Hi Chris,
Am 08.01.26 um 19:15 schrieb Christopher Schultz:
Rainer,
On 1/8/26 6:58 AM, Rainer Jung wrote:
Am 06.01.26 um 21:22 schrieb Mark Thomas:
The key differences in version 2.0.12 compared to 2.0.9 are:
- The windows binaries in this release have been built with OpenSSL
3.5.4 and APR 1.7.6
- OCSP support is included (but not enabled) by default with various
improvements to the OCSP checks
- Add the ability to configure TLS 1.3 ciphers
The 2.0.x branch is primarily intended for use with Tomcat 10.1.x
onwards but can be used with earlier versions as long as the APR/
native connector is not used.
The proposed release artifacts can be found at [1],
and the build was done using tag [2].
The Apache Tomcat Native 2.0.12 release is
[X] Stable, go ahead and release
[ ] Broken because of ...
+1 for release
- checked artefacts for completeness
- checked artefact gpg signatures and sha512 hashes
- compared source tarballs against git sources
- checked OpenSSL version in Windows binaries
- checked some consistencies against own jnirelease.sh results
- built it against OpenSSL 3.6.0, 3.5.4 and 3.0.18, each on Platforms
Solaris 10 Sparc, SLES 12 and 15 and RHEL 7, 8, 9 and 10 (Linux on
x86_64). APR was 1.7.6.
OK, but a few OpenSSL 3 deprecation warnings
- tested via TC unit tests with tcnative/OpenSSL but only the SSL/TLS
related tests on the above platforms plus Solaris 11 Sparc using TC
11.0.15, 10.1.50 and 9.0.113 with latest patch levels of JDK 8, 11,
17, 21, 25, 26 and 27 from Adoptium Temurin, Amazon Corretto, Azul
Zulu, Oracle, RedHat and OpenJDK where applicable.
No new failures or increased level of failures, only the normal
amount of crashes.
Permission in the source tarball:
The sources are packed with broad group permissions (write allowed)
for the included files. That is normal eg. on a Linux system with
USERGROUPS_ENAB. Each user gets as his default group one with the same
name as the user (eg. mark:mark). And then the broader permissions
make sense. But when extracting such a tarball or zip on a system with
a bigger group, the permissions might be a bit too open. So I would
prefer to distribute artefacts packed with *no* group write
permissions for the files contained in the archive.
+1
I wonder what your UMASK setting is. tar should be using your umask
during extraction unless you specify the -p flag.
Yeah, it is mostly about the -p flag. But also to have safe defaults
independent of extraction tool behavior.
OpenSSL deprecation warnings:
src/ssl.c:993:9: warning: 'SSL_SESSION_get_time' is deprecated: Since
OpenSSL 3.4;not Y2038-safe, replace with SSL_SESSION_get_time_ex() [-
Wdeprecated-declarations]
src/sslcontext.c:1041:9: warning: 'EC_KEY_new_by_curve_name' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
src/7 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
src/sslcontext.c:1045:5: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
src/2 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
src/sslutils.c:208:5: warning: 'PEM_read_bio_ECPKParameters' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
471 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, ECPKParameters,
EC_GROUP)
Thanks a bunch for RM!
Yep, we've been slowly trying to work-around the deprecations, mostly by
using "new improved" techniques. Unfortunately, this often requires
large portions of code to be re-written which causes impedance between
versions, etc.
So we'll get there.
Yeah, for instance 2.x has only 3 deprecated symbols left in use, 1.3
has many more. So quite a progress already in 2.x!
Best regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
