On 17.10.2018 at 09:47, Rainer Jung wrote:
On 16.10.2018 at 23:01, Mark Thomas wrote:
Hi,
I've been working on building this with OpenSSL 1.1.1. It wasn't as
simple as I expected as there is quite a lot of clean-up in 1.1.1.
I now have a working build although it required a handful of tweaks to
the OpenSSL source. Some are bugs that have already been fixed in
master. Some look to be, effectively, the result of porting the
openssl-msvcrt.patch
The OpenSSL 1.1.1 based Tomcat Native passes a basic smoke test
(including TLSv1.3 support) and the unit tests pass.
I am now wondering which version of OpenSSL to use to build 1.2.18. I am
leaning towards providing both OpenSSL 1.1.1 and 1.0.2p based builds.
WDYT?
I just learned in the httpd project, that there are subtle changes in
1.1.1 that can break existing code using OpenSSL. The example that hit
us there, was SSL_read() now returning 0 instead of a negative error
code in some situations. The old httpd code only called SSL_get_error()
to check for SSL_ERROR_WANT_READ etc. when SSL_read() returned a
negative value. The old code used a return value of 0 as an indicator
for APR_EOF (connection was closed). That led e.g. to h2 failures when
built against OpenSSL 1.1.1. The current OpenSSL man page for SSL_read()
says negative return value and 0 should be handled the same.
I have not yet looked at tcnative wrt. this observation but I would hope
running our TC test suite would reveal breakage if it happens. But still
there is an increased risk for the first release.
The example was just meant as an example. I checked tcnative and we
handle 0 and < 0 return from SSL_read() identically. So that problem
shouldn't happen for us.
I like your approach of providing both and I wonder whether we might
flag our support for 1.1.1 as experimental, likely dropping that for the
next release.
I'm also almost certainly going to drop the 1.2.18 tag again (sorry!) so
I can document the build process for 1.1.1 and include the necessary
patches etc. in the src tarball.
Good thing!
Regards,
Rainer
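Added example, not code from the thread, tcnative or httpd: the SSL_read() return-value handling discussed above, written as the old classifier that treats 0 as EOF beside one that follows the 1.1.1 man page and routes every return <= 0 through the SSL_get_error() result. To stay runnable without linking OpenSSL, the caller passes the code SSL_get_error() would have returned (an assumption of this example); the SSL_ERROR_* numeric values are the ones from OpenSSL's ssl.h, and the test cases at the bottom are constructed.

```c
/* Added example (not tcnative or httpd code).  Classifies the outcome of an
 * SSL_read() call from its return value and the SSL_get_error() code.  OpenSSL
 * is not linked: the caller supplies the error code, and the SSL_ERROR_*
 * values below are copied from <openssl/ssl.h>. */
#include <stdio.h>

#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6

typedef enum {
    ACT_DATA,        /* ret > 0: application data was read */
    ACT_EOF,         /* peer closed the TLS connection (APR_EOF in httpd terms) */
    ACT_RETRY_READ,  /* non-blocking socket: wait for readability, call SSL_read() again */
    ACT_RETRY_WRITE, /* non-blocking socket: wait for writability, call SSL_read() again */
    ACT_ERROR        /* fatal: tear the connection down */
} read_action;

/* Shared mapping of an SSL_get_error() code to an action. */
static read_action from_ssl_error(int ssl_err) {
    switch (ssl_err) {
    case SSL_ERROR_ZERO_RETURN: return ACT_EOF;          /* clean close_notify from the peer */
    case SSL_ERROR_WANT_READ:   return ACT_RETRY_READ;
    case SSL_ERROR_WANT_WRITE:  return ACT_RETRY_WRITE;
    case SSL_ERROR_SYSCALL:                              /* I/O error: consult errno */
    case SSL_ERROR_SSL:                                  /* protocol error: see ERR_get_error() */
    default:                    return ACT_ERROR;
    }
}

/* Old pattern: only a negative return consults SSL_get_error(); 0 is taken
 * as EOF.  It relies on pre-1.1.1 behaviour where retryable conditions such
 * as SSL_ERROR_WANT_READ came back as a negative value.  Against 1.1.1,
 * which may return 0 in those situations, a retryable read is mistaken for
 * a closed connection. */
read_action classify_old(int ret, int ssl_err) {
    if (ret > 0)  return ACT_DATA;
    if (ret == 0) return ACT_EOF;
    return from_ssl_error(ssl_err);
}

/* Pattern the 1.1.1 man page asks for: 0 and negative are handled the same,
 * and only SSL_ERROR_ZERO_RETURN is treated as the peer closing the connection. */
read_action classify_new(int ret, int ssl_err) {
    if (ret > 0) return ACT_DATA;
    return from_ssl_error(ssl_err);
}

static const char *action_name(read_action a) {
    static const char *names[] = { "DATA", "EOF", "RETRY_READ", "RETRY_WRITE", "ERROR" };
    return names[a];
}

int main(void) {
    /* Constructed (ret, ssl_err) pairs; the first row is the 1.1.1 case the
     * thread describes, where the old code reported EOF instead of retrying. */
    struct { int ret, err; } cases[] = {
        {  0, SSL_ERROR_WANT_READ },
        { -1, SSL_ERROR_WANT_READ },
        {  0, SSL_ERROR_ZERO_RETURN },
        { -1, SSL_ERROR_SSL },
        { 42, SSL_ERROR_NONE },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("ret=%3d err=%d  old=%-11s new=%s\n", cases[i].ret, cases[i].err,
               action_name(classify_old(cases[i].ret, cases[i].err)),
               action_name(classify_new(cases[i].ret, cases[i].err)));
    return 0;
}
```

The two classifiers agree for every negative return and for a real close_notify; they differ only on the (0, SSL_ERROR_WANT_READ) row, which is exactly the combination that turned into spurious h2 connection closes when httpd was built against 1.1.1. A test suite exercising non-blocking reads is what surfaces the difference, since a blocking read rarely produces WANT_READ.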