-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

John,

On 2/11/19 10:46, John Palmer wrote:
> (I'm new to using TC-native, interested in how to accomplish "In
> security conscious production environments, it is recommended to
> use separate shared dlls for OpenSSL, APR, and libtcnative-1, and
> update them as needed according to security bulletins. "

For Windows, you are better off using the all-in-one statically-linked
DLL provided by the Tomcat team. If you really want separate ones,
you'll need to build everything yourself.

I think that quote is easy to misinterpret. The problem is not the
fact that the library is statically-linked and therefore less secure.
The problem is that the native library bundles 3 separate packages:
Apache Portable Runtime (APR), OpenSSL, and Tomcat's native library
(libtcnative). Because they are bundled together, you cannot upgrade
any single one of them independently of the others.

If APR publishes a fix for a vulnerability, you cannot upgrade just
apr-x.y.z.dll to get that fix. Instead, you'd have to wait for the
Tomcat team to publish an updated bundle that includes that new
version. Same with OpenSSL, etc.

In general, the Tomcat team tries to keep on top of the latest news
and releases from both APR and OpenSSL, so you shouldn't have to wait
too long between a newly-published version of APR or OpenSSL and a new
release of tcnative.

If you have the capability of building your own libraries, then you
can always get the latest from the upstream source and stay even more
up-to-date than you would if you waited for the releases from Tomcat.

> Apparently I need a concrete example (step-by-step, where to get
> the dlls, where to put them (and make sure tomcat finds them)
> etc...   preferably I wouldn't have to compile anything myself.

If you don't want to compile yourself, you'll need to trust ...
someone else. The Tomcat team only publishes the all-in-one DLL.

I would question whether or not you really need libtcnative at all.
Are you going to be using a Tomcat installation without any kind of
load-balancer or reverse-proxy in between it and your users?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlxhsygACgkQHPApP6U8
pFj7Rg//f75XYfYrgJSe14KeizoybHnzpDbZ/XDxyZ8ytTBU5hx2YIQBR9ucrYYA
x01ArX6dCU209EBkLnXCThNXqrxv/pOvRo4MUiUw+oUMg5sjNL61cz/DaqwCj4WX
PtzqaYSlUhYmAiRPrdv5zwvmqMR6L8ArHfpTqCw6Tov2fdlyyc9B0Yb+Om98Jn3a
wLj+o24FOMm9Vpuz2EyMuHhslz1xiGK7O7CyiGXGK9ZjigcqFQiR77PtnZYXnlhk
jM0DJKFFo+tMri5zNs7bkAT/2DOhKmlMfD+G3LcTL4PZKbx6r30BqgXNf/b++A+8
gmOtgLHZmCK9/UcI3TX3pk2IciDZbHaCDa7YOLiFAkzSjSd3QpdxnIDJ/aoiqcz2
mkTyXEHeErNClzX+P+gkK2oVyz5B28EeQlC0ls2Q0SecI3DeXx+ZgO9MIsofMzyG
lkG1XL9oNYA/6wOaKXMYB/xA0dbiYtpQZsVCR65I0FjJ3cD7pvvez8UjAzrvYObm
LXi0fVCRrlHSDVfRCt5OZ/P3c8l2/1cz3k0jTbA9k+NEq5+tvmErMuEWnXadd5Y2
aukaVKg3afR6SvGTBpaDS38peyFOFjkR5uJ0+9H4ZKogCqiUqesqVSzh2hhKqIIx
4wqP1VwtsL/rujLm0p3nr9c3HbamzznpCXXQOy9oOAMbZwmeTag=
=9OOQ
-----END PGP SIGNATURE-----
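An added example, not part of Chris's message or of the Tomcat project's own code, for the practical side of his point: since the Windows tcnative-1.dll statically bundles APR, OpenSSL and libtcnative, the only way to know which versions of all three a running Tomcat actually has is the INFO lines that org.apache.catalina.core.AprLifecycleListener writes at startup. The script below parses those lines from a constructed sample of catalina log output (not a real capture; the message text follows the listener's resource strings) and compares the versions against a table of minimum versions. The minimum versions, the sample log lines and the function names are assumptions for illustration; in practice the thresholds would come from the APR, OpenSSL and Tomcat security bulletins the quoted documentation refers to.

```python
"""Report which APR / OpenSSL / libtcnative versions a Tomcat instance loaded.

Added example (not the Tomcat project's code): parses the INFO lines that
org.apache.catalina.core.AprLifecycleListener writes at startup and compares
the versions against a table of minimum versions. Because the Windows
tcnative-1.dll bundles all three statically, a stale component cannot be
fixed by swapping one DLL; the whole bundle has to be replaced.
"""
import re

# Constructed sample of Tomcat startup log lines (not a real capture); the
# message text follows the AprLifecycleListener resource strings.
SAMPLE_LOG = """\
11-Feb-2019 10:46:01.123 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
11-Feb-2019 10:46:01.130 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
11-Feb-2019 10:46:01.200 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]
"""

# Hypothetical minimum acceptable versions; in practice these come from the
# APR, OpenSSL and Tomcat security bulletins the quoted documentation mentions.
MINIMUM_VERSIONS = {
    "tcnative": "1.2.21",
    "apr": "1.6.5",
    "openssl": "1.1.1b",
}

_NATIVE_RE = re.compile(
    r"Apache Tomcat Native library \[([^\]]+)\] using APR version \[([^\]]+)\]")
_OPENSSL_RE = re.compile(r"OpenSSL successfully initialized \[OpenSSL (\S+)")
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.1.1a' or '1.2.21' into a comparable tuple such as (1, 1, 1, 'a')."""
    m = _VERSION_RE.fullmatch(text)
    if m is None:
        raise ValueError("unrecognised version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def extract_versions(log_text):
    """Return the 'tcnative', 'apr' and 'openssl' versions found in the log.

    A component that never logged (for example the native library was not on
    java.library.path, so OpenSSL was never initialised) is reported as None.
    """
    found = {"tcnative": None, "apr": None, "openssl": None}
    for line in log_text.splitlines():
        m = _NATIVE_RE.search(line)
        if m:
            found["tcnative"], found["apr"] = m.group(1), m.group(2)
            continue
        m = _OPENSSL_RE.search(line)
        if m:
            found["openssl"] = m.group(1)
    return found


def stale_components(found, minimums=MINIMUM_VERSIONS):
    """List (component, loaded, minimum) for every component below its minimum."""
    stale = []
    for name, minimum in minimums.items():
        loaded = found.get(name)
        if loaded is not None and parse_version(loaded) < parse_version(minimum):
            stale.append((name, loaded, minimum))
    return stale


def report(log_text):
    """Print a summary and return the stale list for callers that want it."""
    found = extract_versions(log_text)
    if found["tcnative"] is None:
        print("libtcnative not loaded; APR connector and OpenSSL are not in use")
        return []
    stale = stale_components(found)
    for name, loaded, minimum in stale:
        print("%s %s is below %s: replace the whole tcnative bundle, not one DLL"
              % (name, loaded, minimum))
    if not stale:
        print("all bundled components meet the configured minimums")
    return stale


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Against a real installation, feed it the catalina log from the last startup instead of SAMPLE_LOG. The absence of the "Loaded ... Tomcat Native library" line is itself informative: it means the connector is running without the native library, which is the situation Chris asks about in his last paragraph.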

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org