On 18.12.25 at 13:47, Mark Thomas wrote:
On 18/12/2025 12:31, Rainer Jung wrote:
On 18.12.25 at 12:18, Mark Thomas wrote:
On 18/12/2025 01:28, Rainer Jung wrote:
On 18.12.25 at 01:26, Rainer Jung wrote:
- the error "error:12800067:DSO support routines::could not load the shared library" is shown because "SSL_ERR_clear();" is missing somewhere. If I add that in setCipherSuite, the SSL library error thrown changes to "error:0A0000B9:SSL routines::no cipher match"

We should definitely add the call to SSL_ERR_clear()

- the error happens in the "if (maxProtoVer >= TLS1_3_VERSION) {" branch.

- the CipherSuite used is "!aNULL:!eNULL:!EXP:ALL" and "!aNULL:!eNULL:!EXP:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA".

Where are those coming from? Have you modified the tests / Tomcat to use different default ciphers?

No modification, except for debug output. I think the part "!aNULL:!eNULL:!EXP:" comes from prefixing SSL_CIPHERS_ALWAYS_DISABLED in case of "#ifndef HAVE_EXPORT_CIPHERS" in the tcnative code for setCipherSuite(). I do not know where the ALL comes from. A couple of classes underneath test/org/apache/tomcat/util/net/ use it, but not obviously related to the failing test.

OK. I am making progress.

"ALL" comes from line 77 of o.a.t.u.n.openssl.OpenSSLEngine and should succeed.

I can only trigger a failure if I specify a protocol of TLSv1.3 and then list only TLSv1.2 ciphers. Previously, that would have defaulted to using the default TLSv1.3 cipher list. Now it fails.

I don't think we can (easily) distinguish between a list of just TLSv1.2 ciphers and a list of unsupported TLSv1.3 ciphers.

I'm currently leaning towards calling this working as designed.

What I can't figure out is what is triggering the test failures you are seeing.

Ah! I have a theory. Which Tomcat version are you using for testing?

I was analyzing it using 9.0.113 but I think I also saw it for 10.1.50. JVM was from various 1.8.0 vendors for TC 9 and at least adopt 11 for 10.1.50 (I then stopped testing).

Best regards,

Rainer
