https://bz.apache.org/bugzilla/show_bug.cgi?id=57815
--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Justin from comment #4)
> Thanks for your time and contributions. I would definitely find both the
> compile time and run time versions of OpenSSL helpful, at least while such
> static restrictions exist.

Okay.

> Sadly Tomcat Native is not actively maintained in many distributions, e.g.
> pulled from Fedora EPEL 6, at 1.1.30 in Fedora EPEL 7 (as of April 16,
> 2015). OpenSSL will be more actively maintained, particularly for security
> concerns. Might help many to support future protocols and ciphers.

Please lobby your distribution for updates. Generally speaking, Linux distros try to maintain stability and will only back-port security patches, so many improvements are ignored. There may not be a way to change that policy.

> Slightly off topic: have you or others considered alternatives to
> OpenSSL/LibreSSL? Maybe GnuTLS, NSS, Botan?

If you look at the TLS-related tcnative code, you'll notice that it is *very* tightly coupled with the OpenSSL API. Even the Java binding exposes OpenSSL API calls (I'm specifically thinking of the "hasOp" method). LibreSSL's initial goal is library-compatibility, so using that library ought to be relatively easy to do. The others, not so much.

If you'd be interested in taking a look at how to implement some of the native functions that are currently implemented as OpenSSL-only, except with GnuTLS, etc., I'd certainly be interested in seeing them.