Re: (tomcat) branch 9.0.x updated: Drop method

Mon, 22 Sep 2025 23:19:18 -0700 

On 22/09/2025 22:11, Rémy Maucherat wrote:

On Mon, Sep 22, 2025 at 10:51 PM <[email protected]> wrote:


This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
      new bda8247f14 Drop method
bda8247f14 is described below

commit bda8247f142dc27ad56781f68448cbe9c848dce4
Author: remm <[email protected]>
AuthorDate: Mon Sep 22 22:48:09 2025 +0200

     Drop method

     Most likely acceptable since it is present only in 10.1.46.


I went ahead with backporting the more flexible post quantum crypto code since:
- The testsuite is ok and the new code has good test coverage, it will
not break with older stuff.
- The new functionality is not tested by the testsuite due to the lack
of a client for now. Sorry.
- From my testing, likely useful configurations work (example below).
- Not having to rely on the little trick where multiple certificates
were added to one OpenSSL context is better, and also good for JSSE
later. The certificate selection code is also more useful now as well.
- Tomcat 9 is supposed to be maintained for a long time, and not
having post quantum crypto could be a problem.

Example configuration:
     <Connector port="8443" protocol="HTTP/1.1"
                SSLEnabled="true" scheme="https" secure="true">
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
         <SSLHostConfig groups="MLKEM768, X25519MLKEM768">
             <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                          certificateKeystorePassword="changeit"
                          type="RSA" />
             <Certificate certificateKeystoreFile="conf/localhost-mldsa.jks"
                          certificateKeystorePassword="changeit"
                          type="MLDSA" />
         </SSLHostConfig>
     </Connector>

It does:
- If a strict client wants mlkem only, it can (this group is not
enabled by default, so it needs to have explicit configuration in both
the client and the server).
- Otherwise, hybrid.
- If a client wants the ml-dsa certificate, it works.
- Otherwise it will use the classic rsa certificate.


Very nice. I'll try and find some time to play with this.

and +1 on your reasoning for back-port.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]























					Reply via email to