Preface

This is the Changelog for Apache Tomcat Native 2.0.x. The Tomcat Native 2.0.x branch started from the 1.2.33 tag.

Changes in 2.0.12

  • Fix: Refactor the addition of TLS 1.3 cipher suite configuration to avoid a regression when running a version of Tomcat that pre-dates this change. (markt)

Changes in 2.0.11 (not released)

  • Fix: Fix a reference to an uninitialized variable. (schultz)
  • Fix: Correct file names and update versions in native build instructions. (markt)
  • Update: Remove references to deprecated engine configuration. (markt)

Changes in 2.0.10 (not released)

  • Update: The Windows binaries are now built with OCSP support enabled by default. (markt)
  • Add: Include a nonce with OCSP requests and check the nonce, if any, in the OCSP response. (markt)
  • Add: Expand verification of OCSP responses. (markt)
  • Add: Add the ability to configure the OCSP checks to soft-fail - i.e. if the responder cannot be contacted or fails to respond in a timely manner the OCSP check will not fail. (markt)
  • Add: Add a configurable timeout to the writing of OCSP requests and reading of OCSP responses. (markt)
  • Add: Add the ability to control the OCSP verification flags. (markt)
  • Add: Configure TLS 1.3 connections from the provided ciphers list as well as connections using TLS 1.2 and earlier. Pull request provided by gastush. (markt)
  • Update: Remove out of date options from make file. (markt)
  • Update: Use automated configuration of DH parameters rather than deprecated callback. (markt)

Changes in 2.0.9

  • Update: Update the Windows build environment to use Visual Studio 2022. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 3.5.0. (markt)
  • Update: Update the recommended minimum version of APR to 1.7.6. (markt)

Changes in 2.0.8

  • Fix: Fix a crash on Windows when SSLContext.setCACertificate() is invoked with a null value for caCertificateFile and a non-null value for caCertificatePath until properly addressed with https://github.com/openssl/openssl/issues/24416. (michaelo)
  • Add: Use ERR_error_string_n with a definite buffer length as a named constant. (schultz)
  • Add: Ensure local reference capacity is available when creating new arrays and Strings. (schultz)
  • Update: Update the recommended minimum version of OpenSSL to 3.0.14. (markt)

Changes in 2.0.7

  • Add: 67538: Make use of Ant's <javaversion /> task to enforce the mininum Java build version. (michaelo)
  • Fix: 67615: Windows binary for version 2 has incorrect version suffix compared to the GNU autoconf version. (michaelo)
  • Update: Align default pass phrase prompt with HTTPd on Windows as well. (michaelo)
  • Fix: 67616: o.a.tomcat.jni.SSL contains useless check for old OpenSSL version. (michaelo)
  • Update: Drop useless compile.optimize option. (michaelo)
  • Update: Align Java source compile configuration with Tomcat. (michaelo)
  • Add: Add Ant version (1.10.2) requirement identical to Tomcat. (michaelo)
  • Update: Remove an unreachable if condition around CRLs in sslcontext.c. (michaelo)
  • Fix: 67818: When calling SSL.setVerify() or SSLContext.setVerify(), the default verify paths are no longer set. Only the explicitly configured trust store, if any, will be used. (michaelo)
  • Update: Update the recommended minimum version of OpenSSL to 3.0.13. (markt)

Changes in 2.0.6

  • Fix: 67061: If the insecure optionalNoCA certificate verification mode is used, disable OCSP if enabled else client certificates from unknown certificate authorities will be rejected. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 3.0.11. (markt)

Changes in 2.0.5

  • Update: 66666: Remove non-reachable functions from ssl.c. (michaelo)
  • Update: Align default pass phrase prompt with HTTPd. (michaelo)
  • Update: Rename configure.in to modern autotools style configure.ac. (rjung)
  • Update: Fix incomplete updates for autotools generated files during "buildconf" execution. (rjung)
  • Update: Improve quoting in tcnative.m4. (rjung)
  • Update: Update the minimum version of autoconf for releasing to 2.68. (rjung)
  • Fix: 66669: Fix memory leak in SNI processing. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 3.0.10. (markt)

Changes in 2.0.4

  • Update: Update the recommended minimum version of APR to 1.7.4. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 3.0.9. (markt)

Changes in 2.0.3

  • Update: Update the recommended minimum version of APR to 1.7.2. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 3.0.8. (markt)

Changes in 2.0.2

  • Update: Update the minimum supported version of LibreSSL to 3.5.2. Based on pull request #13 provided by orbea. (markt)
  • Fix: Fix build when building with rlibtool. Pull request #14 provided by orbea. (markt)

Changes in 2.0.1

  • Update: Update recommended OpenSSL version to 3.0.5 or later. (markt)

Changes in 2.0.0

  • Update: Update the minimum required version of OpenSSL to 3.0.0 and make it a madatory dependency. (markt)
  • Update: Update the minimum required version of APR to 1.7.0. (markt)
  • Design: Remove NPN support as NPN was never standardised and browser support was removed in 2019. (markt)
  • Add: Add support for using OpenSSL when the FIPS provider is configured as the default provider. (markt)
  • Design: Remove all API methods (and supporting code) that are not used by Tomcat 10.1.x to support the use of OpenSSL as a replacement for JSSE to provide TLS functionality. (markt)
  • Docs: Document the TLS rengotiation behaviour. (markt)
  • Update: Update the minimum required Java version to Java 11. (markt)
  • Update: Remove support for Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The minimum Windows version is now Windows 7 / Windows Server 2008 R2. (markt)
  • Docs: Add HOWTO-RELEASE.txt that describes the release process. (markt)
  • Fix: Fix the autoconf warnings when creating a release. (markt)

Changes in 1.3.x

Please see the 1.3.x changelog.

Changes in 1.2.x

Please see the 1.2.x changelog.

Changes in 1.1.x

Please see the 1.1.x changelog.