On 15/02/2023 10:30, Vivek Naruka (EXT-NSB) wrote:
> Hi Tomcat Support Team,
> There is a new version of OpenSSL, i.e. OpenSSL 3.0, available, for which Tomcat
> provides support in its newly released versions.
> We are using OpenSSL version 1.1.1 in our project and need to know if
> Tomcat will continue its support for OpenSSL 1.1.1 as well until the year 2030.

Yes and no.
For Tomcat 9.0.x and earlier, OpenSSL provides the following optional
features via Tomcat Native 1.2.x:
- TLS support when using the HTTP APR/native connector
- an alternative to JSSE to provide TLS support for the HTTP NIO and
NIO2 connectors
For Tomcat 10.1.x and later, the APR/native connector has been removed
and OpenSSL provides the following features via Tomcat Native 2.0.x:
- an alternative to JSSE to provide TLS support for the HTTP NIO and
NIO2 connectors
Tomcat Native 1.2.x currently supports OpenSSL 1.0.2 onwards (including
3.0.x). The minimum OpenSSL version could be increased to OpenSSL 1.1.1
onwards (along with a version bump to Tomcat Native 1.3.x) but that work
is fairly low priority. Whether / when that update happens doesn't
really change the answer to your question.
Tomcat Native 2.0.x currently supports OpenSSL 3.0.x onwards.
End of Life for Tomcat 8.5.x has been announced as 31 March 2024.
No End of Life date has been announced for 9.0.x but major Tomcat
versions typically reach End of Life at ~3 year intervals so a
reasonable guess for the End of Life date for Tomcat 9.0.x is 31 March 2027.
Once Tomcat 9.0.x reaches End of Life, there will be no requirement to
continue supporting Tomcat Native 1.2.x so it seems likely that Tomcat
Native 1.2.x will reach End of Life at the same point.
Tomcat 9.x is a special case for End of Life as it is the final version
that supports Java EE. As such, once 9.0.x reaches end of life there
will be 9.10.x but that will pick up all the changes from 10.1.x apart
from the switch from the Java EE API to the Jakarta EE API. This means
Tomcat 9.10.x will depend on Tomcat Native 2.0.x (and OpenSSL 3.0.x).
So, from the ASF's perspective, Tomcat Native 1.2.x (including support
for OpenSSL 1.1.1) is expected to end some time around March 2027. It might
be as much as 18 months later but I don't see it extending as far as 2030.
All of that said, there are also downstream distributions of Apache
Tomcat provided by various Linux distributions. If you obtain Tomcat and
Tomcat Native via one of these distributions, it will remain supported
by the distribution for the standard support timescales for that
distribution - irrespective of whether or not the ASF has declared that
version to have reached End of Life.
Finally, there are companies that provide commercial support for Tomcat
that may be prepared to offer support beyond that provided by the ASF.
My only word of caution is that if you opt to use such support, you
should assure yourself that the provider has the in-house expertise
necessary to back-port security fixes and produce updated Tomcat releases.
HTH,
Mark