> For Windows, you are better off using the all-in-one statically-linked
> DLL provided by the Tomcat team.
...
> In general, the Tomcat team tries to keep on top of the latest news
> and releases from both APR and OpenSSL, so you shouldn't have to wait
> too long between a newly-published version of APR or OpenSSL and a new
> release of tcnative.

I'm fine with that... this week we've seen the new TC-Native released and then Tomcat 9 updated Friday and 8.5 updated over the weekend (I think). Pretty darn quick, in any case.

> I would question whether or not you really need libtcnative at all.

Me too. But see below:

> Are you going to be using a Tomcat installation without any kind of
> load-balancer or reverse-proxy in between it and your users?

We're using a load-balancer, but terminating the SSL (TLS) connection at Tomcat rather than at the load-balancer (we need the client certificate info for authentication. I understand that with an SSL connection terminated at a load balancer, the client certificate info can be forwarded to Tomcat, but I don't want to fight that battle just now).

I'm investigating using tc-native for:
- improved SSL (TLS) processing compared to the JSSE implementation (I hope)
- TLS 1.3 support
- HTTP/2 support
- possibly the use of more mainstream cert/truststore formats (Windows environment) than the JKS format (not that using the JKS format is a big deal, but I have found KeyStore Explorer to be REAL helpful in figuring out problems with keystores or truststores that weren't real obvious using keytool.exe by itself, and in adding/removing issuer or root certs as new ones come into use or expire).

Thanks.

On Mon, Feb 11, 2019 at 11:38 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

> John,
>
> On 2/11/19 10:46, John Palmer wrote:
> > (I'm new to using TC-native, interested in how to accomplish "In
> > security conscious production environments, it is recommended to
> > use separate shared dlls for OpenSSL, APR, and libtcnative-1, and
> > update them as needed according to security bulletins."
>
> For Windows, you are better off using the all-in-one statically-linked
> DLL provided by the Tomcat team. If you really want separate ones,
> you'll need to build everything yourself.
>
> I think that quote is easy to misinterpret. The problem is not the
> fact that the library is statically-linked and therefore less secure.
> The problem is that the native library bundles 3 separate packages:
> Apache Portable Runtime (APR), OpenSSL, and Tomcat's native library
> (libtcnative). Because they are bundled together, you cannot upgrade
> any single one of them independently of the others.
>
> If APR publishes a fix for a vulnerability, you cannot upgrade just
> apr-x.y.z.dll to get that fix. Instead, you'd have to wait for the
> Tomcat team to publish an updated bundle that includes that new
> version. Same with OpenSSL, etc.
>
> In general, the Tomcat team tries to keep on top of the latest news
> and releases from both APR and OpenSSL, so you shouldn't have to wait
> too long between a newly-published version of APR or OpenSSL and a new
> release of tcnative.
>
> If you have the capability of building your own libraries, then you
> can always get the latest from the upstream source and stay even more
> up-to-date than you would if you waited for the releases from Tomcat.
>
> > Apparently I need a concrete example (step-by-step, where to get
> > the dlls, where to put them (and make sure tomcat finds them)
> > etc... preferably I wouldn't have to compile anything myself.
>
> If you don't want to compile yourself, you'll need to trust ...
> someone else. The Tomcat team only publishes the all-in-one DLL.
>
> I would question whether or not you really need libtcnative at all.
> Are you going to be using a Tomcat installation without any kind of
> load-balancer or reverse-proxy in between it and your users?
> -chris
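The point Chris makes above is that the all-in-one tcnative DLL bundles APR, OpenSSL and libtcnative, so an operator cannot patch one of them on its own and instead has to know which upstream versions the bundle actually carries and track them against APR and OpenSSL bulletins. Tomcat reports those versions at startup through its AprLifecycleListener. The script below is an added example and is not part of this thread or of the Tomcat project: it pulls the three version strings out of a catalina log and compares them with a baseline the operator maintains. The log message formats are assumed from AprLifecycleListener and should be checked against your own catalina.out; the sample log lines and the baseline versions are constructed for the example.

```python
"""Extract the bundled component versions that Tomcat's AprLifecycleListener
reports at startup and compare them against an operator-maintained baseline.

Added example, not Tomcat project code. The two message formats below are
assumed from AprLifecycleListener (Tomcat 8.5/9); the sample log lines and
baseline versions are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[Tuple[int, ...], str]

# Assumed formats: one line names libtcnative and APR, another names OpenSSL.
NATIVE_RE = re.compile(
    r"Loaded APR based Apache Tomcat Native library \[(?P<tcnative>[\d.]+)\]"
    r" using APR version \[(?P<apr>[\d.]+)\]"
)
OPENSSL_RE = re.compile(
    r"OpenSSL successfully initialized \[OpenSSL (?P<openssl>[\w.]+)"
)

# Constructed sample lines in Tomcat's one-line log format.
SAMPLE_LOG = [
    "11-Feb-2019 11:38:00.000 INFO [main] "
    "org.apache.catalina.core.AprLifecycleListener.lifecycleEvent "
    "Loaded APR based Apache Tomcat Native library [1.2.21] "
    "using APR version [1.6.5].",
    "11-Feb-2019 11:38:00.010 INFO [main] "
    "org.apache.catalina.core.AprLifecycleListener.initializeSSL "
    "OpenSSL successfully initialized [OpenSSL 1.1.1a  20 Nov 2018]",
]

# Constructed baseline: the minimum version the operator currently accepts
# for each component, updated as APR/OpenSSL bulletins are reviewed.
BASELINE = {"tcnative": "1.2.21", "apr": "1.6.5", "openssl": "1.1.1b"}


def parse_version(text: str) -> Version:
    """Split '1.1.1a' into ((1, 1, 1), 'a') so that the numeric parts compare
    first and the OpenSSL letter suffix breaks ties ('1.1.1' < '1.1.1a')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2)


def extract_versions(log_lines: List[str]) -> Dict[str, str]:
    """Return {'tcnative': ..., 'apr': ..., 'openssl': ...} for whatever the
    log reports; a component that never appears is simply absent."""
    found: Dict[str, str] = {}
    for line in log_lines:
        m = NATIVE_RE.search(line)
        if m:
            found["tcnative"] = m.group("tcnative")
            found["apr"] = m.group("apr")
        m = OPENSSL_RE.search(line)
        if m:
            found["openssl"] = m.group("openssl")
    return found


def check_baseline(found: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, str]:
    """Per component: 'ok' if at or above the baseline, 'outdated' if below,
    'missing' if the log never reported it (e.g. the native library failed
    to load and Tomcat fell back to JSSE)."""
    status: Dict[str, str] = {}
    for component, minimum in baseline.items():
        if component not in found:
            status[component] = "missing"
        elif parse_version(found[component]) >= parse_version(minimum):
            status[component] = "ok"
        else:
            status[component] = "outdated"
    return status


if __name__ == "__main__":
    versions = extract_versions(SAMPLE_LOG)
    for component, result in check_baseline(versions, BASELINE).items():
        print(f"{component:9s} {versions.get(component, '-'):10s} {result}")
```

Run it against the real catalina log (`extract_versions(open("catalina.out").readlines())`) after each Tomcat or tcnative upgrade; a `missing` result is worth as much attention as `outdated`, because it usually means the native library did not load and the connector silently fell back to JSSE.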