On 21/01/2026 17:54, Rémy Maucherat wrote:
On Wed, Jan 21, 2026 at 1:27 PM Mark Thomas <[email protected]> wrote:

On 21/01/2026 11:57, Rémy Maucherat wrote:
On Wed, Jan 21, 2026 at 1:58 AM Mark Thomas <[email protected]> wrote:

The proposed Apache Tomcat 11.0.17 release is now available for voting.

The notable changes compared to 11.0.15 include:

- For configuration consistency between OpenSSL and JSSE TLS
     implementations, TLSv1.3 cipher suites included in the ciphers
     attribute of an SSLHostConfig are now always ignored (previously
     they would be ignored with OpenSSL implementations and used with
     JSSE implementations) and a warning is logged that the cipher
     suite has been ignored.

- Expand OCSP support to JSSE based connections and expand OCSP
     configuration options

- Update Commons Daemon to 1.5.1.

- Update Tomcat Native to 2.0.12 and increase the minimum version to
     2.0.12 / 1.3.4


For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html

Applications that run on Tomcat 9 and earlier will not run on Tomcat 11
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory. Applications using deprecated APIs may require
further changes.

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.17/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1577

The tag is:
https://github.com/apache/tomcat/tree/11.0.17
c4ac38afc5edd64a71a000955fee47ee6f9c0e27

The proposed 11.0.17 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.17

Thanks for voting.

Amazing you were able to find the NIO2 crash issue.

Tx. It was having a reproducer that made it possible. The OCSP work has
proved its worth even if hardly anyone ever uses it :)

It looked a lot like a concurrency issue from the crash file but the
challenge was it was always the termination code that failed. I spent a
LONG time experimenting with OpenSSLContext before I thought to look at
OpenSSLEngine.

Since it is the shutdown causing a crash, then I agree it has to be a
double free or an attempt to free a null. And OCSP uses conf config
unlike most other places which makes this a big suspect.

On CI there are still problems with OCSP though (it looks like the
same JVM crash ...):
https://nightlies.apache.org/tomcat/tomcat-11.0.x/logs/1967/TEST-org.apache.tomcat.util.net.ocsp.TestOcspTimeout.NIO2.txt

Different test. I wonder if it is tripping over something else of a similar nature.

I'll add that to my TODO list.

Mark

+1 for generalizing OCSP support. I was kinda thinking it was good
enough to have it in the FFM code only since it removes a lot of the
native code (Java/JSSE is used for the request and response
processing) and it's easy to debug, but ok.

Rémy

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
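
An added example, not part of the original thread or of Tomcat's code: a Python check an operator could run before upgrading, listing SSLHostConfig elements whose ciphers attribute names TLSv1.3 suites, which per the announcement above are now ignored with a warning. The suite list is the five names from RFC 8446 and the sample server.xml is constructed; Tomcat's own matching may differ.

```python
import re
import xml.etree.ElementTree as ET

# TLS 1.3 cipher suites defined in RFC 8446 (names shared by IANA and OpenSSL).
# Assumption: Tomcat's own matching may differ from this exact-name check.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Constructed sample, not a real deployment's configuration.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig
          ciphers="TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256"/>
      <SSLHostConfig hostName="api.example.test"
          ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    </Connector>
  </Service>
</Server>
"""

def find_tls13_in_ciphers(server_xml):
    """Return [(hostName, [suite, ...])] for each SSLHostConfig whose
    ciphers attribute names one or more TLSv1.3 suites."""
    findings = []
    for host in ET.fromstring(server_xml).iter("SSLHostConfig"):
        # ciphers may be an OpenSSL-style ':' list or a comma-separated list.
        tokens = re.split(r"[:,\s]+", host.get("ciphers", ""))
        hits = []
        for token in tokens:
            if token.upper() in TLS13_SUITES and token.upper() not in hits:
                hits.append(token.upper())
        if hits:
            # "_default_" is the hostName Tomcat uses when none is given.
            findings.append((host.get("hostName", "_default_"), hits))
    return findings

if __name__ == "__main__":
    for name, suites in find_tls13_in_ciphers(SAMPLE_SERVER_XML):
        print(f"SSLHostConfig {name}: TLSv1.3 suites in ciphers: {', '.join(suites)}")
```

The second SSLHostConfig in the sample is not reported: its suites start with TLS_ but are TLS 1.2 suites, so a prefix match would produce false positives.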


