  Preface

   This is the Changelog for Tomcat Native 1.3.x. The Tomcat Native 1.3.x
   branch started from the 1.2.39 tag.

  1.3.6

     * Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL and
       SSL_CTX clean-up. (markt)
     * Fix: Fix unnecessarily large buffer allocation when filtering out NULL
       and export ciphers. Pull requests #35 and #37 provided by chenjp.
       (markt)
     * Fix: Fix a potential memory leak if an invalid OpenSSLConf is
       provided. Pull request #36 provided by chenjp. (markt)
     * Fix: Refactor setting of OCSP configuration defaults as they were only
       applied if the SSL_CONF_CTX was used. While one was always used wth
       Tomcat versions aware of the OCSP configuration options, one was not
       always used with Tomcat versions unaware of the OCSP configuration
       options leading to OCSP verification being enabled by default when the
       expected behaviour was disabled by default. (markt)
     * Code: Improve performance for the rare case of handling large OCSP
       responses. (markt)

  2026-01-19 1.3.5

     * Fix: Remove group write permissions from the files in the tar.gz
       source archive. (markt)
     * Fix: Clear an additional error in OCSP processing that was preventing
       OCSP soft fail working with Tomcat's APR/native connector. (markt)

  2026-01-12 1.3.4

     * Fix: Correct logic error that prevented the configuration of TLS 1.3
       cipher suites. (markt)

  not released 1.3.3

     * Fix: Refactor the addition of TLS 1.3 cipher suite configuration to
       avoid a regression when running a version of Tomcat that pre-dates
       this change. (markt)

  not released 1.3.2

     * Update: Rename configure.in to modern autotools style configure.ac.
       (rjung)
     * Update: Fix incomplete updates for autotools generated files during
       "buildconf" execution. (rjung)
     * Update: Improve quoting in tcnative.m4. (rjung)
     * Update: Update the minimum version of autoconf for releasing to 2.68.
       (rjung)
     * Fix: Fix the autoconf warnings when creating a release. (markt)
     * Update: The Windows binaries are now built with OCSP support enabled
       by default. (markt)
     * Add: Include a nonce with OCSP requests and check the nonce, if any,
       in the OCSP response. (markt)
     * Add: Expand verification of OCSP responses. (markt)
     * Add: Add the ability to configure the OCSP checks to soft-fail - i.e.
       if the responder cannot be contacted or fails to respond in a timely
       manner the OCSP check will not fail. (markt)
     * Add: Add a configurable timeout to the writing of OCSP requests and
       reading of OCSP responses. (markt)
     * Add: Add the ability to control the OCSP verification flags. (markt)
     * Add: Configure TLS 1.3 connections from the provided ciphers list as
       well as connections using TLS 1.2 and earlier. Pull request provided
       by gastush. (markt)
     * Update: Update the Windows build environment to use Visual Studio
       2022. (markt)

  2024-07-24 1.3.1

     * Fix: Fix a crash on Windows when SSLContext.setCACertificate() is
       invoked with a null value for caCertificateFile and a non-null value
       for caCertificatePath until properly addressed with
       https://github.com/openssl/openssl/issues/24416. (michaelo)
     * Add: Use ERR_error_string_n with a definite buffer length as a named
       constant. (schultz)
     * Add: Ensure local reference capacity is available when creating new
       arrays and Strings. (schultz)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.14.
       (markt)

  2024-02-12 1.3.0

     * Update: Drop useless compile.optimize option. (michaelo)
     * Update: Align Java source compile configuration with Tomcat.
       (michaelo)
     * Fix: Fix version set in DLL header on Windows. (michaelo)
     * Update: Remove an unreachable if condition around CRLs in
       sslcontext.c. (michaelo)
     * Fix: 67818: When calling SSL.setVerify() or SSLContext.setVerify(),
       the default verify paths are no longer set. Only the explicitly
       configured trust store, if any, will be used. (michaelo)
     * Update: Update the minimum supported version of LibreSSL to 3.5.2.
       (markt)
     * Design: Remove NPN support as NPN was never standardised and browser
       support was removed in 2019. (markt)
     * Update: Update the recommended minimum version of OpenSSL to 3.0.13.
       (markt)

  Changes in 1.2.x

   Please see the 1.2.x changelog.

  Changes in 1.1.x

   Please see the 1.1.x changelog.

   Copyright  2008-2026, The Apache Software Foundation
