On 21.01.26 at 19:08, Mark Thomas wrote:
On 21/01/2026 17:54, Rémy Maucherat wrote:
On Wed, Jan 21, 2026 at 1:27 PM Mark Thomas <[email protected]> wrote:
On 21/01/2026 11:57, Rémy Maucherat wrote:
On Wed, Jan 21, 2026 at 1:58 AM Mark Thomas <[email protected]> wrote:
The proposed Apache Tomcat 11.0.17 release is now available for
voting.
The notable changes compared to 11.0.15 include:
- For configuration consistency between OpenSSL and JSSE TLS
implementations, TLSv1.3 cipher suites included in the ciphers
attribute of an SSLHostConfig are now always ignored (previously
they would be ignored with OpenSSL implementations and used with
JSSE implementations) and a warning is logged that the cipher
suite has been ignored.
- Expand OCSP support to JSSE based connections and expand OCSP
configuration options
- Update Commons Daemon to 1.5.1.
- Update Tomcat Native to 2.0.12 and increase the minimum version to
2.0.12 / 1.3.4
For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html
Applications that run on Tomcat 9 and earlier will not run on
Tomcat 11 without changes. Java EE applications designed for
Tomcat 9 and earlier may be placed in the
$CATALINA_BASE/webapps-javaee directory and Tomcat will
automatically convert them to Jakarta EE and copy them to the
webapps directory. Applications using deprecated APIs may require
further changes.
It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.17/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1577
The tag is:
https://github.com/apache/tomcat/tree/11.0.17
c4ac38afc5edd64a71a000955fee47ee6f9c0e27
The proposed 11.0.17 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.17
Thanks for voting.
Amazing you were able to find the NIO2 crash issue.
Tx. It was having a reproducer that made it possible. The OCSP work has
proved its worth even if hardly anyone ever uses it :)
It looked a lot like a concurrency issue from the crash file but the
challenge was it was always the termination code that failed. I spent a
LONG time experimenting with OpenSSLContext before I thought to look at
OpenSSLEngine.
Since it is the shutdown causing a crash, then I agree it has to be a
double free or an attempt to free a null. And OCSP uses conf config
unlike most other places which makes this a big suspect.
On CI there are still problems with OCSP though (it looks like the
same JVM crash ...):
https://nightlies.apache.org/tomcat/tomcat-11.0.x/logs/1967/TEST-org.apache.tomcat.util.net.ocsp.TestOcspTimeout.NIO2.txt
Different test. I wonder if it is tripping over something else of a
similar nature.
I'll add that to my TODO list.
Mark
A big applause from my side for finding that problem.
Tests on my platform and JVM vendor and version zoo look promising. No
crashes yet (I had those for years in various crypto related tests).
Neither with tcnative 1.3.5 nor with 2.0.12, and also not with those
versions plus the small cleanup commit applied today.
But it is still relatively early in the procedure to test all
combinations. I will report back once that result is more firm (or
proves wrong).
Some new tests are failing (not crashing), maybe related to using Java
8. Probably not a show stopper. I will summarize once I have a more
complete picture.
Thanks a lot and best regards,
Rainer
Thanks and regards,
Rainer