Am 06.01.26 um 21:22 schrieb Mark Thomas:
The key differences in version 2.0.12 compared to 2.0.9 are:
- The windows binaries in this release have been built with OpenSSL
3.5.4 and APR 1.7.6
- OCSP support is included (but not enabled) by default with various
improvements to the OCSP checks
- Add the ability to configure TLS 1.3 ciphers
The 2.0.x branch is primarily intended for use with Tomcat 10.1.x
onwards but can be used with earlier versions as long as the APR/native
connector is not used.
The proposed release artifacts can be found at [1],
and the build was done using tag [2].
The Apache Tomcat Native 2.0.12 release is
[X] Stable, go ahead and release
[ ] Broken because of ...
+1 for release
- checked artefacts for completeness
- checked artefact gpg signatures and sha512 hashes
- compared source tarballs against git sources
- checked OpenSSL version in Windows binaries
- checked some consistencies against own jnirelease.sh results
- built it against OpenSSL 3.6.0, 3.5.4 and 3.0.18, each on Platforms
Solaris 10 Sparc, SLES 12 and 15 and RHEL 7, 8, 9 and 10 (Linux on
x86_64). APR was 1.7.6.
OK, but a few OpenSSL 3 deprecation warnings
- tested via TC unit tests with tcnative/OpenSSL but only the SSL/TLS
related tests on the above platforms plus Solaris 11 Sparc using TC
11.0.15, 10.1.50 and 9.0.113 with latest patch levels of JDK 8, 11, 17,
21, 25, 26 and 27 from Adoptium Temurin, Amazon Corretto, Azul Zulu,
Oracle, RedHat and OpenJDK where applicable.
No new failures or increased level of failures, only the normal
amount of crashes.
Permission in the source tarball:
The sources are packed with broad group permissions (write allowed) for
the included files. That is normal eg. on a Linux system with
USERGROUPS_ENAB. Each user gets as his default group one with the same
name as the user (eg. mark:mark). And then the broader permissions make
sense. But when extracting such a tarball or zip on a system with a
bigger group, the permissions might be a bit too open. So I would prefer
to distribute artefacts packed with *no* group write permissions for the
files contained in the archive. IMHO this is not a show-stopper.
OpenSSL deprecation warnings:
src/ssl.c:993:9: warning: 'SSL_SESSION_get_time' is deprecated: Since
OpenSSL 3.4;not Y2038-safe, replace with SSL_SESSION_get_time_ex()
[-Wdeprecated-declarations]
src/sslcontext.c:1041:9: warning: 'EC_KEY_new_by_curve_name' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
src/7 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
src/sslcontext.c:1045:5: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
src/2 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
src/sslutils.c:208:5: warning: 'PEM_read_bio_ECPKParameters' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
471 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, ECPKParameters, EC_GROUP)
Thanks a bunch for RM!
Best Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
