On Mon, May 30, 2022 at 6:49 PM Mark Thomas <ma...@apache.org> wrote:
>
> Hi all,
>
> I have made some progress. I have a trimmed down Tomcat Native 2.0 built
> with OpenSSL 3.0 working locally with Tomcat 10.1.x. I also have it
> working with the OpenSSL 3 FIPS provider.
>
> I have also been thinking about Tomcat Native 1.2.x and 2.0.x
> interoperability.
>
> Since Native 2.0 is mostly (apart from one new FIPS method) a subset of
> Native 1.2 it should be relatively easy for 10.1.x to work with Native
> 2.0.x or 1.2.x.
>
> Allowing Native 1.2.x use with Tomcat 10.1.x should make it easier on
> downstream distributions as it removes the need for them to update to
> APR 1.7.x and OpenSSL 3.0.x
>
> Getting 10.0.x and earlier working with Native 2.0.x is a little
> trickier although it is doable if the limits are:
> - No APR/Native connector
> - No application usage of o.a.t.u.jni (as most of the native code is
>   removed)
>
> Enabling Native 2.0.x use with Tomcat 10.0.x and earlier opens up the
> possibility of OpenSSL FIPS that doesn't depend on an unsupported
> version of OpenSSL.
>
> I am currently thinking along the following lines:
>
> - release Tomcat Native 1.2.34 that includes:
>   - refactoring the caching of the FileInfo and Sockaddr classes so
>     that they are only cached if used
>   - any additional refactoring to allow Native 1.2.x to be used in
>     Tomcat 10.1.x with all the deprecated code removed
>
> - make Tomcat Native 1.2.34 the minimum required Tomcat Native version
>   for Tomcat 10.1.x
>
> - release Tomcat Native 2.0.0
>
> - make Tomcat Native 2.0.0 the minimum recommended Tomcat Native
>   version for Tomcat 10.1.x
>
> - updates as required to Tomcat Native 1.2.x, 2.0.x and Tomcat
>   <=10.0.x to allow Tomcat Native 2.0.x to be used (reasonably) safely
>   with Tomcat <=10.0.x
>
> My plan is to do most of this work locally to make sure I haven't missed
> anything and then start committing and releasing in the order above.
Sounds great. Any subtask for me or do you prefer doing it alone?

> Additional tasks that don't have any ordering dependencies (that I
> can think of) include:
>
> - update the Tomcat Native 2.0.x code not to use any of the deprecated
>   OpenSSL APIs
>
> - when in FIPS required mode, consider checking individually negotiated
>   ciphers are from the FIPS provider in case the user has multiple
>   providers configured
>
> - Get LibreSSL fully working (my understanding that may be wrong is that
>   it isn't currently working)

Rémy

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>