  Preface

   This is the Changelog for Apache Tomcat Native 2.0.x. The Tomcat Native
   2.0.x branch started from the 1.2.33 tag.

  2.0.13

     * Code: Due to various refactorings, the 2.0.x code no longer compiles
       with LibreSSL. Without a volunteer to maintain LibreSSL support, the
       LibreSSL code will be removed no earlier than 30 September 2026.
       (markt)
     * Fix: Remove group write permissions from the files in the tar.gz
       source archive. (markt)
     * Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL and
       SSL_CTX clean-up. (markt)
     * Fix: Fix unnecessarily large buffer allocation when filtering out NULL
       and export ciphers. Pull requests #35 and #37 provided by chenjp.
       (markt)
     * Fix: Fix a potential memory leak if an invalid OpenSSLConf is
       provided. Pull request #36 provided by chenjp. (markt)
     * Fix: Refactor setting of OCSP configuration defaults as they were only
       applied if the SSL_CONF_CTX was used. While one was always used with
       Tomcat versions aware of the OCSP configuration options, one was not
       always used with Tomcat versions unaware of the OCSP configuration
       options, leading to OCSP verification being enabled by default when
       the expected behaviour was disabled by default. (markt)
     * Code: Improve performance for the rare case of handling large OCSP
       responses. (markt)
     * Fix: 69939: Fix the cause of a crash with OpenSSL 3.0.x when a
       certificate PEM file does not contain explicit DH parameters. (markt)
     * Fix: Refactor extraction of ECDH curve name from the Certificate to
       avoid deprecated OpenSSL methods.
     * Fix: Refactor the native implementation of SSL.getTime() to avoid the
       Y2038 problem in SSL_SESSION_get_time() when running on a version of
       OpenSSL that includes the new SSL_SESSION_get_time_ex() method.
       (markt)

  2026-01-12 2.0.12

     * Fix: Refactor the addition of TLS 1.3 cipher suite configuration to
       avoid a regression when running a version of Tomcat that pre-dates
       this change. (markt)

  not released 2.0.11

     * Fix: Fix a reference to an uninitialized variable. (schultz)
     * Fix: Correct file names and update versions in native build
       instructions. (markt)
     * Update: Remove references to deprecated engine configuration. (markt)

  not released 2.0.10

     * Update: The Windows binaries are now built with OCSP support enabled
       by default. (markt)
     * Add: Include a nonce with OCSP requests and check the nonce, if any,
       in the OCSP response. (markt)
     * Add: Expand verification of OCSP responses. (markt)
     * Add: Add the ability to configure the OCSP checks to soft-fail - i.e.
       if the responder cannot be contacted or fails to respond in a timely
       manner the OCSP check will not fail. (markt)
     * Add: Add a configurable timeout to the writing of OCSP requests and
       reading of OCSP responses. (markt)
     * Add: Add the ability to control the OCSP verification flags. (markt)
     * Add: Configure TLS 1.3 connections from the provided ciphers list as
       well as connections using TLS 1.2 and earlier. Pull request provided
       by gastush. (markt)
     * Update: Remove out of date options from make file. (markt)
     * Update: Use automated configuration of DH parameters rather than
       deprecated callback. (markt)

  2025-05-29 2.0.9

     * Update: Update the Windows build environment to use Visual Studio
       2022. (markt)
     * Update: Update the recommended minimum version of OpenSSL to 3.5.0.
       (markt)
     * Update: Update the recommended minimum version of APR to 1.7.6.
       (markt)

  2024-07-24 2.0.8

     * Fix: Fix a crash on Windows when SSLContext.setCACertificate() is
       invoked with a null value for caCertificateFile and a non-null value
       for caCertificatePath until properly addressed with
       https://github.com/openssl/openssl/issues/24416. (michaelo)
     * Add: Use ERR_error_string_n with a definite buffer length as a named
       constant. (schultz)
     * Add: Ensure local reference capacity is available when creating new
       arrays and Strings. (schultz)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.14.
       (markt)

  2024-02-08 2.0.7

     * Add: 67538: Make use of Ant's <javaversion /> task to enforce the
       minimum Java build version. (michaelo)
     * Fix: 67615: Windows binary for version 2 has incorrect version suffix
       compared to the GNU autoconf version. (michaelo)
     * Update: Align default pass phrase prompt with HTTPd on Windows as
       well. (michaelo)
     * Fix: 67616: o.a.tomcat.jni.SSL contains useless check for old OpenSSL
       version. (michaelo)
     * Update: Drop useless compile.optimize option. (michaelo)
     * Update: Align Java source compile configuration with Tomcat.
       (michaelo)
     * Add: Add Ant version (1.10.2) requirement identical to Tomcat.
       (michaelo)
     * Update: Remove an unreachable if condition around CRLs in
       sslcontext.c. (michaelo)
     * Fix: 67818: When calling SSL.setVerify() or SSLContext.setVerify(),
       the default verify paths are no longer set. Only the explicitly
       configured trust store, if any, will be used. (michaelo)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.13.
       (markt)

  2023-10-02 2.0.6

     * Fix: 67061: If the insecure optionalNoCA certificate verification mode
       is used, disable OCSP if enabled, else client certificates from
       unknown certificate authorities will be rejected. (markt)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.11.
       (markt)

  2023-08-07 2.0.5

     * Update: 66666: Remove non-reachable functions from ssl.c. (michaelo)
     * Update: Align default pass phrase prompt with HTTPd. (michaelo)
     * Update: Rename configure.in to modern autotools style configure.ac.
       (rjung)
     * Update: Fix incomplete updates for autotools generated files during
       "buildconf" execution. (rjung)
     * Update: Improve quoting in tcnative.m4. (rjung)
     * Update: Update the minimum version of autoconf for releasing to 2.68.
       (rjung)
     * Fix: 66669: Fix memory leak in SNI processing. (markt)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.10.
       (markt)

  not released 2.0.4

     * Update: Update the recommended minimum version of APR to 1.7.4.
       (markt)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.9.
       (markt)

  2023-02-13 2.0.3

     * Update: Update the recommended minimum version of APR to 1.7.2.
       (markt)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.8.
       (markt)

  2022-11-08 2.0.2

     * Update: Update the minimum supported version of LibreSSL to 3.5.2.
       Based on pull request #13 provided by orbea. (markt)
     * Fix: Fix build when building with rlibtool. Pull request #14 provided
       by orbea. (markt)

  2022-07-12 2.0.1

     * Update: Update recommended OpenSSL version to 3.0.5 or later. (markt)

  not released 2.0.0

     * Update: Update the minimum required version of OpenSSL to 3.0.0 and
       make it a mandatory dependency. (markt)
     * Update: Update the minimum required version of APR to 1.7.0. (markt)
     * Design: Remove NPN support as NPN was never standardised and browser
       support was removed in 2019. (markt)
     * Add: Add support for using OpenSSL when the FIPS provider is
       configured as the default provider. (markt)
     * Design: Remove all API methods (and supporting code) that are not used
       by Tomcat 10.1.x to support the use of OpenSSL as a replacement for
       JSSE to provide TLS functionality. (markt)
     * Docs: Document the TLS renegotiation behaviour. (markt)
     * Update: Update the minimum required Java version to Java 11. (markt)
     * Update: Remove support for Windows 2000, Windows XP, Windows Server
       2003, Windows Vista and Windows Server 2008. The minimum Windows
       version is now Windows 7 / Windows Server 2008 R2. (markt)
     * Docs: Add HOWTO-RELEASE.txt that describes the release process.
       (markt)
     * Fix: Fix the autoconf warnings when creating a release. (markt)

  Changes in 1.3.x

   Please see the 1.3.x changelog.

  Changes in 1.2.x

   Please see the 1.2.x changelog.

  Changes in 1.1.x

   Please see the 1.1.x changelog.

   Copyright © 2008-2026, The Apache Software Foundation
