Mark,

On 2/3/16 1:01 PM, Mark Thomas wrote:
> On 03/02/2016 16:00, Christopher Schultz wrote:
>> All,
>>
>> On 2/3/16 10:54 AM, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 2/3/16 4:05 AM, Mark Thomas wrote:
>>>> The proposed Apache Tomcat 8.0.32 release is now available
>>>> for voting.
>>>>
>>>> The main changes since 8.0.30 are:
>>>>
>>>> - Restore the default for mapperContextRootRedirectEnabled
>>>>   to true
>>>>
>>>> - Update the packaged version of the Tomcat Native Library to
>>>>   1.2.4 to pick up the Windows binaries that are based on
>>>>   OpenSSL 1.0.2e
>>>>
>>>> - Expand session attribute filtering on load/unload to all
>>>>   managers
>>>>
>>>> It can be obtained from:
>>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.0.32/
>>>>
>>>> The Maven staging repo is:
>>>> https://repository.apache.org/content/repositories/orgapachetomcat-1063/
>>>>
>>>> The svn tag is:
>>>> http://svn.apache.org/repos/asf/tomcat/tc8.0.x/tags/TOMCAT_8_0_32/
>>>>
>>>> The proposed 8.0.32 release is:
>>>> [ ] Broken - do not release
>>>> [ ] Stable - go ahead and release as 8.0.32
>>>
>>> tcnative bundled with 8.0.32 fails to compile on my system
>>> against OpenSSL 1.0.1e (Debian). It looks like they may not
>>> have back-ported some expected changes from 1.0.1[latest]:
>>>
>>> src/sslcontext.c: In function
>>> 'Java_org_apache_tomcat_jni_SSLContext_setCertificateRaw':
>>> src/sslcontext.c:1079:5: error: 'eckey' undeclared (first use
>>> in this function)
>>> src/sslcontext.c:1079:5: note: each
>>> undeclared identifier is reported only once for each function
>>> it appears in
>>> make[1]: *** [src/sslcontext.lo] Error 1
>>>
>>> I'm going to have a look at this.
>>
>> This looks like a bug.
>>
>> From sslcontext.c, starting at line 977:
>>
>> TCN_IMPLEMENT_CALL(jboolean, SSLContext,
>> setCertificateRaw)(TCN_STDARGS, jlong ctx, jbyteArray javaCert,
>> jbyteArray javaKey, jint idx)
>> {
>> #ifdef HAVE_ECC
>> #if defined(SSL_CTX_set_ecdh_auto)
>>     EC_KEY *eckey = NULL;
>> #endif
>> #endif
>>
>> [...]
>>
>> #ifdef HAVE_ECC
>>     /*
>>      * TODO try to read the ECDH curve name from somewhere...
>>      */
>> #if defined(SSL_CTX_set_ecdh_auto)
>>     SSL_CTX_set_ecdh_auto(c->ctx, 1);
>> #else
>>     eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
>>     SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
>>     EC_KEY_free(eckey);
>> #endif
>> #endif
>>
>> The local variable 'eckey' is defined only if both HAVE_ECC and
>> SSL_CTX_set_ecdh_auto are defined, but in the lower usage, eckey
>> is ignored when SSL_CTX_set_ecdh_auto is set and used when it is
>> not set.
>>
>> I suspect the intended implementation was to have the upper
>> #ifdef SSL_CTX_set_ecdh_auto actually be "#ifndef" instead.
>>
>> I think we have to re-roll the release since tcnative is broken.
>
> Irrespective of the above, tc-native 1.2.x requires OpenSSL 1.0.2.
> If you build with 1.0.2 then you should avoid this bug. It looks
> like the change that introduced that was unnecessary.

Oh, grumble, I forgot we did a whole-point upgrade of tcnative in a
stable Tomcat release. :( We probably shouldn't have done that.

I'll see about using OpenSSL 1.0.2 and re-test.

-chris
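
The guard mismatch discussed in this thread can be checked mechanically. The following is an added example, not part of the original message or of the tcnative code base: a small Python checker that evaluates the quoted preprocessor structure for every combination of `HAVE_ECC` and `SSL_CTX_set_ecdh_auto` and reports the configurations in which `eckey` is used without a declaration. `QUOTED` is a constructed excerpt of the quoted lines, `SUGGESTED` applies the `#ifndef` change suggested in the message, and `active_lines` and `broken_configs` are hypothetical helper names.

```python
import itertools
import re

# Constructed excerpt: the conditional structure quoted in the message above.
QUOTED = """\
#ifdef HAVE_ECC
#if defined(SSL_CTX_set_ecdh_auto)
    EC_KEY *eckey = NULL;
#endif
#endif
#ifdef HAVE_ECC
#if defined(SSL_CTX_set_ecdh_auto)
    SSL_CTX_set_ecdh_auto(c->ctx, 1);
#else
    eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
    SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
    EC_KEY_free(eckey);
#endif
#endif
"""
# The change suggested in the message: invert only the upper (declaration) guard.
SUGGESTED = QUOTED.replace("#if defined(", "#if !defined(", 1)
DIRECTIVE = re.compile(r"\s*#\s*(ifdef|ifndef|if|else|endif)\b\s*(!?)\s*(?:defined)?\s*\(?\s*(\w*)")

def active_lines(src, defined):
    """Return the lines a preprocessor would keep for this set of defined macros."""
    stack, kept = [], []  # stack holds one bool per open conditional
    for line in src.splitlines():
        m = DIRECTIVE.match(line)
        if m is None:
            if all(stack):
                kept.append(line)
        elif m[1] == "endif":
            stack.pop()
        elif m[1] == "else":
            stack[-1] = not stack[-1]
        else:  # ifdef / ifndef / if [!]defined(NAME)
            stack.append((m[3] in defined) != (m[1] == "ifndef" or m[2] == "!"))
    return kept

def broken_configs(src, macros=("HAVE_ECC", "SSL_CTX_set_ecdh_auto"), var="eckey"):
    """Return the macro sets under which `var` is used but never declared."""
    bad = []
    for n in range(len(macros) + 1):
        for combo in itertools.combinations(macros, n):
            text = "\n".join(active_lines(src, set(combo)))
            declared = re.search(rf"\*\s*{var}\b", text)
            if re.search(rf"\b{var}\b", text) and not declared:
                bad.append(combo)
    return bad
```

The only failing configuration for the quoted code is `HAVE_ECC` defined with `SSL_CTX_set_ecdh_auto` undefined, which matches the build against OpenSSL 1.0.1e reported above.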