On 15/01/2026 13:30, Mark Thomas wrote:
On 15/01/2026 13:11, Dimitris Soumis wrote:
On Thu, Jan 15, 2026 at 1:26 AM Rémy Maucherat <[email protected]> wrote:
On Wed, Jan 14, 2026 at 9:03 PM Mark Thomas <[email protected]> wrote:
>
> All,
>
> I wanted to provide a progress update as I expected to be in a position
> to start tagging the January release by now and I'm not.
>
> Most of the release preparation is done:
> - dependencies have been reviewed and updated where necessary
> - i18n sync with POEditor is complete
> - open bugs have been resolved
> - there are a couple of PRs I hoped to merge this time around that will
>   have to wait until Feb but they are for enhancements rather than bugs
> - The Tomcat Native updates are complete
> - The TLS 1.3 configuration updates are complete
>
> The OCSP protocol updates are where the delay is.
>
> I think everything is working for 10.1.x, 11.0.x and 12.0.x although I
> do want to complete my usual run of the test suites on Windows, Linux
> and MacOS before tagging and they might expose a bug or two.
>
> The challenge at the moment is 9.0.x and APR. The TestOscpEnabled test
> case is seeing a LOT of failures and I don't understand why at this
> point. It is getting late here so I probably need to start fresh
> tomorrow. Most of the issues seem to be around the client verifying the
> server certificate which is really odd since that code should be the
> same regardless of Connector.
>
> I'm expecting the CI builds for 9.0.x to continue to fail for now but
> hopefully 11.0.x will continue to pass and 10.1.x will start passing on
> the next run.
>
> I've seen quite a few Native crashes over the last few days. Nothing
> obviously repeatable at this point but as the test failures get fixed we
> might start to see a pattern. We'll see.
>
> Hopefully, there will be some progress tomorrow and we'll be in a position
> to start tagging.
>
> If anyone does have some time available to look at the failing OCSP
> tests with 9.0.x and APR that would be great but please don't feel you
> have to.
I'll look at it once I finish with my various FFM compat issues ...
Rémy
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
I think there are two issues here.
Firstly, removing the truststore file when useOpenSSLTrust is enabled.
Secondly, when the server cert is invalid, the certificate should
point to the revoked one instead of the default CA_CERT_PEM in
TesterSupport.initSsl.
I am attaching a draft patch, fixing those issues and resulting in all
tests passing.
The patch breaks something, as I see
TestOcspTimeout.testTimeoutWithoutSoftFail fails. I will look into it
later.
Thanks. That is really helpful.
I've spent the morning looking at the native crashes and have made some
progress but I could do with a break from that so I'll look at the draft
patch.
Yes. That all makes sense. I've re-worked TesterSupport.initSsl because
the various overloaded methods let you change the server cert for JSSE
configuration style but not OPENSSL. My local change allows the default
certificate file and certificate key file to be overridden as well
(which is what the OCSP tests need to do).
I also spotted an issue with JSSE vs OpenSSL trust configuration that
I've fixed.
The OCSP tests are passing now with APR. I just need to check I haven't
broken anything else.
Thanks again for tracking down the cause of the failures.
Mark