> For Windows, you are better off using the all-in-one statically-linked
> DLL provided by the Tomcat team.
...
> In general, the Tomcat team tries to keep on top of the latest news
> and releases from both APR and OpenSSL, so you shouldn't have to wait
> too long between a newly-published version of APR or OpenSSL and a new
> release of tcnative.
I'm fine with that... this week we've seen the new TC-Native released and
then tomcat 9 updated Friday and 8.5 updated over the weekend (I think).
Pretty darn quick, in any case.
> I would question whether or not you really need libtcnative at all.
me too. but see below:
> Are you going to be using a Tomcat installation without any kind of
> load-balancer or reverse-proxy in between it and your users?
We're using a load-balancer, but terminating the SSL (TLS) connection at
Tomcat rather than at the load-balancer...
(we need the client certificate info for authentication. I understand that
with an SSL connection terminated at a load balancer, the client certificate
info can be forwarded to Tomcat - but I don't want to fight that battle
just now).
I'm investigating using tc-native for:
improved SSL (TLS) processing compared to the JSSE implementation (I hope)
TLS1.3 support
HTTP/2 Support
(possibly the use of more mainstream certs/truststore format (Windows
environment) than the JKS format -
(not that using JKS format is a big deal, but I have found Key Store
Explorer to be REAL helpful in figuring out problems with keystores or
truststores that weren't real obvious using keytool.exe by itself
and in adding/removing Issuer or Root certs as new ones come into use or
expire).
Thanks...
On Mon, Feb 11, 2019 at 11:38 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:
> John,
>
> On 2/11/19 10:46, John Palmer wrote:
> > (I'm new to using TC-native, interested in how to accomplish "In
> > security conscious production environments, it is recommended to
> > use separate shared dlls for OpenSSL, APR, and libtcnative-1, and
> > update them as needed according to security bulletins. "
>
> For Windows, you are better off using the all-in-one statically-linked
> DLL provided by the Tomcat team. If you really want separate ones,
> you'll need to build everything yourself.
>
> I think that quote is easy to misinterpret. The problem is not the
> fact that the library is statically-linked and therefore less secure.
> The problem is that the native library bundles 3 separate packages:
> Apache Portable Runtime (APR), OpenSSL, and Tomcat's native library
> (libtcnative). Because they are bundled together, you cannot upgrade
> any single one of them independently of the others.
>
> If APR publishes a fix for a vulnerability, you cannot upgrade just
> apr-x.y.z.dll to get that fix. Instead, you'd have to wait for the
> Tomcat team to publish an updated bundle that includes that new
> version. Same with OpenSSL, etc.
>
> In general, the Tomcat team tries to keep on top of the latest news
> and releases from both APR and OpenSSL, so you shouldn't have to wait
> too long between a newly-published version of APR or OpenSSL and a new
> release of tcnative.
>
> If you have the capability of building your own libraries, then you
> can always get the latest from the upstream source and stay even more
> up-to-date than you would if you waited for the releases from Tomcat.
>
> > Apparently I need a concrete example (step-by-step, where to get
> > the dlls, where to put them (and make sure tomcat finds them)
> > etc... preferably I wouldn't have to compile anything myself.
>
> If you don't want to compile yourself, you'll need to trust ...
> someone else. The Tomcat team only publishes the all-in-one DLL.
>
> I would question whether or not you really need libtcnative at all.
> Are you going to be using a Tomcat installation without any kind of
> load-balancer or reverse-proxy in between it and your users?
>
> - -chris
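The practical consequence of the bundling Chris describes is that the only way to know which APR and OpenSSL you are actually running is to look at what Tomcat's AprLifecycleListener reports when the native library loads, and compare that against whatever version the relevant security bulletin names. The script below is an added example written for this thread, not code from the Tomcat project or from either poster. The log lines it parses are constructed samples in the shape of Tomcat's default one-line log format; the minimum versions passed in are placeholders the operator substitutes from the bulletin in hand, not a claim about any particular advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of the lines Tomcat's AprLifecycleListener writes at
# startup when the native library loads. Exact wording differs slightly between
# Tomcat versions; the regexes below rely only on the bracketed version fields.
SAMPLE_STARTUP_LOG = """\
11-Feb-2019 10:46:02.123 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
11-Feb-2019 10:46:02.130 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
11-Feb-2019 10:46:02.400 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
"""

# One pattern per bundled component: libtcnative itself, the APR it was built
# against, and the OpenSSL it initialised. All three ship in the one DLL.
_PATTERNS = {
    "tcnative": re.compile(r"Tomcat Native library \[([0-9][0-9.]*)\]"),
    "apr": re.compile(r"using APR version \[([0-9][0-9.]*)\]"),
    "openssl": re.compile(r"OpenSSL successfully initialized \[OpenSSL ([0-9][0-9A-Za-z.]*)"),
}


def parse_version(v: str) -> Tuple[int, int, int, str]:
    """Turn '1.1.1a' into (1, 1, 1, 'a') and '1.2.21' into (1, 2, 21, '').

    Tuple comparison then orders 1.1.1 < 1.1.1a < 1.1.1b, which matches the
    OpenSSL 1.x letter-suffix scheme as well as plain x.y.z numbering.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def extract_versions(log_text: str) -> Dict[str, Optional[str]]:
    """Scan startup log text and return the last reported version per component.

    A component stays None when no matching line is present, which is what you
    see when the native library failed to load and Tomcat fell back to JSSE.
    """
    found: Dict[str, Optional[str]] = {name: None for name in _PATTERNS}
    for line in log_text.splitlines():
        for name, pattern in _PATTERNS.items():
            m = pattern.search(line)
            if m:
                found[name] = m.group(1)
    return found


def check_versions(log_text: str, minimums: Dict[str, str]) -> Dict[str, str]:
    """Compare reported versions against operator-supplied minimums.

    minimums maps component name -> lowest acceptable version, taken from the
    security bulletin being acted on (placeholder values in the usage below).
    Returns 'ok', 'outdated' or 'not-found' for each component requested.
    """
    versions = extract_versions(log_text)
    status: Dict[str, str] = {}
    for name, minimum in minimums.items():
        reported = versions.get(name)
        if reported is None:
            status[name] = "not-found"
        elif parse_version(reported) < parse_version(minimum):
            status[name] = "outdated"
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    # Placeholder minimums: replace with the versions the bulletin you are
    # responding to actually names. Against the constructed sample above the
    # first two are current and the OpenSSL line is one letter release behind.
    wanted = {"tcnative": "1.2.21", "apr": "1.6.5", "openssl": "1.1.1b"}
    for component, state in check_versions(SAMPLE_STARTUP_LOG, wanted).items():
        print(f"{component}: {state}")
```

On a Windows install the lines in question are in CATALINA_BASE\logs\catalina.yyyy-mm-dd.log (or the console if you run startup.bat by hand); feed that file's contents to check_versions in place of the sample. A 'not-found' for all three means tcnative never loaded and the connector is running on JSSE, which is worth knowing before concluding anything about which OpenSSL is in use. Because the all-in-one DLL bundles all three components, an 'outdated' on any one of them is resolved by replacing the single tcnative DLL with the newer bundle, not by swapping in an upstream apr or OpenSSL DLL.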