On 18.04.2016 at 17:28, jean-frederic clere wrote:
On 04/18/2016 05:03 PM, Rainer Jung wrote:
Hi Mark,

On 18.04.2016 at 16:37, Mark Thomas wrote:
I'd like to get the next tc-native release out before the end of the
month so the next round of Tomcat releases can pick it up - particularly
the cert chain from Java keystore fix.

I'm intending to tag in ~24 hours. Please reply if you need me to delay.

Current code status:

a) I tried to keep compatibility with OpenSSL 1.0.2 all the time. Any
breaks would be unintended. At least things compiled here. More eyes and
tests for the changes applied since 1.2.5 are very welcome.

b) it will not compile against the latest OpenSSL 1.1.0 beta, because
to stay compatible with 1.1.0 head we had to use more recent OpenSSL
functions introduced after the last beta.

c) it will not compile with the latest OpenSSL 1.1.0 snapshot either,
because I haven't yet found a solution to an API change only introduced
last week.

I'll see whether I find a fix for c) so that the release would at least
work with a current OpenSSL 1.1.0 snapshot. Even if not, I think you can
release, because OpenSSL 1.1.0 head still doesn't seem to be API stable,
so we are not at the end of changes anyhow.

Background info:

Recently there was another opaqueness change in OpenSSL
1.1.0 head. There's one incompatibility remaining between tcnative head
and OpenSSL 1.1.0 head for which I didn't find an immediate replacement.
So compiling against latest 1.1.0 snapshots will result in a compilation
error in ssl_verify_CRL().

The CRL handling code is very different from what we can find in OpenSSL
example/apps code and it could well be that we should replace a bigger
part of that code with some pre-cooked cert validation function (call)
in OpenSSL.

Is mod_ssl also affected by those API changes?

Not 2.4, but our code seems to go back to 2.2. The code has significantly changed for 2.4 in r1165056 which is likely the change we will adopt as well.

Regards,

Rainer

