On 03/02/2016 16:00, Christopher Schultz wrote:
> All,
> 
> On 2/3/16 10:54 AM, Christopher Schultz wrote:
>> Mark,
> 
>> On 2/3/16 4:05 AM, Mark Thomas wrote:
>>> The proposed Apache Tomcat 8.0.32 release is now available for 
>>> voting.
> 
>>> The main changes since 8.0.30 are:
> 
>>> - Restore the default for mapperContextRootRedirectEnabled to
>>> true
> 
>>> - Update the packaged version of the Tomcat Native Library to 
>>> 1.2.4 to pick up the Windows binaries that are based on OpenSSL 
>>> 1.0.2e
> 
>>> - Expand session attribute filtering on load/unload to all 
>>> managers
> 
>>> It can be obtained from: 
>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.0.32/
>>> The Maven staging repo is:
>>> https://repository.apache.org/content/repositories/orgapachetomcat-1063/
>
> 
> 
>>> The svn tag is:
>>> http://svn.apache.org/repos/asf/tomcat/tc8.0.x/tags/TOMCAT_8_0_32/
> 
>>> The proposed 8.0.32 release is:
>>> [ ] Broken - do not release
>>> [ ] Stable - go ahead and release as 8.0.32
> 
>> tcnative bundled with 8.0.32 fails to compile on my system against 
>> OpenSSL 1.0.1e (Debian). It looks like they may not have
>> back-ported some expected changes from 1.0.1[latest]:
> 
>> src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_setCertificateRaw':
>> src/sslcontext.c:1079:5: error: 'eckey' undeclared (first use in this function)
>> src/sslcontext.c:1079:5: note: each undeclared identifier is reported only once for each function it appears in
>> make[1]: *** [src/sslcontext.lo] Error 1
> 
>> I'm going to have a look at this.
> 
> This looks like a bug.
> 
> From sslcontext.c, starting at line 977:
> 
> TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCertificateRaw)(TCN_STDARGS, jlong ctx,
>                                                          jbyteArray javaCert, jbyteArray javaKey, jint idx)
> {
> #ifdef HAVE_ECC
> #if defined(SSL_CTX_set_ecdh_auto)
>     EC_KEY *eckey = NULL;
> #endif
> #endif
> 
> 
> [...]
> 
> #ifdef HAVE_ECC
>     /*
>      * TODO try to read the ECDH curve name from somewhere...
>      */
> #if defined(SSL_CTX_set_ecdh_auto)
>     SSL_CTX_set_ecdh_auto(c->ctx, 1);
> #else
>     eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
>     SSL_CTX_set_tmp_ecdh(c->ctx, eckey);
>     EC_KEY_free(eckey);
> #endif
> #endif
> 
> The local variable 'eckey' is defined only if both HAVE_ECC and
> SSL_CTX_set_ecdh_auto are defined, but in the lower usage, eckey is
> ignored when SSL_CTX_set_ecdh_auto is set and used when it is not set.
> 
> I suspect the intended implementation was to have the upper #ifdef
> SSL_CTX_set_ecdh_auto actually be "#ifndef" instead.
> 
> I think we have to re-roll the release since tcnative is broken.

Irrespective of the above, tc-native 1.2.x requires OpenSSL 1.0.2. If
you build with 1.0.2 then you should avoid this bug. It looks like the
change that introduced that was unnecessary.

Mark
