** Description changed:
[impact]
tomcat9's ssl code includes:
-
from org/apache/tomcat/jni/SSL.java:
- /* Return OpenSSL version number (compile time version, if version <
1.1.0) */
- public static native int version();
+ /* Return OpenSSL version number (compile time version, if version <
1.1.0) */
+ public static native int version();
from org/apache/tomcat/util/net/openssl/OpenSSLEngine.java:
- if (SSL.version() >= 0x1010100f) {
- protocols.add(Constants.SSL_PROTO_TLSv1_3);
- }
+ if (SSL.version() >= 0x1010100f) {
+ protocols.add(Constants.SSL_PROTO_TLSv1_3);
+ }
This leads to a compile-time dependency on OpenSSL versioning, to
provide TLSv1.3 support.
[test case]
- TBD
+ On a Bionic system, install tomcat9 and java jdk (e.g. default-jdk). If
+ needed, install 'libssl1.1'. Then create this java program:
+
+ ubuntu@lp1854072:~$ cat Test.java
+
+ import org.apache.tomcat.jni.SSL;
+
+ class Test {
+ public static void main(String argc[]) {
+ System.loadLibrary("tcnative-1");
+ System.out.format("SSL version 0x%x\n", SSL.version());
+ }
+ }
+
+
+ Compile and run it:
+
+ ubuntu@lp1854072:~$ CP="." ; for j in /usr/share/tomcat9/lib/*.jar
/usr/share/tomcat9/bin/*.jar ; do CP="${j}:$CP" ; done
+ ubuntu@lp1854072:~$ javac -cp $CP:. Test.java
+ ubuntu@lp1854072:~$ java -cp $CP:. Test
+ SSL version 0x1010100f
+
+
+ Note that the SSL version should match the newer libssl version.
+
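Review bot: the pass criterion "the SSL version should match the newer libssl version" names neither a command to obtain the libssl version nor the number to expect, so the test case is not decidable on its own. Put `openssl version` (or `dpkg -s libssl1.1 | grep '^Version'`) next to the `java -cp $CP:. Test` line and state that the printed value must be 0x1010100f or higher (OpenSSL 1.1.1), which is exactly the threshold OpenSSLEngine compares against in the [impact] section.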
[regression potential]
As this is a rebuild only, any regression would likely involve tomcat9
behavior changes due to differing compile-time dependencies.
[other info]
This isn't technically a regression, as before OpenSSL was upgraded to
1.1 in Bionic, tomcat9 correctly didn't provide TLSv1.3 support; but now
that OpenSSL 1.1 is available in Bionic, tomcat9 should support TLSv1.3.
** Also affects: tomcat-native (Ubuntu)
Importance: Undecided
Status: New
** Changed in: tomcat-native (Ubuntu Bionic)
Status: New => In Progress
** Changed in: tomcat-native (Ubuntu Bionic)
Assignee: (unassigned) => Dan Streetman (ddstreet)
** Changed in: tomcat-native (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: tomcat-native (Ubuntu)
Status: New => Fix Released
** No longer affects: tomcat9 (Ubuntu)
** Summary changed:
- tomcat9 needs recompile to use TLSv1.3 from openssl 1.1
+ tomcat-native needs recompile to use TLSv1.3 from openssl 1.1
** No longer affects: tomcat9 (Ubuntu Bionic)
** Tags added: bionic-openssl-1.1 sts sts-sponsor sts-sponsor-ddstreet
** Description changed:
[impact]
tomcat9's ssl code includes:
from org/apache/tomcat/jni/SSL.java:
/* Return OpenSSL version number (compile time version, if version <
1.1.0) */
public static native int version();
from org/apache/tomcat/util/net/openssl/OpenSSLEngine.java:
if (SSL.version() >= 0x1010100f) {
protocols.add(Constants.SSL_PROTO_TLSv1_3);
}
This leads to a compile-time dependency on OpenSSL versioning, to
provide TLSv1.3 support.
[test case]
- On a Bionic system, install tomcat9 and java jdk (e.g. default-jdk). If
- needed, install 'libssl1.1'. Then create this java program:
+ On a Bionic system, install tomcat9 and java jdk (e.g. default-jdk).
+
+ Then create this java program:
ubuntu@lp1854072:~$ cat Test.java
import org.apache.tomcat.jni.SSL;
class Test {
public static void main(String argc[]) {
- System.loadLibrary("tcnative-1");
- System.out.format("SSL version 0x%x\n", SSL.version());
+ System.loadLibrary("tcnative-1");
+ System.out.format("SSL version 0x%x\n", SSL.version());
}
}
-
Compile and run it:
ubuntu@lp1854072:~$ CP="." ; for j in /usr/share/tomcat9/lib/*.jar
/usr/share/tomcat9/bin/*.jar ; do CP="${j}:$CP" ; done
- ubuntu@lp1854072:~$ javac -cp $CP:. Test.java
+ ubuntu@lp1854072:~$ javac -cp $CP:. Test.java
ubuntu@lp1854072:~$ java -cp $CP:. Test
SSL version 0x1010100f
-
Note that the SSL version should match the newer libssl version.
-
[regression potential]
As this is a rebuild only, any regression would likely involve tomcat9
behavior changes due to differing compile-time dependencies.
[other info]
This isn't technically a regression, as before OpenSSL was upgraded to
1.1 in Bionic, tomcat9 correctly didn't provide TLSv1.3 support; but now
that OpenSSL 1.1 is available in Bionic, tomcat9 should support TLSv1.3.
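The gate in OpenSSLEngine compares the integer returned by SSL.version() against a packed OpenSSL version number, and the comment on SSL.version() says that value is the compile-time constant for older builds, which is why a newer libssl on the system does not help until libtcnative is rebuilt. The following is an added example (Python, written for this page; it is not tomcat or tomcat-native code) that decodes that packed number into the familiar dotted form, replays the OpenSSLEngine comparison, parses the line the bug's Test.java prints, and classifies the result against the libssl actually loaded. The decoder assumes only the layout OpenSSL documents for OPENSSL_VERSION_NUMBER (0xMNNFFPPS for 1.x; major, minor and patch fields with a release nibble of 0xf for 3.x, which goes beyond the 1.1.x case discussed here). The diagnose() labels and the sample "SSL version" lines are constructed for illustration.

```python
"""Decode OpenSSL's packed version number and replay tomcat-native's TLSv1.3 gate.

Added example, not tomcat or tomcat-native code.  Assumes only the documented
layout of OPENSSL_VERSION_NUMBER: 0xMNNFFPPS for OpenSSL 1.x (major, minor,
fix, patch letter, status) and (MAJOR<<28)|(MINOR<<20)|(PATCH<<4)|status for
3.x, with status 0xf meaning a release.  The diagnose() labels and the sample
output lines below are constructed for illustration.
"""
import re
import ssl
from dataclasses import dataclass

# The constant OpenSSLEngine compares SSL.version() against: OpenSSL 1.1.1 release.
TLS13_MIN_VERSION = 0x1010100F


@dataclass(frozen=True)
class OpenSSLVersion:
    major: int
    minor: int
    fix: int      # third component for 1.x; always 0 for 3.x
    patch: int    # 1.x: patch letter index (1 = 'a'); 3.x: third component
    status: int   # 0x0 dev, 0x1-0xe beta, 0xf release

    def __str__(self) -> str:
        if self.major >= 3:
            base = f"{self.major}.{self.minor}.{self.patch}"
        else:
            letter = chr(ord("a") + self.patch - 1) if self.patch else ""
            base = f"{self.major}.{self.minor}.{self.fix}{letter}"
        if self.status == 0xF:
            return base
        return base + ("-dev" if self.status == 0 else f"-beta{self.status}")


def decode(number: int) -> OpenSSLVersion:
    """Split a 32-bit OPENSSL_VERSION_NUMBER into its fields."""
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError("OpenSSL version number must fit in 32 bits")
    major = number >> 28
    minor = (number >> 20) & 0xFF
    status = number & 0xF
    if major >= 3:
        # 3.x: the former FF and PP bytes together hold the patch number.
        return OpenSSLVersion(major, minor, 0, (number >> 4) & 0xFFFF, status)
    return OpenSSLVersion(major, minor, (number >> 12) & 0xFF, (number >> 4) & 0xFF, status)


def tls13_enabled(reported: int) -> bool:
    """The gate from OpenSSLEngine: TLSv1.3 is offered only at or above 1.1.1."""
    return reported >= TLS13_MIN_VERSION


def parse_reported(line: str) -> int:
    """Pull the number out of the 'SSL version 0x...' line printed by Test.java."""
    m = re.search(r"SSL version 0x([0-9a-fA-F]{1,8})\b", line)
    if m is None:
        raise ValueError(f"no SSL version in {line!r}")
    return int(m.group(1), 16)


def diagnose(reported: int, runtime: int) -> str:
    """Compare what SSL.version() reports with the libssl actually loaded.

    'ok'          both agree and TLSv1.3 will be offered
    'no-tls13'    both agree but the library itself predates 1.1.1
    'stale-build' the JNI library still carries an older compile-time value
                  than the libssl it runs with; it needs a rebuild (this bug)
    'mismatch'    the reported number is newer than the library loaded, which
                  points at the wrong libssl being picked up
    """
    if reported == runtime:
        return "ok" if tls13_enabled(runtime) else "no-tls13"
    if reported < runtime:
        return "stale-build"
    return "mismatch"


def python_openssl():
    """Live data point: (decoded libssl this interpreter loaded, ssl.HAS_TLSv1_3).
    HAS_TLSv1_3 is fixed when the ssl module is built, so it can disagree with
    the runtime number in the same way tomcat-native's SSL.version() does."""
    return decode(ssl.OPENSSL_VERSION_NUMBER), ssl.HAS_TLSv1_3


if __name__ == "__main__":
    # Constructed Test.java output lines paired with a constructed loaded-libssl number.
    cases = (
        ("SSL version 0x1000214f", 0x1010104F),  # built against 1.0.2t, running 1.1.1d
        ("SSL version 0x1010104f", 0x1010104F),  # rebuilt against the 1.1.1d it runs with
    )
    for line, loaded in cases:
        reported = parse_reported(line)
        print(f"{line}: reports {decode(reported)}, libssl {decode(loaded)} "
              f"-> tls13={tls13_enabled(reported)} {diagnose(reported, loaded)}")
    ver, has13 = python_openssl()
    print(f"this python: OpenSSL {ver}, gate={tls13_enabled(ssl.OPENSSL_VERSION_NUMBER)}, "
          f"HAS_TLSv1_3={has13}")
```

Run it directly to see the two constructed cases; on a real Bionic host, feed the line printed by Test.java to parse_reported() and the version from `openssl version` (or `dpkg -s libssl1.1 | grep '^Version'`) converted to the packed form as the loaded value, and anything other than 'ok' means the rebuild has not taken effect or the wrong libssl is being loaded.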
--
https://bugs.launchpad.net/bugs/1854072
Title:
tomcat-native needs recompile to use TLSv1.3 from openssl 1.1