On Mon, Jul 4, 2022 at 1:23 PM Mark Thomas <ma...@apache.org> wrote:
>
> On 30/06/2022 17:55, Christopher Schultz wrote:
> > Mark,
> >
> > On 6/30/22 09:58, Mark Thomas wrote:
> >> This is the first release of the Tomcat Native 2.0.x branch. The major
> >> differences compared to the 1.2.x branch are:
> >>
> >> - JNI API has been reduced to just that required to support the use of
> >> OpenSSL rather than JSSE for TLS connections. The APR/native connector
> >> is not supported.
> >
> > This statement is confusing. I think it should say "JNI API has been
> > reduced to just that required to support OpenSSL as a JSSE provider for
> > TLS connections. The API/native connector is no longer supported in this
> > branch."
> >
> > The confusion is over JSSE versus OpenSSL which are not
> > mutually-exclusive. What we are doing AIUI is specifically using OpenSSL
> > through JSSE, instead of going around JSSE and using OpenSSL directly
> > (well, through APR-connections).
>
> Ack. I was trying to avoid saying we were using an OpenSSL based JSSE
> provider as we are not doing that. How about:

Yes, some of my coworkers derived a provider from the work I did
initially. To be a full provider, we'd lose some of our very useful
config capabilities (obviously a provider cannot use SSLHostConfig)
and add java.io support (which I considered was useless for Tomcat;
although with Loom, maybe it's not so stupid anymore ;) ).

> "The JNI API has been reduced to just that required to support Tomcat's
> OpenSSL based TLS implementation. The APR/native connector is no longer
> supported in this branch."
>
>
> >> - The minimum supported versions have been increased to OpenSSL 3.0.x,
> >> Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
> >
> > How much do we continue to rely on APR at this point? Usually, the
> > reason to use APR is to take advantage of APRs pooling and e.g.
> > connection-handling capabilities. As we are dropping support for the APR
> > connector, the connection-handling capabilities are no longer required,
> > and the pooling is really only helpful when delayed-cleanup of those
> > pools is necessary.
> >
> > I think we can probably drop the APR dependency -- at least over time.
>
> I'm not convinced. We are mostly using APR for the memory management and
> I don't rate my chances of re-writing the TLS code without it whilst
> avoiding both bugs and memory leaks.
>
> Given the medium / long term direction (the project Panama code Rémy has
> been working on) I don't think the benefit of fully removing APR is
> worth the effort..

I agree. Of course, if someone wants to do it ...

Rémy

> >> The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but
> >> can be used with earlier versions as long as the APR/native connector
> >> is not used.
> >>
> >> The proposed release artefacts can be found at [1],
> >> and the build was done using tag [2].
> >>
> >> The Apache Tomcat Native 2.0.0 release is
> >> [ ] Stable, go ahead and release
> >> [ ] Broken because of ...
> >>
> >> Thanks,
> >>
> >> Mark
> >
> > I will try to do some testing on 8.5.x
>
> Tx.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org