On 18.12.25 at 01:26, Rainer Jung wrote:
On 17.12.25 at 20:58, Mark Thomas wrote:
The key differences in version 2.0.11 compared to 2.0.9 are:

- The windows binaries in this release have been built with OpenSSL
   3.5.4 and APR 1.7.6

- OCSP support is included (but not enabled) by default with various
   improvements to the OCSP checks

- Add the ability to configure TLS 1.3 ciphers

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x onwards but can be used with earlier versions as long as the APR/native connector is not used.

The proposed release artifacts can be found at [1],
and the build was done using tag [2].

The Apache Tomcat Native 2.0.11 release is
  [ ] Stable, go ahead and release
  [ ] Broken because of ...

I ran those unit tests from TC 9.0.113 and 10.1.50 which are TLS based with the new tcnative versions 2.0.11 and 1.3.2. They fail in TestClientCertTls13 for NIO and NIO2 with the following error:

Testcase: testClientCertPost[OpenSSL] took 0.104 sec
     Caused an ERROR
Protocol handler initialization failed
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
    at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:93)
Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
Caused by: java.security.KeyManagementException: Error initializing SSL context
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)

Testcase: testClientCertGet[OpenSSL] took 0.033 sec
     Caused an ERROR
Protocol handler initialization failed
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
    at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:81)
Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
Caused by: java.security.KeyManagementException: Error initializing SSL context
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)


Although this looks like an integration issue on my side ("could not load the shared library"), the same tests using the same scripts do not fail for 2.0.9 and for 1.3.1. And other TLS based tests do not fail for the new tcnative versions, only those. Since the tcnative code in sslcontext.c changed in setCipherSuite(), it is likely a failure caused by the change.

Can anyone reproduce this?

I added some debug lines.

- the error "error:12800067:DSO support routines::could not load the shared library" is shown, because "SSL_ERR_clear();" is missing somewhere. If I add that in setCipherSuite, the SSL library error thrown changes to "error:0A0000B9:SSL routines::no cipher match"

- the error happens in the "if (maxProtoVer >= TLS1_3_VERSION) {" branch.

- the CipherSuite used is "!aNULL:!eNULL:!EXP:ALL" and "!aNULL:!eNULL:!EXP:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA".

- when using those with "openssl ciphers -ciphersuites" I get the same SSL library error on the commandline.

- the code of the openssl commandline binary shows it is using the same call to SSL_CTX_set_ciphersuites() as our code

- the openssl CLI command works as soon as I use a list of explicit TLS 1.3 ciphers. It does not work using group names like ALL or AES.

I suspect the implementation of SSL_CTX_set_ciphersuites() might not resolve cipher group names.

So it seems our new code is not yet working as expected.

Therefore I vote -1 for 2.0.11 and 1.3.2.

Best regards,

Rainer
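An added illustration of the behaviour described above (example code, not tcnative's and not from the thread): SSL_CTX_set_ciphersuites() takes only a colon-separated list of explicit TLS 1.3 suite names, so a Tomcat cipher string built from cipher-list keywords ("!aNULL:!eNULL:!EXP:ALL") has to be filtered before anything is handed to that call, and an empty result means the call should be skipped rather than made. The pre-check below is a constructed helper; the five suite names are assumed to be the TLS 1.3 names OpenSSL uses.

```c
#include <string.h>

/* Added example, not tcnative code. The explicit TLS 1.3 suite names
 * SSL_CTX_set_ciphersuites() accepts (assumed OpenSSL 1.1.1+/3.x names);
 * cipher-list keywords such as ALL, HIGH or !aNULL belong to
 * SSL_CTX_set_cipher_list() and yield "no cipher match" here. */
static const char *const TLS13_SUITES[] = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
};

static int is_tls13_suite(const char *tok) {
    for (size_t i = 0; i < sizeof TLS13_SUITES / sizeof *TLS13_SUITES; i++)
        if (strcmp(tok, TLS13_SUITES[i]) == 0) return 1;
    return 0;
}

/* Copy only the explicit TLS 1.3 suite names from a Tomcat-style cipher
 * string into `out` (colon separated, original order). Returns the count
 * kept, or -1 if `out` is too small; 0 kept means: do not call set_ciphersuites(). */
int tls13_suites_from_cipher_string(const char *ciphers, char *out, size_t outlen) {
    int kept = 0;
    size_t used = 0;
    const char *p = ciphers;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char tok[64];
        if (len > 0 && len < sizeof tok) {
            memcpy(tok, p, len);
            tok[len] = '\0';
            if (is_tls13_suite(tok)) {
                if (used + len + (kept ? 1 : 0) >= outlen) return -1;
                if (kept) out[used++] = ':';   /* separator between kept names */
                memcpy(out + used, tok, len + 1);
                used += len;
                kept++;
            }
        }
        if (!end) break;
        p = end + 1;
    }
    return kept;
}
```

Both strings quoted in the thread yield 0, which is exactly the case where passing them through unchanged produces the "no cipher match" error once the stale error queue is cleared.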

