Summary: | libtcnative does not compile with OpenSSL < 1.1.0 and APR w/o threading support | | |
---|---|---|---|
Product: | Tomcat Native | Reporter: | Michael Osipov <michaelo> |
Component: | Library | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | michaelo |
Priority: | P2 | | |
Version: | unspecified | | |
Target Milestone: | --- | | |
Hardware: | All | | |
OS: | HP-UX | | |
Description
Michael Osipov
2019-08-19 09:58:12 UTC
Fix in 1.2.24 and onwards.

I think INVALID would have been a better resolution here. OpenSSL 1.1.0 and earlier are no longer supported.

There are probably still OpenSSL 1.1.0 and earlier specific workarounds in the Tomcat Native code base. We should be removing that cruft rather than continuing to fix build issues with unsupported OpenSSL versions.

Would keeping 1.0.1 for the FIPS support be incentive not to deprecate/remove support for 1.0.1 completely?

It is 1.0.2 that is required for FIPS support (and 1.0.2 is currently the minimum required OpenSSL version for Tomcat Native).

Yes, that is a good reason not to start removing the support for 1.0.2/1.1.0 just yet.

We need to factor in the timing of OpenSSL 3.0 as we figure out what we want to do with the APR/Native connector in Tomcat 10 and the impact that has on a possible Tomcat Native 2.0.

(In reply to Mark Thomas from comment #2)
> I think INVALID would have been a better resolution here. OpenSSL 1.1.0 and earlier are no longer supported.
>
> There are probably still OpenSSL 1.1.0 and earlier specific workarounds in the Tomcat Native code base. We should be removing that cruft rather than continuing to fix build issues with unsupported OpenSSL versions.

I concur because many OS vendors still bundle 1.0.2 and provide fixes to those. Only upstream is not supported anymore. E.g., default OpenSSL on RHEL 7 is still 1.0.2, as sad as it sounds.

(In reply to Michael Osipov from comment #5)
> (In reply to Mark Thomas from comment #2)
> > I think INVALID would have been a better resolution here. OpenSSL 1.1.0 and earlier are no longer supported.
> >
> > There are probably still OpenSSL 1.1.0 and earlier specific workarounds in the Tomcat Native code base. We should be removing that cruft rather than continuing to fix build issues with unsupported OpenSSL versions.
>
> I concur because many OS vendors still bundle 1.0.2 and provide fixes to those. Only upstream is not supported anymore. E.g., default OpenSSL on RHEL 7 is still 1.0.2, as sad as it sounds.

Here is the ref: https://access.redhat.com/discussions/4285911

I think that a potential libtcnative 2.0 can drop pre-1.1.1 support.