[Bug 64353] Add support for accessing server certificate from TLS context
https://bz.apache.org/bugzilla/show_bug.cgi?id=64353

--- Comment #1 from Bhavesh ---
Based on the discussion (https://www.mail-archive.com/users@tomcat.apache.org/msg142103.html) with Mark, please add the ability to get the SNI name used by TLS. For each request, this will give the ability to know the application, that is, the SNI hostname used to connect to the server.

--
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch main updated: Document some deprecations somewhere
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/main by this push:
     new ac6f75fd80 Document some deprecations somewhere
ac6f75fd80 is described below

commit ac6f75fd807f9c75c8479fcfd9326097f59f750d
Author: remm
AuthorDate: Fri Sep 1 15:53:38 2023 +0200

    Document some deprecations somewhere
---
 modules/openssl-foreign/openssl-tomcat.conf | 36 ++---
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/modules/openssl-foreign/openssl-tomcat.conf b/modules/openssl-foreign/openssl-tomcat.conf
index 0e7a6fdc04..5fab9dc305 100644
--- a/modules/openssl-foreign/openssl-tomcat.conf
+++ b/modules/openssl-foreign/openssl-tomcat.conf
@@ -61,31 +61,31 @@ --include-function CRYPTO_free # header: /usr/include/openssl/crypto.h --include-function OpenSSL_version # header: /usr/include/openssl/crypto.h --include-function OpenSSL_version_num # header: /usr/include/openssl/crypto.h ---include-constant OPENSSL_INIT_ENGINE_ALL_BUILTIN# header: /usr/include/openssl/crypto.h +--include-constant OPENSSL_INIT_ENGINE_ALL_BUILTIN# deprecated header: /usr/include/openssl/crypto.h Extracted from: /usr/include/openssl/dh.h ---include-function DH_free# header: /usr/include/openssl/dh.h ---include-function DH_new # header: /usr/include/openssl/dh.h ---include-function DH_set0_pqg# header: /usr/include/openssl/dh.h +--include-function DH_free# deprecated header: /usr/include/openssl/dh.h +--include-function DH_new # deprecated header: /usr/include/openssl/dh.h +--include-function DH_set0_pqg# deprecated header: /usr/include/openssl/dh.h Extracted from: /usr/include/openssl/ec.h --include-function d2i_ECPKParameters # header: /usr/include/openssl/ec.h --include-function EC_GROUP_free# header: /usr/include/openssl/ec.h --include-function EC_GROUP_get_curve_name # header: /usr/include/openssl/ec.h ---include-function EC_KEY_free # header: /usr/include/openssl/ec.h ---include-function EC_KEY_new_by_curve_name # header: /usr/include/openssl/ec.h +--include-function EC_KEY_free # deprecated header: /usr/include/openssl/ec.h +--include-function EC_KEY_new_by_curve_name # deprecated header: /usr/include/openssl/ec.h Extracted from: /usr/include/openssl/engine.h ---include-function ENGINE_by_id # header: /usr/include/openssl/engine.h ---include-function ENGINE_ctrl_cmd_string # header: /usr/include/openssl/engine.h ---include-function ENGINE_free # header: /usr/include/openssl/engine.h ---include-function ENGINE_load_private_key # header: /usr/include/openssl/engine.h ---include-function ENGINE_register_all_complete # header: /usr/include/openssl/engine.h ---include-function ENGINE_set_default # header: 
/usr/include/openssl/engine.h ---include-constant ENGINE_METHOD_ALL # header: /usr/include/openssl/engine.h +--include-function ENGINE_by_id # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_ctrl_cmd_string # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_free # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_load_private_key # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_register_all_complete # deprecated header: /usr/include/openssl/engine.h +--include-function ENGINE_set_default # deprecated header: /usr/include/openssl/engine.h +--include-constant ENGINE_METHOD_ALL# deprecated header: /usr/include/openssl/engine.h Extracted from: /usr/include/openssl/err.h @@ -141,8 +141,8 @@ Extracted from: /usr/include/openssl/pem.h --include-function PEM_ASN1_read_bio# header: /usr/include/openssl/pem.h ---include-function PEM_read_bio_DHparams# header: /usr/include/openssl/pem.h ---include-function PEM_read_bio_ECPKParameters # header: /usr/include/openssl/pem.h +--include-function PEM_read_bio_DHparams# deprecated header: /usr/include/openssl/pem.h +--include-function PEM_read_bio_ECPKParameters # deprecated header: /usr/include/openssl/pem.h --include-function PEM_r
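Review bot: the `# deprecated` markers added to the DH_*, EC_KEY_*, ENGINE_*, OPENSSL_INIT_ENGINE_ALL_BUILTIN and PEM_read_bio_DHparams/PEM_read_bio_ECPKParameters entries are comments only, so the generator that reads these `--include-function`/`--include-constant` options will keep emitting bindings for them and nothing flags a new caller; given that the companion commit 80293fe2d5 on this list notes the hand-added @Deprecated annotations in the generated classes are lost on regeneration, consider grouping these entries in one delimited block of the conf with a single comment stating they exist only for the OpenSSL < 3.0 path, so they can be removed together (and the generated @Deprecated markers re-derived) when that path is dropped.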
Buildbot success in on tomcat-11.0.x
Build status: Build succeeded!
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/112/builds/554
Blamelist: lihan, remm
Build Text: build successful
Status Detected: restored build
Build Source Stamp: [branch main] 80293fe2d556d82a2c332e1ce5291220bfdae5c0

Steps:
  worker_preparation: 0
  git: 0
  shell: 0
  shell_1: 0
  shell_2: 0
  shell_3: 0
  shell_4: 0
  shell_5: 0
  compile: 1
  shell_6: 0
  shell_7: 0
  shell_8: 0
  shell_9: 0
  Rsync docs to nightlies.apache.org: 0
  shell_10: 0
  Rsync RAT to nightlies.apache.org: 0
  compile_1: 1
  shell_11: 0
  Rsync Logs to nightlies.apache.org: 0

-- ASF Buildbot
[tomcat] branch main updated: Avoid deprecated OpenSSL APIs
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/main by this push:
     new 80293fe2d5 Avoid deprecated OpenSSL APIs
80293fe2d5 is described below

commit 80293fe2d556d82a2c332e1ce5291220bfdae5c0
Author: remm
AuthorDate: Fri Sep 1 12:43:53 2023 +0200

    Avoid deprecated OpenSSL APIs

    Not sure if this is fully identical to the previous code. A few oddities to investigate (EC with keystore ? DH auto use ?).
    Based on the mod_ssl rev 1908537. https://svn.apache.org/viewvc?view=revision&revision=1908537
    Use @Deprecated in the generated classes to spot calls. Will be removed when regenerating, unfortunately.
    Since there is no rush, leave in the OpenSSL < 3.0 code for now.
    Verified with org.apache.tomcat.util.net.TestSSLHostConfigCompat
---
 .../ciphers/OpenSSLCipherConfigurationParser.java  |  11 ++-
 .../util/net/openssl/panama/OpenSSLContext.java    | 101 -
 .../util/net/openssl/panama/OpenSSLLibrary.java    |  22 ++---
 .../org/apache/tomcat/util/openssl/openssl_h.java  |  14 +++
 .../net/openssl/panama/LocalStrings.properties     |   2 +
 5 files changed, 113 insertions(+), 37 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 13be8d5eae..90d0eaca7e 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -712,7 +712,16 @@ public class OpenSSLCipherConfigurationParser { init(); } String[] elements = expression.split(SEPARATOR); -// TODO: Handle PROFILE= using OpenSSL (if present, otherwise warn), then replace elements with that +// Handle PROFILE= using OpenSSL (if present, otherwise warn), then replace elements with that +if (elements.length == 1 && elements[0].startsWith("PROFILE=")) { +// Only use with Panama and if OpenSSL has been successfully loaded before +/* FIXME: Merge OpenSSL code first +if (JreCompat.isJre22Available() && OpenSSLStatus.isLibraryInitialized()) { +List cipherList = OpenSSLLibrary.findCiphers(elements[0]); +// Replace the original list with the profile contents +elements = cipherList.toArray(new String[0]); +}*/ +} LinkedHashSet ciphers = new LinkedHashSet<>(); Set removedCiphers = new HashSet<>(); for (String element : elements) { diff --git a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java index c482025a79..343efb13a1 100644 --- a/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java +++ b/modules/openssl-foreign/src/main/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java @@ -22,6 +22,7 @@ import java.lang.foreign.FunctionDescriptor; import java.lang.foreign.Linker; import java.lang.foreign.MemorySegment; import java.lang.foreign.SegmentAllocator; +import java.lang.foreign.SymbolLookup; import java.lang.foreign.ValueLayout; import java.lang.invoke.MethodHandle; import java.lang.invoke.MethodHandles; 
@@ -1113,32 +1114,65 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { // Try to read DH parameters from the (first) SSLCertificateFile if (index == SSL_AIDX_RSA) { bio = BIO_new_file(certificateFileNative, localArena.allocateFrom("r")); -var dh = PEM_read_bio_DHparams(bio, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); -BIO_free(bio); -// # define SSL_CTX_set_tmp_dh(sslCtx,dh) \ -// SSL_CTX_ctrl(sslCtx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) -if (!MemorySegment.NULL.equals(dh)) { -SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_TMP_DH(), 0, dh); -DH_free(dh); +if (OpenSSL_version_num() < 0x300fL) { +var dh = PEM_read_bio_DHparams(bio, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL); +BIO_free(bio); +// # define SSL_CTX_set_tmp_dh(sslCtx,dh) \ +// SSL_CTX_ctrl(sslCtx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh)) +if (!MemorySegment.NULL.equals(dh)) { +SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_TMP_DH(), 0, dh); +DH_free(dh); +} +} else { +
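Review bot: in the OpenSSLCipherConfigurationParser hunk, the new `if (elements.length == 1 && elements[0].startsWith("PROFILE="))` branch has its entire body commented out behind the FIXME, so it is a no-op and the "otherwise warn" half of the TODO it replaces is still not implemented: a `PROFILE=...` expression now falls through to the `for (String element : elements)` loop as an ordinary element with no diagnostic. Suggest either logging a warning inside the branch while the OpenSSL merge is pending, or keeping the TODO line so the gap stays visible.

Review bot: in the OpenSSLContext DH-parameters hunk, `OpenSSL_version_num() < 0x300fL` does not fit OpenSSL's version-number layout (MNNFFPPS: 3.0.0 is 0x30000000L and 1.1.1 reports 0x1010100fL), so the comparison is false for every real release and the `PEM_read_bio_DHparams` path that the commit message says should stay for OpenSSL < 3.0 is dead code; the intended constant is presumably `0x3000000fL`. Also, `BIO_free(bio)` was moved inside that branch, so the `else` branch (truncated in this mail) must free the BIO returned by `BIO_new_file` on every path or each context initialisation leaks one.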
[Bug 66005] Apache crashes, if there is a tomcat server, which can not be resolved
https://bz.apache.org/bugzilla/show_bug.cgi?id=66005

--- Comment #27 from Michael Osipov ---
(In reply to Josef Čejka from comment #21)
> Created attachment 38538 [details]
> Limit mod_jk.so exported symbols to "jk_module" only.
>
> I found the real culprit. Please ignore my previous patch.
>
> ATM the mod_jk.so library exports all internal symbols, so any other library loaded after it can bind its unresolved symbols on mod_jk.so. Glibc is checking dependencies and dlclose() does not unload a library on which another library depends. This breaks the Apache module reloading mechanism because the following dlopen() will return the already existing handler to mod_jk.so without re-initialization of global static variables, so they still contain already invalid memory pointers instead of NULL values.
>
> In my case the symbol "context_free@@LIBSELINUX_1.0" required by libkrb5support.so was bound to context_free from mod_jk.so instead of the function with the same name provided by libselinux.so.1, because mod_jk.so was loaded first. It occurred only if the nscd daemon was disabled and nsswitch had to load the krb5 libraries. I can easily reproduce the issue on SLES15-SP4 by disabling the nscd service. IMO this can also explain why Lothar reported that his issue disappeared after modifying nsswitch.conf.

Josef, kudos to your investigation skills!
[Bug 66005] Apache crashes, if there is a tomcat server, which can not be resolved
https://bz.apache.org/bugzilla/show_bug.cgi?id=66005

Michael Osipov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |micha...@apache.org
[Bug 66005] Apache crashes, if there is a tomcat server, which can not be resolved
https://bz.apache.org/bugzilla/show_bug.cgi?id=66005

--- Comment #26 from Michael Osipov ---
(In reply to Rainer Jung from comment #25)
> Not sure how highly nonportable, at least it uses libtool.
>
> Attributes are often used in GCC style. Do you have a concrete suggestion how to use them in a portable way to only export the jk_handler symbol?

Others supply a file of per-line symbols which should be visible externally. That can be made portable because all linkers support it.
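The symbol-export fix discussed in this thread (comment #21 as quoted in #27, and the per-line symbol file suggested in #26), as an added example that is not part of the bug report or of mod_jk: a one-symbol-per-line export list is turned into a GNU ld version script, a constructed stand-in module containing an internal `context_free` is built with and without that script, and `nm -D` shows whether the internal symbol still leaks into the dynamic symbol table where a later `dlopen` of libselinux could bind to it. Only the names `jk_module` and `context_free` come from the thread; the module source, file names and the helper functions `make_version_script` and `exported_context_free` are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the bug thread, not mod_jk code): restrict a shared
# module's exported symbols to an explicit list and verify the result with nm.
# Only jk_module and context_free come from the thread; everything else here
# (module source, file names, helper names) is constructed for the example.

# Turn a per-line symbol list (the portable input format comment #26 refers
# to) into a GNU ld version script: listed symbols stay global, everything
# else becomes local and no longer appears in the dynamic symbol table.
make_version_script() {
  list="$1"
  out="$2"
  {
    printf '{\n  global:\n'
    while IFS= read -r sym || [ -n "$sym" ]; do
      [ -n "$sym" ] && printf '    %s;\n' "$sym"
    done < "$list"
    printf '  local: *;\n};\n'
  } > "$out"
}

# Build a constructed stand-in module twice, plain and with the version
# script, and count the exported definitions of context_free in each build.
# Prints "before=N after=M", or "skip" when no GNU toolchain is available.
exported_context_free() {
  dir="$1"
  command -v cc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1 \
    || { echo skip; return 0; }

  cat > "$dir/mod.c" <<'EOF'
/* Constructed stand-in for mod_jk: the module entry symbol plus an internal
   helper whose name collides with libselinux's context_free. */
void context_free(void *p) { (void)p; }
int jk_module = 1;
EOF
  # The per-line list: only the module entry symbol is meant to be visible.
  printf 'jk_module\n' > "$dir/exports.txt"
  make_version_script "$dir/exports.txt" "$dir/exports.map"

  cc -shared -fPIC -o "$dir/mod_plain.so" "$dir/mod.c" || return 1
  # Non-GNU linkers (e.g. Apple ld) reject --version-script; report skip there.
  cc -shared -fPIC -Wl,--version-script="$dir/exports.map" \
     -o "$dir/mod_limited.so" "$dir/mod.c" 2>/dev/null \
    || { echo skip; return 0; }

  # nm -D lists the dynamic symbol table, i.e. exactly what another library
  # loaded later could bind its unresolved references to.
  before=$(nm -D --defined-only "$dir/mod_plain.so" | grep -c ' context_free$' || true)
  after=$(nm -D --defined-only "$dir/mod_limited.so" | grep -c ' context_free$' || true)
  echo "before=$before after=$after"
}

# Usage: exported_context_free "$(mktemp -d)"
```

On a Linux box with gcc and binutils the call prints `before=1 after=0`: the plain build exports `context_free`, the version-script build does not, so a later `dlopen` of a library needing `context_free@@LIBSELINUX_1.0` can no longer resolve it against the module. In a libtool-based build such as mod_jk's the same per-line file is passed with `-export-symbols exports.txt`, and libtool generates the equivalent linker input for the platform's linker.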