Hi there,

in BZ 67628 (OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings) the following question was raised:

On 03.11.23 at 09:30, bugzi...@apache.org wrote:
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #9 from Mark Thomas <ma...@apache.org> ---
(In reply to Michael Osipov from comment #8)

Just tested. From a documentation PoV, this is fine now, though I wonder how
many people will run OpenSSL from main instead of the LTS branch.

I suspect very few, if any. I did consider aligning with the most recent LTS
release but concluded it was better to align with main as that reflects the
latest thinking regarding how secure a cipher or family of ciphers is. In
reality, the differences have been minimal in the last few years. If they
become problematic, we can always review which branch we track.

It seems OpenSSL 3.0 has performance degradation in some aspects (due to changes in locking). It might not be relevant for what our users do with Tomcat+OpenSSL, but the OpenSSL team invested quite some time to improve this. Parts are in 3.1, more parts might come in 3.2. Although the OpenSSL team declared 3.0 an LTS release, due to the performance situation, some downstreams might switch to a later branch.

I am not directly involved in downstream discussions (except for my own), but I have followed the performance/locking discussion a bit.

Best regards,

Rainer

