an SSL context to an SSL_CONF context. All following calls to 
{@link #apply(long, String, String)} will be
      * applied to this SSL context.
+     * <p>
+     * For Tomcat specific settings this call applies previous settings set 
via calls to {@link
+     * #check(long, String, String)}. Further calls to {@link #check(long, 
String, String)} after a call to this method
+     * will have no effect.
      *
      * @param cctx SSL_CONF context to use.
      * @param ctx  SSL context to assign to the given SSL_CONF context.
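Review bot: The added text for `assign()` says later `check()` calls "will have no effect", but it does not say whether the caller is told that a setting was dropped. The same gap applies to the "no effect" sentences added to `apply()` and `finish()` in the next two hunks. The Tomcat specific settings include OCSP controls such as `NO_OCSP_CHECK`, so a setting passed in the wrong order or through `apply()` would leave the default revocation behaviour in place without the operator noticing. The Javadoc should state what is returned in that case, for example `Such calls are ignored and no error is reported.`, if that is what the native side does. That behaviour is not visible in this hunk.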
@@ -82,6 +90,8 @@
 
     /**
      * Apply a command to an SSL_CONF context.
+     * <p>
+     * This call has no effect for Tomcat specific settings.
      *
      * @param cctx  SSL_CONF context to use.
      * @param name  command name.
@@ -97,6 +107,8 @@
 
     /**
      * Finish commands for an SSL_CONF context.
+     * <p>
+     * This call has no effect for Tomcat specific settings.
      *
      * @param cctx SSL_CONF context to use.
      *
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/jnirelease.sh 
new/tomcat-native-2.0.14-src/jnirelease.sh
--- old/tomcat-native-2.0.12-src/jnirelease.sh  2026-01-06 19:06:49.000000000 
+0100
+++ new/tomcat-native-2.0.14-src/jnirelease.sh  2026-03-06 15:04:25.000000000 
+0100
@@ -256,6 +256,9 @@
 ./buildconf --with-apr=$apr_src_dir || exit 1
 
 cd "$top"
+# Remove write permissions from all but the owner
+chmod -R go-w ${JKJNIDIST}
+
 # Create source distribution
 tar -cf - ${JKJNIDIST} | gzip -c9 > ${JKJNIDIST}.tar.gz || exit 1
 
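Review bot: The added `chmod -R go-w ${JKJNIDIST}` is not checked, unlike the `./buildconf` and `tar` lines around it that end in `|| exit 1`. If it fails, the script goes on to build the source archive with the group-writable modes this change is meant to remove. The variable is also unquoted. I would write `chmod -R go-w "${JKJNIDIST}" || exit 1`. The comment says "all but the owner" while the mode only clears group and other write bits, which is the same thing, so the comment is fine as it stands.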
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/native/include/ssl_private.h 
new/tomcat-native-2.0.14-src/native/include/ssl_private.h
--- old/tomcat-native-2.0.12-src/native/include/ssl_private.h   2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/include/ssl_private.h   2026-03-06 
15:04:25.000000000 +0100
@@ -49,6 +49,7 @@
 #ifndef LIBRESSL_VERSION_NUMBER
 #include <openssl/provider.h>
 #endif
+#include <openssl/core_names.h>
 
 #ifndef RAND_MAX
 #include <limits.h>
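Review bot: The new `#include <openssl/core_names.h>` is placed after the `#endif` of the `#ifndef LIBRESSL_VERSION_NUMBER` guard, so it is pulled in unconditionally while `<openssl/provider.h>` directly above stays guarded. That header is an OpenSSL 3.x one and is likely absent from LibreSSL, so the guard no longer describes what builds. Either move the include inside the guard or add a comment such as `/* OpenSSL 3.x only; LibreSSL builds are not supported */`, so the next reader does not assume the LibreSSL path still works.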
@@ -378,7 +379,7 @@
 DH         *SSL_get_dh_params(unsigned keylen);
 EVP_PKEY   *SSL_dh_GetParamFromFile(const char *);
 #ifdef HAVE_ECC
-EC_GROUP   *SSL_ec_GetParamFromFile(const char *);
+int         SSL_ec_GetParamFromFile(const char *);
 #endif
 DH         *SSL_callback_tmp_DH(SSL *, int, int);
 void        SSL_callback_handshake(const SSL *, int, int);
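Review bot: `SSL_ec_GetParamFromFile` now returns `int`, and the prototype gives no hint of what that value is or which value means failure. With the old `EC_GROUP *` return a NULL check was the obvious test. A caller still written as `if (!result)` compiles unchanged against the new type and may treat an error as success, or the reverse, depending on the convention. Add a comment on the declaration, for example `/* returns the curve NID, or <FAILURE_VALUE> if the file has no usable EC parameters */`, with the actual convention filled in from the implementation. The callers and the definition are outside this hunk.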
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/native/include/tcn_version.h 
new/tomcat-native-2.0.14-src/native/include/tcn_version.h
--- old/tomcat-native-2.0.12-src/native/include/tcn_version.h   2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/include/tcn_version.h   2026-03-06 
15:04:25.000000000 +0100
@@ -63,7 +63,7 @@
 #define TCN_MINOR_VERSION       0
 
 /** patch level */
-#define TCN_PATCH_VERSION       12
+#define TCN_PATCH_VERSION       14
 
 /**
  *  This symbol is defined for internal, "development" copies of TCN. This
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/native/os/win32/libtcnative.rc 
new/tomcat-native-2.0.14-src/native/os/win32/libtcnative.rc
--- old/tomcat-native-2.0.12-src/native/os/win32/libtcnative.rc 2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/os/win32/libtcnative.rc 2026-03-06 
15:04:25.000000000 +0100
@@ -19,7 +19,7 @@
                      "See the License for the specific language governing " \
                      "permissions and limitations under the License."
 
-#define TCN_VERSION "2.0.12"
+#define TCN_VERSION "2.0.14"
 1000 ICON "apache.ico"
 
 1001 DIALOGEX 0, 0, 252, 51
@@ -35,8 +35,8 @@
 END
 
 1 VERSIONINFO
- FILEVERSION 2,0,12,0
- PRODUCTVERSION 2,0,12,0
+ FILEVERSION 2,0,14,0
+ PRODUCTVERSION 2,0,14,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/native/src/jnilib.c 
new/tomcat-native-2.0.14-src/native/src/jnilib.c
--- old/tomcat-native-2.0.12-src/native/src/jnilib.c    2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/src/jnilib.c    2026-03-06 
15:04:25.000000000 +0100
@@ -452,7 +452,7 @@
     return 0;
 }
 
-apr_pool_t *tcn_get_global_pool()
+apr_pool_t *tcn_get_global_pool(void)
 {
     if (!tcn_global_pool) {
         if (apr_pool_create(&tcn_global_pool, NULL) != APR_SUCCESS) {
@@ -463,12 +463,12 @@
     return tcn_global_pool;
 }
 
-jclass tcn_get_string_class()
+jclass tcn_get_string_class(void)
 {
     return jString_class;
 }
 
-JavaVM * tcn_get_java_vm()
+JavaVM * tcn_get_java_vm(void)
 {
     return tcn_global_vm;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/native/src/ssl.c 
new/tomcat-native-2.0.14-src/native/src/ssl.c
--- old/tomcat-native-2.0.12-src/native/src/ssl.c       2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/src/ssl.c       2026-03-06 
15:04:25.000000000 +0100
@@ -990,7 +990,11 @@
 
     session  = SSL_get_session(ssl_);
     if (session) {
-        return SSL_get_time(session);
+#if (OPENSSL_VERSION_NUMBER > 0x302FFFFFL)
+        return SSL_SESSION_get_time_ex(session);
+#else
+        return SSL_SESSION_get_time(session);
+#endif
     } else {
         tcn_ThrowException(e, "ssl session is null");
         return 0;
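Review bot: The version test `#if (OPENSSL_VERSION_NUMBER > 0x302FFFFFL)` is hard to read as "3.3.0 or later"; the lower-bound form `#if (OPENSSL_VERSION_NUMBER >= 0x30300000L)` says the same thing directly. A short comment such as `/* SSL_SESSION_get_time_ex() is available from OpenSSL 3.3 */` would explain why the branch exists. The two calls may also return different integer types, so the enclosing function's return type should be wide enough for both. Its signature is outside this hunk.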
@@ -1148,7 +1152,7 @@
      *  no matter what was given in the config.
      */
     len = strlen(J2S(cipherList)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
-    buf = malloc(len * sizeof(char *));
+    buf = malloc(len * sizeof(char));
     if (buf == NULL) {
         rv = JNI_FALSE;
         goto free_cipherList;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/native/src/sslconf.c 
new/tomcat-native-2.0.14-src/native/src/sslconf.c
--- old/tomcat-native-2.0.12-src/native/src/sslconf.c   2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/src/sslconf.c   2026-03-06 
15:04:25.000000000 +0100
@@ -113,12 +113,29 @@
     c->cctx = cctx;
     c->pool = p;
 
-    /* OCSP defaults */
+    /*
+     * Some Tomcat Native specific settings are also set via this 
representation
+     * of the SSL_CONF_CTX. This process is a little bit hacky. The expected
+     * call sequence is:
+     * - SSLConf.make() - create SSL_CONF_CTX and the associated Tomcat Native
+     *   object
+     * - SSLConf.check() - MUST be called for each Tomcat specific setting that
+     *   needs to be configured. May be called for OpenSSL settings in which
+     *   case the setting will be validated.
+     * - SSLConf.assign() - this actually *applies* the Tomcat Native specific
+     *   configuration to Tomcat Native as well as linking the SSL_CONF_CTX
+     *   object with the SSL_CTX object.
+     * - SSLConf.apply() - called for each OpenSSL setting. Any Tomcat specific
+     *   settings used here will be ignored.
+     * - SSLConf.finish() - MUST be called to complete the OpenSSL setting
+     *   process.
+     */
+    /* Initialise Tomcat Native specific OCSP defaults */
     c->no_ocsp_check     = OCSP_NO_CHECK_DEFAULT;
     c->ocsp_soft_fail    = OCSP_SOFT_FAIL_DEFAULT;
     c->ocsp_timeout      = OCSP_TIMEOUT_DEFAULT;
     c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
-
+    
     /*
      * Let us cleanup the SSL_CONF context when the pool is destroyed
      */
@@ -135,11 +152,7 @@
     tcn_ssl_conf_ctxt_t *c = J2P(cctx, tcn_ssl_conf_ctxt_t *);
     UNREFERENCED_STDARGS;
     TCN_ASSERT(c != 0);
-    if (c->cctx != NULL) {
-        SSL_CONF_CTX_free(c->cctx);
-        c->cctx = NULL;
-        c->pool = NULL;
-    }
+    apr_pool_cleanup_run(c->pool, c, ssl_ctx_config_cleanup);
 }
 
 /* Check a command for an SSL_CONF context */
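Review bot: The removed `if (c->cctx != NULL)` guard made a repeated free call harmless; after this change that safety depends entirely on `ssl_ctx_config_cleanup`, which is not shown here, tolerating an object it has already cleaned and on `c->pool` still being usable. If the cleanup does not itself test `c->cctx`, keeping the guard around the new call preserves the old behaviour: `if (c->cctx != NULL) apr_pool_cleanup_run(c->pool, c, ssl_ctx_config_cleanup);`. `TCN_ASSERT(c != 0)` is the only check on `c`, so a comment stating what a release build does with a zero handle would also help. The function's signature is outside the hunk.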
@@ -157,16 +170,20 @@
     TCN_ASSERT(c->cctx != 0);
     if (!J2S(cmd)) {
         tcn_Throw(e, "Can not check null SSL_CONF command");
-        return SSL_THROW_RETURN;
+        rc = SSL_THROW_RETURN;
+        goto cleanup;
     }
+    /*
+     * Although this is the check method, this sets the Tomcat specific
+     * settings.
+     */
     if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
         if (!strcasecmp(J2S(value), "false"))
             c->no_ocsp_check = 0;
         else
             c->no_ocsp_check = 1;
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        rc = 1;
+        goto cleanup;
     }
 
     if (!strcmp(J2S(cmd), "OCSP_SOFT_FAIL")) {
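Review bot: Only `cmd` is tested for NULL before the Tomcat-specific branches, so `strcasecmp(J2S(value), "false")` in the NO_OCSP_CHECK branch is reached with a NULL argument when the caller passes a null value; the later `!J2S(value)` tests for file and directory arguments suggest that case is possible. The same applies to the OCSP_SOFT_FAIL, OCSP_TIMEOUT and OCSP_VERIFY_FLAGS branches in the following hunks. Separately, every string other than "false" sets `c->no_ocsp_check = 1`, so a misspelt value turns the OCSP check off; accepting only "true" and "false" and throwing otherwise would make that failure visible. The function's declarations and the `rc` initialiser are above the hunk.

```c
    if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
        if (!J2S(value)) {
            tcn_Throw(e, "SSL_CONF command '%s' needs a value", J2S(cmd));
            rc = SSL_THROW_RETURN;
            goto cleanup;
        }
        /* … unchanged: true/false parsing, rc = 1, goto cleanup … */
```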
@@ -174,9 +191,8 @@
             c->ocsp_soft_fail = 0;
         else
             c->ocsp_soft_fail = 1;
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        rc = 1;
+        goto cleanup;
     }
 
     if (!strcmp(J2S(cmd), "OCSP_TIMEOUT")) {
@@ -187,9 +203,8 @@
             // Tomcat configures timeout is millisecond. APR uses microseconds.
             c->ocsp_timeout = i * 1000;
         }
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        rc = 1;
+        goto cleanup;
     }
 
     if (!strcmp(J2S(cmd), "OCSP_VERIFY_FLAGS")) {
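Review bot: `c->ocsp_timeout = i * 1000;` multiplies in the type of `i`, which the copy of this code removed from apply() declares as `int`, so a configured timeout above roughly 2.1 million milliseconds overflows before the store. Widening first, for example `c->ocsp_timeout = (apr_interval_time_t)i * 1000;` (assuming the field has that type), and rejecting `i < 0` would close this. The parsed value is guarded only by `errno`, so a non-numeric string is likely accepted as 0; passing an end pointer to the conversion and checking it would catch that, and the same holds for the OCSP_VERIFY_FLAGS branch in the next hunk. The conversion itself sits above this hunk.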
@@ -199,9 +214,8 @@
         if (!errno) {
             c->ocsp_verify_flags = i;
         }
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        rc = 1;
+        goto cleanup;
     }
 
     SSL_ERR_clear();
@@ -211,35 +225,42 @@
         char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
         ERR_error_string_n(ec, err, TCN_OPENSSL_ERROR_STRING_LENGTH);
         tcn_Throw(e, "Could not determine SSL_CONF command type for '%s' 
(%s)", J2S(cmd), err);
-        return 0;
+        rc = SSL_THROW_RETURN;
+        goto cleanup;
     }
 
     if (value_type == SSL_CONF_TYPE_UNKNOWN) {
         tcn_Throw(e, "Invalid SSL_CONF command '%s', type unknown", J2S(cmd));
-        return SSL_THROW_RETURN;
+        rc = SSL_THROW_RETURN;
+        goto cleanup;
     }
 
     if (value_type == SSL_CONF_TYPE_FILE) {
         if (!J2S(value)) {
             tcn_Throw(e, "SSL_CONF command '%s' needs a non-empty file 
argument", J2S(cmd));
-            return SSL_THROW_RETURN;
+            rc = SSL_THROW_RETURN;
+            goto cleanup;
         }
         if (check_file(c->pool, J2S(value))) {
             tcn_Throw(e, "SSL_CONF command '%s' file '%s' does not exist or is 
empty", J2S(cmd), J2S(value));
-            return SSL_THROW_RETURN;
+            rc = SSL_THROW_RETURN;
+            goto cleanup;
         }
     }
     else if (value_type == SSL_CONF_TYPE_DIR) {
         if (!J2S(value)) {
             tcn_Throw(e, "SSL_CONF command '%s' needs a non-empty directory 
argument", J2S(cmd));
-            return SSL_THROW_RETURN;
+            rc = SSL_THROW_RETURN;
+            goto cleanup;
         }
         if (check_dir(c->pool, J2S(value))) {
             tcn_Throw(e, "SSL_CONF command '%s' directory '%s' does not 
exist", J2S(cmd), J2S(value));
-            return SSL_THROW_RETURN;
+            rc = SSL_THROW_RETURN;
+            goto cleanup;
         }
     }
 
+cleanup:
     TCN_FREE_CSTRING(cmd);
     TCN_FREE_CSTRING(value);
     return rc;
@@ -281,7 +302,8 @@
     TCN_ASSERT(c->cctx != 0);
     if (!J2S(cmd)) {
         tcn_Throw(e, "Can not apply null SSL_CONF command");
-        return SSL_THROW_RETURN;
+        rc = SSL_THROW_RETURN;
+        goto cleanup;
     }
 #ifndef HAVE_EXPORT_CIPHERS
     if (!strcmp(J2S(cmd), "CipherString")) {
@@ -290,10 +312,11 @@
          *  no matter what was given in the config.
          */
         len = strlen(J2S(value)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
-        buf = malloc(len * sizeof(char *));
+        buf = malloc(len * sizeof(char));
         if (buf == NULL) {
             tcn_Throw(e, "Could not allocate memory to adjust cipher string");
-            return SSL_THROW_RETURN;
+            rc = SSL_THROW_RETURN;
+            goto cleanup;
         }
         memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, 
strlen(SSL_CIPHERS_ALWAYS_DISABLED));
         memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(value), 
strlen(J2S(value)));
@@ -301,45 +324,36 @@
     }
 #endif
     if (!strcmp(J2S(cmd), "NO_OCSP_CHECK")) {
-        if (!strcasecmp(J2S(value), "false"))
-            c->no_ocsp_check = 0;
-        else
-            c->no_ocsp_check = 1;
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        /*
+         * Skip as this is a Tomcat specific setting that will have been set
+         * when check() was called.
+         */
+        rc = 1;
+        goto cleanup;
     }
     if (!strcmp(J2S(cmd), "OCSP_SOFT_FAIL")) {
-        if (!strcasecmp(J2S(value), "false"))
-            c->ocsp_soft_fail = 0;
-        else
-            c->ocsp_soft_fail = 1;
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        /*
+         * Skip as this is a Tomcat specific setting that will have been set
+         * when check() was called.
+         */
+        rc = 1;
+        goto cleanup;
     }
     if (!strcmp(J2S(cmd), "OCSP_TIMEOUT")) {
-        int i;
-        errno = 0;
-        i = (int) strtol(J2S(value), NULL, 10);
-        if (!errno) {
-            // Tomcat configures timeout is millisecond. APR uses microseconds.
-            c->ocsp_timeout = i * 1000;
-        }
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        /*
+         * Skip as this is a Tomcat specific setting that will have been set
+         * when check() was called.
+         */
+        rc = 1;
+        goto cleanup;
     }
     if (!strcmp(J2S(cmd), "OCSP_VERIFY_FLAGS")) {
-        int i;
-        errno = 0;
-        i = (int) strtol(J2S(value), NULL, 10);
-        if (!errno) {
-            c->ocsp_verify_flags = i;
-        }
-        TCN_FREE_CSTRING(cmd);
-        TCN_FREE_CSTRING(value);
-        return 1;
+        /*
+         * Skip as this is a Tomcat specific setting that will have been set
+         * when check() was called.
+         */
+        rc = 1;
+        goto cleanup;
     }
     SSL_ERR_clear();
     rc = SSL_CONF_cmd(c->cctx, J2S(cmd), buf != NULL ? buf : J2S(value));
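Review bot: The four OCSP_* branches in apply() are now identical (same comment, `rc = 1`, `goto cleanup`) and could be one condition, which also gives a single place to state the precondition. As written, apply() reports success for these commands without touching `c`, so a caller that never ran check() for them silently keeps the defaults; the merged comment should say so explicitly. The function's start and the `cleanup:` label are outside this hunk.

```c
    /*
     * Tomcat Native specific settings are stored by check(); apply() only
     * acknowledges them. A caller that skipped check() keeps the defaults.
     */
    if (!strcmp(J2S(cmd), "NO_OCSP_CHECK") ||
        !strcmp(J2S(cmd), "OCSP_SOFT_FAIL") ||
        !strcmp(J2S(cmd), "OCSP_TIMEOUT") ||
        !strcmp(J2S(cmd), "OCSP_VERIFY_FLAGS")) {
        rc = 1;
        goto cleanup;
    }
    /* … unchanged: SSL_ERR_clear() and the SSL_CONF_cmd() call … */
```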
@@ -352,8 +366,11 @@
         } else {
             tcn_Throw(e, "Could not apply SSL_CONF command '%s' with value 
'%s'", J2S(cmd), buf != NULL ? buf : J2S(value));
         }
-        return SSL_THROW_RETURN;
+        rc = SSL_THROW_RETURN;
+        goto cleanup;
     }
+
+cleanup:
 #ifndef HAVE_EXPORT_CIPHERS
     if (buf != NULL) {
         free(buf);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/native/src/sslcontext.c 
new/tomcat-native-2.0.14-src/native/src/sslcontext.c
--- old/tomcat-native-2.0.12-src/native/src/sslcontext.c        2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/src/sslcontext.c        2026-03-06 
15:04:25.000000000 +0100
@@ -414,6 +414,12 @@
         stringClass = (jclass) (*e)->NewGlobalRef(e, sClazz);
     }
 
+    /* Configure OCSP defaults here in case there is no SSL_CONF_CTX used. */
+    c->no_ocsp_check     = OCSP_NO_CHECK_DEFAULT;
+    c->ocsp_soft_fail    = OCSP_SOFT_FAIL_DEFAULT;
+    c->ocsp_timeout      = OCSP_TIMEOUT_DEFAULT;
+    c->ocsp_verify_flags = OCSP_VERIFY_FLAGS_DEFAULT;
+
     return P2J(c);
 init_failed:
     return 0;
@@ -541,7 +547,7 @@
      *  no matter what was given in the config.
      */
     len = strlen(J2S(cipherList)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
-    buf = malloc(len * sizeof(char *));
+    buf = malloc(len * sizeof(char));
     if (buf == NULL) {
         rv = JNI_FALSE;
         goto free_cipherList;
@@ -946,9 +952,7 @@
     const char *p;
     char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
 #ifdef HAVE_ECC
-    EC_GROUP *ecparams = NULL;
     int nid;
-    EC_KEY *eckey = NULL;
 #endif
     EVP_PKEY *evp;
 
@@ -1026,8 +1030,9 @@
     /* XXX Does this also work for pkcs12 or only for PEM files?
      * If only for PEM files move above to the PEM handling */
     if ((idx == 0) && (evp = SSL_dh_GetParamFromFile(cert_file))) {
-        SSL_CTX_set0_tmp_dh_pkey(c->ctx, evp);
-        EVP_PKEY_free(evp);
+        if (!SSL_CTX_set0_tmp_dh_pkey(c->ctx, evp)) {
+            EVP_PKEY_free(evp);
+        }
     }
 
 #ifdef HAVE_ECC
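Review bot: The reason `EVP_PKEY_free(evp)` moved into the failure branch is not stated, and the next reader is likely to "fix" it back. A comment on the call would prevent that: `/* set0 hands ownership of evp to the SSL_CTX on success; free it only on failure */`. The failure branch also drops the error silently, so the DH parameters found in the file are ignored with no exception or log entry; whether that is intended given the later `SSL_CTX_set_dh_auto` call is worth a word in the same comment. The enclosing function starts and ends outside the hunk.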
@@ -1036,14 +1041,10 @@
      */
     /* XXX Does this also work for pkcs12 or only for PEM files?
      * If only for PEM files move above to the PEM handling */
-    if ((ecparams = SSL_ec_GetParamFromFile(cert_file)) &&
-        (nid = EC_GROUP_get_curve_name(ecparams)) &&
-        (eckey = EC_KEY_new_by_curve_name(nid))) {
-        SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
-    }
-    /* OpenSSL assures us that _free() is NULL-safe */
-    EC_KEY_free(eckey);
-    EC_GROUP_free(ecparams);
+    nid = SSL_ec_GetParamFromFile(cert_file);
+    if (nid != NID_undef) {
+        SSL_CTX_set1_groups(c->ctx, &nid, 1);
+    }
 #endif
     SSL_CTX_set_dh_auto(c->ctx, 1);
 
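Review bot: The result of `SSL_CTX_set1_groups(c->ctx, &nid, 1)` is discarded, so a curve that OpenSSL refuses is dropped without any report to the caller. Checking it, `if (!SSL_CTX_set1_groups(c->ctx, &nid, 1)) { ... }`, and reporting through whatever error path the rest of this function uses (not visible in the hunk) would make the failure visible. The call also replaces the context's whole supported-groups list with this single curve, so a short comment confirming that the restriction is intended would help.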
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/native/src/sslutils.c 
new/tomcat-native-2.0.14-src/native/src/sslutils.c
--- old/tomcat-native-2.0.12-src/native/src/sslutils.c  2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/src/sslutils.c  2026-03-06 
15:04:25.000000000 +0100
@@ -190,7 +190,7 @@
         return NULL;
     evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL);
     BIO_free(bio);
-    if (!EVP_PKEY_is_a(evp, "DH")) {
+    if (evp && !EVP_PKEY_is_a(evp, "DH")) {
         EVP_PKEY_free(evp);
         return NULL;
     }
@@ -198,16 +198,41 @@
 }
 
 #ifdef HAVE_ECC
-EC_GROUP *SSL_ec_GetParamFromFile(const char *file)
+int SSL_ec_GetParamFromFile(const char *file)
 {
-    EC_GROUP *group = NULL;
+    EVP_PKEY *evp = NULL;
     BIO *bio;
+    char curve_name[80];
 
     if ((bio = BIO_new_file(file, "r")) == NULL)
-        return NULL;
-    group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+        return NID_undef;
+    evp = PEM_read_bio_Parameters_ex(bio, NULL, NULL, NULL);
     BIO_free(bio);
-    return (group);
+    if (evp && !EVP_PKEY_is_a(evp, "EC")) {
+        EVP_PKEY_free(evp);
+        return NID_undef;
+    }
+
+    OSSL_PARAM param[] = {
+        OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, 
curve_name, sizeof(curve_name)),
+        OSSL_PARAM_construct_end()
+    };
+
+    /* Query the curve name from the EVP_PKEY params object */
+    if (EVP_PKEY_get_params(evp, param) <= 0) {
+        EVP_PKEY_free(evp);
+        return NID_undef; /* Failed to retrieve the curve name */
+    }
+
+    /* Convert the curve name to the NID */
+    int nid = OBJ_sn2nid(curve_name);
+    if (nid == NID_undef) {
+        /* If the short name didn't resolve, try the long name */
+        nid = OBJ_ln2nid(curve_name);
+    }
+
+    EVP_PKEY_free(evp);
+    return nid; /* Returns the curve's NID, or NID_undef on failure */
 }
 #endif
 
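Review bot: When `PEM_read_bio_Parameters_ex` returns NULL the `evp && ...` test is skipped and the NULL pointer is passed on to `EVP_PKEY_get_params`, so the function relies on that call rejecting a NULL key. An explicit `if (evp == NULL) return NID_undef;` directly after `BIO_free(bio);` lets the common case of a file without EC parameters exit early and keeps the later code free of that assumption. `OSSL_PARAM param[]` and `int nid` are also declared after statements, unlike `evp`, `bio` and `curve_name` at the top of the function; moving them up keeps the block consistent.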
@@ -591,7 +616,7 @@
 
         if (!err) {
             new_nocsp_urls = *nocsp_urls+1;
-            if ((new_ocsp_urls = apr_xrealloc(*ocsp_urls,*nocsp_urls, 
new_nocsp_urls, p)) == NULL)
+            if ((new_ocsp_urls = apr_xrealloc(*ocsp_urls, *nocsp_urls * 
sizeof(char *), new_nocsp_urls * sizeof(char *), p)) == NULL)
                 err = 1;
         }
         if (!err) {
@@ -663,23 +688,25 @@
 /* the main function that gets the ASN1 encoding string and returns
    a pointer to a NULL terminated "array" of char *, that contains
    the ocsp_urls */
-static char **decode_OCSP_url(ASN1_OCTET_STRING *os, apr_pool_t *p)
+static char **decode_OCSP_url(ASN1_OCTET_STRING *os, int *numofresponses, 
apr_pool_t *p)
 {
     char **response = NULL;
     unsigned char *ocsp_urls;
-    int len, numofresponses = 0 ;
+    int len;
+
+    *numofresponses = 0 ;
 
     len = ASN1_STRING_length(os);
 
-    ocsp_urls = apr_palloc(p,  len + 1);
-    memcpy(ocsp_urls,os->data, len);
+    ocsp_urls = apr_palloc(p, len + 1);
+    memcpy(ocsp_urls, ASN1_STRING_get0_data(os), len);
     ocsp_urls[len] = '\0';
 
     if ((response = apr_pcalloc(p, sizeof(char *))) == NULL) {
         return NULL;
     }
-    if (parse_ASN1_Sequence(ocsp_urls, &response, &numofresponses, p) ||
-            numofresponses ==0) {
+    if (parse_ASN1_Sequence(ocsp_urls, &response, numofresponses, p) ||
+            *numofresponses ==0) {
         response = NULL;
     }
     return response;
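Review bot: `ocsp_urls` from `apr_palloc(p, len + 1)` is passed to `memcpy` without a NULL check, while the `apr_pcalloc` result a few lines later is checked; `if (ocsp_urls == NULL) return NULL;` would make the two consistent. `len` is also not handed to `parse_ASN1_Sequence`, so that parser (outside this hunk) has only the appended `'\0'` to bound its reads of bytes that come from the certificate. It is worth confirming that it validates every encoded length against the remaining input, or passing `len` down.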
@@ -866,19 +893,20 @@
 
 /* Reads the response from the APR socket to a buffer, and parses the buffer to
    return the OCSP response  */
-#define ADDLEN 512
+#define BUFFER_SIZE 512
+#define OCSP_MAX_RESPONSE_SIZE 65536
 static OCSP_RESPONSE *ocsp_get_resp(apr_pool_t *mp, apr_socket_t *sock)
 {
     int buflen;
     apr_size_t totalread = 0;
     apr_size_t readlen;
-    char *buf, tmpbuf[ADDLEN];
+    char *buf, tmpbuf[BUFFER_SIZE];
     apr_status_t rv = APR_SUCCESS;
     apr_pool_t *p;
     OCSP_RESPONSE *resp;
 
     apr_pool_create(&p, mp);
-    buflen = ADDLEN;
+    buflen = BUFFER_SIZE;
     buf = apr_palloc(p, buflen);
     if (buf == NULL) {
         apr_pool_destroy(p);
@@ -889,13 +917,16 @@
         readlen = sizeof(tmpbuf);
         rv = apr_socket_recv(sock, tmpbuf, &readlen);
         if (rv == APR_SUCCESS) { /* if we have read something .. we can put it 
in the buffer*/
-            if ((totalread + readlen) >= buflen) {
-                buf = apr_xrealloc(buf, buflen, buflen + ADDLEN, p);
+            if ((totalread + readlen) > OCSP_MAX_RESPONSE_SIZE) {
+                apr_pool_destroy(p);
+                return NULL;
+            } else if ((totalread + readlen) >= buflen) {
+                buf = apr_xrealloc(buf, buflen, buflen * 2, p);
                 if (buf == NULL) {
                     apr_pool_destroy(p);
                     return NULL;
                 }
-                buflen += ADDLEN; /* if needed we enlarge the buffer */
+                buflen *= 2; /* if needed we enlarge the buffer */
             }
             memcpy(buf + totalread, tmpbuf, readlen); /* the copy to the 
buffer */
             totalread += readlen; /* update the total bytes read */
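Review bot: `buflen` is an `int` (declared in the previous hunk) and is compared with the `apr_size_t` sum `totalread + readlen`; declaring it `apr_size_t` removes the mixed-sign comparison now that it doubles on each growth. The new over-limit branch returns NULL exactly like an allocation failure, so the caller cannot tell an oversized reply from a failed one. A comment at the definition, for example `/* Upper bound on the bytes accepted from an OCSP responder */`, would record what `OCSP_MAX_RESPONSE_SIZE` counts. The loop header and the end of the function are outside this hunk.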
@@ -911,7 +942,7 @@
         }
     }
 
-    resp = parse_ocsp_resp(buf, buflen);
+    resp = parse_ocsp_resp(buf, totalread);
     apr_pool_destroy(p);
     return resp;
 }
@@ -1001,7 +1032,7 @@
     OCSP_CERTID *certid;
     ASN1_GENERALIZEDTIME *thisupd;
     ASN1_GENERALIZEDTIME *nextupd;
-    STACK_OF(X509) *certStack;
+    const STACK_OF(X509) *certStack;
 
     r = OCSP_response_status(ocsp_resp);
 
@@ -1017,7 +1048,8 @@
     }
 
     certStack = OCSP_resp_get0_certs(bs);
-    if (OCSP_basic_verify(bs, certStack, X509_STORE_CTX_get0_store(ctx), 
verifyFlags) <= 0) {
+    // Cast to non-const pointer is OK here since OCSP_basic_verify does not 
modify the provided certs
+    if (OCSP_basic_verify(bs, (STACK_OF(X509) *)certStack, 
X509_STORE_CTX_get0_store(ctx), verifyFlags) <= 0) {
         X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_SIGNATURE_FAILURE);
         o = OCSP_STATUS_UNKNOWN;
         goto clean_bs;
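Review bot: The certificates passed to `OCSP_basic_verify` as its `certs` argument come from the response itself (`OCSP_resp_get0_certs(bs)`), so if `verifyFlags` ever carries `OCSP_TRUSTOTHER` the responder-supplied certificates are treated as trusted. `verifyFlags` arrives from outside the hunk, presumably from the configurable OCSP_VERIFY_FLAGS setting. Masking it at this call, `verifyFlags & ~OCSP_TRUSTOTHER`, or documenting that the flag must not be configured, would keep signer validation tied to the store from `X509_STORE_CTX_get0_store(ctx)`.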
@@ -1060,7 +1092,7 @@
 static int ssl_ocsp_request(X509 *cert, X509 *issuer, X509_STORE_CTX *ctx, int 
timeout, int verifyFlags)
 {
     char **ocsp_urls = NULL;
-    int nid;
+    int nid, numofresponses;
     int rv = OCSP_STATUS_UNKNOWN;
     X509_EXTENSION *ext;
     ASN1_OCTET_STRING *os;
@@ -1074,36 +1106,47 @@
         ext = X509_get_ext(cert,nid);
         os = X509_EXTENSION_get_data(ext);
 
-        ocsp_urls = decode_OCSP_url(os, p);
+        ocsp_urls = decode_OCSP_url(os, &numofresponses, p);
     }
-
     /* if we find the extensions and we can parse it check
        the ocsp status. Otherwise, return OCSP_STATUS_UNKNOWN */
-    if (ocsp_urls != NULL) {
+    if (ocsp_urls != NULL && numofresponses > 0) {
         OCSP_REQUEST *req;
         OCSP_RESPONSE *resp = NULL;
-        /* for the time being just check for the fist response .. a better
-           approach is to iterate for all the possible ocsp urls */
+        int i;
+
         req = get_ocsp_request(cert, issuer);
-        if (req != NULL) {
-            resp = get_ocsp_response(p, ocsp_urls[0], req, timeout);
-            if (resp != NULL) {
-                rv = process_ocsp_response(req, resp, cert, issuer, ctx, 
verifyFlags);
-            } else {
-                /* Unable to send request / receive response. */
-                X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
-            }
-        } else {
+        if (req == NULL) {
             /* correct error code for application errors? */
             X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
-        }
+        } else {
+            /* Iterate through all the possible OCSP URLs until we get a 
definitive response */
+            for (i = 0; i < numofresponses; i++) {
+                if (ocsp_urls[i] == NULL) {
+                    continue;
+                }
 
-        if (req != NULL) {
-            OCSP_REQUEST_free(req);
-        }
+                resp = get_ocsp_response(p, ocsp_urls[i], req, timeout);
+                if (resp != NULL) {
+                    rv = process_ocsp_response(req, resp, cert, issuer, ctx, 
verifyFlags);
+                    OCSP_RESPONSE_free(resp);
+                    resp = NULL;
+
+                    /* If we got a definitive answer (OK or REVOKED), stop 
trying */
+                    if (rv == OCSP_STATUS_OK || rv == OCSP_STATUS_REVOKED) {
+                        break;
+                    }
+                    /* Otherwise (UNKNOWN), try the next URL */
+                }
+            }
 
-        if (resp != NULL) {
-            OCSP_RESPONSE_free(resp);
+            /* If all URLs failed to respond or returned UNKNOWN */
+            if (rv == OCSP_STATUS_UNKNOWN) {
+                /* Unable to send request / receive response from any URL. */
+                X509_STORE_CTX_set_error(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
+            }
+
+            OCSP_REQUEST_free(req);
         }
     }
     apr_pool_destroy(p);
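Review bot: The loop sends one request per responder URI found in the certificate, each with the full `timeout`, so the time spent in this check grows with a count taken from the certificate being verified. Bounding it, `i < numofresponses && i < limit` with a small constant, keeps the worst case predictable. `numofresponses` (declared in the previous hunk) is only assigned when the extension is found; `int nid, numofresponses = 0;` removes the reliance on `ocsp_urls != NULL` short-circuiting. An error set on `ctx` by `process_ocsp_response` for one URI also appears to remain when a later URI returns `OCSP_STATUS_OK`, so confirm the caller clears it. The start of the function is outside this hunk.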
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/native/srclib/VERSIONS 
new/tomcat-native-2.0.14-src/native/srclib/VERSIONS
--- old/tomcat-native-2.0.12-src/native/srclib/VERSIONS 2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/srclib/VERSIONS 2026-03-06 
15:04:25.000000000 +0100
@@ -5,7 +5,7 @@
 The following version of the libraries are recommended:
 
 - APR 1.7.6 or later, http://apr.apache.org
-- OpenSSL 3.5.4 or later, http://www.openssl.org
+- OpenSSL 3.5.5 or later, http://www.openssl.org
 
 Older versions should also work but are not as thoroughly tested by the Tomcat
 Native team
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/native/tcnative.spec 
new/tomcat-native-2.0.14-src/native/tcnative.spec
--- old/tomcat-native-2.0.12-src/native/tcnative.spec   2026-01-06 
19:07:36.000000000 +0100
+++ new/tomcat-native-2.0.14-src/native/tcnative.spec   2026-03-06 
15:06:06.000000000 +0100
@@ -21,7 +21,7 @@
 
 Summary: Tomcat Native Java library
 Name: tcnative
-Version: 2.0.12
+Version: 2.0.14
 Release: 1
 License: Apache Software License
 Group: System Environment/Libraries
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/xdocs/index.xml 
new/tomcat-native-2.0.14-src/xdocs/index.xml
--- old/tomcat-native-2.0.12-src/xdocs/index.xml        2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/xdocs/index.xml        2026-03-06 
15:04:25.000000000 +0100
@@ -42,10 +42,10 @@
 <section name="Headlines">
 <ul>
 
-<li><a href="news/2025.html#20250529">29 May 2025 - <b>TC-Native-2.0.9
+<li><a href="news/2026.html#20260211">11 February 2026 - 
<b>Tomcat-Native-2.0.13
 released</b></a>
 <p>The Apache Tomcat team is proud to announce the immediate availability of
-Tomcat Native 2.0.9 Stable.</p>
+Tomcat Native 2.0.13 Stable.</p>
 <p>
 The sources and the binaries for selected platforms are available from the
 <a href="../download-native.cgi">Download page</a>.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/xdocs/miscellaneous/changelog.xml 
new/tomcat-native-2.0.14-src/xdocs/miscellaneous/changelog.xml
--- old/tomcat-native-2.0.12-src/xdocs/miscellaneous/changelog.xml      
2026-01-06 19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/xdocs/miscellaneous/changelog.xml      
2026-03-06 15:04:25.000000000 +0100
@@ -31,7 +31,73 @@
   branch started from the 1.2.33 tag.
   </p>
 </section>
-<section name="Changes in 2.0.12">
+<section name="2.0.14" rtext="">
+  <changelog>
+    <scode>
+      Refactor access to ASN1_OCTET_STRING to use setters to fix errors when
+      building against the latest OpenSSL 4.0.x code. (markt)
+    </scode>
+    <fix>
+      Fix the handling of OCSP requests with multiple responder URIs. (jfclere)
+    </fix>
+    <fix>
+      Fix the handling of <code>TRY_AGAIN</code> responses to OCSP requests 
when
+      soft fail is disabled. (jfclere)
+    </fix>
+  </changelog>
+</section>
+<section name="2.0.13" rtext="2026-02-11">
+  <changelog>
+    <scode>
+      Due to various refactorings, the 2.0.x code no longer compiles with
+      LibreSSL. Without a volunteer to maintain LibreSSL support, the LibreSSL
+      code will be removed no earlier than 30 September 2026. (markt)</scode>
+    <fix>
+      Remove group write permissions from the files in the tar.gz source
+      archive. (markt)
+    </fix>
+    <scode>
+      Refactor the SSL_CONF_CTX clean-up to align it with SSL and SSL_CTX
+      clean-up. (markt)
+    </scode>
+    <fix>
+      Fix unnecessarily large buffer allocation when filtering out NULL and
+      export ciphers. Pull requests <pr>35</pr> and <pr>37</pr> provided by
+      chenjp. (markt)
+    </fix>
+    <fix>
+      Fix a potential memory leak if an invalid <code>OpenSSLConf</code> is
+      provided. Pull request <pr>36</pr> provided by chenjp. (markt)
+    </fix>
+    <fix>
+      Refactor setting of OCSP configuration defaults as they were only applied
+      if the SSL_CONF_CTX was used. While one was always used with Tomcat
+      versions aware of the OCSP configuration options, one was not always used
+      with Tomcat versions unaware of the OCSP configuration options leading to
+      OCSP verification being enabled by default when the expected behaviour 
was
+      disabled by default. (markt)
+    </fix>
+    <scode>
+      Improve performance for the rare case of handling large OCSP responses.
+      (markt)
+    </scode>
+    <fix>
+      <bug>69939</bug>: Fix the cause of a crash with OpenSSL 3.0.x when a
+      certificate PEM file does not contain explicit DH parameters. (markt)
+    </fix>
+    <fix>
+      Refactor extraction of ECDH curve name from the Certificate to avoid
+      deprecated OpenSSL methods.
+    </fix>
+    <fix>
+      Refactor the native implementation of <code>SSL.getTime()</code> to avoid
+      the Y2038 problem in <code>SSL_SESSION_get_time()</code> when running on 
a
+      version of OpenSSL that includes the new
+      <code>SSL_SESSION_get_time_ex()</code> method. (markt)
+    </fix>
+  </changelog>
+</section>
+<section name="2.0.12" rtext="2026-01-12">
   <changelog>
     <fix>
       Refactor the addition of TLS 1.3 cipher suite configuration to avoid a
@@ -40,7 +106,7 @@
     </fix>
   </changelog>
 </section>
-<section name="Changes in 2.0.11 (not released)">
+<section name="2.0.11" rtext="not released">
   <changelog>
     <fix>
       Fix a reference to an uninitialized variable. (schultz)
@@ -54,7 +120,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.10 (not released)">
+<section name="2.0.10" rtext="not released">
   <changelog>
     <update>
       The Windows binaries are now built with OCSP support enabled by default.
@@ -93,7 +159,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.9">
+<section name="2.0.9" rtext="2025-05-29">
   <changelog>
     <update>
       Update the Windows build environment to use Visual Studio 2022. (markt)
@@ -106,7 +172,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.8">
+<section name="2.0.8" rtext="2024-07-24">
   <changelog>
     <fix>
       Fix a crash on Windows when <code>SSLContext.setCACertificate()</code>
@@ -128,7 +194,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.7">
+<section name="2.0.7" rtext="2024-02-08">
   <changelog>
     <add>
       <bug>67538</bug>: Make use of Ant's <code>&lt;javaversion /&gt;</code>
@@ -168,7 +234,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.6">
+<section name="2.0.6" rtext="2023-10-02">
   <changelog>
     <fix>
       <bug>67061</bug>: If the insecure optionalNoCA certificate verification
@@ -180,7 +246,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.5">
+<section name="2.0.5" rtext="2023-08-07">
   <changelog>
     <update>
       <bug>66666</bug>: Remove non-reachable functions from ssl.c. (michaelo)
@@ -208,7 +274,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.4">
+<section name="2.0.4" rtext="not released">
   <changelog>
     <update>
       Update the recommended minimum version of APR to 1.7.4. (markt)
@@ -218,7 +284,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.3">
+<section name="2.0.3" rtext="2023-02-13">
   <changelog>
     <update>
       Update the recommended minimum version of APR to 1.7.2. (markt)
@@ -228,7 +294,7 @@
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.2">
+<section name="2.0.2" rtext="2022-11-08">
   <changelog>
     <update>
       Update the minimum supported version of LibreSSL to 3.5.2. Based on pull
@@ -241,14 +307,14 @@
   </changelog>
 </section>
 
-<section name="Changes in 2.0.1">
+<section name="2.0.1" rtext="2022-07-12">
   <changelog>
     <update>
       Update recommended OpenSSL version to 3.0.5 or later. (markt)
     </update>
   </changelog>
 </section>
-<section name="Changes in 2.0.0">
+<section name="2.0.0" rtext="not released">
   <changelog>
     <update>
       Update the minimum required version of OpenSSL to 3.0.0 and make it a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/tomcat-native-2.0.12-src/xdocs/miscellaneous/project.xml 
new/tomcat-native-2.0.14-src/xdocs/miscellaneous/project.xml
--- old/tomcat-native-2.0.12-src/xdocs/miscellaneous/project.xml        
2026-01-06 19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/xdocs/miscellaneous/project.xml        
2026-03-06 15:04:25.000000000 +0100
@@ -35,6 +35,8 @@
     </menu>
 
     <menu name="News">
+      <item name="2026" href="../news/2026.html"/>
+      <item name="2025" href="../news/2025.html"/>
       <item name="2024" href="../news/2024.html"/>
       <item name="2023" href="../news/2023.html"/>
       <item name="2022" href="../news/2022.html"/>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/xdocs/news/2026.xml 
new/tomcat-native-2.0.14-src/xdocs/news/2026.xml
--- old/tomcat-native-2.0.12-src/xdocs/news/2026.xml    1970-01-01 
01:00:00.000000000 +0100
+++ new/tomcat-native-2.0.14-src/xdocs/news/2026.xml    2026-03-06 
15:04:25.000000000 +0100
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!DOCTYPE document [
+  <!ENTITY project SYSTEM "project.xml">
+]>
+<document url="2026.html">
+
+  &project;
+
+  <properties>
+    <title>2026 News and Status</title>
+  </properties>
+
+  <body>
+
+    <section name="2026 News &amp; Status">
+    
+      <subsection anchor="20260211" name="11 February 2026 - 
Tomcat-Native-2.0.13 released">
+        <p>The Apache Tomcat team is proud to announce the immediate
+        availability of Tomcat Native 2.0.13.</p>
+      </subsection>
+
+      <subsection anchor="20260112" name="12 January 2026 - 
Tomcat-Native-2.0.12 released">
+        <p>The Apache Tomcat team is proud to announce the immediate
+        availability of Tomcat Native 2.0.12.</p>
+      </subsection>
+
+    </section>
+    
+  </body>
+
+</document>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/xdocs/news/project.xml 
new/tomcat-native-2.0.14-src/xdocs/news/project.xml
--- old/tomcat-native-2.0.12-src/xdocs/news/project.xml 2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/xdocs/news/project.xml 2026-03-06 
15:04:25.000000000 +0100
@@ -35,6 +35,7 @@
     </menu>
 
     <menu name="News">
+      <item name="2026" href="../news/2026.html"/>
       <item name="2025" href="../news/2025.html"/>
       <item name="2024" href="../news/2024.html"/>
       <item name="2023" href="../news/2023.html"/>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tomcat-native-2.0.12-src/xdocs/project.xml 
new/tomcat-native-2.0.14-src/xdocs/project.xml
--- old/tomcat-native-2.0.12-src/xdocs/project.xml      2026-01-06 
19:06:49.000000000 +0100
+++ new/tomcat-native-2.0.14-src/xdocs/project.xml      2026-03-06 
15:04:25.000000000 +0100
@@ -35,6 +35,8 @@
     </menu>
 
     <menu name="News">
+      <item name="2026" href="news/2026.html"/>
+      <item name="2025" href="news/2025.html"/>
       <item name="2024" href="news/2024.html"/>
       <item name="2023" href="news/2023.html"/>
       <item name="2022" href="news/2022.html"/>
