On Thu, May 22, 2025 at 4:09 PM Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Mark,
>
> On 5/22/25 3:13 AM, Mark Thomas wrote:
> > All,
> >
> > The last Tomcat Native releases were in July 2024. The Windows binaries
> > were built with 3.0.14.
> >
> > There are some low severity CVEs in 3.0.14 that we don't believe apply
> > to Tomcat's usage of OpenSSL but that may trigger a security scanner.
> >
> > There is a new OpenSSL LTS branch, 3.5.x, that includes support for Post
> > Quantum Cryptography.
> >
> > I'd like to get a new round of Tomcat Native releases made where the
> > Windows binaries are built with 3.5.x.
> >
> > My question is does this need a version bump? I'm thinking not as I'm
> > not planning on changing the minimum OpenSSL version and these are
> > convenience binaries.
> >
> > Any objections?
>
> No objections as long as earlier versions are still supported. OpenSSL
> has been getting better about being less incompatible with itself. :)

Seems ok indeed.

I read an article the other day about how RusTLS is faster and super
scalable compared to OpenSSL (the article noted some progress though
and that 3.5 is faster and more scalable than 3.0), but of course the
C bindings are "?" and there's no compatibility with OpenSSL at all.

> As I already mentioned yesterday (subject: "OpenSSL 3.5"), I just built
> libtcnative and ran the whole suite of unit tests against Tomcat 11
> using OpenSSL 3.5 and things went just fine. That was on a *NIX system
> which of course has a separate build process, but I just wanted to
> reiterate that Tomcat and tcnative both seem perfectly happy with
> OpenSSL 3.5 under the covers.

Rémy

> -chris
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
