Am 12.06.26 um 11:49 schrieb Mark Thomas:
The key differences compared to 1.3.7 are:
- Windows binaries built with OpenSSL 3.0.21
- Fix post handshake authentication when using TLS 1.3
- Fix a small number of small memory leaks
The proposed release artifacts can be found at [1],
and the build was done using tag [2].
The Apache Tomcat Native 1.3.8 release is
[X] Stable, go ahead and release
[ ] Broken because of ...
+1 for release
- checked artefacts for completeness
- checked artefact gpg signatures and sha512 hashes
- compared source tarballs against git sources
- checked OpenSSL version in Windows binaries
- checked some aspects for consistency against my own jnirelease.sh results
- built it against OpenSSL 3.6.3, 3.5.7 and 3.0.21, each on the
platforms SLES 12 and 15 and RHEL 7, 8, 9 and 10 (all x86_64). APR was
1.7.6. Not tried with OpenSSL 4.
- some build warnings; most, but not all, are OpenSSL deprecations; see
A) below
- tested via TC unit tests with tcnative/OpenSSL, but only the SSL/TLS
related tests, on the above platforms using yesterday's head of TC 11.0.x,
10.1.x and 9.0.x with latest patch levels of JDK 8, 11, 17, 21, 25, 26
and 27 (where applicable) from Adoptium Temurin, Amazon Corretto, Azul
Zulu, Oracle, RedHat and OpenJDK (only a few vendor-version combinations
were tested).
- Only a few crashes, most of them on RHEL 10
- Permissions in the source tarball are fine
A) Compilation warnings
:::::::::::::::::::::::
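Non-OpenSSL related (GCC sees a code path on which J2S(msg) is NULL; passing NULL for a '%s' argument is undefined behaviour in C, so unlike the deprecations below this may point at a missing null check):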
os/unix/system.c: In function 'Java_org_apache_tomcat_jni_OS_syslog':
os/unix/system.c:437:18: warning: '%s' directive argument is null
[-Wformat-overflow=]
437 | syslog (id, "%s", J2S(msg));
| ^~
os/unix/system.c:437:18: warning: '%s' directive argument is null
[-Wformat-overflow=]
OpenSSL deprecations:
src/ssl.c: In function 'make_dh_params':
src/ssl.c:199:5: warning: 'DH_new' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
199 | DH *dh = DH_new();
| ^~
In file included from /path/to/openssl/include/openssl/dsa.h:31,
from /path/to/openssl/include/openssl/x509.h:39,
from /path/to/openssl/include/openssl/ssl.h:34,
from ./include/ssl_private.h:38,
from src/ssl.c:24:
/path/to/openssl/include/openssl/dh.h:210:27: note: declared here
210 | OSSL_DEPRECATEDIN_3_0 DH *DH_new(void);
| ^~~~~~
src/ssl.c:210:5: warning: 'DH_set0_pqg' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
210 | if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) {
| ^~
/path/to/openssl/include/openssl/dh.h:266:27: note: declared here
266 | OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM
*q, BIGNUM *g);
| ^~~~~~~~~~~
src/ssl.c:211:9: warning: 'DH_free' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
211 | DH_free(dh);
| ^~~~~~~
/path/to/openssl/include/openssl/dh.h:211:28: note: declared here
211 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
src/ssl.c: In function 'free_dh_params':
src/ssl.c:249:9: warning: 'DH_free' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
249 | DH_free(dhparams[n].dh);
| ^~~~~~~
/path/to/openssl/include/openssl/dh.h:211:28: note: declared here
211 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
src/ssl.c: In function 'ssl_init_cleanup':
src/ssl.c:318:9: warning: 'ENGINE_free' is deprecated: Since OpenSSL 3.0
[-Wdeprecated-declarations]
318 | ENGINE_free(tcn_ssl_engine);
| ^~~~~~~~~~~
In file included from ./include/ssl_private.h:56:
/path/to/openssl/include/openssl/engine.h:493:27: note: declared here
493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
| ^~~~~~~~~~~
src/ssl.c: In function 'ssl_try_load_engine':
src/ssl.c:346:5: warning: 'ENGINE_by_id' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
346 | ENGINE *e = ENGINE_by_id("dynamic");
| ^~~~~~
/path/to/openssl/include/openssl/engine.h:336:31: note: declared here
336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
| ^~~~~~~~~~~~
src/ssl.c:348:9: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
348 | if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
| ^~
/path/to/openssl/include/openssl/engine.h:479:5: note: declared here
479 | int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name,
const char *arg,
| ^~~~~~~~~~~~~~~~~~~~~~
src/ssl.c:349:13: warning: 'ENGINE_ctrl_cmd_string' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
349 | || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
| ^~
/path/to/openssl/include/openssl/engine.h:479:5: note: declared here
479 | int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name,
const char *arg,
| ^~~~~~~~~~~~~~~~~~~~~~
src/ssl.c:350:13: warning: 'ENGINE_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
350 | ENGINE_free(e);
| ^~~~~~~~~~~
/path/to/openssl/include/openssl/engine.h:493:27: note: declared here
493 | OSSL_DEPRECATEDIN_3_0 int ENGINE_free(ENGINE *e);
| ^~~~~~~~~~~
src/ssl.c: In function 'Java_org_apache_tomcat_jni_SSL_initialize':
src/ssl.c:534:13: warning: 'ENGINE_register_all_complete' is deprecated:
Since OpenSSL 3.0 [-Wdeprecated-declarations]
534 | ENGINE_register_all_complete();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/engine.h:415:27: note: declared here
415 | OSSL_DEPRECATEDIN_3_0 int ENGINE_register_all_complete(void);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/ssl.c:537:13: warning: 'ENGINE_by_id' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
537 | if ((ee = ENGINE_by_id(J2S(engine))) == NULL
| ^~
/path/to/openssl/include/openssl/engine.h:336:31: note: declared here
336 | OSSL_DEPRECATEDIN_3_0 ENGINE *ENGINE_by_id(const char *id);
| ^~~~~~~~~~~~
src/ssl.c:543:21: warning: 'ENGINE_ctrl' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
543 | ENGINE_ctrl(ee,
ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
| ^~~~~~~~~~~
/path/to/openssl/include/openssl/engine.h:429:27: note: declared here
429 | OSSL_DEPRECATEDIN_3_0 int ENGINE_ctrl(ENGINE *e, int cmd, long
i, void *p,
| ^~~~~~~~~~~
src/ssl.c:545:17: warning: 'ENGINE_set_default' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
545 | if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
| ^~
/path/to/openssl/include/openssl/engine.h:710:27: note: declared here
710 | OSSL_DEPRECATEDIN_3_0 int ENGINE_set_default(ENGINE *e,
unsigned int flags);
| ^~~~~~~~~~~~~~~~~~
src/ssl.c: In function 'Java_org_apache_tomcat_jni_SSL_getTime':
src/ssl.c:1551:9: warning: 'SSL_SESSION_get_time' is deprecated: Since
OpenSSL 3.4;not Y2038-safe, replace with SSL_SESSION_get_time_ex()
[-Wdeprecated-declarations]
1551 | return SSL_get_time(session);
| ^~~~~~
/path/to/openssl/include/openssl/ssl.h:1759:13: note: declared here
1759 | __owur long SSL_SESSION_get_time(const SSL_SESSION *s);
| ^~~~~~~~~~~~~~~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setTmpDH':
src/sslcontext.c:813:5: warning: 'PEM_read_bio_DHparams' is deprecated:
Since OpenSSL 3.0 [-Wdeprecated-declarations]
813 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
| ^~
In file included from /path/to/openssl/include/openssl/ssl.h:39,
from ./include/ssl_private.h:38,
from src/sslcontext.c:28:
/path/to/openssl/include/openssl/pem.h:76:11: note: declared here
76 | type *PEM_##readname##_##name(INTYPE *out, type **x, \
| ^~~~
/path/to/openssl/include/openssl/pem.h:274:10: note: in expansion of
macro 'PEM_read_cb_fnsig'
274 | attr PEM_read_cb_fnsig(name, type, BIO, read_bio);
| ^~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:338:5: note: in expansion of
macro 'DECLARE_PEM_read_bio_attr'
338 | DECLARE_PEM_read_bio_attr(attr, name, type) \
| ^~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:348:5: note: in expansion of
macro 'DECLARE_PEM_read_attr'
348 | DECLARE_PEM_read_attr(attr, name, type) \
| ^~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:479:1: note: in expansion of
macro 'DECLARE_PEM_rw_attr'
479 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)
| ^~~~~~~~~~~~~~~~~~~
src/sslcontext.c:825:9: warning: 'DH_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
825 | DH_free(dh);
| ^~~~~~~
In file included from /path/to/openssl/include/openssl/dsa.h:31,
from /path/to/openssl/include/openssl/x509.h:39,
from /path/to/openssl/include/openssl/ssl.h:34:
/path/to/openssl/include/openssl/dh.h:211:28: note: declared here
211 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
src/sslcontext.c:832:5: warning: 'DH_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
832 | DH_free(dh);
| ^~~~~~~
/path/to/openssl/include/openssl/dh.h:211:28: note: declared here
211 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setTmpECDHByCurveName':
src/sslcontext.c:856:5: warning: 'EC_KEY_new_by_curve_name' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
856 | ecdh = EC_KEY_new_by_curve_name(i);
| ^~~~
In file included from /path/to/openssl/include/openssl/x509.h:35:
/path/to/openssl/include/openssl/ec.h:1009:31: note: declared here
1009 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
| ^~~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c:866:9: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
866 | EC_KEY_free(ecdh);
| ^~~~~~~~~~~
/path/to/openssl/include/openssl/ec.h:1014:28: note: declared here
1014 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
| ^~~~~~~~~~~
src/sslcontext.c:872:5: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
872 | EC_KEY_free(ecdh);
| ^~~~~~~~~~~
/path/to/openssl/include/openssl/ec.h:1014:28: note: declared here
1014 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
| ^~~~~~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setCertificate':
src/sslcontext.c:1090:17: warning: 'ENGINE_load_private_key' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1090 | (c->keys[idx] =
ENGINE_load_private_key(tcn_ssl_engine, key_file,
| ^
In file included from ./include/ssl_private.h:56:
/path/to/openssl/include/openssl/engine.h:640:11: note: declared here
640 | EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
| ^~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c:1135:9: warning: 'DH_free' is deprecated: Since OpenSSL
3.0 [-Wdeprecated-declarations]
1135 | DH_free(dhparams);
| ^~~~~~~
/path/to/openssl/include/openssl/dh.h:211:28: note: declared here
211 | OSSL_DEPRECATEDIN_3_0 void DH_free(DH *dh);
| ^~~~~~~
src/sslcontext.c:1146:9: warning: 'EC_KEY_new_by_curve_name' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1146 | (eckey = EC_KEY_new_by_curve_name(nid))) {
| ^
/path/to/openssl/include/openssl/ec.h:1009:31: note: declared here
1009 | OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
| ^~~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c:1150:5: warning: 'EC_KEY_free' is deprecated: Since
OpenSSL 3.0 [-Wdeprecated-declarations]
1150 | EC_KEY_free(eckey);
| ^~~~~~~~~~~
/path/to/openssl/include/openssl/ec.h:1014:28: note: declared here
1014 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
| ^~~~~~~~~~~
src/sslcontext.c:1153:5: warning: 'SSL_CTX_set_tmp_dh_callback' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1153 | SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/ssl.h:2282:6: note: declared here
2282 | void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sslcontext.c: In function
'Java_org_apache_tomcat_jni_SSLContext_setCertificateRaw':
src/sslcontext.c:1262:5: warning: 'SSL_CTX_set_tmp_dh_callback' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
1262 | SSL_CTX_set_tmp_dh_callback(c->ctx, SSL_callback_tmp_DH);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/ssl.h:2282:6: note: declared here
2282 | void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sslutils.c: In function 'SSL_dh_GetParamFromFile':
src/sslutils.c:211:5: warning: 'PEM_read_bio_DHparams' is deprecated:
Since OpenSSL 3.0 [-Wdeprecated-declarations]
211 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
| ^~
In file included from /path/to/openssl/include/openssl/ssl.h:39,
from ./include/ssl_private.h:38,
from src/sslutils.c:24:
/path/to/openssl/include/openssl/pem.h:76:11: note: declared here
76 | type *PEM_##readname##_##name(INTYPE *out, type **x, \
| ^~~~
/path/to/openssl/include/openssl/pem.h:274:10: note: in expansion of
macro 'PEM_read_cb_fnsig'
274 | attr PEM_read_cb_fnsig(name, type, BIO, read_bio);
| ^~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:338:5: note: in expansion of
macro 'DECLARE_PEM_read_bio_attr'
338 | DECLARE_PEM_read_bio_attr(attr, name, type) \
| ^~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:348:5: note: in expansion of
macro 'DECLARE_PEM_read_attr'
348 | DECLARE_PEM_read_attr(attr, name, type) \
| ^~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:479:1: note: in expansion of
macro 'DECLARE_PEM_rw_attr'
479 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)
| ^~~~~~~~~~~~~~~~~~~
src/sslutils.c: In function 'SSL_ec_GetParamFromFile':
src/sslutils.c:224:5: warning: 'PEM_read_bio_ECPKParameters' is
deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
224 | group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
| ^~~~~
/path/to/openssl/include/openssl/pem.h:76:11: note: declared here
76 | type *PEM_##readname##_##name(INTYPE *out, type **x, \
| ^~~~
/path/to/openssl/include/openssl/pem.h:274:10: note: in expansion of
macro 'PEM_read_cb_fnsig'
274 | attr PEM_read_cb_fnsig(name, type, BIO, read_bio);
| ^~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:338:5: note: in expansion of
macro 'DECLARE_PEM_read_bio_attr'
338 | DECLARE_PEM_read_bio_attr(attr, name, type) \
| ^~~~~~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:348:5: note: in expansion of
macro 'DECLARE_PEM_read_attr'
348 | DECLARE_PEM_read_attr(attr, name, type) \
| ^~~~~~~~~~~~~~~~~~~~~
/path/to/openssl/include/openssl/pem.h:471:1: note: in expansion of
macro 'DECLARE_PEM_rw_attr'
471 | DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, ECPKParameters,
EC_GROUP)
| ^~~~~~~~~~~~~~~~~~~
Thanks for RM!
Best Regards,
Rainer