On Wed, Jan 21, 2026 at 1:27 PM Mark Thomas <[email protected]> wrote:
>
> On 21/01/2026 11:57, Rémy Maucherat wrote:
> > On Wed, Jan 21, 2026 at 1:58 AM Mark Thomas <[email protected]> wrote:
> >>
> >> The proposed Apache Tomcat 11.0.17 release is now available for voting.
> >>
> >> The notable changes compared to 11.0.15 include:
> >>
> >> - For configuration consistency between OpenSSL and JSSE TLS
> >>   implementations, TLSv1.3 cipher suites included in the ciphers
> >>   attribute of an SSLHostConfig are now always ignored (previously
> >>   they would be ignored with OpenSSL implementations and used with
> >>   JSSE implementations) and a warning is logged that the cipher
> >>   suite has been ignored.
> >>
> >> - Expand OCSP support to JSSE based connections and expand OCSP
> >>   configuration options
> >>
> >> - Update Commons Daemon to 1.5.1.
> >>
> >> - Update Tomcat Native to 2.0.12 and increase the minimum version to
> >>   2.0.12 / 1.3.4
> >>
> >>
> >> For full details, see the change log:
> >> https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html
> >>
> >> Applications that run on Tomcat 9 and earlier will not run on Tomcat 11
> >> without changes. Java EE applications designed for Tomcat 9 and earlier
> >> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> >> will automatically convert them to Jakarta EE and copy them to the
> >> webapps directory. Applications using deprecated APIs may require
> >> further changes.
> >>
> >> It can be obtained from:
> >> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.17/
> >>
> >> The Maven staging repo is:
> >> https://repository.apache.org/content/repositories/orgapachetomcat-1577
> >>
> >> The tag is:
> >> https://github.com/apache/tomcat/tree/11.0.17
> >> c4ac38afc5edd64a71a000955fee47ee6f9c0e27
> >>
> >> The proposed 11.0.17 release is:
> >> [ ] -1 Broken - do not release
> >> [X] +1 Stable - go ahead and release as 11.0.17
>
> Thanks for voting.
>
> > Amazing you were able to find the NIO2 crash issue.
>
> Tx. It was having a reproducer that made it possible. The OCSP work has
> proved its worth even if hardly anyone ever uses it :)
>
> It looked a lot like a concurrency issue from the crash file but the
> challenge was it was always the termination code that failed. I spent a
> LONG time experimenting with OpenSSLContext before I thought to look at
> OpenSSLEngine.

Since it is the shutdown causing a crash, then I agree it has to be a
double free or an attempt to free a null. And OCSP uses conf config
unlike most other places which makes this a big suspect.

On CI there are still problems with OCSP though (it looks like the
same JVM crash ...):
https://nightlies.apache.org/tomcat/tomcat-11.0.x/logs/1967/TEST-org.apache.tomcat.util.net.ocsp.TestOcspTimeout.NIO2.txt

+1 for generalizing OCSP support. I was kinda thinking it was good
enough to have it in the FFM code only since it removes a lot of the
native code (Java/JSSE is used for the request and response
processing) and it's easy to debug, but ok.

Rémy

> Mark
