Hi all,

I have made some progress. I have a trimmed-down Tomcat Native 2.0 built with OpenSSL 3.0 working locally with Tomcat 10.1.x. I also have it working with the OpenSSL 3 FIPS provider.

I have also been thinking about Tomcat Native 1.2.x and 2.0.x interoperability.

Since Native 2.0 is mostly (apart from one new FIPS method) a subset of Native 1.2, it should be relatively easy for 10.1.x to work with Native 2.0.x or 1.2.x.

Allowing Native 1.2.x use with Tomcat 10.1.x should make it easier on downstream distributions as it removes the need for them to update to APR 1.7.x and OpenSSL 3.0.x.

Getting 10.0.x and earlier working with Native 2.0.x is a little trickier, although it is doable if the limits are:
- No APR/Native connector
- No application usage of o.a.t.u.jni (as most of the native code is
  removed)

Enabling Native 2.0.x use with Tomcat 10.0.x and earlier opens up the possibility of OpenSSL FIPS that doesn't depend on an unsupported version of OpenSSL.

I am currently thinking along the following lines:

- release Tomcat Native 1.2.34 that includes:
  - refactoring the caching of the FileInfo and Sockaddr classes so
    that they are only cached if used
  - any additional refactoring to allow Native 1.2.x to be used in
    Tomcat 10.1.x with all the deprecated code removed

- make Tomcat Native 1.2.34 the minimum required Tomcat Native version
  for Tomcat 10.1.x

- release Tomcat Native 2.0.0

- make Tomcat Native 2.0.0 the minimum recommended Tomcat Native
  version for Tomcat 10.1.x

- updates as required to Tomcat Native 1.2.x, 2.0.x and Tomcat
  <=10.0.x to allow Tomcat Native 2.0.x to be used (reasonably) safely
  with Tomcat <=10.0.x

My plan is to do most of this work locally to make sure I haven't missed anything and then start committing and releasing in the order above.

Additional tasks that don't have any ordering dependencies (that I can think of) include:

- update the Tomcat Native 2.0.x code not to use any of the deprecated
  OpenSSL APIs

- when in FIPS required mode, consider checking individually negotiated
  ciphers are from the FIPS provider in case the user has multiple
  providers configured

- get LibreSSL fully working (my understanding, which may be wrong, is
  that it isn't currently working)

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org