Mark,

On 7/4/22 07:23, Mark Thomas wrote:
> On 30/06/2022 17:55, Christopher Schultz wrote:
>> Mark,
>>
>> On 6/30/22 09:58, Mark Thomas wrote:
>>> This is the first release of the Tomcat Native 2.0.x branch. The major differences compared to the 1.2.x branch are:
>>>
>>> - JNI API has been reduced to just that required to support the use of
>>>    OpenSSL rather than JSSE for TLS connections. The APR/native connector
>>>    is not supported.
>>
>> This statement is confusing. I think it should say "JNI API has been reduced to just that required to support OpenSSL as a JSSE provider for TLS connections. The API/native connector is no longer supported in this branch."
>>
>> The confusion is over JSSE versus OpenSSL, which are not mutually exclusive. What we are doing AIUI is specifically using OpenSSL through JSSE, instead of going around JSSE and using OpenSSL directly (well, through APR-connections).
>
> Ack. I was trying to avoid saying we were using an OpenSSL based JSSE provider as we are not doing that. How about:
>
> "The JNI API has been reduced to just that required to support Tomcat's OpenSSL based TLS implementation. The APR/native connector is no longer supported in this branch."

That sounds okay. I forgot that OpenSSL isn't supported as an actual JSSE provider.

>>> - The minimum supported versions have been increased to OpenSSL 3.0.x,
>>>    Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2
>>
>> How much do we continue to rely on APR at this point? Usually, the reason to use APR is to take advantage of APR's pooling and e.g. connection-handling capabilities. As we are dropping support for the APR connector, the connection-handling capabilities are no longer required, and the pooling is really only helpful when delayed-cleanup of those pools is necessary.
>>
>> I think we can probably drop the APR dependency -- at least over time.
>
> I'm not convinced. We are mostly using APR for the memory management and I don't rate my chances of re-writing the TLS code without it whilst avoiding both bugs and memory leaks.
>
> Given the medium / long term direction (the project Panama code Rémy has been working on) I don't think the benefit of fully removing APR is worth the effort.

I generally agree with this.

>>> The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but can be used with earlier versions as long as the APR/native connector is not used.
>>>
>>> The proposed release artefacts can be found at [1],
>>> and the build was done using tag [2].
>>>
>>> The Apache Tomcat Native 2.0.0 release is
>>>   [ ] Stable, go ahead and release
>>>   [ ] Broken because of ...
>>>
>>> Thanks,
>>>
>>> Mark
>>
>> I will try to do some testing on 8.5.x
>
> Tx.

I obviously haven't found time for this, yet. :/

-chris

