** Description changed:
[impact]
tomcat9's ssl code includes:
from org/apache/tomcat/jni/SSL.java:
    /* Return OpenSSL version number (compile time version, if version < 1.1.0) */
    public static native int version();
from org/apache/tomcat/util/net/openssl/OpenSSLEngine.java:
    if (SSL.version() >= 0x1010100f) {
        protocols.add(Constants.SSL_PROTO_TLSv1_3);
    }
This leads to a compile-time dependency on OpenSSL versioning, to
provide TLSv1.3 support.
[test case]
- On a Bionic system, install tomcat9 and java jdk (e.g. default-jdk).
-
- Then create this java program:
-
- ubuntu@lp1854072:~$ cat Test.java
-
- import org.apache.tomcat.jni.SSL;
-
- class Test {
- public static void main(String argc[]) {
- System.loadLibrary("tcnative-1");
- System.out.format("SSL version 0x%x\n", SSL.version());
- }
- }
-
- Compile and run it:
-
- ubuntu@lp1854072:~$ CP="." ; for j in /usr/share/tomcat9/lib/*.jar
/usr/share/tomcat9/bin/*.jar ; do CP="${j}:$CP" ; done
- ubuntu@lp1854072:~$ javac -cp $CP:. Test.java
- ubuntu@lp1854072:~$ java -cp $CP:. Test
- SSL version 0x1010100f
-
- Note that the SSL version should match the newer libssl version.
+ TBD - checking with bug reporter
[regression potential]
As this is a rebuild-only change, any regression would likely involve
tomcat9 behavior changes due to differing compile-time dependencies.
[other info]
This isn't technically a regression, as before OpenSSL was upgraded to
1.1 in Bionic, tomcat9 correctly didn't provide TLSv1.3 support; but now
that OpenSSL 1.1 is available in Bionic, tomcat9 should support TLSv1.3.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854072
Title:
tomcat-native needs recompile to use TLSv1.3 from openssl 1.1
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
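The value SSL.version() returns, and the 0x1010100f that OpenSSLEngine compares it against, use OpenSSL's packed OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS: major, minor, fix, patch letter, status nibble, with 0xf meaning a release). The Python below is an added example, not code from the bug report, tomcat, tomcat-native or Ubuntu: it decodes such a number into the familiar "1.1.0g" form, encodes the first line of `openssl version` the same way, and applies the same `>= 0x1010100f` test, so the number a tcnative build reports can be compared with the libssl installed on the host. The sample numbers (0x1010007f for 1.1.0g, 0x1010100f for 1.1.1) and the `openssl version` line are constructed for the demo, not captured from a Bionic machine.

```python
"""
Decode and compare OpenSSL's packed version number, the value that
tomcat-native's SSL.version() returns and that OpenSSLEngine tests
against 0x1010100f before offering TLSv1.3.

Added example, not code from tomcat, tomcat-native or Ubuntu.  Only the
OpenSSL 1.x layout (0xMNNFFPPS) is handled; OpenSSL 3.x packs its
number differently and is rejected rather than misdecoded.
"""
import re

# The gate quoted from OpenSSLEngine.java: TLSv1.3 only for OpenSSL >= 1.1.1.
TLS13_MIN_VERSION = 0x1010100F


def decode_version(num: int) -> str:
    """0x1010104f -> '1.1.1d'; 0x1010007f -> '1.1.0g'; 0x1010100f -> '1.1.1'."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    if major >= 3:
        raise ValueError("OpenSSL 3.x version numbers use a different layout")
    text = f"{major}.{minor}.{fix}"
    if patch:
        # Patch level 1 is 'a', 2 is 'b', ... ; 0 means no letter.
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += f"-beta{status}"
    return text


def encode_version(text: str) -> int:
    """Inverse of decode_version for release builds: '1.1.1d' -> 0x1010104f."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL 1.x version string: {text!r}")
    major, minor, fix, letter = m.groups()
    if int(major) >= 3:
        raise ValueError("OpenSSL 3.x version numbers use a different layout")
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major) << 28) | (int(minor) << 20) | (int(fix) << 12) | (patch << 4) | 0xF


def runtime_version_number(openssl_version_output: str) -> int:
    """Turn the first line of `openssl version` into the packed number."""
    m = re.match(r"OpenSSL\s+(\S+)", openssl_version_output.strip())
    if not m:
        raise ValueError(f"not `openssl version` output: {openssl_version_output!r}")
    return encode_version(m.group(1))


def tls13_offered(version_number: int) -> bool:
    """The same comparison OpenSSLEngine makes before adding TLSv1.3."""
    return version_number >= TLS13_MIN_VERSION


def check_build(reported_version: int, openssl_version_output: str) -> dict:
    """Compare the number a tcnative build reports with the installed libssl."""
    runtime = runtime_version_number(openssl_version_output)
    return {
        "reported": decode_version(reported_version),
        "installed_libssl": decode_version(runtime),
        "tls13_offered": tls13_offered(reported_version),
        "tls13_in_libssl": tls13_offered(runtime),
        # A rebuild is needed when libssl could do TLSv1.3 but the gate says no.
        "rebuild_needed": tls13_offered(runtime) and not tls13_offered(reported_version),
    }


if __name__ == "__main__":
    # Constructed sample: a build reporting 1.1.0g on a host whose
    # `openssl version` prints 1.1.1.  Not captured from a real system.
    print(check_build(0x1010007F, "OpenSSL 1.1.1  11 Sep 2018"))
```

To use it against a real host, feed check_build() the hex value printed by a program like the Test.java in the bug's original test case and the output of `openssl version`; rebuild_needed is true exactly when the installed libssl passes the 0x1010100f gate but the reported number does not.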