On 17.12.25 at 20:58, Mark Thomas wrote:
The key differences in version 2.0.11 compared to 2.0.9 are:

- The Windows binaries in this release have been built with OpenSSL
  3.5.4 and APR 1.7.6
- OCSP support is included (but not enabled) by default with various
  improvements to the OCSP checks
- Add the ability to configure TLS 1.3 ciphers

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x
onwards but can be used with earlier versions as long as the APR/native
connector is not used.

The proposed release artifacts can be found at [1],
and the build was done using tag [2].

The Apache Tomcat Native 2.0.11 release is
[ ] Stable, go ahead and release
[ ] Broken because of ...

I ran those unit tests from TC 9.0.113 and 10.1.50 which are TLS based
with the new tcnative versions 2.0.11 and 1.3.2. They fail in
TestClientCertTls13 for NIO and NIO2 with the following error:

Testcase: testClientCertPost[OpenSSL] took 0.104 sec
Caused an ERROR
Protocol handler initialization failed
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
    at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:93)
Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
Caused by: java.security.KeyManagementException: Error initializing SSL context
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)

Testcase: testClientCertGet[OpenSSL] took 0.033 sec
Caused an ERROR
Protocol handler initialization failed
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
    at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:81)
Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
Caused by: java.security.KeyManagementException: Error initializing SSL context
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)

Although this looks like an integration issue on my side ("could not
load the shared library") the same tests using the same scripts do not
fail for 2.0.9 and for 1.3.1. And other TLS based tests do not fail for
the new tcnative versions, only those. Since the tcnative code in
sslcontext.c changed in setCipherSuite() it is likely a failure caused
by the change.

Can anyone reproduce this?

Best regards,

Rainer