On 30/05/2022 20:05, Rémy Maucherat wrote:
On Mon, May 30, 2022 at 6:49 PM Mark Thomas <ma...@apache.org> wrote:
Hi all,
I have made some progress. I have a trimmed down Tomcat Native 2.0 built
with OpenSSL 3.0 working locally with Tomcat 10.1.x. I also have it
working with the OpenSSL 3 FIPS provider.
I have also been thinking about Tomcat Native 1.2.x and 2.0.x
interoperability.
Since Native 2.0 is mostly (apart from one new FIPS method) a subset of
Native 1.2 it should be relatively easy for 10.1.x to work with Native
2.0.x or 1.2.x.
Allowing Native 1.2.x use with Tomcat 10.1.x should make it easier on
downstream distributions as it removes the need for them to update to
APR 1.7.x and OpenSSL 3.0.x
Getting 10.0.x and earlier working with Native 2.0.x is a little
trickier although it doable if the limits are:
- No APR/Native connector
- No application usage of o.a.t.u.jni (as most of the native code is
removed)
Enabling Native 2.0.x use with Tomcat 10.0.x and earlier opens up the
possibility of OpenSSL FIPS that doesn't depend on an unsupported
version of OpenSSL.
I am currently thinking along the following lines:
- release Tomcat Native 1.2.34 that includes:
- refactoring the caching of the FileInfo and Sockaddr classes so
that are only cached if used
- any additional refactoring to allow Native 1.2.x to be used in
Tomcat 10.1.x with all the deprecated code removed
- make Tomcat Native 1.2.34 the minimum required Tomcat Native version
for Tomcat 10.1.x
- release Tomcat Native 2.0.0
- make Tomcat Native 2.0.0 the minimum recommended Tomcat Native
version for Tomcat 10.1.x
- updates as required to Tomcat Native 1.2.x, 2.0.x and Tomcat
<=10.0.x to allow Tomcat Native 2.0.x to be used (reasonably) safely
with Tomcat <=10.0.x
My plan is to do most of this work locally to make sure I haven't missed
anything and then start committing and releasing in the order above.
Sounds great. Any subtask for me or do you prefer doing it alone ?
Thanks for the offer of help.
I have a lot of the above ready locally already and everything is
inter-related making it hard to extract independent sub-tasks. With all
the inter-dependencies I might miss something so if you could keep that
in mind when reviewing my commits that would be helpful.
The tasks below, particularly the first and third, are largely
independent. If you have time to look at either of those that would be
great. I'll try and commit the bulk of the initial changes for Tomcat
Native 2.0.x today.
Thanks,
Mark
Additional tasks that don't have the any ordering dependencies (that I
can think of) include:
- update the Tomcat Native 2.0.x code not to use any of the deprecated
OpenSSL APIs
- when in FIPS required mode, consider checking individually negotiated
ciphers are from the FIPS provider in case the user has multiple
providers configured
- Get LibreSSL fully working (my understanding that may be wrong is that
it isn't currently working)
Rémy
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
