On 30/06/2022 17:55, Christopher Schultz wrote:
Mark,
On 6/30/22 09:58, Mark Thomas wrote:
This is the first release of the Tomcat Native 2.0.x branch. The major
differences compared to the 1.2.x branch are:
- JNI API has been reduced to just that required to support the use of
OpenSSL rather than JSSE for TLS connections. The APR/native connector
is not supported.
This statement is confusing. I think it should say "JNI API has been
reduced to just that required to support OpenSSL as a JSSE provider for
TLS connections. The API/native connector is no longer supported in this
branch."
The confusion is over JSSE versus OpenSSL which are not
mutually-exclusive. What we are doing AIUI is specifically using OpenSSL
through JSSE, instead of going around JSSE and using OpenSSL directly
(well, through APR-connections).
Ack. I was trying to avoid saying we were using an OpenSSL based JSSE
provider as we are not doing that. How about:
"The JNI API has been reduced to just that required to support Tomcat's
OpenSSL based TLS implementation. The APR/native connector is no longer
supported in this branch."
- The minimum supported versions have been increased to OpenSSL 3.0.x,
Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
How much do we continue to rely on APR at this point? Usually, the
reason to use APR is to take advantage of APR's pooling and e.g.
connection-handling capabilities. As we are dropping support for the APR
connector, the connection-handling capabilities are no longer required,
and the pooling is really only helpful when delayed-cleanup of those
pools is necessary.
I think we can probably drop the APR dependency -- at least over time.
I'm not convinced. We are mostly using APR for the memory management and
I don't rate my chances of re-writing the TLS code without it whilst
avoiding both bugs and memory leaks.
Given the medium / long term direction (the project Panama code Rémy has
been working on) I don't think the benefit of fully removing APR is
worth the effort.
The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but
can be used with earlier versions as long as the APR/native connector
is not used.
The proposed release artefacts can be found at [1],
and the build was done using tag [2].
The Apache Tomcat Native 2.0.0 release is
[ ] Stable, go ahead and release
[ ] Broken because of ...
Thanks,
Mark
I will try to do some testing on 8.5.x
Tx.
Mark