Re: Query about support for OpenSSL 1.1.1

2023-02-21 Thread Mark Thomas

On 21/02/2023 10:08, Vivek Naruka (EXT-NSB) wrote:

> Hi,
>
> Currently we use APACHE TOMCAT 9.0.69 which supports OpenSSL 1.1.1 version.


It is not that simple.

Tomcat 9.0.x can be used with Tomcat Native 1.2.x which provides:
 - TLS support when using the HTTP APR/native connector
 - an alternative to JSSE to provide TLS support for the HTTP NIO and
 NIO2 connectors

Tomcat 9.0.x can be used with Tomcat Native 2.0.x which provides:
 - an alternative to JSSE to provide TLS support for the HTTP NIO and
 NIO2 connectors
 - (the APR/native connector is NOT available with Tomcat Native 2.0.x)

Tomcat Native 1.2.x can be compiled with any current OpenSSL version 
(1.1.1, 3.0.x, 3.1.x)


Tomcat Native 2.0.x requires OpenSSL 3.0.x onwards.


> We would like to know the APACHE TOMCAT version that supports OpenSSL 3.0 with
> Java 8 version?


Tomcat 8.5.x
 - requires minimum of Java 7
 - can use Tomcat Native 1.2.x (which can be compiled with OpenSSL 3.0)
 - can use Tomcat Native 2.0.x (which can be compiled with OpenSSL 3.0)

Tomcat 9.0.x
 - requires minimum of Java 8
 - can use Tomcat Native 1.2.x (which can be compiled with OpenSSL 3.0)
 - can use Tomcat Native 2.0.x (which can be compiled with OpenSSL 3.0)

Tomcat 10.1.x
 - requires minimum of Java 11 so fails to meet your requirements

Tomcat 11.0.x
 - requires minimum of Java 17 (may rise to 21) so fails to meet your
   requirements


> Does TOMCAT depend on OS (like RHEL, Windows, etc) for OpenSSL support or does
> it package OpenSSL on its own?


Tomcat does not depend (directly) on OpenSSL.

Tomcat depends on Tomcat Native to provide OpenSSL functionality.

Tomcat Native and OpenSSL support are optional. Tomcat will run quite 
happily without them.


Tomcat Native can be compiled with OpenSSL provided statically or 
dynamically.


The Tomcat Native binaries for Windows are compiled with OpenSSL 
provided statically.


The Tomcat team only provide source for other platforms. It is expected 
that users compile it themselves. By default, the compilation process 
will use the OpenSSL version provided by the OS but that can be 
overridden if desired.


Mark





Regards
Vivek Singh


-Original Message-
From: Mark Thomas 
Sent: 15 February 2023 16:43
To: users@tomcat.apache.org
Subject: Re: Query about support for OpenSSL 1.1.1

On 15/02/2023 10:30, Vivek Naruka (EXT-NSB) wrote:

Hi Tomcat Support Team,

There is a new version of OpenSSL, i.e. OpenSSL 3.0, available for which Tomcat 
provides support in its newly released versions.
We are using OpenSSL version 1.1.1 in our project and need to know if 
Tomcat will continue its support towards OpenSSL 1.1.1 as well till year 2030.


Yes and no.

For Tomcat 9.0.x and earlier, OpenSSL provides the following optional features 
via Tomcat Native 1.2.x:
- TLS support when using the HTTP APR/native connector
- an alternative to JSSE to provide TLS support for the HTTP NIO and
NIO2 connectors

For Tomcat 10.1.x and later, the APR/native connector has been removed and 
OpenSSL provides the following features via Tomcat Native 2.0.x:
- an alternative to JSSE to provide TLS support for the HTTP NIO and
NIO2 connectors

Tomcat Native 1.2.x currently supports OpenSSL 1.0.2 onwards (including 3.0.x). 
The minimum OpenSSL version could be increased to OpenSSL 1.1.1 onwards (along 
with a version bump to Tomcat Native 1.3.x) but that work is fairly low 
priority. Whether / when that update happens doesn't really change the answer 
to your question.

Tomcat Native 2.0.x currently supports OpenSSL 3.0.x onwards.

End of Life for Tomcat 8.5.x has been announced as 31 March 2024.

No End of Life date has been announced for 9.0.x but major Tomcat versions 
typically reach End of Life at ~3 year intervals so a reasonable guess for the 
End of Life date for Tomcat 9.0.x is 31 March 2027.

Once Tomcat 9.0.x reaches End of Life, there will be no requirement to continue 
supporting Tomcat Native 1.2.x so it seems likely that Tomcat Native 1.2.x will 
reach End of Life at the same point.

Tomcat 9.x is a special case for End of Life as it is the final version that 
supports Java EE. As such, once 9.0.x reaches end of life there will be 9.10.x 
but that will pick up all the changes from 10.1.x apart from the switch from 
the Java EE API to the Jakarta EE API. This means Tomcat 9.10.x will depend on 
Tomcat Native 2.0.x (and OpenSSL 3.0.x).

So, from the ASF's perspective, Tomcat Native 1.2.x (including support for 
OpenSSL 1.1.1) is expected to end some time around March 2027. It might be as much 
as 18 months later but I don't see it extending as far as 2030.


All of that said, there are also downstream distributions of Apache Tomcat 
provided by various Linux distributions. If you obtain Tomcat and Tomcat Native 
via one of these distributions, it will remain supported by the distribution 
for the standard support timescales for that distribution - irrespective of 
whether or not the ASF has declared that version to have
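
Added example, not part of the thread or of the Tomcat project: a shell check for the 21 February reply's points about static versus dynamic OpenSSL and the OpenSSL version each Tomcat Native branch needs. It reads `ldd` output for a compiled Tomcat Native library; the function names and the `libtcnative-1.so` file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not Tomcat project code). Function names are hypothetical.
# Usage (library file name assumed):
#   ldd /path/to/libtcnative-1.so | check_native_build 1.2.x

# Reads ldd output on stdin. Prints "<series> <resolved|missing>" for a
# shared libssl dependency, or "none" when no libssl is listed (OpenSSL was
# linked statically, or the library does not use it).
openssl_linkage() {
    awk '
        $1 ~ /^libssl\.so\./ {
            series = $1
            sub(/^libssl\.so\./, "", series)     # "3", "1.1", ...
            state = ($0 ~ /not found/) ? "missing" : "resolved"
            print series, state
            found = 1
            exit
        }
        END { if (!found) print "none" }
    '
}

# $1 = Tomcat Native version, stdin = ldd output.
# Rules as stated in the thread: Native 1.2.x can be built with OpenSSL
# 1.1.1 or 3.x; Native 2.0.x requires OpenSSL 3.0.x onwards.
# Other sonames (older or distro-specific) are reported for manual review.
check_native_build() {
    # Intentional word splitting: $2 = soname series, $3 = state.
    set -- "$1" $(openssl_linkage)
    if [ "$2" = none ]; then
        echo "static-or-absent"
        return 0
    fi
    if [ "$3" = missing ]; then
        # Built against a libssl this host does not provide.
        echo "unresolved libssl.so.$2"
        return 1
    fi
    case "$1:$2" in
        1.2.*:1.1|1.2.*:3|2.0.*:3) echo "ok openssl-$2" ;;
        2.0.*:1.*) echo "too-old openssl-$2"; return 1 ;;
        *) echo "unrecognised openssl-$2"; return 2 ;;
    esac
}
```

A result of `static-or-absent` means the OpenSSL version cannot be read from the dependency list, so OpenSSL updates from the OS will not reach that binary and it has to be rebuilt to pick them up.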

RE: Query about support for OpenSSL 1.1.1

2023-02-21 Thread Vivek Naruka (EXT-NSB)
Hi, 

Currently we use APACHE TOMCAT 9.0.69 which supports OpenSSL 1.1.1 version. We 
would like to know the APACHE TOMCAT version that supports OpenSSL 3.0 with Java 
8 version? 

Does TOMCAT depend on OS (like RHEL, Windows, etc) for OpenSSL support or does 
it package OpenSSL on its own?

Regards
Vivek Singh


-Original Message-
From: Mark Thomas  
Sent: 15 February 2023 16:43
To: users@tomcat.apache.org
Subject: Re: Query about support for OpenSSL 1.1.1

On 15/02/2023 10:30, Vivek Naruka (EXT-NSB) wrote:
> Hi Tomcat Support Team,
> 
> There is a new version of OpenSSL, i.e. OpenSSL 3.0, available for which Tomcat 
> provides support in its newly released versions.
> We are using OpenSSL version 1.1.1 in our project and need to know if 
> Tomcat will continue its support towards OpenSSL 1.1.1 as well till year 2030.

Yes and no.

For Tomcat 9.0.x and earlier, OpenSSL provides the following optional features 
via Tomcat Native 1.2.x:
- TLS support when using the HTTP APR/native connector
- an alternative to JSSE to provide TLS support for the HTTP NIO and
   NIO2 connectors

For Tomcat 10.1.x and later, the APR/native connector has been removed and 
OpenSSL provides the following features via Tomcat Native 2.0.x:
- an alternative to JSSE to provide TLS support for the HTTP NIO and
   NIO2 connectors

Tomcat Native 1.2.x currently supports OpenSSL 1.0.2 onwards (including 3.0.x). 
The minimum OpenSSL version could be increased to OpenSSL 1.1.1 onwards (along 
with a version bump to Tomcat Native 1.3.x) but that work is fairly low 
priority. Whether / when that update happens doesn't really change the answer 
to your question.

Tomcat Native 2.0.x currently supports OpenSSL 3.0.x onwards.

End of Life for Tomcat 8.5.x has been announced as 31 March 2024.

No End of Life date has been announced for 9.0.x but major Tomcat versions 
typically reach End of Life at ~3 year intervals so a reasonable guess for the 
End of Life date for Tomcat 9.0.x is 31 March 2027.

Once Tomcat 9.0.x reaches End of Life, there will be no requirement to continue 
supporting Tomcat Native 1.2.x so it seems likely that Tomcat Native 1.2.x will 
reach End of Life at the same point.

Tomcat 9.x is a special case for End of Life as it is the final version that 
supports Java EE. As such, once 9.0.x reaches end of life there will be 9.10.x 
but that will pick up all the changes from 10.1.x apart from the switch from 
the Java EE API to the Jakarta EE API. This means Tomcat 9.10.x will depend on 
Tomcat Native 2.0.x (and OpenSSL 3.0.x).

So, from the ASF's perspective, Tomcat Native 1.2.x (including support for 
OpenSSL 1.1.1) is expected to end some time around March 2027. It might be as much 
as 18 months later but I don't see it extending as far as 2030.


All of that said, there are also downstream distributions of Apache Tomcat 
provided by various Linux distributions. If you obtain Tomcat and Tomcat Native 
via one of these distributions, it will remain supported by the distribution 
for the standard support timescales for that distribution - irrespective of 
whether or not the ASF has declared that version to have reached End of Life.


Finally, there are companies that provided commercial support for Tomcat that 
may be prepared to offer support beyond that provided by the ASF. 
My only word of caution is that if you opt to use such support, you should 
assure yourself that the provider has the in-house expertise necessary to 
back-port security fixes and produce updated Tomcat releases.

HTH,

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Query about support for OpenSSL 1.1.1

2023-02-15 Thread Mark Thomas

On 15/02/2023 10:30, Vivek Naruka (EXT-NSB) wrote:

> Hi Tomcat Support Team,
>
> There is a new version of OpenSSL, i.e. OpenSSL 3.0, available for which Tomcat
> provides support in its newly released versions.
> We are using OpenSSL version 1.1.1 in our project and need to know if
> Tomcat will continue its support towards OpenSSL 1.1.1 as well till year 2030.


Yes and no.

For Tomcat 9.0.x and earlier, OpenSSL provides the following optional 
features via Tomcat Native 1.2.x:

- TLS support when using the HTTP APR/native connector
- an alternative to JSSE to provide TLS support for the HTTP NIO and
  NIO2 connectors

For Tomcat 10.1.x and later, the APR/native connector has been removed 
and OpenSSL provides the following features via Tomcat Native 2.0.x:

- an alternative to JSSE to provide TLS support for the HTTP NIO and
  NIO2 connectors

Tomcat Native 1.2.x currently supports OpenSSL 1.0.2 onwards (including 
3.0.x). The minimum OpenSSL version could be increased to OpenSSL 1.1.1 
onwards (along with a version bump to Tomcat Native 1.3.x) but that work 
is fairly low priority. Whether / when that update happens doesn't 
really change the answer to your question.


Tomcat Native 2.0.x currently supports OpenSSL 3.0.x onwards.

End of Life for Tomcat 8.5.x has been announced as 31 March 2024.

No End of Life date has been announced for 9.0.x but major Tomcat 
versions typically reach End of Life at ~3 year intervals so a 
reasonable guess for the End of Life date for Tomcat 9.0.x is 31 March 2027.


Once Tomcat 9.0.x reaches End of Life, there will be no requirement to 
continue supporting Tomcat Native 1.2.x so it seems likely that Tomcat 
Native 1.2.x will reach End of Life at the same point.


Tomcat 9.x is a special case for End of Life as it is the final version 
that supports Java EE. As such, once 9.0.x reaches end of life there 
will be 9.10.x but that will pick up all the changes from 10.1.x apart 
from the switch from the Java EE API to the Jakarta EE API. This means 
Tomcat 9.10.x will depend on Tomcat Native 2.0.x (and OpenSSL 3.0.x).


So, from the ASF's perspective, Tomcat Native 1.2.x (including support 
for OpenSSL 1.1.1) is expected to end some time around March 2027. It might 
be as much as 18 months later but I don't see it extending as far as 2030.



All of that said, there are also downstream distributions of Apache 
Tomcat provided by various Linux distributions. If you obtain Tomcat and 
Tomcat Native via one of these distributions, it will remain supported 
by the distribution for the standard support timescales for that 
distribution - irrespective of whether or not the ASF has declared that 
version to have reached End of Life.



Finally, there are companies that provided commercial support for Tomcat 
that may be prepared to offer support beyond that provided by the ASF. 
My only word of caution is that if you opt to use such support, you 
should assure yourself that the provider has the in-house expertise 
necessary to back-port security fixes and produce updated Tomcat releases.


HTH,

Mark
