Mark,
On 5/22/25 3:13 AM, Mark Thomas wrote:
> All,
>
> The last Tomcat Native releases were in July 2024. The Windows binaries
> were built with 3.0.14.
>
> There are some low severity CVEs in 3.0.14 that we don't believe apply
> to Tomcat's usage of OpenSSL but that may trigger a security scanner.
>
> There is a new OpenSSL LTS branch, 3.5.x, that includes support for Post
> Quantum Cryptography.
>
> I'd like to get a new round of Tomcat Native releases made where the
> Windows binaries are built with 3.5.x.
>
> My question is does this need a version bump? I'm thinking not as I'm
> not planning on changing the minimum OpenSSL version and these are
> convenience binaries.
>
> Any objections?

No objections as long as earlier versions are still supported. OpenSSL
has been getting better about being less incompatible with itself. :)

As I already mentioned yesterday (subject: "OpenSSL 3.5"), I just built
libtcnative and ran the whole suite of unit tests against Tomcat 11
using OpenSSL 3.5 and things went just fine. That was on a *NIX system
which of course has a separate build process, but I just wanted to
reiterate that Tomcat and tcnative both seem perfectly happy with
OpenSSL 3.5 under the covers.

-chris