Hi,

During the past weeks, I examined the state of the Panama project and
what it could do. I know Mark had a look at it three years ago, and it
was not ready yet. This does not appear to be the case anymore and I
could produce a wrapper for OpenSSL and a fully functional
implementation of the OpenSSLContext/OpenSSLEngine that does not use
tomcat-native.

The result is here: https://github.com/rmaucher/openssl-panama-foreign
The readme has instructions on how to use it (as with early Graal,
this involves building an entire JVM :) ).

Some comments on this:
- OCSP is not implemented yet.
- This uses OpenSSL 1.1.1; earlier API-incompatible versions won't
work (but 3.0 will, most likely), and alternate OpenSSL clones won't
either.
- The code generated by jextract is HUGE, and this causes problems.
Although right now it feels better to have the full API on hand, this
generation is configurable and it should be possible to trim it down
to what is actually used.
- Panama is integrated (as an earlier version of the API) in Java 17.
While this could be a legitimate target, I prefer basing the work on
the current API version for now. The target is to have Panama stable
in Java 21 LTS, so two years from now this should actually be
supportable. So this still leaves years of support for tomcat-native.

For up-to-date background info on Panama, I found this nice video:
https://www.youtube.com/watch?v=B8k9QGvPxC0&t=141s

I think this could be integrated in Tomcat as a module like
"modules/jdbc-pool". Here, likely "modules/openssl-panama".

Comments?

Rémy
