On 20/01/2026 19:52, Rémy Maucherat wrote:
On Tue, Jan 20, 2026 at 8:24 PM Christopher Schultz
<[email protected]> wrote:
Mark,
On 1/19/26 5:30 PM, Mark Thomas wrote:
The proposed Apache Tomcat 11.0.16 release is now available for voting.
The notable changes compared to 11.0.15 include:
- For configuration consistency between OpenSSL and JSSE TLS
implementations, TLSv1.3 cipher suites included in the ciphers
attribute of an SSLHostConfig are now always ignored (previously
they would be ignored with OpenSSL implementations and used with
JSSE implementations) and a warning is logged that the cipher
suite has been ignored.
- Expand OCSP support to JSSE based connections and expand OCSP
configuration options
- Update Commons Daemon to 1.5.1.
- Update Tomcat Native to 2.0.12 and increase the minimum version to
2.0.12 / 1.3.4
For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html
Applications that run on Tomcat 9 and earlier will not run on Tomcat 11
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory. Applications using deprecated APIs may require
further changes.
It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.16/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1575
The tag is:
https://github.com/apache/tomcat/tree/11.0.16
f2a18d2aa892941e91e214f954a5ee31d60093ed
The proposed 11.0.16 release is:
[ ] -1 Broken - do not release
[ ] +1 Stable - go ahead and release as 11.0.16
Question, not a vote: should we re-tag 11 and 9 to include the fix for this?
https://bz.apache.org/bugzilla/show_bug.cgi?id=69932
It's not needed in 9.0. However it might be that the build is not
super reproducible, so I haven't put out the release vote yet,
depending on what Mark does with the vote for 11.
I think I have found a significant cause of the crashes with Native +
NIO2 + OpenSSL on shutdown.
With the patch I have made multiple runs of 50 x TestOcspEnabled without
a single failure. Without the patch, it normally fails somewhere between
2 and 5 runs.
Commit to follow shortly.
Once I've back-ported it, I'll tag 11.0.x.
I'd suggest it would be worth re-tagging 9.0.x to pick up this fix but,
since it isn't a regression (it appears the OCSP tests just made an
existing issue easier to reproduce) there is an argument for not re-tagging.
Mark