Re: 9.0.60 fix question

2022-04-07 Thread Rémy Maucherat
On Thu, Apr 7, 2022 at 8:41 PM Robert Hicks  wrote:
>
> - Fix potential thread-safety issue that could cause
>   HTTP/1.1 request processing to wait, and potentially timeout, waiting for
>   additional data when the full request has been received. (markt)
>
>
> What would that actually look like? Tomcat spinning its gears and not
> serving anything?

It would supposedly time out (then close) that single connection where
the issue occurred and that's it.

Rémy

> Thanks,
>
> Bob

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



9.0.60 fix question

2022-04-07 Thread Robert Hicks
   - Fix potential thread-safety issue that could cause
   HTTP/1.1 request processing to wait, and potentially timeout, waiting for
   additional data when the full request has been received. (markt)


What would that actually look like? Tomcat spinning its gears and not
serving anything?

Thanks,

Bob


Re: Tomcat Native and OpenSSL v3.0.2

2022-04-07 Thread Clay Lehman
Chris, Thanks for your help so far! I am digging into this some more today.

First off, once I started building APR from source instead of doing "yum
install apr-devel" - my main linking issue went away. So I think we are
getting close!!

Now I am struggling to get Spring Boot's embedded Tomcat to start up in the
APR mode.  Most of the blogs and docs I find are older and seem to be out
of date, or are otherwise not about embedded Tomcat.

With these JVM Params:
-Djava.library.path="/usr/lib/tcnative/lib"
-Dserver.ssl.certificate-key-file="/testkey.pem"
-Dserver.ssl.certificate-file="/testcert.pem"

Spring Boot / Tomcat fails to start with this error:
org.springframework.context.ApplicationContextException: Unable to start
web server; nested exception is
org.springframework.boot.web.server.WebServerException: Could not load key
store 'null'


I have found tomcat notes on using this connector:





But have not been able to figure out the right JVM params to tell Spring
Boot to work in that manner.

I am now trying to set up both .crt/.pem files AND ALSO the .pk12 to see
what happens

Thanks!
Clay


On Thu, Apr 7, 2022 at 1:22 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/6/22 07:57, Clay Lehman wrote:
> > "Make sure you have the same versions of libssl, libapr, and libtcnative
> > that you built yourself and not those that e.g. ship with the OS. Where
> > are all your .so files for libtcnative, libssl, and libapr?"
> >
> > Do you know if there are instructions on building these, or where the .so
> > files normally live?
>
> The default LD_LIBRARY_PATH for your system may have lots of stuff in
> it. You'll have to check your system to see.
>
> When Tomcat starts-up, the AprLifecycleListener should report all the
> versions of the various things it's using. Does it get that far, or does
> it choke before that?
>
> -chris
>
> > On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Clay,
> >>
> >> On 4/5/22 12:47, Clay Lehman wrote:
> >>> Hello!
> >>>
> >>> I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
> >>> an error on startup.  I have tried a ton of things, searched, read the docs
> >>> over and over, and cannot get past this.  Has anyone had success with this
> >>> setup?
> >>>
> >>> I created a fully working sample project and Dockerfile to demonstrate the
> >>> issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >>>
> >>> Thanks!
> >>>
> >>> Clay
> >>>
> >>> More info below
> >>>
> >>> Most of the examples and documentation that I have found is for old
> >>> versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> >>> v3.0.x so I suspect this is supported to some degree.
> >>>
> >>> I am testing this using a docker container for "Oracle Linux Server 8"
> >>> (specifically FROM openjdk:latest)  I am running embedded tomcat from
> >>> Spring Boot, but I don't suspect that is important for my issue.
> >>>
> >>> Notes about the setup steps (in the Dockerfile example):
> >>>
> >>> 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >>>    (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)
> >>>
> >>> RUN cd /usr/src \
> >>>    && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >>>    && tar -zxf openssl-3.0.2.tar.gz \
> >>>    && rm openssl-3.0.2.tar.gz \
> >>>    && cd openssl-3.0.2 \
> >>>    && ./config enable-fips && make -j8  && make -j8 install
> >>>
> >>> RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >>>    && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >>>
> >>> RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
> >>>
> >>> 2) Installed Tomcat Native from source:
> >>>    (https://tomcat.apache.org/native-doc/)
> >>>
> >>> RUN microdnf install apr-devel openssl-devel \
> >>>    && mkdir /usr/lib/tcnative
> >>>
> >>> RUN cd /usr/src \
> >>>    && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
> >>>    && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> >>>    && rm tomcat-native-1.2.32-src.tar.gz \
> >>>    && cd tomcat-native-1.2.32-src/native \
> >>>    && ./configure --with-api=/usr/bin/apr-1-config --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative \
> >>>    && make \
> >>>    && make install
> >>>
> >>> 3) Generate a self-signed certificate:
> >>>
> >>> RUN openssl req -x509 -newkey rsa:4096 -passout pass:test -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=test.lehmansoftware.com'
> >>>
> >>> 4) 

Re: Tomcat Native and OpenSSL v3.0.2

2022-04-07 Thread Christopher Schultz

Clay,

On 4/6/22 07:57, Clay Lehman wrote:
> "Make sure you have the same versions of libssl, libapr, and libtcnative
> that you built yourself and not those that e.g. ship with the OS. Where
> are all your .so files for libtcnative, libssl, and libapr?"
>
> Do you know if there are instructions on building these, or where the .so
> files normally live?

The default LD_LIBRARY_PATH for your system may have lots of stuff in
it. You'll have to check your system to see.

When Tomcat starts-up, the AprLifecycleListener should report all the
versions of the various things it's using. Does it get that far, or does
it choke before that?

-chris


> On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Clay,
>>
>> On 4/5/22 12:47, Clay Lehman wrote:
>>> Hello!
>>>
>>> I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
>>> an error on startup.  I have tried a ton of things, searched, read the docs
>>> over and over, and cannot get past this.  Has anyone had success with this
>>> setup?
>>>
>>> I created a fully working sample project and Dockerfile to demonstrate the
>>> issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
>>>
>>> Thanks!
>>>
>>> Clay
>>>
>>> More info below
>>>
>>> Most of the examples and documentation that I have found is for old
>>> versions of OpenSSL, but I do see some release notes mentioning OpenSSL
>>> v3.0.x so I suspect this is supported to some degree.
>>>
>>> I am testing this using a docker container for "Oracle Linux Server 8"
>>> (specifically FROM openjdk:latest)  I am running embedded tomcat from
>>> Spring Boot, but I don't suspect that is important for my issue.
>>>
>>> Notes about the setup steps (in the Dockerfile example):
>>>
>>> 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
>>>    (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)
>>>
>>> RUN cd /usr/src \
>>>    && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
>>>    && tar -zxf openssl-3.0.2.tar.gz \
>>>    && rm openssl-3.0.2.tar.gz \
>>>    && cd openssl-3.0.2 \
>>>    && ./config enable-fips && make -j8  && make -j8 install
>>>
>>> RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
>>>    && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
>>>
>>> RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
>>>
>>> 2) Installed Tomcat Native from source:
>>>    (https://tomcat.apache.org/native-doc/)
>>>
>>> RUN microdnf install apr-devel openssl-devel \
>>>    && mkdir /usr/lib/tcnative
>>>
>>> RUN cd /usr/src \
>>>    && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
>>>    && tar -xvf tomcat-native-1.2.32-src.tar.gz \
>>>    && rm tomcat-native-1.2.32-src.tar.gz \
>>>    && cd tomcat-native-1.2.32-src/native \
>>>    && ./configure --with-api=/usr/bin/apr-1-config --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative \
>>>    && make \
>>>    && make install
>>>
>>> 3) Generate a self-signed certificate:
>>>
>>> RUN openssl req -x509 -newkey rsa:4096 -passout pass:test -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=test.lehmansoftware.com'
>>>
>>> 4) To enable tomcat native, I pass these parameters:
>>>
>>> ENTRYPOINT java \
>>>    -Dserver.port=8443 \
>>>    -Dserver.ssl.enabled=true \
>>>    -Djava.library.path="/usr/lib/tcnative/lib" \
>>>    -Dserver.ssl.certificate-key-file="/testkey.pem" \
>>>    -Dserver.ssl.certificate-file="/testcert.pem" \
>>>    -jar app.jar
>>>
>>> 5) And finally, here is the error message that I receive on application
>>> startup trying to use tcnative.
>>>
>>> cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN [main] core.AprLifecycleListener - The Apache Tomcat Native library failed to load. The error reported was [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits]
>>> cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits
>>> cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]
>>
>> Looks like the build worked (right?) so any "undefined symbol" issues
>> you see must be related to the versions made available to the process at
>> runtime.
>>
>> Make sure you have the same versions of libssl, libapr, and libtcnative
>> that you built yourself and not those that e.g. ship with the OS. Where
>> are all your .so files for libtcnative, libssl, and libapr?
>>
>> -chris
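
Added example, not part of the thread: one way to run the check Chris describes, confirming that libtcnative resolves the libssl, libcrypto and libapr that were built from source rather than the OS copies, and that the resolved libcrypto exports the symbol from the error. `check_ldd` and `exports_symbol` are hypothetical helpers, the sample `ldd`/`nm` output is constructed, and `/usr/local/apr/lib` is assumed as the prefix of a source-built APR.

```shell
#!/bin/sh
# Added example, not code from the thread. All sample output is constructed.

# check_ldd LDD_TEXT PREFIX...
# Reads `ldd libtcnative-1.so` output and prints every libssl, libcrypto or
# libapr dependency that is missing or resolves outside the given prefixes.
# Returns 0 when all of them come from a listed prefix, 1 otherwise.
check_ldd() {
  _text=$1; shift
  _bad=0
  while read -r _name _arrow _path _rest; do
    case $_name in
      libssl.so*|libcrypto.so*|libapr-1.so*) ;;
      *) continue ;;
    esac
    _ok=0
    for _p in "$@"; do
      case $_path in "$_p"/*) _ok=1 ;; esac
    done
    if [ "$_ok" -eq 0 ]; then
      echo "$_name => $_path $_rest"
      _bad=1
    fi
  done <<EOF
$_text
EOF
  return "$_bad"
}

# exports_symbol NM_TEXT SYMBOL
# True when `nm -D --defined-only` output defines SYMBOL, with or without an
# @@VERSION suffix.
exports_symbol() {
  printf '%s\n' "$1" |
    awk -v s="$2" '{ sub(/@.*/, "", $3); if ($3 == s) f = 1 } END { exit !f }'
}

# Constructed: libtcnative resolving the OS copies of its dependencies.
LDD_OS='libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000200000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000100000)
libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00007f0000300000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'
# Constructed: dynamic symbols of a 1.1.1-era libcrypto.
NM_OS='00000000001a2b30 T EVP_PKEY_bits@@OPENSSL_1_1_0
00000000001a2c10 T EVP_PKEY_size@@OPENSSL_1_1_0'

check_ldd "$LDD_OS" /usr/local/lib /usr/local/apr/lib || echo "^ not from your builds"
exports_symbol "$NM_OS" EVP_PKEY_get_bits || echo "EVP_PKEY_get_bits is not exported"
```

In the container, pass it the output of `ldd /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32`, then the output of `nm -D --defined-only` for whichever libcrypto path that `ldd` output names.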




[ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is OPEN!

2022-04-07 Thread Christopher Schultz

All,

[Cross-posting to dev@, please reply to users@]

ApacheCon NA 2022 is back *in-person* in New Orleans, Louisiana. It will 
be held 3 - 6 October 2022 at the Canal Street Sheraton right next to 
the French Quarter.


The call-for-presentations is currently open and we are looking to fill 
a 3-day track for Tomcat, so please submit your proposals today!


https://www.apachecon.com/acna2022/
(The link at the top is a little obscure, but at the top of the page 
there is a "Call for Presentations" where you can submit a proposal).


Note that you don't have to have the presentation ready to go today in 
order to make a proposal. It's just gotta be ready around 30 seconds 
before you start to present it ;)


(There is a tradition at ApacheCon of editing one's slides during the
previous presentation. I don't recommend it, but anyone who is
intimidated by the process can rest assured that even repeat-presenters
are putting things together at the last moment.)


Anyone who has never attended an ApacheCon should consider making this
year their first: it's great fun, and you get to meet a lot of folks
from all over the ASF, not just the Tomcat or httpd people, but folks
working on projects you've never even heard of.


If you aren't sure if you are interested in presenting, or aren't sure
if you have the experience, knowledge, etc. to warrant a position as a
speaker, please consider the following:

1. This is a welcoming community
2. This community exists to serve YOU
3. You are a part of this community
4. Helping others within the community encourages others to do the same
5. Topics can be very wide-ranging. Here are some examples of
presentations from previous ApacheCon events:

  [From Committers / directly about Tomcat]
  - Running Apache Tomcat on GraalVM
  - Tomcat in clusters and clouds
  - Using Let's Encrypt with Tomcat
  - Securing Tomcat
  - Reverse-proxying Tomcat
  - Load balancing with Tomcat
  - Clustering with Tomcat

  [From Non-Committers or not directly about Tomcat]
  - Packaging Tomcat for Linux Distributions
  - I Love Lucee -- a Java implementation of Cold Fusion
  - Routing CDN traffic at scale using Tomcat
  - Secure Web Applications using Apache Fortress
  - Monitoring Tomcat; various tools
  - Building Reactive Applications on Tomcat
  - Troubleshooting performance using thread dumps
  - High Throughput Production Systems on Tomcat
  - Why I Love Open Source
  - Introduction to Spring Boot
  - Tomcat, TomEE, and Meecrowave
  - Apache Tomcat: Enabling Scripting Languages in JSPs

  If you are using Tomcat at $work and doing something interesting,
we'd love to hear about it.

6. You don't need to be the foremost expert in $feature to talk about it
7. We are actively looking for speakers to talk about these and other
topics:

  - Deploying Tomcat in an auto-scaling environment (e.g. AWS EBS)
  - Tomcat should really have [Feature X]
  - Whatever you think might be interesting!

Please consider speaking ESPECIALLY if you haven't done so before. If 
you are worried about whether your idea is good enough: don't. Just 
submit your idea to the CFP -- you don't have to write-up the 
presentation in order to submit an idea, just write a paragraph or two 
about what you want to do -- and the track chairpersons 
(chairpeople?[1]) will decide whether or not to include your 
presentation in the event. (And chances are good that if you submit an 
idea it will be accepted.)


Please reply to the users list with any questions you may have about
ApacheCon, the Tomcat track, or submitting a talk proposal.

Thanks,
-chris

On behalf of all ApacheCon 2022 Tomcat Track chairpersons


[1]
https://vignette.wikia.nocookie.net/rickandmorty/images/c/cd/Furniture.png/revision/latest/scale-to-width-down/1000?cb=20160910223642
