Preface

This is the Changelog for Tomcat Native 1.2.

Changes in 1.2.39

  • Fix: 67061: If the insecure optionalNoCA certificate verification mode is used, disable OCSP if enabled else client certificates from unknown certificate authorities will be rejected. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 3.0.11. (markt)

Changes in 1.2.38

  • Update: Align default pass phrase prompt with HTTPd. (michaelo)
  • Fix: 66669: Fix memory leak in SNI processing. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 1.1.1v. (markt)

Changes in 1.2.37

  • Update: Update the recommended minimum version of APR to 1.7.4. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 1.1.1u. (markt)

Changes in 1.2.36

  • Update: Update the recommended minimum version of APR to 1.7.2. (markt)
  • Update: Update the recommended minimum version of OpenSSL to 1.1.1t. (markt)

Changes in 1.2.35

  • Docs: Document the TLS rengotiation behaviour. (markt)
  • Docs: Add HOWTO-RELEASE.txt that describes the release process. (markt)
  • Update: Update recommended OpenSSL version to 1.1.1q or later. (markt)

Changes in 1.2.34

  • Code: Refactor library initialization so it is compatible with Tomcat 10.1.x onwards where a number of Java classes have been removed. (markt)
  • Add: Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to allow clients to determine if the FIPS provider is being used when Tomcat Native is compiled against OpenSSL 3.x. (markt)

Changes in 1.2.33

  • Fix: 66035: Fix crash when attempting to read TLS session ID after a handshake failure. (schultz/markt)
  • Fix: Enable download_deps.sh to be called from any directory. Pull request #12 provided by Dimitrios Soumis. (markt)
  • Update: Update recommended OpenSSL version to 1.1.1o or later. (markt)

Changes in 1.2.32

  • Update: Update recommended OpenSSL version to 1.1.1n or later. (markt)
  • Fix: Fix release script so it works with the current git layout. (markt)

Changes in 1.2.31

  • Fix: 65441: Correct previous fix that enabled building to continue with OpenSSL 3.x. Patch provided by lzsiga. (markt)
  • Fix: 65659: Remove remaining reference to pkg-config which is no longer included in the Tomcat Native distribution. (markt)

Changes in 1.2.30

  • Add: 65181: Additional changes required to provided support for using OpenSSL Engines that use proprietary key formats. Based on a patch provided by Edin Hodzic. (markt)
  • Fix: 65329: Correct handling of WINVER in make file to use correct constant for Windows 7. Add constants for Windows 8, Windows 8.1 and Windows 10. Rename WINNT to WIN2k as it is used for Windows 2000 upwards, not Windows NT upwards. (markt)

Changes in 1.2.29 (not released)

  • Fix: Add a patch for APR that fixes an issue where some Windows systems in some configurations would only listen on IPv6 addresses on dual stack systems even though configured to listen on both IPv6 and IPv4 addresses. (michaelo)

Changes in 1.2.28

  • Fix: Correct a regression in the fix for 65181 that prevented an error message from being displayed if an invalid key file was provided and no OpenSSL Engine was configured. (markt)

Changes in 1.2.27

  • Add: 65181: Improve support for using OpenSSL Engines that use proprietary key formats. Patch provided by Edin Hodzic. (markt)
  • Update: Update recommended OpenSSL version to 1.1.1k or later. (markt)

Changes in 1.2.26

  • Fix: Enable building to continue against OpenSSL 3.x and 1.1.1. (markt)
  • Add: 64942: Expose support for Unix Domain Sockets in APR v1.6 and up. (minfrin)
  • Update: Update recommended OpenSSL version to 1.1.1i or later. (markt)

Changes in 1.2.25

  • Fix: Incomplete name mangling fix for C++ compilers in tcn_api.h. (michaelo)
  • Update: Improve OS-specific header include for native thread id. (michaelo)
  • Fix: Disable keylog callback support for LibreSSL. (michaelo)
  • Add: Add support for SSLContext.addChainCertificateRaw() with LibreSSL 2.9.1 and up. (michaelo)
  • Add: Add support for HP-UX's _lwp_self() in our ssl_thread_id(void). (michaelo)
  • Remove default option passed for rpath to linker on HP-UX. (michaelo)
  • Add: Add an option to allow the OCSP responder check to be bypassed. Note that if OCSP is enabled, a missing responder is now treated as an error. (jfclere)
  • Fix: 64429: Fix compilation with LibreSSL. (markt)

Changes in 1.2.24

  • Fix: 63671: libtcnative does not compile with OpenSSL < 1.1.0 and APR w/o threading support. (michaelo)
  • Fix: Correct configure message for OpenSSL libdir. (michaelo)
  • Update: 64260: Clean up install target. (michaelo)
  • Fix: 64315: configure output for OpenSSL wrong/incomplete sometimes. (michaelo)
  • Update: Drop obsolete build time workarounds for HP-UX. (michaelo)
  • Add: Add support for FreeBSD's pthread_getthreadid_np() in our ssl_thread_id(void). (michaelo)
  • Update: 63701: Use new OpenSSL initialisation process when building with OpenSSL 1.1.0 onwards. (mturk)
  • Add: 64316: Introduce tcn_get_thread_id(void) to reduce code duplication. (michaelo)
  • Fix: Fix linking against OpenSSL in non-standard locations on FreeBSD. (michaelo)

Changes in 1.2.23

  • Fix: Make file fixes to enable building with APR 1.7.x. (markt)
  • Fix: Switch to Windows 7 as the default target. (markt)
  • Update: Update minimum OpenSSL version to 1.0.2r. (markt)

Changes in 1.2.22

  • Fix: 63159: Unable to complete build when build directory is outside of the source tree. Patch provided by Bob Huemmer. (markt)
  • Fix: 63356: Fix client certificate authentication when a certificate contains an AIA extension without an OCSP URI. Patch provided by Milind Takawale. (markt)
  • Fix: 63500: Fix JVM crash on Connector start when a certificate revocation file or path is specified for OpenSSL. (markt)
  • Add: Add support for TLS key logging when using OpenSSL 1.1.1 or later. If the environment variable SSLKEYLOGFILE is set then the TLS keys will be logged to that file. Patch provided by John Kelly. (markt)
  • Fix: Update build script after migration of soucre repository from Subversion to Git. (markt)

Changes in 1.2.21

  • Fix: Correct a possible JVM crash during shutdown caused by a bug in the fix for the per connection memory leak included in 1.2.20. (rjung)

Changes in 1.2.20

  • Fix: Update includedir name to tomcat-native instead of apr. (csutherl)
  • Fix: Fix a minor memory leak. It occurred every time a TLS connector was started so the impact was very unlikely to be noticed. (markt)
  • Fix: Fix some minor memory leaks that could occur after error conditions during TLS connector initialisation. (markt)
  • Fix: Fix a per connection memory leak when using OpenSSL BIO. This is typically used when OpenSSL is providing the TLS support for NIO or NIO2. (markt)

Changes in 1.2.19

  • Fix: 62892: Fix memory leaks in OCSP handling. (jfclere)
  • Fix: 62944: Fix copy/paste error that prevented TLS 1.0 and TLS 1.1 from being used if TLS 1.3 was available. Patch provided by Dean Rasheed. (markt)
  • Fix: Include OpenSSL licensing information in the Tomcat Native binaries for Windows that are built with OpenSSL. (markt)
  • Update: Update recommended OpenSSL version to 1.0.2q or later. (markt)

Changes in 1.2.18

  • Fix: 62641: libtool invocations should use --tag=CC. (michaelo)
  • Code: Remove support for Netware as there has not been a supported Netware platform for a number of years. (markt)
  • Add: 62748: Add support for TLS 1.3 when built with OpenSSL 1.1.1 or equivalent. (schultz/markt)
  • Add: Expose the API necessary for CLIENT-CERT authentication to be correctly supported when using Tomcat's JSSE implementation backed by OpenSSL. (markt)

Changes in 1.2.17

  • Fix: 62094: Certificate verification using CRL with Tomcat APR connector does not work. (jfclere)
  • Fix: 62122: undefined symbol: SSL_COMP_free_compression_methods. (jfclere)
  • Fix: 62221: OCSP response processing uses always the first entry in the response. (jfclere)
  • Fix: Further clean-up in the OCSP extension logic. (jfclere)

Changes in 1.2.16

  • Fix: Further clean-up in the parsing of the OCSP extension. (markt)

Changes in 1.2.15

  • Update: Update recommended OpenSSL version to 1.0.2m. (markt)
  • Fix: Correctly calculate field lengths when parsing the OCSP extension so that longer values are read correctly. (markt)
  • Update: Update the recommended APR version to 1.6.3 or later. (markt)

Changes in 1.2.14

  • Fix: Fix a small memory leak during certificate initialization. (rjung)
  • Fix: Replace use of deprecated ASN1_STRING_data with ASN1_STRING_get0_data when building against OpenSSL 1.1.0 and newer. (rjung)
  • Fix: Fix a thread local key leak. Only relevant when doing SSL.initialize() and Library.terminate() a lot of times. (rjung)

Changes in 1.2.13

  • Fix: Add missing source files to Visual Studio project files. (wrowe)
  • Add: Add support for the OpenSSL SSL_CONF API. (rjung)
  • Add: Add SSLContext.getCiphers(). (rjung)
  • Add: Add method to add a single CA certificate to the list of CA certificates which are accepted as issuers of client certificates. (rjung)
  • Fix: Fix an error not announcing the correct CA list for client certificates during TLS handshake. (rjung)
  • Fix: Fix renegotiation to obtain a client certificate from a user agent. (markt)
  • Fix: 58434: Allow Tomcat Native to be compiled with LibreSSL. Note that some features may not be available when using LibreSSL. (markt)
  • Fix: 60290: When building Tomcat Native, don't ignore the value of CC if explicitly set. Patch provided by Michael Osipov. (markt)
  • Fix: 60301: When building Tomcat Native, allow the user to override the libtool specified by APR by setting the LIBTOOL environment variable. (markt)
  • Update: Update build to use APR 1.6.x, with 1.6.2 recommended. (markt)
  • Update: Update recommended OpenSSL version to 1.0.2l. (markt)

Changes in 1.2.12

  • Fix: Correct a regression in the fix for 59797 that triggered a JVM crash on shutdown in some Tomcat unit tests when using the APR/native connector. (markt)

Changes in 1.2.11

  • Fix: 52627: Prevent a crash in File.infoGet() caused by the use of uninitialised variables. Based on patch by Ilya Maykov. (markt)
  • Fix: 55113: Document the process for creating a static tc-native library with a FIPS-enabled OpenSSL and update the nmake make file to support the process. (markt)
  • Fix: 55114: Clean up building instructions for the native component and expand the instructions for building for Windows platforms. (markt)
  • Fix: 55938: Resolve remaining clang-analyzer warnings. Note that the use of -1 to indicate the full array in File.(read|write)[Full] has been removed since it was only partially implemented and the implementation was faulty. (markt)
  • Fix: 58082: Update unit tests to use JUnit 4. Refactor unit tests into separate tests and use an external to reference them in the same way an external is used to reference the main code. (markt)
  • Fix: 59797: Ensure that the per thread error hash maintained by OpenSSL is cleaned up as individual threads exit to ensure it does not grow too large. Patch provided by Nate Clark. (markt)
  • Fix: 59996: Correctly handle building tc-native on a 64-bit system when using an OpenSSL distribution that is not in /usr. (csutherl)
  • Fix: 60388: The --disable-maintainer-mode option of the configure script no longer enables the maintainer mode. (ebourg)
  • Update: Update minimum recommended OpenSSL version to 1.0.2k. (markt)

Changes in 1.2.10

  • Update: Update minimum recommended OpenSSL version to 1.0.2j. (markt)

Changes in 1.2.9

  • Update: Update minimum recommended OpenSSL version to 1.0.2i. (markt)

Changes in 1.2.8

  • Fix: 59616: Correct the Windows build files so that OCSP is correctly enabled and disabled in the respective Windows binaries. (markt)
  • Fix: Correctly handle OS level EAGAIN return codes during non-blocking TLS I/O. (markt)
  • Fix: Correct a potential performance problem identified by Nate Clark due to Tomcat Native providing OpenSSL with thread identifiers poorly suited to the hash function used by OpenSSL when selecting a bucket for the hash that holds the per thread error data. Tomcat Native on Windows and on Solaris were not affected. A fix has been applied for OSX and Linux. Other platforms may still be affected. (markt/rjung)

Changes in 1.2.7

  • Update: Update minimum recommended OpenSSL version to 1.0.2h. (markt)

Changes in 1.2.6

  • Update: Change the OpenSSL version check in configure to be fatal. (rjung)
  • Update: Use new OpenSSL 1.1.0 protocol version max and min API when creating a new SSL context. (rjung)
  • Update: Improve renegotiation code and make it compatible with OpenSSL 1.1.0. (rjung)
  • Code: OpenSSL 1.1.0 compatibility updates. (rjung)
  • Fix: Fix some compiler warnings in native ssl code. (rjung)
  • Add: Add support for using Java keystores for certificate chains. (markt)
  • Update: Remove the explicit CRL check when verifying certificates. The checks were already part of the internal certification verification since OpenSSL 0.9.7. Backport from mod_ssl. (rjung)

Changes in 1.2.5

  • Update: Enable OpenSSL version check in configure by default. It can be turned off using --disable-openssl-version-check. (rjung)
  • Fix: 59024: Native function versionString() and for OpenSSL 1.1.0 also version() (both in in ssl.c) now return the OpenSSL run time version, not the compile time version. (rjung)
  • Code: Track changes in the OpenSSL master branch so it is possible to build Tomcat Native with that branch. (billbarker)

Changes in 1.2.4

  • Fix: SSL.getHandshakeCount(), which was unused, now returns the handshake completed count rather than the handshake started count. (remm)

Changes in 1.2.3

  • Fix: Remove Java classes that do not have C implementation code for their native methods in the current library. They were used for NPN support which is superseded by ALPN support in the current code. (kkolinko)
  • Fix: Fix typo in declaration of a stub method used when the library is compiled without OpenSSL support. (kkolinko)
  • Fix: Fix the signature of the implementation of the native SSL method newSSL() in the case when OPENSSL is not available. (rjung)
  • Fix: Fix the signature of the implementation of the native SSLSocket method getInfoB() to return jbyteArray instead of jobject. This is consistent with what it actually returns and how the native Java method is declared. (rjung)
  • Add: Add support for using Java keystores for certificates and keys. (jfclere)
  • Code: Remove code that performs a read after a renegotiation that appears to be unnecessary with OpenSSL 1.0.2. (billbarker)
  • Add: Expose SSL_renegotiate to the Java API. (remm)

Changes in 1.2.2

  • Fix: Fix broken debug and maintainer mode build. (rjung)
  • Fix: Forward port additional fixes to the OpenSSL I/O to align it with non-OpenSSL I/O. (markt)

Changes in 1.2.1

  • Fix: 58566: Enable Tomcat Native 1.2.x to work with Tomcat releases that do not have the necessary Java code to support SNI. (markt)
  • Update: Minor rework of "buildconf" script. (rjung)
  • Fix: Fix APR dependency version expression in RPM spec file. (rjung)
  • Fix: Fix major library version number in Windows build files, RPM spec file and build description. (rjung)
  • Fix: Remove files "KEYS" and "download_deps.sh" from Windows (zip) source distribution. (rjung)
  • Fix: Fix "unused variable" compiler warning. (rjung)

Changes in 1.2.0

  • Add: Add support for TLS extension ALPN. (markt)
  • Add: Add support for TLS extension SNI (Server Name Indication). (markt)
  • Add: Add support for OpenSSL BIO. (jfclere)
  • Add: Support wakeable pollsets and add Poll.interrupt() API. (mturk)
  • Add: Add Pool.unmanaged() API. (mturk)
  • Update: APIs SSL.generateRSATempKey() and SSL.loadDSATempKey() have been removed. (rjung)
  • Update: The minimum required APR version is 1.4.3.
  • Update: The minimum required OpenSSL version is 1.0.2.

Changes in 1.1.x

Please see the 1.1.x changelog.