On Tue, May 31, 2022 at 9:46 AM Mark Thomas <ma...@apache.org> wrote:
>
> On 30/05/2022 20:05, Rémy Maucherat wrote:
> > On Mon, May 30, 2022 at 6:49 PM Mark Thomas <ma...@apache.org> wrote:
> >>
> >> Hi all,
> >>
> >> I have made some progress. I have a trimmed down Tomcat Native 2.0 built
> >> with OpenSSL 3.0 working locally with Tomcat 10.1.x. I also have it
> >> working with the OpenSSL 3 FIPS provider.
> >>
> >> I have also been thinking about Tomcat Native 1.2.x and 2.0.x
> >> interoperability.
> >>
> >> Since Native 2.0 is mostly (apart from one new FIPS method) a subset of
> >> Native 1.2 it should be relatively easy for 10.1.x to work with Native
> >> 2.0.x or 1.2.x.
> >>
> >> Allowing Native 1.2.x use with Tomcat 10.1.x should make it easier on
> >> downstream distributions as it removes the need for them to update to
> >> APR 1.7.x and OpenSSL 3.0.x
> >>
> >> Getting 10.0.x and earlier working with Native 2.0.x is a little
> >> trickier although it is doable if the limits are:
> >> - No APR/Native connector
> >> - No application usage of o.a.t.u.jni (as most of the native code is
> >>     removed)
> >>
> >> Enabling Native 2.0.x use with Tomcat 10.0.x and earlier opens up the
> >> possibility of OpenSSL FIPS that doesn't depend on an unsupported
> >> version of OpenSSL.
> >>
> >> I am currently thinking along the following lines:
> >>
> >> - release Tomcat Native 1.2.34 that includes:
> >>     - refactoring the caching of the FileInfo and Sockaddr classes so
> >>       they are only cached if used
> >>     - any additional refactoring to allow Native 1.2.x to be used in
> >>       Tomcat 10.1.x with all the deprecated code removed
> >>
> >> - make Tomcat Native 1.2.34 the minimum required Tomcat Native version
> >>     for Tomcat 10.1.x
> >>
> >> - release Tomcat Native 2.0.0
> >>
> >> - make Tomcat Native 2.0.0 the minimum recommended Tomcat Native
> >>     version for Tomcat 10.1.x
> >>
> >> - updates as required to Tomcat Native 1.2.x, 2.0.x and Tomcat
> >>     <=10.0.x to allow Tomcat Native 2.0.x to be used (reasonably) safely
> >>     with Tomcat <=10.0.x
> >>
> >> My plan is to do most of this work locally to make sure I haven't missed
> >> anything and then start committing and releasing in the order above.
> >
> > Sounds great. Any subtask for me or do you prefer doing it alone?
>
> Thanks for the offer of help.
>
> I have a lot of the above ready locally already and everything is
> inter-related making it hard to extract independent sub-tasks. With all
> the inter-dependencies I might miss something so if you could keep that
> in mind when reviewing my commits that would be helpful.
>
> The tasks below, particularly the first and third, are largely
> independent. If you have time to look at either of those that would be
> great. I'll try and commit the bulk of the initial changes for Tomcat
> Native 2.0.x today.

Ok!

About the first item, I don't recall any deprecated call being used
for the OpenSSL 3.0 code path when I converted to Panama, but I will
review again.

About LibreSSL, it is not a good target for the Panama code. The first
reason is that without ifdefs it makes things more complex. The second
reason is the possible use of extra APIs that would only be in OpenSSL
(for example if they ever add the promised high-level API for QUIC
support).

Rémy

> Thanks,
>
> Mark
>
> >> Additional tasks that don't have any ordering dependencies (that I
> >> can think of) include:
> >>
> >> - update the Tomcat Native 2.0.x code not to use any of the deprecated
> >>     OpenSSL APIs
> >>
> >> - when in FIPS required mode, consider checking individually negotiated
> >>     ciphers are from the FIPS provider in case the user has multiple
> >>     providers configured
> >>
> >> - Get LibreSSL fully working (my understanding, which may be wrong, is that
> >>     it isn't currently working)
> >
> > Rémy
> >
> >> Mark
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: dev-h...@tomcat.apache.org
> >>