On 07.01.26 at 20:00, Mark Thomas wrote:
The key differences compared to 1.3.1 are:
- The Windows binaries in this release have been built with OpenSSL
3.0.18 and APR 1.7.6
- OCSP support is included (but not enabled) by default with various
improvements to the OCSP checks
- Add the ability to configure TLS 1.3 ciphers
The proposed release artifacts can be found at [1],
and the build was done using tag [2].
The Apache Tomcat Native 1.3.4 release is
[X] Stable, go ahead and release
[ ] Broken because of ...
+1 for release
- checked artefacts for completeness
- checked artefact gpg signatures and sha512 hashes
- compared source tarballs against git sources
- checked OpenSSL version in Windows binaries
- checked some consistencies against own jnirelease.sh results
- built it against OpenSSL 3.6.0, 3.5.4 and 3.0.18, each on the platforms
Solaris 10 SPARC, SLES 12 and 15, and RHEL 7, 8, 9 and 10 (Linux on
x86_64). APR was 1.7.6.
OK, but many OpenSSL 3 deprecation warnings.
- tested via TC unit tests with tcnative/OpenSSL, but only the SSL/TLS
related tests, on the above platforms plus Solaris 11 SPARC using TC
11.0.15, 10.1.50 and 9.0.113 with the latest patch levels of JDK 8, 11, 17,
21, 25, 26 and 27 from Adoptium Temurin, Amazon Corretto, Azul Zulu,
Oracle, Red Hat and OpenJDK where applicable.
No new failures or increased level of failures, only the normal
amount of crashes.
Permissions in the source tarball:
The sources are packed with broad group permissions (write allowed) for
the included files. That is normal, e.g. on a Linux system with
USERGROUPS_ENAB. Each user gets as his default group one with the same
name as the user (e.g. mark:mark), and then the broader permissions make
sense. But when extracting such a tarball or zip on a system with a
bigger group, the permissions might be a bit too open. So I would prefer
to distribute artefacts packed with *no* group write permissions for the
files contained in the archive. IMHO this is not a show-stopper.
OpenSSL deprecation warnings (many more than for 2.0.12):
src/ssl.c: In function 'make_dh_params':
src/ssl.c:199:5: warning: 'DH_new' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
DH *dh = DH_new();
^~
In file included from /path/to/include/openssl/dsa.h:31:0,
from /path/to/include/openssl/x509.h:37,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/ssl.c:24:
/path/to/include/openssl/dh.h:210:27: note: declared here
OSSL_DEPRECATEDIN_3_0 DH *DH_new(void);
^~~~~~
src/ssl.c:210:5: warning: 'DH_set0_pqg' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
^~
In file included from /path/to/include/openssl/dsa.h:31:0,
from /path/to/include/openssl/x509.h:37,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/ssl.c:24:
/path/to/include/openssl/dh.h:266:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q,
BIGNUM *g);
^~~~~~~~~~~
src/ssl.c:211:9: warning: 'DH_free' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
DH_free(dh);
^~~~~~~
In file included from /path/to/include/openssl/dsa.h:31:0,
from /path/to/include/openssl/x509.h:37,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/ssl.c:24:
/path/to/include/openssl/dh.h:211:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
src/ssl.c: In function 'free_dh_params':
src/ssl.c:249:9: warning: 'DH_free' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
DH_free(dhparams[n].dh);
^~~~~~~
In file included from /path/to/include/openssl/dsa.h:31:0,
from /path/to/include/openssl/x509.h:37,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/ssl.c:24:
/path/to/include/openssl/dh.h:211:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
src/ssl.c: In function 'ssl_init_cleanup':
src/ssl.c:318:9: warning: 'ENGINE_free' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
ENGINE_free(tcn_ssl_engine);
^~~~~~~~~~~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:493:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
^~~~~~~~~~~
src/ssl.c: In function 'ssl_try_load_engine':
src/ssl.c:346:5: warning: 'ENGINE_by_id' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
ENGINE *e = ENGINE_by_id("dynamic");
^~~~~~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:336:31: note: declared here
OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
^~~~~~~~~~~~
src/ssl.c:348:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
^~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:479:5: note: declared here
int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char
*arg,
^~~~~~~~~~~~~~~~~~~~~~
src/ssl.c:349:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
^~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:479:5: note: declared here
int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char
*arg,
^~~~~~~~~~~~~~~~~~~~~~
src/ssl.c:350:13: warning: 'ENGINE_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
ENGINE_free(e);
^~~~~~~~~~~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:493:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
^~~~~~~~~~~
src/ssl.c: In function 'Java_org_apache_tomcat_jni_SSL_initialize':
src/ssl.c:534:13: warning: 'ENGINE_register_all_complete' is deprecated:
Since OpenSSL 3.0 [-Wdeprecated-declarations]
ENGINE_register_all_complete();
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:415:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_register_all_complete(void);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/ssl.c:537:13: warning: 'ENGINE_by_id' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
if ((ee = ENGINE_by_id(J2S(engine))) == NULL
^~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:336:31: note: declared here
OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
^~~~~~~~~~~~
src/ssl.c:543:21: warning: 'ENGINE_ctrl' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1,
0, 0);
^~~~~~~~~~~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:429:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p,
^~~~~~~~~~~
src/ssl.c:545:17: warning: 'ENGINE_set_default' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
^~
In file included from ./include/ssl_private.h:56:0,
from src/ssl.c:24:
/path/to/include/openssl/engine.h:708:27: note: declared here
OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default(ENGINE *e, unsigned int
flags);
^~~~~~~~~~~~~~~~~~
src/ssl.c: In function 'Java_org_apache_tomcat_jni_SSL_getTime':
src/ssl.c:1532:9: warning: 'SSL_SESSION_get_time' is deprecated: Since
OpenSSL 3.4;not Y2038-safe, replace with SSL_SESSION_get_time_ex()
[-Wdeprecated-declarations]
return SSL_get_time(session);
^~~~~~
In file included from ./include/ssl_private.h:38:0,
from src/ssl.c:24:
/path/to/include/openssl/ssl.h:1748:13: note: declared here
__owur long SSL_SESSION_get_time(const SSL_SESSION *s);
^~~~~~~~~~~~~~~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setTmpDH':
src/sslcontext.c:807:5: warning: 'PEM_read_bio_DHparams' is deprecated:
Since OpenSSL 3.0 [-Wdeprecated-declarations]
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
^~
In file included from /path/to/include/openssl/ssl.h:37:0,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/pem.h:76:11: note: declared here
type *PEM_##readname##_##name(INTYPE *out, type **x, \
^
/path/to/include/openssl/pem.h:274:10: note: in expansion of macro
'PEM_read_cb_fnsig'
attr PEM_read_cb_fnsig(name, type, BIO, read_bio);
^~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:338:5: note: in expansion of macro
'DECLARE_PEM_read_bio_attr'
DECLARE_PEM_read_bio_attr(attr, name, type)
\
^~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:348:5: note: in expansion of macro
'DECLARE_PEM_read_attr'
DECLARE_PEM_read_attr(attr, name, type)
\
^~~~~~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:479:1: note: in expansion of macro
'DECLARE_PEM_rw_attr'
DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)
^~~~~~~~~~~~~~~~~~~
src/sslcontext.c:819:9: warning: 'DH_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
DH_free(dh);
^~~~~~~
In file included from /path/to/include/openssl/dsa.h:31:0,
from /path/to/include/openssl/x509.h:37,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/dh.h:211:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
src/sslcontext.c:826:5: warning: 'DH_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
DH_free(dh);
^~~~~~~
In file included from /path/to/include/openssl/dsa.h:31:0,
from /path/to/include/openssl/x509.h:37,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/dh.h:211:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setTmpECDHByCurveName':
src/sslcontext.c:850:5: warning: 'EC_KEY_new_by_curve_name' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
ecdh = EC_KEY_new_by_curve_name(i);
^~~~
In file included from /path/to/include/openssl/x509.h:33:0,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/ec.h:1017:31: note: declared here
OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
^~~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c:860:9: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
EC_KEY_free(ecdh);
^~~~~~~~~~~
In file included from /path/to/include/openssl/x509.h:33:0,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/ec.h:1022:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
^~~~~~~~~~~
src/sslcontext.c:866:5: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
EC_KEY_free(ecdh);
^~~~~~~~~~~
In file included from /path/to/include/openssl/x509.h:33:0,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/ec.h:1022:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
^~~~~~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setCertificate':
src/sslcontext.c:1084:17: warning: 'ENGINE_load_private_key' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
(c->keys[idx] =
ENGINE_load_private_key(tcn_ssl_engine, key_file,
^
In file included from ./include/ssl_private.h:56:0,
from src/sslcontext.c:28:
/path/to/include/openssl/engine.h:638:11: note: declared here
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
^~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c:1129:9: warning: 'DH_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
DH_free(dhparams);
^~~~~~~
In file included from /path/to/include/openssl/dsa.h:31:0,
from /path/to/include/openssl/x509.h:37,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/dh.h:211:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
^~~~~~~
src/sslcontext.c:1140:9: warning: 'EC_KEY_new_by_curve_name' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
(eckey = EC_KEY_new_by_curve_name(nid))) {
^
In file included from /path/to/include/openssl/x509.h:33:0,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/ec.h:1017:31: note: declared here
OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
^~~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c:1144:5: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
EC_KEY_free(eckey);
^~~~~~~~~~~
In file included from /path/to/include/openssl/x509.h:33:0,
from /path/to/include/openssl/ssl.h:32,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/include/openssl/ec.h:1022:28: note: declared here
OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
^~~~~~~~~~~
src/sslcontext.c:1147:5: warning: 'SSL_CTX_set_tmp_dh_callback' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ./include/ssl_private.h:38:0,
from src/sslcontext.c:28:
/path/to/include/openssl/ssl.h:2271:6: note: declared here
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
^~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setCertificateRaw':
src/sslcontext.c:1256:5: warning: 'SSL_CTX_set_tmp_dh_callback' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ./include/ssl_private.h:38:0,
from src/sslcontext.c:28:
/path/to/include/openssl/ssl.h:2271:6: note: declared here
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
^~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sslutils.c: In function 'SSL_dh_GetParamFromFile':
src/sslutils.c:211:5: warning: 'PEM_read_bio_DHparams' is deprecated:
Since OpenSSL 3.0 [-Wdeprecated-declarations]
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
^~
In file included from /path/to/include/openssl/ssl.h:37:0,
from ./include/ssl_private.h:38,
from src/sslutils.c:24:
/path/to/include/openssl/pem.h:76:11: note: declared here
type *PEM_##readname##_##name(INTYPE *out, type **x, \
^
/path/to/include/openssl/pem.h:274:10: note: in expansion of macro
'PEM_read_cb_fnsig'
attr PEM_read_cb_fnsig(name, type, BIO, read_bio);
^~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:338:5: note: in expansion of macro
'DECLARE_PEM_read_bio_attr'
DECLARE_PEM_read_bio_attr(attr, name, type)
\
^~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:348:5: note: in expansion of macro
'DECLARE_PEM_read_attr'
DECLARE_PEM_read_attr(attr, name, type)
\
^~~~~~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:479:1: note: in expansion of macro
'DECLARE_PEM_rw_attr'
DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)
^~~~~~~~~~~~~~~~~~~
src/sslutils.c: In function 'SSL_ec_GetParamFromFile':
src/sslutils.c:224:5: warning: 'PEM_read_bio_ECPKParameters' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
^~~~~
In file included from /path/to/include/openssl/ssl.h:37:0,
from ./include/ssl_private.h:38,
from src/sslutils.c:24:
/path/to/include/openssl/pem.h:76:11: note: declared here
type *PEM_##readname##_##name(INTYPE *out, type **x, \
^
/path/to/include/openssl/pem.h:274:10: note: in expansion of macro
'PEM_read_cb_fnsig'
attr PEM_read_cb_fnsig(name, type, BIO, read_bio);
^~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:338:5: note: in expansion of macro
'DECLARE_PEM_read_bio_attr'
DECLARE_PEM_read_bio_attr(attr, name, type)
\
^~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:348:5: note: in expansion of macro
'DECLARE_PEM_read_attr'
DECLARE_PEM_read_attr(attr, name, type)
\
^~~~~~~~~~~~~~~~~~~~~
/path/to/include/openssl/pem.h:471:1: note: in expansion of macro
'DECLARE_PEM_rw_attr'
DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, ECPKParameters, EC_GROUP)
^~~~~~~~~~~~~~~~~~~
src/sslutils.c: In function 'process_ocsp_response':
src/sslutils.c:1061:15: warning: assignment discards 'const' qualifier
from pointer target type [-Wdiscarded-qualifiers]
certStack = OCSP_resp_get0_certs(bs);
^
Thanks a bunch for RM!
Best Regards,
Rainer
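As an added example for the tarball permission point raised in the mail (not part of the mail or of the Tomcat Native project), a POSIX shell check that lists the group-writable entries in a release archive and then extracts it so that the current umask, not the archived mode bits, decides the resulting permissions. The archive and file names are constructed; it assumes GNU or BSD tar and find.

```shell
#!/bin/sh
# Added example, not from the original mail: audit a release tarball for
# group-writable entries and extract it without inheriting those bits.
# Assumes GNU or BSD tar and find; all paths below are constructed.
set -e

# Print "<mode> <name>" for every entry whose mode string has the group
# write bit set (character 6 of e.g. "-rw-rw-r--").
list_group_writable() {
    tar -tvf "$1" | awk 'substr($1, 6, 1) == "w" { print $1, $NF }'
}

# Extract applying the current umask instead of the archived modes.
# --no-same-permissions matters when running as root (e.g. in a container),
# where tar preserves archived modes by default. Returns non-zero if
# anything extracted is still group-writable.
extract_hardened() {
    archive=$1; dest=$2
    mkdir -p "$dest"
    ( umask 022 && tar --no-same-permissions -xf "$archive" -C "$dest" )
    [ -z "$(find "$dest" -perm -g=w -print)" ]
}

# Constructed sample archive mirroring the situation in the mail: one file
# packed with mode 664 (group write), one with 644, directory 755.
WORK=$(mktemp -d)
mkdir -p "$WORK/src/sample"
printf 'x\n' > "$WORK/src/sample/open.c"
printf 'y\n' > "$WORK/src/sample/tight.c"
chmod 755 "$WORK/src/sample"
chmod 664 "$WORK/src/sample/open.c"
chmod 644 "$WORK/src/sample/tight.c"
SAMPLE_TAR="$WORK/sample.tar"
tar -cf "$SAMPLE_TAR" -C "$WORK/src" sample

list_group_writable "$SAMPLE_TAR"   # lists only sample/open.c
extract_hardened "$SAMPLE_TAR" "$WORK/out" && echo "extracted with safe modes"
```

On a real release, run `list_group_writable` against the downloaded archive; an empty result means the artefact already ships without group write bits.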