<div class="container">
<h1>Recommended update for libtcnative-1-0</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2026:1377-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-04-16T07:19:34Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1260322">bsc#1260322</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP7</li>
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
<li class="list-group-item">Web and Scripting Module 15-SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for libtcnative-1-0 fixes the following issues:</p>
<p>Update to 1.3.7: [bsc#1260322]</p>
<p>1.3.7:
* Code: Refactor access to ASN1_OCTET_STRING to use setters to fix
errors when building against the latest OpenSSL 4.0.x code. (markt)
* Fix: Fix the handling of OCSP requests with multiple responder URIs.
(jfclere)
* Fix: Fix the handling of TRY_AGAIN responses to OCSP requests when
soft fail is disabled. (jfclere)</p>
<p>1.3.6:</p>
<pre><code>* Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL and
SSL_CTX clean-up. (markt)
* Fix: Fix unnecessarily large buffer allocation when filtering out NULL
and export ciphers. Pull requests #35 and #37 provided by chenjp.
(markt)
* Fix: Fix a potential memory leak if an invalid OpenSSLConf is
provided. Pull request #36 provided by chenjp. (markt)
* Fix: Refactor setting of OCSP configuration defaults as they were only
applied if the SSL_CONF_CTX was used. While one was always used with
Tomcat versions aware of the OCSP configuration options, one was not
always used with Tomcat versions unaware of the OCSP configuration
options leading to OCSP verification being enabled by default when the
expected behaviour was disabled by default. (markt)
* Code: Improve performance for the rare case of handling large OCSP
responses. (markt)
</code></pre>
<p>1.3.5:</p>
<pre><code>* Fix: Remove group write permissions from the files in the tar.gz
source archive. (markt)
* Fix: Clear an additional error in OCSP processing that was preventing
OCSP soft fail working with Tomcat's APR/native connector. (markt)
</code></pre>
<p>1.3.4:</p>
<pre><code>* Fix: Correct logic error that prevented the configuration of TLS 1.3
cipher suites. (markt)
</code></pre>
<p>1.3.3;</p>
<pre><code>* Fix: Refactor the addition of TLS 1.3 cipher suite configuration to
avoid a regression when running a version of Tomcat that pre-dates
this change. (markt)
</code></pre>
<p>1.3.2:</p>
<pre><code>* Update: Rename configure.in to modern autotools style configure.ac.
(rjung)
* Update: Fix incomplete updates for autotools generated files during
"buildconf" execution. (rjung)
* Update: Improve quoting in tcnative.m4. (rjung)
* Update: Update the minimum version of autoconf for releasing to 2.68.
(rjung)
* Fix: Fix the autoconf warnings when creating a release. (markt)
* Update: The Windows binaries are now built with OCSP support enabled
by default. (markt)
* Add: Include a nonce with OCSP requests and check the nonce, if any,
in the OCSP response. (markt)
* Add: Expand verification of OCSP responses. (markt)
* Add: Add the ability to configure the OCSP checks to soft-fail - i.e.
if the responder cannot be contacted or fails to respond in a timely
manner the OCSP check will not fail. (markt)
* Add: Add a configurable timeout to the writing of OCSP requests and
reading of OCSP responses. (markt)
* Add: Add the ability to control the OCSP verification flags. (markt)
* Add: Configure TLS 1.3 connections from the provided ciphers list as
well as connections using TLS 1.2 and earlier. Pull request provided
by gastush. (markt)
* Update: Update the Windows build environment to use Visual Studio
2022. (markt)
</code></pre>
<p>1.3.1:</p>
<pre><code>* Fix: Fix a crash on Windows when SSLContext.setCACertificate() is
invoked with a null value for caCertificateFile and a non-null value
for caCertificatePath until properly addressed with
https://github.com/openssl/openssl/issues/24416. (michaelo)
* Add: Use ERR_error_string_n with a definite buffer length as a named
constant. (schultz)
* Add: Ensure local reference capacity is available when creating new
arrays and Strings. (schultz)
* Update: Update the recommended minimum version of OpenSSL to 3.0.14.
(markt)
</code></pre>
<p>1.3.0:</p>
<pre><code>* Update: Drop useless compile.optimize option. (michaelo)
* Update: Align Java source compile configuration with Tomcat.
(michaelo)
* Fix: Fix version set in DLL header on Windows. (michaelo)
* Update: Remove an unreachable if condition around CRLs in
sslcontext.c. (michaelo)
* Fix: 67818: When calling SSL.setVerify() or SSLContext.setVerify(),
the default verify paths are no longer set. Only the explicitly
configured trust store, if any, will be used. (michaelo)
* Update: Update the minimum supported version of LibreSSL to 3.5.2.
(markt)
* Design: Remove NPN support as NPN was never standardised and browser
support was removed in 2019. (markt)
* Update: Update the recommended minimum version of OpenSSL to 3.0.13.
(markt)
</code></pre>
<p>Update to 1.2.39:</p>
<ul>
<li>Fix: 67061: If the insecure optionalNoCA certificate verification
mode is used, disable OCSP if enabled else client certificates
from unknown certificate authorities will be rejected.</li>
<li>Update: Update the recommended minimum version of OpenSSL to
3.0.11.</li>
<li>Change the hardcoded libopenssl-1_1-devel to libopenssl-devel
for distributions that have the right version</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Web and Scripting Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1377=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP6 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1377=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1377=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch SUSE-2026-1377=1 openSUSE-SLE-15.6-2026-1377=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-1377=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Web and Scripting Module 15-SP7 (aarch64 ppc64le s390x x86_64)
<ul>
<li>libtcnative-1-0-debugsource-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-debuginfo-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-devel-1.3.7-150600.16.3.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
<ul>
<li>libtcnative-1-0-debugsource-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-debuginfo-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-devel-1.3.7-150600.16.3.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
<ul>
<li>libtcnative-1-0-debugsource-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-debuginfo-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-devel-1.3.7-150600.16.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>libtcnative-1-0-debugsource-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-debuginfo-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-devel-1.3.7-150600.16.3.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
<ul>
<li>libtcnative-1-0-debugsource-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-debuginfo-1.3.7-150600.16.3.1</li>
<li>libtcnative-1-0-1.3.7-150600.16.3.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1260322">https://bugzilla.suse.com/show_bug.cgi?id=1260322</a>
</li>
</ul>
</div>