On 19/10/17 16:56, Mark Thomas wrote:
> On 19 October 2017 15:11:19 BST, Brian Clozel <bclo...@pivotal.io> wrote:
>> Hi,
>>
>> More and more servers are choosing to make available one or more solutions
>> to use TLS native stacks by shipping them as JARs:
>>
>> * Netty has quite a few options there
>> http://netty.io/wiki/forked-tomcat-native.html
>> * Jetty is now shipping Conscrypt support as well
>> https://webtide.com/conscrypting-native-ssl-for-jetty/
>>
> 
> How does shipping a native library in a JAR work? What makes it simpler than 
> building from source?

Found the answer to my own question. Netty unpacks the native library
into a temporary directory and loads it from there.

Packaging in a JAR is simply a convenience to enable end users to use
their build tool of choice to pull in the library. For Tomcat, this
would be useful for the embedded scenario. The full binary distributions
could leverage the same mechanism or they could do something different.
That would increase the number of binary builds we needed to do for a
release.

Mark

> (Past experience of providing binaries for OS other than Windows is that the 
> number of different builds rapidly multiplies - hence source only at the 
> moment.)
> 
>> I know there are other solutions for that, like changing the boot classpath
>> or installing native libraries directly on the host operating system. But
>> those solutions aren't always super easy to achieve in cloud environments;
>> there are also questions on this mailing list around
>> tomcat+tcnative+openssl versions compatibility.
>>
>> Would the Tomcat community consider shipping JARs (with classifier and uber
>> JARs) containing the required native libraries (libtcnative + openssl +
>> apr)?
> 
> In principle no reason why not but more detail on the requirements is needed.
> 
>> Bonus question: would you consider supporting boringssl or libressl?
> 
> Libressl is supported as of 1.2.13 apart from some features where we need 
> functionality not available in libressl (I forget what those features were 
> but I don't think they were significant)
> 
> Boringssl should be doable as well but I don't think anyone has tried it yet.
> 
> Mark
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
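
The unpack-to-a-temporary-directory-and-load mechanism described in the reply above, as an added example that is not part of the original thread and is neither Netty's nor Tomcat's code. The class name, resource path and digest argument are hypothetical, and HexFormat assumes Java 17 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.MessageDigest;
import java.util.HexFormat;

// Hypothetical helper: loads a native library that ships inside the JAR.
public final class NativeLibUnpacker {

    static Path unpackAndLoad(String resource, String expectedSha256Hex) throws Exception {
        // Read the bundled library from the classpath (i.e. from inside the JAR).
        byte[] bytes;
        try (InputStream in = NativeLibUnpacker.class.getResourceAsStream(resource)) {
            if (in == null) throw new IOException("resource not found: " + resource);
            bytes = in.readAllBytes();
        }

        // Check integrity before anything touches the disk.
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(bytes);
        byte[] expected = HexFormat.of().parseHex(expectedSha256Hex);
        if (!MessageDigest.isEqual(actual, expected)) {
            throw new SecurityException("digest mismatch for " + resource);
        }

        // Unpredictable directory name; owner-only (0700) where POSIX
        // permissions exist, platform defaults elsewhere (e.g. Windows).
        boolean posix = FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
        Path dir = posix
                ? Files.createTempDirectory("native-", PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rwx------")))
                : Files.createTempDirectory("native-");

        // CREATE_NEW fails if the file already exists instead of overwriting it.
        Path lib = dir.resolve(resource.substring(resource.lastIndexOf('/') + 1));
        Files.write(lib, bytes, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);

        System.load(lib.toAbsolutePath().toString()); // needs an absolute path
        return lib;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: resource path, e.g. /META-INF/native/libexample.so (placeholder)
        // args[1]: expected SHA-256 of that resource, hex encoded
        System.out.println("loaded " + unpackAndLoad(args[0], args[1]));
    }
}
```

On hosts where the temporary directory is mounted noexec, System.load fails with UnsatisfiedLinkError, so deployments of this kind usually need java.io.tmpdir pointed at a location that permits execution.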

