Hi,
Currently we use APACHE TOMCAT 9.0.69 which supports OpenSSL 1.1.1 version. We
would like to know the APACHE TOMCAT version that supports OpenSSL 3.0 with Java
8 version?
Does TOMCAT depend on OS (like RHEL, Windows, etc) for OpenSSL support or does
it package OpenSSL on its own?
Regards
Vivek Singh
-----Original Message-----
From: Mark Thomas
Sent: 15 February 2023 16:43
To: users@tomcat.apache.org
Subject: Re: Query about support for OpenSSL 1.1.1
On 15/02/2023 10:30, Vivek Naruka (EXT-NSB) wrote:
> Hi Tomcat Support Team,
>
> There is a new version of OpenSSL, i.e. OpenSSL 3.0, available for which Tomcat
> provides support in its newly released versions.
> We are using OpenSSL version 1.1.1 in our project and need to know if
> Tomcat will continue its support for OpenSSL 1.1.1 as well till year 2030.
Yes and no.
For Tomcat 9.0.x and earlier, OpenSSL provides the following optional features
via Tomcat Native 1.2.x:
- TLS support when using the HTTP APR/native connector
- an alternative to JSSE to provide TLS support for the HTTP NIO and
  NIO2 connectors
For Tomcat 10.1.x and later, the APR/native connector has been removed and
OpenSSL provides the following features via Tomcat Native 2.0.x:
- an alternative to JSSE to provide TLS support for the HTTP NIO and
  NIO2 connectors
Tomcat Native 1.2.x currently supports OpenSSL 1.0.2 onwards (including 3.0.x).
The minimum OpenSSL version could be increased to OpenSSL 1.1.1 onwards (along
with a version bump to Tomcat Native 1.3.x) but that work is fairly low
priority. Whether / when that update happens doesn't really change the answer
to your question.
Tomcat Native 2.0.x currently supports OpenSSL 3.0.x onwards.
End of Life for Tomcat 8.5.x has been announced as 31 March 2024.
No End of Life date has been announced for 9.0.x but major Tomcat versions
typically reach End of Life at ~3 year intervals so a reasonable guess for the
End of Life date for Tomcat 9.0.x is 31 March 2027.
Once Tomcat 9.0.x reaches End of Life, there will be no requirement to continue
supporting Tomcat Native 1.2.x so it seems likely that Tomcat Native 1.2.x will
reach End of Life at the same point.
Tomcat 9.x is a special case for End of Life as it is the final version that
supports Java EE. As such, once 9.0.x reaches end of life there will be 9.10.x
but that will pick up all the changes from 10.1.x apart from the switch from
the Java EE API to the Jakarta EE API. This means Tomcat 9.10.x will depend on
Tomcat Native 2.0.x (and OpenSSL 3.0.x).
So, from the ASF's perspective, Tomcat Native 1.2.x (including support for
OpenSSL 1.1.1) is expected to end some time around March 2027. It might be as much
as 18 months later but I don't see it extending as far as 2030.
All of that said, there are also downstream distributions of Apache Tomcat
provided by various Linux distributions. If you obtain Tomcat and Tomcat Native
via one of these distributions, it will remain supported by the distribution
for the standard support timescales for that distribution - irrespective of
whether or not the ASF has declared that version to have reached End of Life.
Finally, there are companies that provide commercial support for Tomcat that
may be prepared to offer support beyond that provided by the ASF.
My only word of caution is that if you opt to use such support, you should
assure yourself that the provider has the in-house expertise necessary to
back-port security fixes and produce updated Tomcat releases.
HTH,
Mark