Re: [VOTE] Release Apache Tomcat Native 2.0.0
On 30/06/2022 15:58, Mark Thomas wrote:
> This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
>
> The Apache Tomcat Native 2.0.0 release is
> [ ] Stable, go ahead and release
> [x] Broken because of ...
>
> [1] https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/2.0.0

The URL does not exist

Regards
--
^TM
Re: [VOTE] Release Apache Tomcat Native 2.0.0
Mark,

On 7/4/22 07:23, Mark Thomas wrote:
> On 30/06/2022 17:55, Christopher Schultz wrote:
> > Mark,
> >
> > On 6/30/22 09:58, Mark Thomas wrote:
> > > This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
> > >
> > > - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
> >
> > This statement is confusing. I think it should say "JNI API has been reduced to just that required to support OpenSSL as a JSSE provider for TLS connections. The API/native connector is no longer supported in this branch."
> >
> > The confusion is over JSSE versus OpenSSL which are not mutually-exclusive. What we are doing AIUI is specifically using OpenSSL through JSSE, instead of going around JSSE and using OpenSSL directly (well, through APR-connections).
>
> Ack. I was trying to avoid saying we were using an OpenSSL based JSSE provider as we are not doing that. How about:
>
> "The JNI API has been reduced to just that required to support Tomcat's OpenSSL based TLS implementation. The APR/native connector is no longer supported in this branch."

That sounds okay. I forgot that OpenSSL isn't supported as an actual JSSE provider.

> > > - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
> >
> > How much do we continue to rely on APR at this point? Usually, the reason to use APR is to take advantage of APRs pooling and e.g. connection-handling capabilities. As we are dropping support for the APR connector, the connection-handling capabilities are no longer required, and the pooling is really only helpful when delayed-cleanup of those pools is necessary.
> >
> > I think we can probably drop the APR dependency -- at least over time.
>
> I'm not convinced. We are mostly using APR for the memory management and I don't rate my chances of re-writing the TLS code without it whilst avoiding both bugs and memory leaks.
>
> Given the medium / long term direction (the project Panama code Rémy has been working on) I don't think the benefit of fully removing APR is worth the effort.

I generally agree with this.

> > > The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
> > >
> > > The proposed release artefacts can be found at [1], and the build was done using tag [2].
> > >
> > > The Apache Tomcat Native 2.0.0 release is
> > > [ ] Stable, go ahead and release
> > > [ ] Broken because of ...
> > >
> > > Thanks,
> > >
> > > Mark
> >
> > I will try to do some testing on 8.5.x
>
> Tx.

I obviously haven't found time for this, yet. :/

-chris
Re: [VOTE] Release Apache Tomcat Native 2.0.0
On Mon, Jul 4, 2022 at 2:50 PM Mark Thomas wrote:
>
> Hi all,
>
> OpenSSL has announced a 3.0.5 release is scheduled for tomorrow that will include security fixes. Depending on the details of those fixes we may need a 2.0.1 release. (And a 1.2.x release.)
>
> We currently have 2 PMC votes for this release so we are 1 vote short. There is an argument for proceeding with this release anyway (if it gets another vote) - folks can always build 2.0.0 from source with their chosen version of OpenSSL.
>
> My current plan is to wait to see if 2.0.0 gets any further votes and to wait for the details of the OpenSSL security issues and then decide what to do.

+1

Rémy

> Mark
>
> On 30/06/2022 14:58, Mark Thomas wrote:
> > This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
> >
> > - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
> >
> > - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
> >
> > The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
> >
> > The proposed release artefacts can be found at [1], and the build was done using tag [2].
> >
> > The Apache Tomcat Native 2.0.0 release is
> > [ ] Stable, go ahead and release
> > [ ] Broken because of ...
> >
> > Thanks,
> >
> > Mark
> >
> > [1] https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/2.0.0
> > [2] https://gitbox.apache.org/repos/asf?p=tomcat-native.git;a=commit;h=39c19afe4a3df7ea4fda778d82dc25bd494a110c
Re: [VOTE] Release Apache Tomcat Native 2.0.0
Hi all,

OpenSSL has announced a 3.0.5 release is scheduled for tomorrow that will include security fixes. Depending on the details of those fixes we may need a 2.0.1 release. (And a 1.2.x release.)

We currently have 2 PMC votes for this release so we are 1 vote short. There is an argument for proceeding with this release anyway (if it gets another vote) - folks can always build 2.0.0 from source with their chosen version of OpenSSL.

My current plan is to wait to see if 2.0.0 gets any further votes and to wait for the details of the OpenSSL security issues and then decide what to do.

Mark

On 30/06/2022 14:58, Mark Thomas wrote:
> This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
>
> - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
>
> - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
>
> The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
>
> The proposed release artefacts can be found at [1], and the build was done using tag [2].
>
> The Apache Tomcat Native 2.0.0 release is
> [ ] Stable, go ahead and release
> [ ] Broken because of ...
>
> Thanks,
>
> Mark
>
> [1] https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/2.0.0
> [2] https://gitbox.apache.org/repos/asf?p=tomcat-native.git;a=commit;h=39c19afe4a3df7ea4fda778d82dc25bd494a110c
Re: [VOTE] Release Apache Tomcat Native 2.0.0
On Mon, Jul 4, 2022 at 1:23 PM Mark Thomas wrote:
>
> On 30/06/2022 17:55, Christopher Schultz wrote:
> > Mark,
> >
> > On 6/30/22 09:58, Mark Thomas wrote:
> > > This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
> > >
> > > - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
> >
> > This statement is confusing. I think it should say "JNI API has been reduced to just that required to support OpenSSL as a JSSE provider for TLS connections. The API/native connector is no longer supported in this branch."
> >
> > The confusion is over JSSE versus OpenSSL which are not mutually-exclusive. What we are doing AIUI is specifically using OpenSSL through JSSE, instead of going around JSSE and using OpenSSL directly (well, through APR-connections).
>
> Ack. I was trying to avoid saying we were using an OpenSSL based JSSE provider as we are not doing that. How about:

Yes, some of my coworkers derived a provider from the work I did initially. To be a full provider, we'd lose some of our very useful config capabilities (obviously a provider cannot use SSLHostConfig) and add java.io support (which I considered was useless for Tomcat; although with Loom, maybe it's not so stupid anymore ;) ).

> "The JNI API has been reduced to just that required to support Tomcat's OpenSSL based TLS implementation. The APR/native connector is no longer supported in this branch."
>
> > > - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
> >
> > How much do we continue to rely on APR at this point? Usually, the reason to use APR is to take advantage of APRs pooling and e.g. connection-handling capabilities. As we are dropping support for the APR connector, the connection-handling capabilities are no longer required, and the pooling is really only helpful when delayed-cleanup of those pools is necessary.
> >
> > I think we can probably drop the APR dependency -- at least over time.
>
> I'm not convinced. We are mostly using APR for the memory management and I don't rate my chances of re-writing the TLS code without it whilst avoiding both bugs and memory leaks.
>
> Given the medium / long term direction (the project Panama code Rémy has been working on) I don't think the benefit of fully removing APR is worth the effort.

I agree. Of course, if someone wants to do it ...

Rémy

> > > The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
> > >
> > > The proposed release artefacts can be found at [1], and the build was done using tag [2].
> > >
> > > The Apache Tomcat Native 2.0.0 release is
> > > [ ] Stable, go ahead and release
> > > [ ] Broken because of ...
> > >
> > > Thanks,
> > >
> > > Mark
> >
> > I will try to do some testing on 8.5.x
>
> Tx.
>
> Mark
Re: [VOTE] Release Apache Tomcat Native 2.0.0
On 03/07/2022 04:46, Igal Sapir wrote:
> Mark,
>
> On Thu, Jun 30, 2022 at 6:58 AM Mark Thomas wrote:
> > This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
> >
> > - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
> >
> > - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
>
> Is this really intended only for Windows? I have been testing previous versions of Tomcat Native on Ubuntu 20.04 but I am unable to test this version.

No. I need to reword the above. The minimum versions of OpenSSL, APR and Java have increased for all platforms. The minimum version of Windows that we support has increased to Windows 7 / Server 2008 R2.

> On the main branch, Tomcat 10.1, my tests are not running? Config settings seem fine to me:
>
> ---
> ❯ ant echoproperties | grep apr
> [echoproperties] execute.test.apr=true
> [echoproperties] test.apr.loc=/workspace/build/tomcat/tomcat-native/tomcat-native-2.0.0/lib
> ---
>
> But no tests are running when I run `ant test`:

There are no tests anymore. The functionality that was being tested has been removed. There is a single test left that isn't executed by default as it is more of a development / debugging utility class intended to help find memory leaks.

> On the 10.0.x no matter what I try - building tcnative seems to identify APR 1.7.0 but the test cases are failing because APR 1.6.5 is loaded, and I did edit ~/natives/apr/lib/libapr-1.la ** per the instructions in native/BUILDING. The filename specified in [1] is libapr-2.la but APR 1.7.0 is still libapr-1.la - did you edit the version number anywhere or is that a typo?

That looks like I edited a version number I shouldn't have. I'll fix that.

> Unfortunately I can not install APR 1.7.0 using the package manager as that version is only available for newer Ubuntu versions.

Ack.

Thanks for the review.

Mark
Re: [VOTE] Release Apache Tomcat Native 2.0.0
On 30/06/2022 17:55, Christopher Schultz wrote:
> Mark,
>
> On 6/30/22 09:58, Mark Thomas wrote:
> > This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
> >
> > - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
>
> This statement is confusing. I think it should say "JNI API has been reduced to just that required to support OpenSSL as a JSSE provider for TLS connections. The API/native connector is no longer supported in this branch."
>
> The confusion is over JSSE versus OpenSSL which are not mutually-exclusive. What we are doing AIUI is specifically using OpenSSL through JSSE, instead of going around JSSE and using OpenSSL directly (well, through APR-connections).

Ack. I was trying to avoid saying we were using an OpenSSL based JSSE provider as we are not doing that. How about:

"The JNI API has been reduced to just that required to support Tomcat's OpenSSL based TLS implementation. The APR/native connector is no longer supported in this branch."

> > - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
>
> How much do we continue to rely on APR at this point? Usually, the reason to use APR is to take advantage of APRs pooling and e.g. connection-handling capabilities. As we are dropping support for the APR connector, the connection-handling capabilities are no longer required, and the pooling is really only helpful when delayed-cleanup of those pools is necessary.
>
> I think we can probably drop the APR dependency -- at least over time.

I'm not convinced. We are mostly using APR for the memory management and I don't rate my chances of re-writing the TLS code without it whilst avoiding both bugs and memory leaks.

Given the medium / long term direction (the project Panama code Rémy has been working on) I don't think the benefit of fully removing APR is worth the effort.

> > The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
> >
> > The proposed release artefacts can be found at [1], and the build was done using tag [2].
> >
> > The Apache Tomcat Native 2.0.0 release is
> > [ ] Stable, go ahead and release
> > [ ] Broken because of ...
> >
> > Thanks,
> >
> > Mark
>
> I will try to do some testing on 8.5.x

Tx.

Mark
Re: [VOTE] Release Apache Tomcat Native 2.0.0
Mark,

On Thu, Jun 30, 2022 at 6:58 AM Mark Thomas wrote:
> This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
>
> - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
>
> - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2

Is this really intended only for Windows? I have been testing previous versions of Tomcat Native on Ubuntu 20.04 but I am unable to test this version.

On the main branch, Tomcat 10.1, my tests are not running? Config settings seem fine to me:

---
❯ ant echoproperties | grep apr
[echoproperties] execute.test.apr=true
[echoproperties] test.apr.loc=/workspace/build/tomcat/tomcat-native/tomcat-native-2.0.0/lib
---

But no tests are running when I run `ant test`:

---
test-status:
[concat] Testsuites with skipped tests:
[concat] Testsuites with failed tests:

test:

BUILD SUCCESSFUL
Total time: 28 seconds
---

On the 10.0.x no matter what I try - building tcnative seems to identify APR 1.7.0 but the test cases are failing because APR 1.6.5 is loaded, and I did edit ~/natives/apr/lib/libapr-1.la ** per the instructions in native/BUILDING. The filename specified in [1] is libapr-2.la but APR 1.7.0 is still libapr-1.la - did you edit the version number anywhere or is that a typo?

Unfortunately I can not install APR 1.7.0 using the package manager as that version is only available for newer Ubuntu versions.

Thank you,

Igal

[1] https://github.com/apache/tomcat-native/commit/aa3e7f5969c78426d81d7847eb67825d7d54ac1b#diff-67251169106d0b00b8d20d0706735551e276018519b89b6cb6214f3241181ce7R63

> The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
>
> The proposed release artefacts can be found at [1], and the build was done using tag [2].
>
> The Apache Tomcat Native 2.0.0 release is
> [ ] Stable, go ahead and release
> [ ] Broken because of ...
>
> Thanks,
>
> Mark
>
> [1] https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/2.0.0
> [2] https://gitbox.apache.org/repos/asf?p=tomcat-native.git;a=commit;h=39c19afe4a3df7ea4fda778d82dc25bd494a110c
Re: [VOTE] Release Apache Tomcat Native 2.0.0
On Thu, Jun 30, 2022 at 3:58 PM Mark Thomas wrote:
>
> This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
>
> - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
>
> - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
>
> The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
>
> The proposed release artefacts can be found at [1], and the build was done using tag [2].
>
> The Apache Tomcat Native 2.0.0 release is
> [X] Stable, go ahead and release
> [ ] Broken because of ...

Works for me with Tomcat 10.1.

Rémy

> Thanks,
>
> Mark
>
> [1] https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/2.0.0
> [2] https://gitbox.apache.org/repos/asf?p=tomcat-native.git;a=commit;h=39c19afe4a3df7ea4fda778d82dc25bd494a110c
Re: [VOTE] Release Apache Tomcat Native 2.0.0
Mark,

On 6/30/22 09:58, Mark Thomas wrote:
> This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
>
> - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.

This statement is confusing. I think it should say "JNI API has been reduced to just that required to support OpenSSL as a JSSE provider for TLS connections. The API/native connector is no longer supported in this branch."

The confusion is over JSSE versus OpenSSL which are not mutually-exclusive. What we are doing AIUI is specifically using OpenSSL through JSSE, instead of going around JSSE and using OpenSSL directly (well, through APR-connections).

> - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2

How much do we continue to rely on APR at this point? Usually, the reason to use APR is to take advantage of APRs pooling and e.g. connection-handling capabilities. As we are dropping support for the APR connector, the connection-handling capabilities are no longer required, and the pooling is really only helpful when delayed-cleanup of those pools is necessary.

I think we can probably drop the APR dependency -- at least over time.

> The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
>
> The proposed release artefacts can be found at [1], and the build was done using tag [2].
>
> The Apache Tomcat Native 2.0.0 release is
> [ ] Stable, go ahead and release
> [ ] Broken because of ...
>
> Thanks,
>
> Mark

I will try to do some testing on 8.5.x

-chris
Re: [VOTE] Release Apache Tomcat Native 2.0.0
On 30/06/2022 14:58, Mark Thomas wrote:
> This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
>
> - JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.
>
> - The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
>
> The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
>
> The proposed release artefacts can be found at [1], and the build was done using tag [2].
>
> The Apache Tomcat Native 2.0.0 release is
> [X] Stable, go ahead and release
> [ ] Broken because of ...

Tested with Tomcat 10.1.x and all tests pass.

Mark
[VOTE] Release Apache Tomcat Native 2.0.0
This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:

- JNI API has been reduced to just that required to support the use of OpenSSL rather than JSSE for TLS connections. The APR/native connector is not supported.

- The minimum supported versions have been increased to OpenSSL 3.0.x, Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.

The proposed release artefacts can be found at [1], and the build was done using tag [2].

The Apache Tomcat Native 2.0.0 release is
[ ] Stable, go ahead and release
[ ] Broken because of ...

Thanks,

Mark

[1] https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/2.0.0
[2] https://gitbox.apache.org/repos/asf?p=tomcat-native.git;a=commit;h=39c19afe4a3df7ea4fda778d82dc25bd494a110c