Mark,

On 2/3/16 3:19 PM, Christopher Schultz wrote:
> Mark,
>
> On 2/3/16 1:01 PM, Mark Thomas wrote:
>> On 03/02/2016 16:00, Christopher Schultz wrote:
>>> All,
>>>
>>> On 2/3/16 10:54 AM, Christopher Schultz wrote:
>>>> Mark,
>>>>
>>>> On 2/3/16 4:05 AM, Mark Thomas wrote:
>>>>> The proposed Apache Tomcat 8.0.32 release is now available
>>>>> for voting.
>>>>>
>>>>> The main changes since 8.0.30 are:
>>>>>
>>>>> - Restore the default for mapperContextRootRedirectEnabled
>>>>>   to true
>>>>>
>>>>> - Update the packaged version of the Tomcat Native Library
>>>>>   to 1.2.4 to pick up the Windows binaries that are based on
>>>>>   OpenSSL 1.0.2e
>>>>>
>>>>> - Expand session attribute filtering on load/unload to all
>>>>>   managers
>>>>>
>>>>> It can be obtained from:
>>>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.0.32/
>>>>>
>>>>> The Maven staging repo is:
>>>>> https://repository.apache.org/content/repositories/orgapachetomcat-1063/
>>>>>
>>>>> The svn tag is:
>>>>> http://svn.apache.org/repos/asf/tomcat/tc8.0.x/tags/TOMCAT_8_0_32/
>>>>>
>>>>> The proposed 8.0.32 release is:
>>>>> [ ] Broken - do not release
>>>>> [ ] Stable - go ahead and release as 8.0.32
>>>>
>>>> tcnative bundled with 8.0.32 fails to compile on my system
>>>> against OpenSSL 1.0.1e (Debian). It looks like they may not
>>>> have back-ported some expected changes from 1.0.1[latest]:
>>>>
>>>> src/sslcontext.c: In function
>>>> 'Java_org_apache_tomcat_jni_SSLContext_setCertificateRaw':
>>>> src/sslcontext.c:1079:5: error: 'eckey' undeclared (first
>>>> use in this function)
>>>> src/sslcontext.c:1079:5: note: each undeclared identifier is
>>>> reported only once for each function it appears in
>>>> make[1]: *** [src/sslcontext.lo] Error 1
>>>>
>>>> I'm going to have a look at this.
>>>
>>> This looks like a bug.
>>>
>>> From sslcontext.c, starting at line 977:
>>>
>>> TCN_IMPLEMENT_CALL(jboolean, SSLContext,
>>> setCertificateRaw)(TCN_STDARGS, jlong ctx, jbyteArray
>>> javaCert, jbyteArray javaKey, jint idx)
>>> {
>>> #ifdef HAVE_ECC
>>> #if defined(SSL_CTX_set_ecdh_auto)
>>>     EC_KEY *eckey = NULL;
>>> #endif
>>> #endif
>>>
>>> [...]
>>>
>>> #ifdef HAVE_ECC
>>>     /*
>>>      * TODO try to read the ECDH curve name from somewhere...
>>>      */
>>> #if defined(SSL_CTX_set_ecdh_auto)
>>>     SSL_CTX_set_ecdh_auto(c->ctx, 1);
>>> #else
>>>     eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
>>>     SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
>>>     EC_KEY_free(eckey);
>>> #endif
>>> #endif
>>>
>>> The local variable 'eckey' is defined only if both HAVE_ECC and
>>> SSL_CTX_set_ecdh_auto are defined, but in the lower usage,
>>> eckey is ignored when SSL_CTX_set_ecdh_auto is set and used
>>> when it is not set.
>>>
>>> I suspect the intended implementation was to have the upper
>>> #ifdef SSL_CTX_set_ecdh_auto actually be "#ifndef" instead.
>>>
>>> I think we have to re-roll the release since tcnative is
>>> broken.
>>
>> Irrespective of the above, tc-native 1.2.x requires OpenSSL
>> 1.0.2. If you build with 1.0.2 then you should avoid this bug. It
>> looks like the change that introduced that was unnecessary.
>
> Oh, grumble, I forgot we did a whole-point upgrade of tcnative in
> a stable Tomcat release. :( We probably shouldn't have done that.
>
> I'll see about using OpenSSL 1.0.2 and re-test.

If tcnative requires OpenSSL 1.0.2 or later, then the configure script
should complain when it's not available. I've never been able to figure
out how to do anything with GNU-style configure scripts, m4, etc. so I
can't unfortunately do anything about it.

Looks like I get to build OpenSSL from source. Thanks, Debian.

At least it's easy on *NIX. Building it on Windows is a bloody nightmare.

-chris
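
An added example, not part of the thread and not tcnative's own code: the kind of version gate the last message asks for, expressed against OpenSSL's 1.0.x `OPENSSL_VERSION_NUMBER` layout (0xMNNFFPPS). `TCN_MIN_OPENSSL`, `ossl_version_string` and `tcn_check_openssl` are hypothetical names, and the sample values are the version numbers of the 1.0.1e and 1.0.2e releases named above.

```c
#include <stdio.h>
#include <string.h>

/* The thread states tc-native 1.2.x requires OpenSSL 1.0.2; 0x1000200fL is
 * the OPENSSL_VERSION_NUMBER of the 1.0.2 release. In a real build the gate
 * is a preprocessor check placed after #include <openssl/opensslv.h>:
 *   #if OPENSSL_VERSION_NUMBER < 0x1000200fL
 *   #error "OpenSSL 1.0.2 or later is required"
 *   #endif
 * TCN_MIN_OPENSSL and both function names below are hypothetical. */
#define TCN_MIN_OPENSSL 0x1000200fUL

/* Decode 0xMNNFFPPS into "M.N.F" plus the patch letter (1 = 'a').
 * Patch levels past 'y' are printed numerically in this sketch. */
int ossl_version_string(unsigned long v, char *buf, size_t len)
{
    unsigned major = (unsigned)((v >> 28) & 0xf);
    unsigned minor = (unsigned)((v >> 20) & 0xff);
    unsigned fix   = (unsigned)((v >> 12) & 0xff);
    unsigned patch = (unsigned)((v >> 4) & 0xff);
    int n;
    if (patch == 0)
        n = snprintf(buf, len, "%u.%u.%u", major, minor, fix);
    else if (patch <= 25)
        n = snprintf(buf, len, "%u.%u.%u%c", major, minor, fix,
                     'a' + (int)patch - 1);
    else
        n = snprintf(buf, len, "%u.%u.%u-p%u", major, minor, fix, patch);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Returns 0 when v meets the minimum, -1 otherwise; msg receives a
 * configure-style status line naming the version that was found. */
int tcn_check_openssl(unsigned long v, char *msg, size_t len)
{
    char found[32];
    int ok = v >= TCN_MIN_OPENSSL;
    if (ossl_version_string(v, found, sizeof found) != 0)
        return -1;
    snprintf(msg, len, "checking OpenSSL version... %s (%s)", found,
             ok ? "ok" : "error: 1.0.2 or later required");
    return ok ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: 1.0.1e and 1.0.2e. */
    unsigned long samples[] = { 0x1000105fUL, 0x1000205fUL };
    char msg[128];
    for (size_t i = 0; i < 2; i++)
        if (tcn_check_openssl(samples[i], msg, sizeof msg) <= 0) puts(msg);
    return 0;
}
```

With a gate like this, a build against 1.0.1e stops with a message naming the version found, before the compiler ever reaches the `eckey` branch.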