On Tue, May 31, 2022 at 8:02 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 31/05/2022 17:59, Rémy Maucherat wrote:
> > On Tue, May 31, 2022 at 6:48 PM Mark Thomas <ma...@apache.org> wrote:
> >
> > <snip/>
> >
> >> On that topic, I originally made the decision to keep LibreSSL support
> >> when I thought that 10.1.x would require Tomcat Native 2.0.x. The plan
> >> has since shifted and 10.1.x will ship with Tomcat Native 2.0.x but will
> >> still be able to use (a sufficiently recent) Tomcat Native 1.2.x. With
> >> that in mind, do we want to keep LibreSSL support in Tomcat Native 2.0.x?
> >
> > If tomcat-native 2.0 is fully aligned with what the Panama code does
> > (so no LibreSSL), it would be better for a future transition to it.
> > OTOH, it would force supporting 1.2 for (much) longer.
>
> Hmm. Tricky.
>
> If we assume that we need to support Tomcat Native 1.x until EOL of
> 9.0.x (due to the o.a.t.u.jni package) then we will be supporting 1.x
> (best guess) until 2028 or so.
>
> OpenSSL 1.1.1 is EOL 2023-09-11 so there is a 4/5 year gap there.
> However, various distributions are committed to supporting OpenSSL 1.1.1
> for much longer.
>
> Looking at the various timescales, I think we should be helpful to the
> downstream distributions where we can but they are going to have to take
> on some of the maintenance work for their LTS distributions once OpenSSL
> 1.1.1 reaches EOL.
>
> So that starts to look like 1.3.x (built with OpenSSL 3.0.x) around the
> middle of next year. That should be good to Sept 2026. Not sure what
> we'd do for the last few years of 9.0.x. 1.4.x built on whatever the new
> OpenSSL LTS is?
>
> Then what do we do with LibreSSL? Maintain support in the 1.x branch?
>
> Given the direction of travel (towards Panama and using OpenSSL
> directly) how much effort do we want to put into LibreSSL support?
>
> Do we want to announce an early EOL for the deprecated parts of the
> o.a.t.u.jni package with a view to removing them during the lifetime of
> 8.5.x and 9.0.x? That would simplify planning (Tomcat Native 1.2.x would
> EOL at the same time). But it would be highly unusual for us to do that
> and could cause breakage with a point release.
>
> What about LibreSSL? Are we looking towards a Panama module for LibreSSL
> and then some glue code so you can swap between Panama modules for
> different TLS native libraries?
>
> Lots of questions there. Nothing jumps out at me as the "obvious" plan.
> Thoughts?
Technically, right now the Panama code works with OpenSSL 1.1.1 (but not
1.1.0), since that's what I was using on my Fedora 35 (Fedora 36 now uses
OpenSSL 3.0). OTOH, by the time this code is supported, 3.0 (or more)
seems like a more realistic target, as we're not going to say that it
supports EOLed versions.

I believe it is possible to support 1.1.1 in tomcat-native 2.0, since all
the useful new init and TLS 1.3 capabilities are in place. I'm not sure
LibreSSL has these init changes, which is why it's a problem to support it
with Panama (it's pretty verbose and error prone; also the calls might
well go away in OpenSSL eventually since they are not used anymore).

Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org