This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new f4c5d54ce0 Add doc and jextract helpers f4c5d54ce0 is described below commit f4c5d54ce045e87a2ec3a1c70b93d3716a3e2f94 Author: remm <r...@apache.org> AuthorDate: Thu Jul 11 10:34:22 2024 +0200 Add doc and jextract helpers --- res/openssl/README.md | 42 +++++ res/openssl/addlicense.sh | 22 +++ res/openssl/license.header | 17 ++ res/openssl/openssl-tomcat.conf | 370 ++++++++++++++++++++++++++++++++++++++ res/openssl/openssl.h | 31 ++++ webapps/docs/config/listeners.xml | 65 ++++++- 6 files changed, 545 insertions(+), 2 deletions(-) diff --git a/res/openssl/README.md b/res/openssl/README.md new file mode 100644 index 0000000000..5fd1eba39e --- /dev/null +++ b/res/openssl/README.md 
@@ -0,0 +1,42 @@ +# OpenSSL support for Apache Tomcat + +## Building + +The OpenSSL API support classes can be built using jextract from Java 22+. + +jextract is now available in its own standalone repository. Clone +`https://github.com/openjdk/jextract` in some location and +checkout the branch that supports Java 22. Please refer to the +instructions from the repository for building. It should be the +`panama` branch. + +This step is only useful to be able to use additional native APIs from OpenSSL +or stdlib. + +Find include paths using `gcc -xc -E -v -`, on Fedora it is +`/usr/lib/gcc/x86_64-redhat-linux/12/include`. Edit `openssl-tomcat.conf` +accordingly to set the appropriate path. + +``` +export JEXTRACT_HOME=<pathto>/jextract/build/jextract +$JEXTRACT_HOME/bin/jextract @openssl-tomcat.conf openssl.h +``` +Note: The build path for the JDK will be different on other platforms. + +The code included was generated using OpenSSL 3.0. As long as things remain +API compatible, the generated code will still work. + +The `openssl-tomcat.conf` will generate a trimmed down OpenSSL API. When +developing new features, the full API can be generated instead using: +``` +$JEXTRACT_HOME/bin/jextract --source -t org.apache.tomcat.util.openssl -lssl -I /usr/lib/gcc/x86_64-redhat-linux/12/include openssl.h --output src/main/java +``` + +The `openssl.conf` file lists all the API calls and constants that can be +generated using jextract, as a reference to what is available. Some macros are +not supported and have to be reproduced in code. + +Before committing updated generated files, they need to have the license header +added. The `addlicense.sh` script can do that and process all Java source files +in the `src/main/java/org/apache/tomcat/util/openssl` directory. + diff --git a/res/openssl/addlicense.sh b/res/openssl/addlicense.sh new file mode 100755 index 0000000000..4ab5e3894b --- /dev/null +++ b/res/openssl/addlicense.sh 
@@ -0,0 +1,22 @@ +#!/bin/sh + +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +for generated in ../../java/org/apache/tomcat/util/openssl/*.java; do + cat license.header $generated >> $generated.$$ + mv $generated.$$ $generated + echo Updated $generated +done diff --git a/res/openssl/license.header b/res/openssl/license.header new file mode 100644 index 0000000000..4b326ae5c2 --- /dev/null +++ b/res/openssl/license.header @@ -0,0 +1,17 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + 
diff --git a/res/openssl/openssl-tomcat.conf b/res/openssl/openssl-tomcat.conf new file mode 100644 index 0000000000..0d75c2654d --- /dev/null +++ b/res/openssl/openssl-tomcat.conf 
@@ -0,0 +1,370 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +-t org.apache.tomcat.util.openssl +-lssl +# Configure include path +-I /usr/lib/gcc/x86_64-redhat-linux/12/include +--output ../../java + +#### Extracted from: /usr/include/openssl/asn1.h + +--include-function ASN1_STRING_get0_data # header: /usr/include/openssl/asn1.h +--include-function ASN1_STRING_length # header: /usr/include/openssl/asn1.h + +#### Extracted from: /usr/include/openssl/bio.h + +--include-function BIO_ctrl # header: /usr/include/openssl/bio.h +--include-function BIO_ctrl_pending # header: /usr/include/openssl/bio.h +--include-function BIO_free # header: /usr/include/openssl/bio.h +--include-function BIO_new # header: /usr/include/openssl/bio.h +--include-function BIO_new_bio_pair # header: /usr/include/openssl/bio.h +--include-function BIO_new_file # header: /usr/include/openssl/bio.h +--include-function BIO_read # header: /usr/include/openssl/bio.h +--include-function BIO_s_bio # header: /usr/include/openssl/bio.h +--include-function BIO_s_file # header: /usr/include/openssl/bio.h +--include-function BIO_s_mem # header: /usr/include/openssl/bio.h +--include-function BIO_write # header: /usr/include/openssl/bio.h +--include-constant BIO_CLOSE # header: 
/usr/include/openssl/bio.h +--include-constant BIO_CTRL_RESET # header: /usr/include/openssl/bio.h +--include-constant BIO_C_SET_FILENAME # header: /usr/include/openssl/bio.h +--include-constant BIO_FP_READ # header: /usr/include/openssl/bio.h + +#### Extracted from: /usr/include/openssl/bn.h + +--include-function BN_get_rfc2409_prime_1024 # header: /usr/include/openssl/bn.h +--include-function BN_get_rfc2409_prime_768 # header: /usr/include/openssl/bn.h +--include-function BN_get_rfc3526_prime_1536 # header: /usr/include/openssl/bn.h +--include-function BN_get_rfc3526_prime_2048 # header: /usr/include/openssl/bn.h +--include-function BN_get_rfc3526_prime_3072 # header: /usr/include/openssl/bn.h +--include-function BN_get_rfc3526_prime_4096 # header: /usr/include/openssl/bn.h +--include-function BN_get_rfc3526_prime_6144 # header: /usr/include/openssl/bn.h +--include-function BN_get_rfc3526_prime_8192 # header: /usr/include/openssl/bn.h +--include-function BN_new # header: /usr/include/openssl/bn.h +--include-function BN_set_word # header: /usr/include/openssl/bn.h + +#### Extracted from: /usr/include/openssl/crypto.h + +--include-function CRYPTO_free # header: /usr/include/openssl/crypto.h +--include-function OpenSSL_version # header: /usr/include/openssl/crypto.h +--include-function OpenSSL_version_num # header: /usr/include/openssl/crypto.h +--include-constant OPENSSL_INIT_ENGINE_ALL_BUILTIN # deprecated header: /usr/include/openssl/crypto.h + +#### Extracted from: /usr/include/openssl/dh.h + +--include-function DH_free # deprecated header: /usr/include/openssl/dh.h +--include-function DH_new # deprecated header: /usr/include/openssl/dh.h +--include-function DH_set0_pqg # deprecated header: /usr/include/openssl/dh.h + +#### Extracted from: /usr/include/openssl/ec.h + +--include-function d2i_ECPKParameters # header: /usr/include/openssl/ec.h +--include-function EC_GROUP_free # header: /usr/include/openssl/ec.h +--include-function EC_GROUP_get_curve_name # header: 
/usr/include/openssl/ec.h +--include-function EC_KEY_free # deprecated header: /usr/include/openssl/ec.h +--include-function EC_KEY_new_by_curve_name # deprecated header: /usr/include/openssl/ec.h + +#### Extracted from: /usr/include/openssl/engine.h + +--include-function ENGINE_by_id # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_ctrl_cmd_string # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_free # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_load_private_key # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_register_all_complete # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_set_default # deprecated header: /usr/include/openssl/engine.h +--include-constant ENGINE_METHOD_ALL # deprecated header: /usr/include/openssl/engine.h + +#### Extracted from: /usr/include/openssl/err.h + +--include-function ERR_clear_error # header: /usr/include/openssl/err.h +--include-function ERR_error_string # header: /usr/include/openssl/err.h +--include-function ERR_error_string_n # header: /usr/include/openssl/err.h +--include-function ERR_get_error # header: /usr/include/openssl/err.h +--include-function ERR_peek_last_error # header: /usr/include/openssl/err.h +--include-constant ERR_REASON_MASK # header: /usr/include/openssl/err.h + +#### Extracted from: /usr/include/openssl/evp.h + +--include-function EVP_MD_fetch # header: /usr/include/openssl/evp.h +--include-function EVP_MD_free # header: /usr/include/openssl/evp.h +--include-function EVP_MD_get0_provider # header: /usr/include/openssl/evp.h +--include-function EVP_PKEY_get_base_id # header: /usr/include/openssl/evp.h +--include-function EVP_PKEY_get_bits # header: /usr/include/openssl/evp.h +--include-function EVP_PKEY_free # header: /usr/include/openssl/evp.h +--include-constant EVP_PKEY_DSA # header: /usr/include/openssl/evp.h +--include-constant EVP_PKEY_NONE # header: 
/usr/include/openssl/evp.h +--include-constant EVP_PKEY_RSA # header: /usr/include/openssl/evp.h + +#### Extracted from: /usr/include/openssl/obj_mac.h + +--include-constant NID_info_access # header: /usr/include/openssl/obj_mac.h + +#### Extracted from: /usr/include/openssl/ocsp.h + +--include-function OCSP_BASICRESP_free # header: /usr/include/openssl/ocsp.h +--include-function OCSP_CERTID_free # header: /usr/include/openssl/ocsp.h +--include-function OCSP_REQUEST_free # header: /usr/include/openssl/ocsp.h +--include-function OCSP_REQUEST_new # header: /usr/include/openssl/ocsp.h +--include-function OCSP_RESPONSE_free # header: /usr/include/openssl/ocsp.h +--include-function OCSP_cert_to_id # header: /usr/include/openssl/ocsp.h +--include-function OCSP_request_add0_id # header: /usr/include/openssl/ocsp.h +--include-function OCSP_response_get1_basic # header: /usr/include/openssl/ocsp.h +--include-function OCSP_response_status # header: /usr/include/openssl/ocsp.h +--include-function OCSP_resp_find # header: /usr/include/openssl/ocsp.h +--include-function OCSP_resp_get0 # header: /usr/include/openssl/ocsp.h +--include-function OCSP_single_get0_status # header: /usr/include/openssl/ocsp.h +--include-function d2i_OCSP_RESPONSE # header: /usr/include/openssl/ocsp.h +--include-function i2d_OCSP_REQUEST # header: /usr/include/openssl/ocsp.h +--include-constant OCSP_RESPONSE_STATUS_SUCCESSFUL # header: /usr/include/openssl/ocsp.h +--include-constant V_OCSP_CERTSTATUS_GOOD # header: /usr/include/openssl/ocsp.h +--include-constant V_OCSP_CERTSTATUS_REVOKED # header: /usr/include/openssl/ocsp.h +--include-constant V_OCSP_CERTSTATUS_UNKNOWN # header: /usr/include/openssl/ocsp.h + +#### Extracted from: /usr/include/openssl/opensslconf-x86_64.h + +--include-constant OPENSSL_API_COMPAT # header: /usr/include/openssl/opensslconf-x86_64.h +--include-constant OPENSSL_FILE # header: /usr/include/openssl/opensslconf-x86_64.h +--include-constant OPENSSL_LINE # header: 
/usr/include/openssl/opensslconf-x86_64.h +--include-constant OPENSSL_MIN_API # header: /usr/include/openssl/opensslconf-x86_64.h + +#### Extracted from: /usr/include/openssl/pem.h + +--include-function PEM_ASN1_read_bio # header: /usr/include/openssl/pem.h +--include-function PEM_read_bio_DHparams # deprecated header: /usr/include/openssl/pem.h +--include-function PEM_read_bio_ECPKParameters # deprecated header: /usr/include/openssl/pem.h +--include-function PEM_read_bio_Parameters # header: /usr/include/openssl/pem.h +--include-function PEM_read_bio_PrivateKey # header: /usr/include/openssl/pem.h +--include-function PEM_read_bio_X509_AUX # header: /usr/include/openssl/pem.h +--include-constant PEM_STRING_ECPARAMETERS # header: /usr/include/openssl/pem.h + +#### Extracted from: /usr/include/openssl/pemerr.h + +--include-constant PEM_R_NO_START_LINE # header: /usr/include/openssl/pemerr.h + +#### Extracted from: /usr/include/openssl/pkcs12.h + +--include-function PKCS12_free # header: /usr/include/openssl/pkcs12.h +--include-function PKCS12_parse # header: /usr/include/openssl/pkcs12.h +--include-function PKCS12_verify_mac # header: /usr/include/openssl/pkcs12.h +--include-function d2i_PKCS12_bio # header: /usr/include/openssl/pkcs12.h + +#### Extracted from: /usr/include/openssl/provider.h + +--include-function OSSL_PROVIDER_get0_name # header: /usr/include/openssl/provider.h + +#### Extracted from: /usr/include/openssl/rand.h + +--include-function RAND_load_file # header: /usr/include/openssl/rand.h +--include-function RAND_seed # header: /usr/include/openssl/rand.h + +#### Extracted from: /usr/include/openssl/ssl.h + +--include-function OPENSSL_init_ssl # header: /usr/include/openssl/ssl.h +--include-function SSL_CIPHER_get_auth_nid # header: /usr/include/openssl/ssl.h +--include-function SSL_CIPHER_get_kx_nid # header: /usr/include/openssl/ssl.h +--include-function SSL_CIPHER_get_name # header: /usr/include/openssl/ssl.h +--include-function SSL_CONF_CTX_finish 
# header: /usr/include/openssl/ssl.h +--include-function SSL_CONF_CTX_free # header: /usr/include/openssl/ssl.h +--include-function SSL_CONF_CTX_new # header: /usr/include/openssl/ssl.h +--include-function SSL_CONF_CTX_set_flags # header: /usr/include/openssl/ssl.h +--include-function SSL_CONF_CTX_set_ssl_ctx # header: /usr/include/openssl/ssl.h +--include-function SSL_CONF_cmd # header: /usr/include/openssl/ssl.h +--include-function SSL_CONF_cmd_value_type # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_add_client_CA # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_check_private_key # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_clear_options # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_ctrl # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_free # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_get_cert_store # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_get_ciphers # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_get_client_CA_list # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_get_options # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_get_timeout # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_load_verify_locations # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_new # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_alpn_select_cb # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_cert_verify_callback # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_cipher_list # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_ciphersuites # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_client_CA_list # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_default_passwd_cb # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_default_verify_paths # 
header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_options # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_session_id_context # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_timeout # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_tmp_dh_callback # deprecated header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set_verify # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_set0_tmp_dh_pkey # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_use_certificate # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_use_certificate_chain_file # header: /usr/include/openssl/ssl.h +--include-function SSL_CTX_use_PrivateKey # header: /usr/include/openssl/ssl.h +--include-function SSL_SESSION_get_id # header: /usr/include/openssl/ssl.h +--include-function SSL_SESSION_get_time # header: /usr/include/openssl/ssl.h +--include-function SSL_add_file_cert_subjects_to_stack # header: /usr/include/openssl/ssl.h +--include-function SSL_do_handshake # header: /usr/include/openssl/ssl.h +--include-function SSL_free # header: /usr/include/openssl/ssl.h +--include-function SSL_get_ciphers # header: /usr/include/openssl/ssl.h +--include-function SSL_get_current_cipher # header: /usr/include/openssl/ssl.h +--include-function SSL_get_ex_data_X509_STORE_CTX_idx # header: /usr/include/openssl/ssl.h +--include-function SSL_get_options # header: /usr/include/openssl/ssl.h +--include-function SSL_get_peer_cert_chain # header: /usr/include/openssl/ssl.h +--include-function SSL_get_privatekey # header: /usr/include/openssl/ssl.h +--include-function SSL_get_session # header: /usr/include/openssl/ssl.h +--include-function SSL_get_shutdown # header: /usr/include/openssl/ssl.h +--include-function SSL_get_version # header: /usr/include/openssl/ssl.h +--include-function SSL_get0_alpn_selected # header: /usr/include/openssl/ssl.h +--include-function SSL_get1_peer_certificate # 
header: /usr/include/openssl/ssl.h +--include-function SSL_in_init # header: /usr/include/openssl/ssl.h +--include-function SSL_load_client_CA_file # header: /usr/include/openssl/ssl.h +--include-function SSL_new # header: /usr/include/openssl/ssl.h +--include-function SSL_pending # header: /usr/include/openssl/ssl.h +--include-function SSL_read # header: /usr/include/openssl/ssl.h +--include-function SSL_renegotiate # header: /usr/include/openssl/ssl.h +--include-function SSL_renegotiate_pending # header: /usr/include/openssl/ssl.h +--include-function SSL_set_accept_state # header: /usr/include/openssl/ssl.h +--include-function SSL_set_bio # header: /usr/include/openssl/ssl.h +--include-function SSL_set_cipher_list # header: /usr/include/openssl/ssl.h +--include-function SSL_set_connect_state # header: /usr/include/openssl/ssl.h +--include-function SSL_set_info_callback # header: /usr/include/openssl/ssl.h +--include-function SSL_set_options # header: /usr/include/openssl/ssl.h +--include-function SSL_set_verify # header: /usr/include/openssl/ssl.h +--include-function SSL_set_verify_result # header: /usr/include/openssl/ssl.h +--include-function SSL_shutdown # header: /usr/include/openssl/ssl.h +--include-function SSL_verify_client_post_handshake # header: /usr/include/openssl/ssl.h +--include-function SSL_write # header: /usr/include/openssl/ssl.h +--include-function TLS_server_method # header: /usr/include/openssl/ssl.h +--include-constant SSL_CB_HANDSHAKE_DONE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CONF_FLAG_CERTIFICATE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CONF_FLAG_FILE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CONF_FLAG_SERVER # header: /usr/include/openssl/ssl.h +--include-constant SSL_CONF_FLAG_SHOW_ERRORS # header: /usr/include/openssl/ssl.h +--include-constant SSL_CONF_TYPE_DIR # header: /usr/include/openssl/ssl.h +--include-constant SSL_CONF_TYPE_FILE # header: /usr/include/openssl/ssl.h 
+--include-constant SSL_CONF_TYPE_UNKNOWN # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_CHAIN_CERT # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_GET_SESS_CACHE_MODE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_GET_SESS_CACHE_SIZE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_ACCEPT # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_ACCEPT_GOOD # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_ACCEPT_RENEGOTIATE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_CACHE_FULL # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_CB_HIT # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_CONNECT # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_CONNECT_GOOD # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_CONNECT_RENEGOTIATE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_HIT # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_MISSES # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_NUMBER # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SESS_TIMEOUTS # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_DH_AUTO # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_GROUPS # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_MAX_PROTO_VERSION # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_MIN_PROTO_VERSION # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_SESS_CACHE_MODE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_SESS_CACHE_SIZE # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_TLSEXT_TICKET_KEYS # header: /usr/include/openssl/ssl.h +--include-constant SSL_CTRL_SET_TMP_DH # deprecated header: /usr/include/openssl/ssl.h 
+--include-constant SSL_CTRL_SET_TMP_ECDH # deprecated header: /usr/include/openssl/ssl.h +--include-constant SSL_ERROR_NONE # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_ALL # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_CIPHER_SERVER_PREFERENCE # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_COMPRESSION # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_SSLv2 # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_SSLv3 # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_TICKET # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_TLSv1 # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_TLSv1_1 # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_TLSv1_2 # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_NO_TLSv1_3 # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_SINGLE_DH_USE # header: /usr/include/openssl/ssl.h +--include-constant SSL_OP_SINGLE_ECDH_USE # header: /usr/include/openssl/ssl.h +--include-constant SSL_RECEIVED_SHUTDOWN # header: /usr/include/openssl/ssl.h +--include-constant SSL_SENT_SHUTDOWN # header: /usr/include/openssl/ssl.h +--include-constant SSL_SESS_CACHE_OFF # header: /usr/include/openssl/ssl.h +--include-constant SSL_SESS_CACHE_SERVER # header: /usr/include/openssl/ssl.h +--include-constant SSL_VERIFY_FAIL_IF_NO_PEER_CERT # header: /usr/include/openssl/ssl.h +--include-constant SSL_VERIFY_NONE # header: /usr/include/openssl/ssl.h +--include-constant SSL_VERIFY_PEER # header: /usr/include/openssl/ssl.h + +#### Extracted from: /usr/include/openssl/ssl2.h + +--include-constant SSL2_VERSION # header: /usr/include/openssl/ssl2.h + +#### Extracted from: /usr/include/openssl/ssl3.h + 
+--include-constant SSL3_VERSION # header: /usr/include/openssl/ssl3.h + +#### Extracted from: /usr/include/openssl/tls1.h + +--include-constant SSL_TLSEXT_ERR_NOACK # header: /usr/include/openssl/tls1.h +--include-constant SSL_TLSEXT_ERR_OK # header: /usr/include/openssl/tls1.h +--include-constant TLS1_1_VERSION # header: /usr/include/openssl/tls1.h +--include-constant TLS1_2_VERSION # header: /usr/include/openssl/tls1.h +--include-constant TLS1_3_VERSION # header: /usr/include/openssl/tls1.h +--include-constant TLS1_VERSION # header: /usr/include/openssl/tls1.h + +#### Extracted from: /usr/include/openssl/stack.h + +--include-function OPENSSL_sk_num # header: /usr/include/openssl/stack.h +--include-function OPENSSL_sk_value # header: /usr/include/openssl/stack.h + +#### Extracted from: /usr/include/openssl/types.h + +--include-typedef pem_password_cb + +#### Extracted from: /usr/include/openssl/x509.h + +--include-function i2d_X509 # header: /usr/include/openssl/x509.h +--include-function d2i_X509 # header: /usr/include/openssl/x509.h +--include-function d2i_X509_bio # header: /usr/include/openssl/x509.h +--include-function X509_EXTENSION_get_data # header: /usr/include/openssl/x509.h +--include-function X509_free # header: /usr/include/openssl/x509.h +--include-function X509_get_ext # header: /usr/include/openssl/x509.h +--include-function X509_get_ext_by_NID # header: /usr/include/openssl/x509.h +--include-constant X509_FILETYPE_PEM # header: /usr/include/openssl/x509.h + +#### Extracted from: /usr/include/openssl/x509v3.h + +--include-function X509_check_issued # header: /usr/include/openssl/x509v3.h + +#### Extracted from: /usr/include/openssl/x509_vfy.h + +--include-function X509_LOOKUP_ctrl # header: /usr/include/openssl/x509_vfy.h +--include-function X509_LOOKUP_file # header: /usr/include/openssl/x509_vfy.h +--include-function X509_LOOKUP_hash_dir # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_add_lookup # header: 
/usr/include/openssl/x509_vfy.h +--include-function X509_STORE_CTX_get_current_cert # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_CTX_get_error # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_CTX_get_error_depth # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_CTX_get_ex_data # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_CTX_get0_current_issuer # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_CTX_get0_untrusted # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_CTX_set_error # header: /usr/include/openssl/x509_vfy.h +--include-function X509_STORE_set_flags # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_L_ADD_DIR # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_L_FILE_LOAD # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_ERR_APPLICATION_VERIFICATION # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_ERR_CERT_UNTRUSTED # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_ERR_CRL_HAS_EXPIRED # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_FLAG_CRL_CHECK # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_FLAG_CRL_CHECK_ALL # header: /usr/include/openssl/x509_vfy.h +--include-constant X509_V_OK # header: /usr/include/openssl/x509_vfy.h + diff --git a/res/openssl/openssl.h b/res/openssl/openssl.h new file mode 100644 index 0000000000..e31fad9e1b --- /dev/null +++ b/res/openssl/openssl.h 
@@ -0,0 +1,31 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <openssl/opensslv.h> +#include <openssl/ssl.h> +#include <openssl/err.h> +#include <openssl/x509.h> +#include <openssl/pem.h> +#include <openssl/pkcs12.h> +#include <openssl/crypto.h> +#include <openssl/evp.h> +#include <openssl/rand.h> +#include <openssl/x509v3.h> +#include <openssl/dh.h> +#include <openssl/bn.h> +#include <openssl/engine.h> +#include <openssl/ocsp.h> +#include <openssl/provider.h> diff --git a/webapps/docs/config/listeners.xml b/webapps/docs/config/listeners.xml index 0036bd623c..88b0cc614a 100644 --- a/webapps/docs/config/listeners.xml +++ b/webapps/docs/config/listeners.xml 
@@ -83,8 +83,8 @@ <subsection name="APR Lifecycle Listener - org.apache.catalina.core.AprLifecycleListener"> <p>The <strong>APR Lifecycle Listener</strong> checks for the presence of - the APR/native library and loads the library if it is present. For more - information see the <a href="../apr.html">APR/native guide</a>.</p> + the Apache Tomcat Native library and loads the library if it is present. + For more information see the <a href="../apr.html">APR/native guide</a>.</p> <p>This listener must only be nested within <a href="server.html">Server</a> elements.</p> 
@@ -372,6 +372,67 @@ </subsection> + <subsection name="OpenSSL Lifecycle Listener - org.apache.catalina.core.OpenSSLLifecycleListener"> + + <p>The <strong>OpenSSL Lifecycle Listener</strong> checks for the presence + of the OpenSSL library and loads the library if it is present. This + uses the FFM API from Java 22 instead of additional native code. When + enabled and successfully loaded, NIO and NIO2 connector will then make use + of OpenSSL for TLS functionality. This is a functional replacement to the + <strong>APR Lifecycle Listener</strong> described above.</p> + + <p>This listener must only be nested within <a href="server.html">Server</a> + elements.</p> + + <p>The following additional attributes are supported by the <strong>OpenSSL + Lifecycle Listener</strong>:</p> + + <attributes> + + <attribute name="SSLEngine" required="false"> + <p>Name of the SSLEngine to use, for OpenSSL 1.x.</p> + <p>See the <a href="http://www.openssl.org/">Official OpenSSL website</a> + for more details on supported SSL hardware engines and manufacturers. + </p> + </attribute> + + <attribute name="SSLRandomSeed" required="false"> + <p>Entropy source used to seed the SSLEngine's PRNG. The default value + is <code>builtin</code>. On development systems, you may want to set + this to <code>/dev/urandom</code> to allow quicker start times.</p> + </attribute> + + <attribute name="FIPSMode" required="false"> + <p>The behaviour of this attribute depends on whether Tomcat Native has + been compiled against OpenSSL 1.x or OpenSSL 3.x.</p> + <p>For OpenSSL 1.x: Set to <code>on</code> to request that OpenSSL be in + FIPS mode (if OpenSSL is already in FIPS mode, it will remain in FIPS + mode). + Set to <code>enter</code> to force OpenSSL to enter FIPS mode (an + error will occur if OpenSSL is already in FIPS mode). 
+ Set to <code>require</code> to require that OpenSSL <i>already</i> be + in FIPS mode (an error will occur if OpenSSL is not already in FIPS + mode).</p> + <p>For OpenSSL 3.x: <code>on</code>, <code>enter</code> and + <code>require</code> all behave the same way. If the FIPS provider is + the default provider, it will be used. If the FIPS provider is not the + default provider, an error will occur.</p> + <p>FIPS mode <em>requires you to have a FIPS-capable OpenSSL library</em>. + If this attribute is set to anything other than <code>off</code>, the + <b>SSLEngine</b> must be enabled as well.</p> + <p>The default value is <code>off</code>.</p> + </attribute> + + <attribute name="useOpenSSL" required="false"> + <p>This attribute controls the auto-selection of the OpenSSL JSSE + implementation. The default is <code>true</code> which will use OpenSSL + if the FFM API is available.</p> + </attribute> + + </attributes> + + </subsection> + <subsection name="Properties Role Mapping Listener - org.apache.catalina.core.PropertiesRoleMappingListener"> <p>The <strong>Properties Role Mapping Listener</strong> populates the context's role mapping --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
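Review bot: The README hunk refers to files and paths that do not match what this commit adds: the paragraph "The `openssl.conf` file lists all the API calls and constants that can be generated using jextract" names a file that is not part of the change (only `openssl-tomcat.conf` and `openssl.h` are added), and the last paragraph says `addlicense.sh` processes "the `src/main/java/org/apache/tomcat/util/openssl` directory" while the script itself iterates over `../../java/org/apache/tomcat/util/openssl/*.java`. Either add the referenced `openssl.conf` or drop that paragraph, and change the directory in the last paragraph to match the script. It is also worth verifying that `--source`, used in the full-API command, is still accepted by the jextract branch the README tells readers to build, since recent jextract builds generate sources only.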
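Review bot: The loop in the `addlicense.sh` hunk is not idempotent and has two shell robustness problems. Nothing checks whether `$generated` already starts with the header, so running the script twice prepends `license.header` twice; a `grep -q 'Licensed to the Apache Software Foundation' "$generated" && continue` before the `cat` would guard against that. `cat license.header $generated >> $generated.$$` appends instead of truncating, so a leftover temp file from an interrupted run would be concatenated into the source (use `>`), and the expansions should be quoted (`"$generated"`, `"$generated.$$"`). The script also depends on relative paths (`license.header`, `../../java/...`), so it only works when run from `res/openssl`; either `cd "$(dirname "$0")"` at the top or state the requirement in the README.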
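Review bot: In the `openssl-tomcat.conf` hunk, `-I /usr/lib/gcc/x86_64-redhat-linux/12/include` pins the configuration to one Fedora/gcc 12 installation, and `--output ../../java` disagrees with the `--output src/main/java` used in the README's full-API command, so the two workflows write generated sources to different trees. Consider marking the include path as a placeholder with the `gcc -xc -E -v -` hint in the adjacent comment, and align the output directory with the README and `addlicense.sh`. The entries tagged `# deprecated header:` (`ENGINE_*`, `DH_*`, `EC_KEY_*`, `PEM_read_bio_DHparams`, `SSL_CTX_set_tmp_dh_callback`, `OPENSSL_INIT_ENGINE_ALL_BUILTIN`) are guarded by `OPENSSL_NO_DEPRECATED_3_0` in OpenSSL 3.x headers, so extraction against a `no-deprecated` build will drop them; a comment saying the file expects a default (deprecated-API-enabled) build would save the next person some debugging.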
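Review bot: The `FIPSMode` description in the new "OpenSSL Lifecycle Listener" subsection was carried over from the APR listener and no longer fits: "The behaviour of this attribute depends on whether Tomcat Native has been compiled against OpenSSL 1.x or OpenSSL 3.x." refers to Tomcat Native, but the opening paragraph of the same subsection says this listener uses the FFM API instead of additional native code, so the behaviour depends on the version of the OpenSSL library that gets loaded. Reword it to say that. Smaller points in the same hunk: "NIO and NIO2 connector will then make use" should read "connectors", "a functional replacement to" should read "for", and since the `FIPSMode` text says `SSLEngine` must be enabled when FIPS is on while the `SSLEngine` attribute is documented only "for OpenSSL 1.x", the 3.x case (where the FIPS provider is used) should state whether `SSLEngine` is still required.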