Re: Suggestion: Maven repository for Tomcat native library

2024-08-29 Thread Mark Thomas

On 27/08/2024 18:41, Mark Thomas wrote:

Please open a Bugzilla issue for this request so that it does not get lost.


https://bz.apache.org/bugzilla/show_bug.cgi?id=69299

Mark


On 09/08/2024 10:56, Harri Pesonen wrote:
Hello, currently the Tomcat Native library needs to be downloaded manually 
from here:

https://tomcat.apache.org/download-native.cgi

It would be better to download it from a Maven repository, so that we 
could upgrade the version more easily using Maven scripts.

Also we could see more easily when the version needs to be upgraded.
Normally a Maven repository contains only Java artifacts, but it is 
possible to upload binaries as well.
For example the Microsoft JDBC driver has the Java .jar in one artifact, and the 
native .dll in a separate artifact:


https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc_auth/12.8.0.x64

What say you?

-Harri



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






Re: Suggestion: Maven repository for Tomcat native library

2024-08-27 Thread Mark Thomas

Please open a Bugzilla issue for this request so that it does not get lost.

Mark

On 09/08/2024 10:56, Harri Pesonen wrote:

Hello, currently the Tomcat Native library needs to be downloaded manually from 
here:

https://tomcat.apache.org/download-native.cgi

It would be better to download it from a Maven repository, so that we could 
upgrade the version more easily using Maven scripts.
Also we could see more easily when the version needs to be upgraded.
Normally a Maven repository contains only Java artifacts, but it is possible to 
upload binaries as well.
For example the Microsoft JDBC driver has the Java .jar in one artifact, and the 
native .dll in a separate artifact:

https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc_auth/12.8.0.x64

What say you?

-Harri






Re: [Semi OT] Suggestion: Maven repository for Tomcat native library

2024-08-26 Thread Christopher Schultz

Harri,

On 8/12/24 03:26, Harri Pesonen wrote:

Tomcat native gives much better SSL connection performance, they say.
At least in Windows. I have not personally performed any tests though.

https://tomcat.apache.org/tomcat-9.0-doc/apr.html


I would love for you to do some of your own benchmarking to confirm.

If you are using libtcnative along with the NIO connector (which is the 
default configuration for Tomcat 9), then you are not using APR for 
sockets, buffers, and such. This will perform identically to the 
Java-provided cryptographic provider-based connector (for the sockets 
and buffers) but may have fewer buffer-copies in- and out- of the native 
realm. So a potential performance improvement over the APR connector.


Anyway.

The libtcnative library of course uses OpenSSL for cryptographic 
primitives which have historically been much faster than those provided 
by Java. IIRC, jfclere identified a JVM bug which causes older versions 
of Java to fail to detect hardware support for certain cryptographic 
algorithms (specifically, AES!) which caused the software-based 
implementation to be used instead. Also IIRC, jfclere says that this has 
been fixed "in recent JVMs" but I'm not sure of the details of which 
version(s) contain such a fix.


So I'd be quite happy to see if you see any significant difference 
between the two connectors (NIO+OpenSSL and NIO+JSSE) in your 
environment, Java version, etc.


-chris


-Original Message-
From: Christopher Schultz 
Sent: Saturday, 10 August 2024 0:51
To: users@tomcat.apache.org
Subject: Re: [Semi OT] Suggestion: Maven repository for Tomcat native library

Harri,

On 8/9/24 05:56, Harri Pesonen wrote:

Hello, currently the Tomcat Native library needs to be downloaded manually from 
here:

https://tomcat.apache.org/download-native.cgi

It would be better to download it from a Maven repository, so that we could 
upgrade the version more easily using Maven scripts.
Also we could see more easily when the version needs to be upgraded.
Normally a Maven repository contains only Java artifacts, but it is possible to 
upload binaries as well.
For example the Microsoft JDBC driver has the Java .jar in one artifact, and the 
native .dll in a separate artifact:

https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc_auth/12.8.0.x64

What say you?


I'm just academically curious: what do you need tcnative for?

-chris






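To run the comparison Chris asks for (NIO+OpenSSL versus NIO+JSSE on the same box and Java version), the following server.xml fragment is an added example, not from the thread or the Tomcat project's own configuration; the keystore path, password and ports are assumed placeholders.

```xml
<!-- Added example (Tomcat 9 server.xml fragments), not from the thread.
     Keystore path/password/ports are assumed placeholders. -->

<!-- Both variants: load libtcnative so OpenSSL is available to the NIO
     connector. The APR connector itself stays unused, as the reply describes. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />

<!-- Variant A: NIO connector, TLS handled by OpenSSL through libtcnative -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true"
           maxThreads="200">
    <SSLHostConfig>
        <!-- Assumed keystore; use the same one for both variants -->
        <Certificate certificateKeystoreFile="conf/localhost.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Variant B: identical connector, TLS handled by the JDK's JSSE provider -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           SSLEnabled="true"
           maxThreads="200">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Tomcat 9 selects OpenSSLImplementation automatically once libtcnative loads, so the explicit sslImplementationName on variant A only documents the intent; variant B forces JSSE even with the library present, which is what makes the two ports comparable.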



RE: [Semi OT] Suggestion: Maven repository for Tomcat native library

2024-08-12 Thread Harri Pesonen
Tomcat native gives much better SSL connection performance, they say.
At least in Windows. I have not personally performed any tests though.

https://tomcat.apache.org/tomcat-9.0-doc/apr.html

-Harri

-Original Message-
From: Christopher Schultz 
Sent: Saturday, 10 August 2024 0:51
To: users@tomcat.apache.org
Subject: Re: [Semi OT] Suggestion: Maven repository for Tomcat native library

Harri,

On 8/9/24 05:56, Harri Pesonen wrote:
> Hello, currently the Tomcat Native library needs to be downloaded manually from 
> here:
>
> https://tomcat.apache.org/download-native.cgi
>
> It would be better to download it from a Maven repository, so that we could 
> upgrade the version more easily using Maven scripts.
> Also we could see more easily when the version needs to be upgraded.
> Normally a Maven repository contains only Java artifacts, but it is possible to 
> upload binaries as well.
> For example the Microsoft JDBC driver has the Java .jar in one artifact, and the 
> native .dll in a separate artifact:
>
> https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc_auth/12.8.0.x64
>
> What say you?

I'm just academically curious: what do you need tcnative for?

-chris






Re: [Semi OT] Suggestion: Maven repository for Tomcat native library

2024-08-09 Thread Christopher Schultz

Harri,

On 8/9/24 05:56, Harri Pesonen wrote:

Hello, currently the Tomcat Native library needs to be downloaded manually from 
here:

https://tomcat.apache.org/download-native.cgi

It would be better to download it from a Maven repository, so that we could 
upgrade the version more easily using Maven scripts.
Also we could see more easily when the version needs to be upgraded.
Normally a Maven repository contains only Java artifacts, but it is possible to 
upload binaries as well.
For example the Microsoft JDBC driver has the Java .jar in one artifact, and the 
native .dll in a separate artifact:

https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc_auth/12.8.0.x64

What say you?


I'm just academically curious: what do you need tcnative for?

-chris




Suggestion: Maven repository for Tomcat native library

2024-08-09 Thread Harri Pesonen
Hello, currently the Tomcat Native library needs to be downloaded manually from 
here:

https://tomcat.apache.org/download-native.cgi

It would be better to download it from a Maven repository, so that we could 
upgrade the version more easily using Maven scripts.
Also we could see more easily when the version needs to be upgraded.
Normally a Maven repository contains only Java artifacts, but it is possible to 
upload binaries as well.
For example the Microsoft JDBC driver has the Java .jar in one artifact, and the 
native .dll in a separate artifact:

https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc_auth/12.8.0.x64

What say you?

-Harri


[ANN] Apache Tomcat Native 2.0.8 released

2024-07-24 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.8 stable.

The key features of this release are:

- Fix a crash on Windows when SSLContext.setCACertificate() is invoked
  with a null value for caCertificateFile and a non-null value for
  caCertificatePath
- The Windows binaries in this release have been built with OpenSSL
  3.0.14

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or 
later but can be used with earlier versions as long as the APR/native 
connector is not used.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL 
for SSL networking with Apache Tomcat.





Re: [ANN] Apache Tomcat Native 1.3.0 released

2024-02-13 Thread Mark Thomas

On 13/02/2024 10:21, Michael Osipov wrote:

On 2024/02/13 08:46:42 Mark Thomas wrote:

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.3.0 stable.

The key features of this release are:

- The minimum supported OpenSSL version is 1.1.1
- The minimum supported APR version is 1.6.3
- The Windows binaries in this release have been built with OpenSSL
  3.0.13

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html


This link is wrong, it leads me to Tomcat Native 2.0.x.


Sorry. Copy/paste error. The correct link is:

https://tomcat.apache.org/native-1.3-doc/miscellaneous/changelog.html

Mark




Re: [ANN] Apache Tomcat Native 1.3.0 released

2024-02-13 Thread Michael Osipov
On 2024/02/13 08:46:42 Mark Thomas wrote:
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat Native 1.3.0 stable.
> 
> The key features of this release are:
> 
> - The minimum supported OpenSSL version is 1.1.1
> - The minimum supported APR version is 1.6.3
> - The Windows binaries in this release have been built with OpenSSL
>   3.0.13
> 
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

This link is wrong, it leads me to Tomcat Native 2.0.x.




[ANN] Apache Tomcat Native 1.3.0 released

2024-02-13 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.3.0 stable.

The key features of this release are:

- The minimum supported OpenSSL version is 1.1.1
- The minimum supported APR version is 1.6.3
- The Windows binaries in this release have been built with OpenSSL
  3.0.13

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi


The Apache Tomcat Native Library 1.3.x provides a portable API for 
features not found in contemporary JDKs. It uses the Apache Portable 
Runtime as an operating system abstraction layer and OpenSSL for SSL 
networking, and allows optimal performance in production environments.





[ANN] Apache Tomcat Native 2.0.7 released

2024-02-13 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.7 stable.

The key features of this release are:

- Align default pass phrase prompt with httpd on Windows
- The Windows binaries in this release have been built with OpenSSL
  3.0.13

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or 
later but can be used with earlier versions as long as the APR/native 
connector is not used.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL 
for SSL networking with Apache Tomcat.





Re: [ANN] Apache Tomcat Native 1.2.39 released

2023-10-03 Thread Nithin P
Could you help me with where the Tomcat config files are placed in the Apache OFBiz application?

Nithin P

On Tue, 03 Oct 2023 14:38:46 +0530 Mark Thomas wrote ---



The Apache Tomcat team announces the immediate availability of Apache 
Tomcat Native 1.2.39 stable. 
 
The key features of this release are: 
 
- Disable OCSP if the insecure optionalNoCA certificate verification 
 option is used 
- The binaries for Windows in this release have been built with OpenSSL 
 3.0.11 
 
Please refer to the change log for the complete list of changes: 
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html 
 
Downloads: 
http://tomcat.apache.org/download-native.cgi 
 
The Apache Tomcat Native Library provides a portable API for features 
not found in contemporary JDKs. It uses the Apache Portable Runtime as an 
operating system abstraction layer and OpenSSL for SSL networking, and 
allows optimal performance in production environments. 
 



[ANN] Apache Tomcat Native 1.2.39 released

2023-10-03 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.39 stable.

The key features of this release are:

- Disable OCSP if the insecure optionalNoCA certificate verification
  option is used
- The binaries for Windows in this release have been built with OpenSSL
  3.0.11

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features
not found in contemporary JDKs. It uses the Apache Portable Runtime as an
operating system abstraction layer and OpenSSL for SSL networking, and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 2.0.6 released

2023-10-02 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.6 stable.

The key features of this release are:

- Disable OCSP if the insecure optionalNoCA certificate verification
  option is used
- The binaries for Windows in this release have been built with OpenSSL
  3.0.11

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or 
later but can be used with earlier versions as long as the APR/native 
connector is not used.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL 
for SSL networking with Apache Tomcat.





RE: Tomcat Native

2023-08-25 Thread Mcalexander, Jon J.
Thank you!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com

> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, August 24, 2023 5:01 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Native
> 
> On 24/08/2023 13:07, Mcalexander, Jon J. wrote:
> > Getting a 404 error when trying to download the binaries for 2.0.5
> >
> > https://dlcdn.apache.org/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.9-ocsp-win32-bin.zip
> >
> > Is this a known issue?
> 
> It is now.
> 
> The OpenSSL version numbers hadn't been updated. Should be fixed now.
> 
> Mark
> 
> 
> >
> 



Re: Tomcat Native

2023-08-24 Thread Mark Thomas

On 24/08/2023 13:07, Mcalexander, Jon J. wrote:

Getting a 404 error when trying to download the binaries for 2.0.5

https://dlcdn.apache.org/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.9-ocsp-win32-bin.zip

Is this a known issue?


It is now.

The OpenSSL version numbers hadn't been updated. Should be fixed now.

Mark




Re: Tomcat Native

2023-08-24 Thread Evan Rempel

You can get it from the archives area

https://archive.apache.org/dist/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.10-win32-bin.zip


On 2023-08-24 13:07, Mcalexander, Jon J. wrote:



Getting a 404 error when trying to download the binaries for 2.0.5

https://dlcdn.apache.org/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.9-ocsp-win32-bin.zip

Is this a known issue?

--
Evan Rempel 250.721.7691
Senior Systems Administrator erem...@uvic.ca
Data Centre Services, University Systems, University of Victoria





Tomcat Native

2023-08-24 Thread Mcalexander, Jon J.
Getting a 404 error when trying to download the binaries for 2.0.5

https://dlcdn.apache.org/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.9-ocsp-win32-bin.zip

Is this a known issue?




RE: RHEL 8.6 ==> Tomcat Native 1.2.32 ==> OpenSSLEngine could not initialize

2023-06-22 Thread S Abirami
Hi Christopher,

Thanks for the reply.
We found the solution for the problem.
For Tomcat Native, we had used the same '*.so' compiled on RHEL 7.9.
Once compiled on RHEL 8.6, it worked.

Regards,
Abirami.S

-Original Message-
From: Christopher Schultz  
Sent: Thursday, June 22, 2023 7:35 PM
To: users@tomcat.apache.org
Subject: Re: RHEL 8.6 ==> Tomcat Native 1.2.32 ==> OpenSSLEngine could not 
initialize

Hello,

On 6/22/23 07:47, S Abirami wrote:
> Hi  All,
> 
> Our application is using embedded Tomcat 9.0.62 in a RHEL Linux environment.
> Tomcat Native version: 1.2.32
> 
> OpenSSL version: OpenSSL 1.1.1k
> 
> After upgrading from RHEL 7.9 to RHEL 8.6, embedded Tomcat throws an 
> exception when starting the application for HTTPS.
> 
> org.apache.catalina.util.LifecycleBase handleSubClassException
> - Failed to start component [cmg.protocols.http.HTTPConnector]
> java.lang.NoClassDefFoundError: Could not initialize class 
> org.apache.tomcat.util.net.openssl.OpenSSLEngine
>  at 
> org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols
> (OpenSSLUtil.java:54)
> 
> 
> HTTP is working fine without issue. Please help us here to find the solution 
> for this problem.

Is there more to the stack trace? For example, "Caused by..." maybe multiple 
times?

-chris




Re: RHEL 8.6 ==> Tomcat Native 1.2.32 ==> OpenSSLEngine could not initialize

2023-06-22 Thread Christopher Schultz

Hello,

On 6/22/23 07:47, S Abirami wrote:

Hi  All,

Our application is using embedded Tomcat 9.0.62 in a RHEL Linux environment.
Tomcat Native version: 1.2.32

OpenSSL version: OpenSSL 1.1.1k

After upgrading from RHEL 7.9 to RHEL 8.6, embedded Tomcat throws an 
exception when starting the application for HTTPS.

org.apache.catalina.util.LifecycleBase handleSubClassException
- Failed to start component [cmg.protocols.http.HTTPConnector]
java.lang.NoClassDefFoundError: Could not initialize class 
org.apache.tomcat.util.net.openssl.OpenSSLEngine
 at 
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:54)


HTTP is working fine without issue. Please help us here to find the solution 
for this problem.


Is there more to the stack trace? For example, "Caused by..." maybe 
multiple times?


-chris




RHEL 8.6 ==> Tomcat Native 1.2.32 ==> OpenSSLEngine could not initialize

2023-06-22 Thread S Abirami
Hi  All,

Our application is using embedded Tomcat 9.0.62 in a RHEL Linux environment.
Tomcat Native version: 1.2.32

OpenSSL version: OpenSSL 1.1.1k

After upgrading from RHEL 7.9 to RHEL 8.6, embedded Tomcat throws an 
exception when starting the application for HTTPS.

org.apache.catalina.util.LifecycleBase handleSubClassException
- Failed to start component [cmg.protocols.http.HTTPConnector]
java.lang.NoClassDefFoundError: Could not initialize class 
org.apache.tomcat.util.net.openssl.OpenSSLEngine
at 
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:54)


HTTP is working fine without issue. Please help us here to find the solution 
for this problem.

Regards,
Abirami.S



[ANN] Apache Tomcat Native 1.2.37 released

2023-06-02 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.37 stable.

The key features of this release are:

- Update the version of OpenSSL used to create the binaries for Windows
  to OpenSSL 1.1.1u

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features
not found in contemporary JDKs. It uses the Apache Portable Runtime as an
operating system abstraction layer and OpenSSL for SSL networking, and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 2.0.4 released

2023-06-02 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.4 stable.

The key features of this release are:

- The binaries for Windows in this release have been built with OpenSSL
  3.0.9

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or 
later but can be used with earlier versions as long as the APR/native 
connector is not used.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL 
for SSL networking with Apache Tomcat.





RE: [External] Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?

2023-04-25 Thread Ragosta, Vincent
Ok -- makes sense.

Thank you,

Vincent

-Original Message-
From: Christopher Schultz  
Sent: Tuesday, April 25, 2023 10:28 AM
To: users@tomcat.apache.org
Subject: [External] Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?


Vincent,

On 4/25/23 05:14, Mark Thomas wrote:
> On 24/04/2023 20:15, Ragosta, Vincent wrote:
>> Hello all,
>>
>> We have an application packaged with Tomcat Native 1.2.30, which, per 
>> the following, the Windows binaries were built using OpenSSL 1.1.1k:
>>
>> https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html
>>
>> However, per Microsoft, Windows 2016 does not support TLSv1.3:
>>
>> https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
>>
>>
>> Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the 
>> underlying OS?
>
> No.

:)

To be more specific, OpenSSL *is an implementation of SSL/TLS and the 
underlying cryptographic primitives*. The whole point is that it is not 
dependent upon whatever the operating system supports.

-chris






Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?

2023-04-25 Thread Christopher Schultz

Vincent,

On 4/25/23 05:14, Mark Thomas wrote:

On 24/04/2023 20:15, Ragosta, Vincent wrote:

Hello all,

We have an application packaged with Tomcat Native 1.2.30, which, per 
the following, the Windows binaries were built using OpenSSL 1.1.1k:


https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html

However, per Microsoft, Windows 2016 does not support TLSv1.3:

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-


Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the 
underlying OS?


No.


:)

To be more specific, OpenSSL *is an implementation of SSL/TLS and the 
underlying cryptographic primitives*. The whole point is that it is not 
dependent upon whatever the operating system supports.


-chris




Re: Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?

2023-04-25 Thread Mark Thomas

On 24/04/2023 20:15, Ragosta, Vincent wrote:

Hello all,

We have an application packaged with Tomcat Native 1.2.30, which, per the 
following, the Windows binaries were built using OpenSSL 1.1.1k:

https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html

However, per Microsoft, Windows 2016 does not support TLSv1.3:

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-


Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the underlying 
OS?


No.

Mark




Tomcat Native 1.2.30 -- Windows 2016 TLSv1.3 support?

2023-04-24 Thread Ragosta, Vincent
Hello all,

We have an application packaged with Tomcat Native 1.2.30, which, per the 
following, the Windows binaries were built using OpenSSL 1.1.1k:

https://www.mail-archive.com/dev@tomcat.apache.org/msg152993.html

However, per Microsoft, Windows 2016 does not support TLSv1.3:

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-


Do Tomcat Native or OpenSSL depend upon support for TLSv1.3 in the underlying 
OS?


Thank you,

Vincent


Re: [ANN] Apache Tomcat Native 1.2.36 released

2023-02-20 Thread Mark Thomas

Try using "libapr1-dev" instead.

Mark


On 18/02/2023 19:32, Amn Ojee Uw wrote:

Following the example provided in the link provided I 'apt-get install
libapr1.0-dev libssl-dev', but I got an error that reads:

---
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package libapr1.0-dev is not available, but is referred to by another
package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
--

Is there a way to solve this in Debian 11, I am using Tomcat 10.x?



On Mon, 2023-02-13 at 20:54 +, Mark Thomas wrote:

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.36 stable.

The key features of this release are:

- Update the version of OpenSSL used to create the binaries for
Windows
    to OpenSSL 1.1.1t

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




Re: [ANN] Apache Tomcat Native 1.2.36 released

2023-02-18 Thread Amn Ojee Uw
Following the example provided in the link provided I 'apt-get install
libapr1.0-dev libssl-dev', but I got an error that reads: 

---
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package libapr1.0-dev is not available, but is referred to by another
package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
--

Is there a way to solve this in Debian 11, I am using Tomcat 10.x?



On Mon, 2023-02-13 at 20:54 +, Mark Thomas wrote:
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat Native 1.2.36 stable.
> 
> The key features of this release are:
> 
> - Update the version of OpenSSL used to create the binaries for
> Windows
>    to OpenSSL 1.1.1t
> 
> Please refer to the change log for the complete list of changes:
> http://tomcat.apache.org/native-doc/miscellaneous/changelog.html
> 
> Downloads:
> http://tomcat.apache.org/download-native.cgi
> 
> The Apache Tomcat Native Library provides portable API for features
> not found in contemporary JDK's. It uses Apache Portable Runtime as
> operating system abstraction layer and OpenSSL for SSL networking and
> allows optimal performance in production environments.
> 
> 





[ANN] Apache Tomcat Native 2.0.3 released

2023-02-13 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.3 stable.

The key features of this release are:

- The binaries for Windows in this release have been built with OpenSSL
  3.0.8

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or 
later but can be used with earlier versions as long as the APR/native 
connector is not used.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL 
for SSL networking with Apache Tomcat.





[ANN] Apache Tomcat Native 1.2.36 released

2023-02-13 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.36 stable.

The key features of this release are:

- Update the version of OpenSSL used to create the binaries for Windows
  to OpenSSL 1.1.1t

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 2.0.2 released

2022-11-08 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.2 stable.

The key features of this release are:

- Update the minimum supported version of LibreSSL to 3.5.2.
  Based on a #13 provided by orbea.

- The windows binaries in this release have been built with OpenSSL
  3.0.7

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x or 
later but can be used with earlier versions as long as the APR/native 
connector is not used.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL 
for SSL networking with Apache Tomcat.





Re: any plans for tomcat-native 1.2.36

2022-11-04 Thread Mark Thomas




On 03/11/2022 19:41, Усманов Азат Анварович wrote:

Hi Everyone!

I'm wondering if there are plans to release the next version of the tomcat 
native 1.2 branch? I've scheduled a big server migration as well as a 
tomcat upgrade from 7.0.92 to 9.0.48 (everything seems to work on the 
test environment) at $work on the weekend (Oct 5th-6th). I usually build 
openssl and tomcat-native manually, currently using openssl 3.03 and tomcat 
native 1.2.33. It would be nice to upgrade both openssl and tomcat 
native at the same time during scheduled downtime. I did see a vote on the 
dev list for the next release of the 2.0 branch of tomcat native. Any plans for 
tomcat-native 1.2.36?


No plans at all since there have been no changes to the code base since 
1.2.35.


Mark





any plans for tomcat-native 1.2.36

2022-11-03 Thread Усманов Азат Анварович

Hi Everyone!

I'm wondering if there are plans to release the next version of the tomcat 
native 1.2 branch? I've scheduled a big server migration as well as a 
tomcat upgrade from 7.0.92 to 9.0.48 (everything seems to work on the 
test environment) at $work on the weekend (Oct 5th-6th). I usually build 
openssl and tomcat-native manually, currently using openssl 3.03 and tomcat 
native 1.2.33. It would be nice to upgrade both openssl and tomcat 
native at the same time during scheduled downtime. I did see a vote on the 
dev list for the next release of the 2.0 branch of tomcat native. Any plans for 
tomcat-native 1.2.36?


Sincerely, Azat Usmanov

P.S. Our servers run on RHEL6





Re: Tomcat Native and macOS 10.15.7

2022-08-24 Thread Christopher Schultz

Thad,

On 8/23/22 10:49, Thad Humphries wrote:

On Tue, Aug 23, 2022 at 10:18 AM Mark Thomas  wrote:


On 23/08/2022 14:12, Thad Humphries wrote:

I'm trying to understand a problem I'm having with Tomcat Native since
moving from 1.2.x to 2.0.

For several years I have been running Tomcat 9.0.12 in Eclipse and 9.0.37
for localhost on my home and office Mac Mini's with macOS 10.15.7

Catalina.

Both use OpenJDK 8 from Amazon. To support development I have a

self-signed

certificate and until recently used Tomcat Native 1.2.x installed with
Homebrew. I added `CATALINA_OPTS="-Xmx1024m
-Djava.library.path=/usr/local/opt/tomcat-native/lib"` to my

bin/setevn.sh


With this configuration I was able to use the
connector org.apache.coyote.http11.Http11AprProtocol with UpgradeProtocol
for org.apache.coyote.http2.Http2Protocol

Recently Homebrew replaced Tomcat Native 1.2.x with 2.0.1. Since then

when

Tomcat starts I see in catalina.out "The Apache Tomcat Native library

which

allows using OpenSSL was not found on the java.library.path:
[/usr/local/opt/tomcat-native/lib]". I've had to switch my development to
connector org.apache.coyote.http11.Http11NioProtocol (I need SSL for my
client-server setup).

I've tried using a Tomcat Native 2 I built myself, but get the same "not
found on the java.library.path" message. I tried using a Tomcat Native
1.2.35 I built myself but got the following stacktrace in catalina.out

23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded

Apache

Tomcat Native library [1.2.35] using APR version [1.7.0].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false],

random

[true].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
23-Aug-2022 03:07:29.544 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been

implemented

on this platform
at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at


sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at


sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)
at


org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:289)

at


org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:136)

at


org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)

at


org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at


sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at


sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)

What is the issue I'm seeing and how might it be corrected if I want to

run

Tomcat Native for the APR protocol?


You can't.

The APR connector has been deprecated and has been removed in Tomcat
10.1.x onwards.

Tomcat Native 2.0.x does not support the APR connectors.

You need to switch to NIO or NIO2. If you want to use OpenSSL for TLS
then you can do so (you'll need Tomcat Native 2.0.x and OpenSSL). Look
at the docs for the sslImplementationName attribute.


BTW, this is not critical to me; I can live with NIO. However I'm the

*only*

person on this team who pays any attention to Tomcat, and I may be having
to explain this to my coworkers and our boss. Others use a mix of Linux,
Windows, and Mac. Most don't use SSL internally but some use the AJP
connector for Apache, and IIRC that needs Tomcat Native, too.


AJP does not require APR/Native. There are NIO and NIO2 implementations
for AJP.

Mark



Thank you, Mark. That all makes sense. I'll look at the docs you've
referenced. I recall once watching some YouTube videos on Tomcat
connectors. I'll find and rewatch those, too.


Some additional details:

tcnative 2.x, while not supporting the APR connector, supports 
everything you need for native cryptographic operations via OpenSSL. It 
likely works with LibreSSL as well but there hasn't been significant 
testing done, there.


Switching from AP

Re: Tomcat Native and macOS 10.15.7

2022-08-23 Thread Thad Humphries
On Tue, Aug 23, 2022 at 10:18 AM Mark Thomas  wrote:

> On 23/08/2022 14:12, Thad Humphries wrote:
> > I'm trying to understand a problem I'm having with Tomcat Native since
> > moving from 1.2.x to 2.0.
> >
> > For several years I have been running Tomcat 9.0.12 in Eclipse and 9.0.37
> > for localhost on my home and office Mac Mini's with macOS 10.15.7
> Catalina.
> > Both use OpenJDK 8 from Amazon. To support development I have a
> self-signed
> > certificate and until recently used Tomcat Native 1.2.x installed with
> > Homebrew. I added `CATALINA_OPTS="-Xmx1024m
> > -Djava.library.path=/usr/local/opt/tomcat-native/lib"` to my
> bin/setevn.sh
> >
> > With this configuration I was able to use the
> > connector org.apache.coyote.http11.Http11AprProtocol with UpgradeProtocol
> > for org.apache.coyote.http2.Http2Protocol
> >
> > Recently Homebrew replaced Tomcat Native 1.2.x with 2.0.1. Since then
> when
> > Tomcat starts I see in catalina.out "The Apache Tomcat Native library
> which
> > allows using OpenSSL was not found on the java.library.path:
> > [/usr/local/opt/tomcat-native/lib]". I've had to switch my development to
> > connector org.apache.coyote.http11.Http11NioProtocol (I need SSL for my
> > client-server setup).
> >
> > I've tried using a Tomcat Native 2 I built myself, but get the same "not
> > found on the java.library.path" message. I tried using a Tomcat Native
> > 1.2.35 I built myself but got the following stacktrace in catalina.out
> >
> > 23-Aug-2022 03:07:29.541 INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded
> Apache
> > Tomcat Native library [1.2.35] using APR version [1.7.0].
> > 23-Aug-2022 03:07:29.541 INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> > capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random
> > [true].
> > 23-Aug-2022 03:07:29.541 INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
> > configuration: useAprConnector [false], useOpenSSL [true]
> > 23-Aug-2022 03:07:29.544 SEVERE [main]
> > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
> > initialize the SSLEngine.
> > org.apache.tomcat.jni.Error: 70023: This function has not been
> implemented
> > on this platform
> > at org.apache.tomcat.jni.SSL.initialize(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at
> >
> org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:289)
> > at
> >
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:136)
> > at
> >
> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
> > at
> >
> org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
> >
> > What is the issue I'm seeing and how might it be corrected if I want to
> run
> > Tomcat Native for the APR protocol?
>
> You can't.
>
> The APR connector has been deprecated and has been removed in Tomcat
> 10.1.x onwards.
>
> Tomcat Native 2.0.x does not support the APR connectors.
>
> You need to switch to NIO or NIO2. If you want to use OpenSSL for TLS
> then you can do so (you'll need Tomcat Native 2.0.x and OpenSSL). Look
> at the docs for the sslImplementationName attribute.
>
> > BTW, this is not critical to me; I can live with NIO. However I'm the
> *only*
> > person on this team who pays any attention to Tomcat, and I may be having
> > to expl

Re: Tomcat Native and macOS 10.15.7

2022-08-23 Thread Mark Thomas

On 23/08/2022 14:12, Thad Humphries wrote:

I'm trying to understand a problem I'm having with Tomcat Native since
moving from 1.2.x to 2.0.

For several years I have been running Tomcat 9.0.12 in Eclipse and 9.0.37
for localhost on my home and office Mac Mini's with macOS 10.15.7 Catalina.
Both use OpenJDK 8 from Amazon. To support development I have a self-signed
certificate and until recently used Tomcat Native 1.2.x installed with
Homebrew. I added `CATALINA_OPTS="-Xmx1024m
-Djava.library.path=/usr/local/opt/tomcat-native/lib"` to my bin/setevn.sh

With this configuration I was able to use the
connector org.apache.coyote.http11.Http11AprProtocol with UpgradeProtocol
for org.apache.coyote.http2.Http2Protocol

Recently Homebrew replaced Tomcat Native 1.2.x with 2.0.1. Since then when
Tomcat starts I see in catalina.out "The Apache Tomcat Native library which
allows using OpenSSL was not found on the java.library.path:
[/usr/local/opt/tomcat-native/lib]". I've had to switch my development to
connector org.apache.coyote.http11.Http11NioProtocol (I need SSL for my
client-server setup).

I've tried using a Tomcat Native 2 I built myself, but get the same "not
found on the java.library.path" message. I tried using a Tomcat Native
1.2.35 I built myself but got the following stacktrace in catalina.out

23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
Tomcat Native library [1.2.35] using APR version [1.7.0].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
23-Aug-2022 03:07:29.544 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented
on this platform
at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:289)
at
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:136)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)

What is the issue I'm seeing and how might it be corrected if I want to run
Tomcat Native for the APR protocol?


You can't.

The APR connector has been deprecated and has been removed in Tomcat 
10.1.x onwards.


Tomcat Native 2.0.x does not support the APR connectors.

You need to switch to NIO or NIO2. If you want to use OpenSSL for TLS 
then you can do so (you'll need Tomcat Native 2.0.x and OpenSSL). Look 
at the docs for the sslImplementationName attribute.



BTW, this is not critical to me; I can live with NIO. However I'm the *only*
person on this team who pays any attention to Tomcat, and I may be having
to explain this to my coworkers and our boss. Others use a mix of Linux,
Windows, and Mac. Most don't use SSL internally but some use the AJP
connector for Apache, and IIRC that needs Tomcat Native, too.


AJP does not require APR/Native. There are NIO and NIO2 implementations 
for AJP.


Mark
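Mark's answer above points at the NIO connector with the `sslImplementationName` attribute. The following script is an added example, not Tomcat's own code and not from the thread: it rewrites a server.xml so the APR connector becomes `Http11NioProtocol` with `org.apache.tomcat.util.net.openssl.OpenSSLImplementation`, moves the legacy `SSL*` connector attributes into an `SSLHostConfig`/`Certificate` element (the Tomcat 8.5+ model), and sets `useAprConnector="false"` / `useOpenSSL="true"` on the `AprLifecycleListener` (the names visible in the startup log quoted above). The sample server.xml is constructed from the connector shape seen on this list; the `protocols` argument is an assumption that lets you drop TLSv1 and TLSv1.1 during the same migration.

```python
"""Added example (not Tomcat's code): rewrite the TLS connector in a server.xml
from the APR/native connector to NIO with the OpenSSL implementation that
Tomcat Native 2.0.x still supports. Attribute names are the documented
SSLHostConfig/Certificate ones from Tomcat 8.5+; the sample XML is constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
OPENSSL_IMPL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Legacy APR-style Connector attributes and their SSLHostConfig-model homes:
# "host" -> attribute of <SSLHostConfig>, "cert" -> attribute of <Certificate>.
LEGACY_SSL_ATTRS = {
    "SSLCertificateFile": ("cert", "certificateFile"),
    "SSLCertificateKeyFile": ("cert", "certificateKeyFile"),
    "SSLCertificateChainFile": ("cert", "certificateChainFile"),
    "SSLPassword": ("cert", "certificateKeyPassword"),
    "SSLCACertificateFile": ("host", "caCertificateFile"),
    "SSLVerifyClient": ("host", "certificateVerification"),
    "SSLProtocol": ("host", "protocols"),
    "SSLCipherSuite": ("host", "ciphers"),
}

# Constructed sample: an APR TLS connector with the HTTP/2 upgrade and the
# listener that loads tcnative, plus a plain HTTP connector left untouched.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/usr/local/ssl/server.crt"
               SSLCertificateKeyFile="/usr/local/ssl/server.pem"
               SSLVerifyClient="optional"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def migrate_apr_to_nio(xml_text: str, protocols: str | None = None) -> str:
    """Return server.xml text with every APR connector switched to NIO.
    TLS connectors additionally get sslImplementationName and an
    <SSLHostConfig> built from the legacy SSL* attributes; `protocols`
    overrides the copied SSLProtocol value (e.g. to drop TLSv1/TLSv1.1)."""
    root = ET.fromstring(xml_text)

    for listener in list(root.iter("Listener")):
        if listener.get("className") == APR_LISTENER:
            # Keep the listener (it loads tcnative/OpenSSL) but stop it from
            # auto-selecting the APR connector; names as logged by Tomcat 9.
            listener.set("useAprConnector", "false")
            listener.set("useOpenSSL", "true")

    for conn in list(root.iter("Connector")):
        if conn.get("protocol") != APR_PROTOCOL:
            continue
        conn.set("protocol", NIO_PROTOCOL)
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        conn.set("sslImplementationName", OPENSSL_IMPL)
        host = ET.SubElement(conn, "SSLHostConfig")
        cert = ET.SubElement(host, "Certificate")
        for legacy, (target, modern) in LEGACY_SSL_ATTRS.items():
            value = conn.attrib.pop(legacy, None)
            if value is None:
                continue
            if legacy == "SSLVerifyClient" and value == "require":
                value = "required"  # the SSLHostConfig spelling
            (host if target == "host" else cert).set(modern, value)
        if protocols is not None:
            host.set("protocols", protocols)
        if not cert.attrib:
            host.remove(cert)

    if hasattr(ET, "indent"):  # Python 3.9+; cosmetic only
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def tls_connectors(xml_text: str) -> list[dict]:
    """Summarise the SSLEnabled connectors of a server.xml for inspection."""
    root = ET.fromstring(xml_text)
    summary = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        host = conn.find("SSLHostConfig")
        cert = host.find("Certificate") if host is not None else None
        summary.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol"),
            "impl": conn.get("sslImplementationName"),
            "legacy_attrs": sorted(a for a in conn.attrib
                                   if a.startswith("SSL") and a != "SSLEnabled"),
            "protocols": host.get("protocols") if host is not None else None,
            "certificateFile": cert.get("certificateFile") if cert is not None else None,
        })
    return summary


if __name__ == "__main__":
    print(migrate_apr_to_nio(SAMPLE_SERVER_XML, protocols="TLSv1.2+TLSv1.3"))
```

The listener is kept because it is still what loads Tomcat Native 2.0.x and OpenSSL; only the connector selection changes. Diff the output against the original before deploying, and remember that on Tomcat 10.1.x the APR connector does not exist at all, so there the rewritten connector is the only option.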




Tomcat Native and macOS 10.15.7

2022-08-23 Thread Thad Humphries
I'm trying to understand a problem I'm having with Tomcat Native since
moving from 1.2.x to 2.0.

For several years I have been running Tomcat 9.0.12 in Eclipse and 9.0.37
for localhost on my home and office Mac Mini's with macOS 10.15.7 Catalina.
Both use OpenJDK 8 from Amazon. To support development I have a self-signed
certificate and until recently used Tomcat Native 1.2.x installed with
Homebrew. I added `CATALINA_OPTS="-Xmx1024m
-Djava.library.path=/usr/local/opt/tomcat-native/lib"` to my bin/setevn.sh

With this configuration I was able to use the
connector org.apache.coyote.http11.Http11AprProtocol with UpgradeProtocol
for org.apache.coyote.http2.Http2Protocol

Recently Homebrew replaced Tomcat Native 1.2.x with 2.0.1. Since then when
Tomcat starts I see in catalina.out "The Apache Tomcat Native library which
allows using OpenSSL was not found on the java.library.path:
[/usr/local/opt/tomcat-native/lib]". I've had to switch my development to
connector org.apache.coyote.http11.Http11NioProtocol (I need SSL for my
client-server setup).

I've tried using a Tomcat Native 2 I built myself, but get the same "not
found on the java.library.path" message. I tried using a Tomcat Native
1.2.35 I built myself but got the following stacktrace in catalina.out

23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
Tomcat Native library [1.2.35] using APR version [1.7.0].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
23-Aug-2022 03:07:29.544 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented
on this platform
at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:289)
at
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:136)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)

What is the issue I'm seeing and how might it be corrected if I want to run
Tomcat Native for the APR protocol?

BTW, this is not critical to me; I can live with NIO. However I'm the *only*
person on this team who pays any attention to Tomcat, and I may be having
to explain this to my coworkers and our boss. Others use a mix of Linux,
Windows, and Mac. Most don't use SSL internally but some use the AJP
connector for Apache, and IIRC that needs Tomcat Native, too.

-- 
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 111-13)


[ANN] Apache Tomcat Native 2.0.1 released

2022-07-13 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.1 stable.

The key features of this release are:

- JNI API has been reduced to just that required to support Tomcat's
  OpenSSL based TLS implementation. The APR/native connector is no
  longer supported in this branch.

- The minimum supported versions have been increased to OpenSSL 3.0.x,
  Apache APR 1.7.x, Java 11, Windows 7 / Server 2008 R2

- The windows binaries in this release have been built with OpenSSL
  3.0.5

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x but 
can be used with earlier versions as long as the APR/native connector is 
not used.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library 2.0.x provides an API for using OpenSSL 
for SSL networking with Apache Tomcat.





[ANN] Apache Tomcat Native 1.2.34 released

2022-06-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.34 stable.

The key features of this release are:

- Refactor the initialization of the native code so it is compatible
  with Tomcat 10.1.x where deprecated Java classes will be removed

- Map the OpenSSL 3.0.x FIPS behaviour to the 1.1.1 API to allow clients
  to determine if the FIPS provider is being used when Tomcat Native is
  compiled against OpenSSL 3.0.x

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 1.2.33 released

2022-05-09 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.33 stable.

The key features of this release are:
- Windows binaries built using OpenSSL 1.1.1o
- Fixes a potential crash when attempting to read the TLS session ID
  after a handshake failure.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




Re: Tomcat Native and OpenSSL v3.0.2

2022-04-08 Thread Clay Lehman
Configuring both seemed to work. Thanks for all the help!!

On Fri, Apr 8, 2022 at 10:10 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/7/22 13:50, Clay Lehman wrote:
> > Chris, Thanks for your help so far! I am digging into this some more
> today.
> >
> > First off, once I started building APR from source instead of doing "yum
> > install apr-devel" my main linking issue went away, so I think we are
> > getting close!!
> >
> > Now I am struggling to get Spring Boot's embedded Tomcat to startup in
> the
> > APR mode.  Most of the blogs and docs i find are older and seem to be out
> > of date, or are otherwise not about embedded tomcat.
> >
> > With these JVM Params:
> > -Djava.library.path="/usr/lib/tcnative/lib"
> > -Dserver.ssl.certificate-key-file="/testkey.pem"
> > -Dserver.ssl.certificate-file="/testcert.pem"
> >
> > Spring Boot / Tomcat fails to start with this error:
> > org.springframework.context.ApplicationContextException: Unable to start
> > web server; nested exception is
> > org.springframework.boot.web.server.WebServerException: Could not load
> key
> > store 'null'
> >
> >
> > I have found tomcat notes on using this connector:
> >
> > <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            port="8443" maxThreads="200"
> >            scheme="https" secure="true" SSLEnabled="true"
> >            SSLCertificateFile="/usr/local/ssl/server.crt"
> >            SSLCertificateKeyFile="/usr/local/ssl/server.pem"
> >            SSLVerifyClient="optional"
> >            SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
> >
> >
> > But have not been able to figure out the right JVM params to tell Spring
> > Boot to work in that manner.
>
> You may have to ask Spring Boot about that. Sorry.
>
> > I am now trying setting up both .crt/.pem files AND ALSO the .pk12 to see
> > what happens
>
> Wrapping the PEM files into .p12 files shouldn't be too onerous. If that
> works, good. But I wonder why the PEM files aren't working. "Could not
> load key store null" seems like the certificate-key-file either isn't a
> valid option, or isn't being applied as expected.
>
> -chris
>
>
>


Re: Tomcat Native and OpenSSL v3.0.2

2022-04-08 Thread Christopher Schultz

Clay,

On 4/7/22 13:50, Clay Lehman wrote:
> Chris, Thanks for your help so far! I am digging into this some more today.
>
> First off, once I started building APR from source instead of doing "yum
> install apr-devel" - my main linking issue went away. So I think we are
> getting close!!
>
> Now I am struggling to get Spring Boot's embedded Tomcat to startup in the
> APR mode.  Most of the blogs and docs I find are older and seem to be out
> of date, or are otherwise not about embedded tomcat.
>
> With these JVM Params:
> -Djava.library.path="/usr/lib/tcnative/lib"
> -Dserver.ssl.certificate-key-file="/testkey.pem"
> -Dserver.ssl.certificate-file="/testcert.pem"
>
> Spring Boot / Tomcat fails to start with this error:
> org.springframework.context.ApplicationContextException: Unable to start
> web server; nested exception is
> org.springframework.boot.web.server.WebServerException: Could not load key
> store 'null'
>
>
> I have found tomcat notes on using this connector:
>
> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
> port="8443" maxThreads="200"
> scheme="https" secure="true" SSLEnabled="true"
> SSLCertificateFile="/usr/local/ssl/server.crt"
> SSLCertificateKeyFile="/usr/local/ssl/server.pem"
> SSLVerifyClient="optional"
> SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
>
> But have not been able to figure out the right JVM params to tell Spring
> Boot to work in that manner.

You may have to ask Spring Boot about that. Sorry.

> I am now trying setting up both .crt/.pem files AND ALSO the .pk12 to see
> what happens

Wrapping the PEM files into .p12 files shouldn't be too onerous. If that
works, good. But I wonder why the PEM files aren't working. "Could not
load key store null" seems like the certificate-key-file either isn't a
valid option, or isn't being applied as expected.

-chris




Re: Tomcat Native and OpenSSL v3.0.2

2022-04-07 Thread Clay Lehman
Chris, Thanks for your help so far! I am digging into this some more today.

First off, once I started building APR from source instead of doing "yum
install apr-devel" - my main linking issue went away. So I think we are
getting close!!

Now I am struggling to get Spring Boot's embedded Tomcat to startup in the
APR mode.  Most of the blogs and docs I find are older and seem to be out
of date, or are otherwise not about embedded tomcat.

With these JVM Params:
-Djava.library.path="/usr/lib/tcnative/lib"
-Dserver.ssl.certificate-key-file="/testkey.pem"
-Dserver.ssl.certificate-file="/testcert.pem"

Spring Boot / Tomcat fails to start with this error:
org.springframework.context.ApplicationContextException: Unable to start
web server; nested exception is
org.springframework.boot.web.server.WebServerException: Could not load key
store 'null'


I have found tomcat notes on using this connector:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional"
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
But have not been able to figure out the right JVM params to tell Spring
Boot to work in that manner.

I am now trying setting up both .crt/.pem files AND ALSO the .pk12 to see
what happens

Thanks!
Clay


On Thu, Apr 7, 2022 at 1:22 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/6/22 07:57, Clay Lehman wrote:
> > "Make sure you have the same versions of libssl, libapr, and libtcnative
> > that you built yourself and not those that e.g. ship with the OS. Where
> > are all your .so files for libtcnative, libssl, and libapr?"
> >
> > Do you know if there are instructions on building these, or where the .so
> > files normally live?
>
> The default LD_LIBRARY_PATH for your system may have lots of stuff in
> it. You'll have to check your system to see.
>
> When Tomcat starts-up, the AprLifecycleListener should report all the
> versions of the various things it's using. Does it get that far, or does
> it choke before that?
>
> -chris
>
> > On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Clay,
> >>
> >> On 4/5/22 12:47, Clay Lehman wrote:
> >>> Hello!
> >>>
> >>>
> >>> I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running
> >> into
> >>> an error on startup.  I have tried a ton of things, searched, read the
> >> docs
> >>> over and over, and cannot get past this.  Has anyone had success with
> >> this
> >>> setup?
> >>>
> >>>
> >>> I created a fully working sample project and Dockerfile to demonstrate
> >> the
> >>> issue:
> https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >>>
> >>>
> >>> Thanks!
> >>>
> >>> Clay
> >>>
> >>>
> >>> More info below
> >>>
> >>>
> >>> Most of the examples and documentation that I have found is for old
> >>> versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> >>> v3.0.x so I suspect this is supported to some degree.
> >>>
> >>>
> >>> I am testing this using a docker container for "Oracle Linux Server 8"
> >>> (specifically FROM openjdk:latest)  I am running embedded tomcat from
> > Spring Boot, but I don't suspect that is important for my issue.
> >>>
> >>>
> >>>
> >>> Notes about the setup steps (in the Dockerfile example):
> >>>
> >>>
> >>> 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >>>
> >>>(
> >>>
> >>
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
> >>> )
> >>>
> >>>
> >>> RUN cd /usr/src \
> >>>
> >>>&& wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >>>
> >>>&& tar -zxf openssl-3.0.2.tar.gz \
> >>>
> >>>&& rm openssl-3.0.2.tar.gz \
> >>>
> >>>&& cd openssl-3.0.2 \
> >>>
> >>>&& ./config enable-fips && make -j8  && make -j8 install
> >>>
> >>>
> >>> RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >>>
> >>>&& ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >>>
> >>>
> >>> RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module
> >>> /usr

Re: Tomcat Native and OpenSSL v3.0.2

2022-04-07 Thread Christopher Schultz

Clay,

On 4/6/22 07:57, Clay Lehman wrote:
> "Make sure you have the same versions of libssl, libapr, and libtcnative
> that you built yourself and not those that e.g. ship with the OS. Where
> are all your .so files for libtcnative, libssl, and libapr?"
>
> Do you know if there are instructions on building these, or where the .so
> files normally live?

The default LD_LIBRARY_PATH for your system may have lots of stuff in
it. You'll have to check your system to see.

When Tomcat starts-up, the AprLifecycleListener should report all the
versions of the various things it's using. Does it get that far, or does
it choke before that?

-chris

> On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Clay,
> >
> > On 4/5/22 12:47, Clay Lehman wrote:
> > > Hello!
> > >
> > >
> > > I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running
> > into
> > > an error on startup.  I have tried a ton of things, searched, read the
> > docs
> > > over and over, and cannot get past this.  Has anyone had success with
> > this
> > > setup?
> > >
> > >
> > > I created a fully working sample project and Dockerfile to demonstrate
> > the
> > > issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> > >
> > >
> > > Thanks!
> > >
> > > Clay
> > >
> > >
> > > More info below
> > >
> > >
> > > Most of the examples and documentation that I have found is for old
> > > versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> > > v3.0.x so I suspect this is supported to some degree.
> > >
> > >
> > > I am testing this using a docker container for "Oracle Linux Server 8"
> > > (specifically FROM openjdk:latest)  I am running embedded tomcat from
> > > Spring Boot, but I don't suspect that is important for my issue.
> > >
> > >
> > >
> > > Notes about the setup steps (in the Dockerfile example):
> > >
> > >
> > > 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> > >
> > >   (
> > >
> > https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
> > > )
> > >
> > >
> > > RUN cd /usr/src \
> > >
> > >   && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> > >
> > >   && tar -zxf openssl-3.0.2.tar.gz \
> > >
> > >   && rm openssl-3.0.2.tar.gz \
> > >
> > >   && cd openssl-3.0.2 \
> > >
> > >   && ./config enable-fips && make -j8  && make -j8 install
> > >
> > >
> > > RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> > >
> > >   && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> > >
> > >
> > > RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module
> > > /usr/local/lib/ossl-modules/fips.so
> > >
> > >
> > > 2) Installed Tomcat Native from source:
> > >
> > > (https://tomcat.apache.org/native-doc/)
> > >
> > >
> > > RUN microdnf install apr-devel openssl-devel \
> > >
> > >   && mkdir /usr/lib/tcnative
> > >
> > >
> > > RUN cd /usr/src \
> > >
> > >   && wget
> > >
> > https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz
> > >   \
> > >
> > >   && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> > >
> > >   && rm tomcat-native-1.2.32-src.tar.gz \
> > >
> > >   && cd tomcat-native-1.2.32-src/native \
> > >
> > >   && ./configure --with-api=/usr/bin/apr-1-config
> > > --with-java-home=/usr/java/latest --with-ssl=yes
> > --prefix=/usr/lib/tcnative
> > > \
> > >
> > >   && make \
> > >
> > >   && make install
> > >
> > >
> > > 3) Generate a self-signed certificate:
> > >
> > > RUN openssl req -x509 -newkey rsa:4096 -passout pass:test
> > > -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=
> > > test.lehmansoftware.com'
> > >
> > >
> > >
> > > 4) To enable tomcat native, I pass these parameters:
> > >
> > > ENTRYPOINT java \
> > >
> > >   -Dserver.port=8443 \
> > >
> > >   -Dserver.ssl.enabled=true \
> > >
> > >   -Djava.library.path="/usr/lib/tcnative/lib" \
> > >
> > >   -Dserver.ssl.certificate-key-file="/testkey.pem" \
> > >
> > >   -Dserver.ssl.certificate-file="/testcert.pem" \
> > >
> > >   -jar app.jar
> > >
> > >
> > >
> > > 5) And finally, here is the error message that I receive on application
> > > startup trying to use tcnative.
> > >
> > > cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN
> > [main]
> > > core.AprLifecycleListener - The Apache Tomcat Native library failed to
> > > load. The error reported was
> > > [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > > EVP_PKEY_get_bits]
> > >
> > > cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
> > > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > > EVP_PKEY_get_bits
> > >
> > > cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native
> > > Method) ~[?:?]
> >
> > Looks like the build worked (right?) so any "undefined symbol" issues
> > you see must be related to the versions made available to the process at
> > runtime.
> >
> > Make sure you have the same versions of libssl, libapr, and libtcnative
> > that you built yourself and not those that e.g. ship with the OS. Where
> > are all your .so files for libtcnative, libssl, and libapr?
> >
> > -chris










Re: Tomcat Native and OpenSSL v3.0.2

2022-04-06 Thread Clay Lehman
"Make sure you have the same versions of libssl, libapr, and libtcnative
that you built yourself and not those that e.g. ship with the OS. Where
are all your .so files for libtcnative, libssl, and libapr?"

Do you know if there are instructions on building these, or where the .so
files normally live?

On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/5/22 12:47, Clay Lehman wrote:
> > Hello!
> >
> >
> > I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running
> into
> > an error on startup.  I have tried a ton of things, searched, read the
> docs
> > over and over, and cannot get past this.  Has anyone had success with
> this
> > setup?
> >
> >
> > I created a fully working sample project and Dockerfile to demonstrate
> the
> > issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >
> >
> > Thanks!
> >
> > Clay
> >
> >
> > More info below
> >
> >
> > Most of the examples and documentation that I have found is for old
> > versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> > v3.0.x so I suspect this is supported to some degree.
> >
> >
> > I am testing this using a docker container for "Oracle Linux Server 8"
> > (specifically FROM openjdk:latest)  I am running embedded tomcat from
> > Spring Boot, but I don't suspect that is important for my issue.
> >
> >
> >
> > Notes about the setup steps (in the Dockerfile example):
> >
> >
> > 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >
> >   (
> >
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
> > )
> >
> >
> > RUN cd /usr/src \
> >
> >   && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >
> >   && tar -zxf openssl-3.0.2.tar.gz \
> >
> >   && rm openssl-3.0.2.tar.gz \
> >
> >   && cd openssl-3.0.2 \
> >
> >   && ./config enable-fips && make -j8  && make -j8 install
> >
> >
> > RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >
> >   && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >
> >
> > RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module
> > /usr/local/lib/ossl-modules/fips.so
> >
> >
> > 2) Installed Tomcat Native from source:
> >
> > (https://tomcat.apache.org/native-doc/)
> >
> >
> > RUN microdnf install apr-devel openssl-devel \
> >
> >   && mkdir /usr/lib/tcnative
> >
> >
> > RUN cd /usr/src \
> >
> >   && wget
> >
> https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz
> >   \
> >
> >   && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> >
> >   && rm tomcat-native-1.2.32-src.tar.gz \
> >
> >   && cd tomcat-native-1.2.32-src/native \
> >
> >   && ./configure --with-api=/usr/bin/apr-1-config
> > --with-java-home=/usr/java/latest --with-ssl=yes
> --prefix=/usr/lib/tcnative
> > \
> >
> >   && make \
> >
> >   && make install
> >
> >
> > 3) Generate a self-signed certificate:
> >
> > RUN openssl req -x509 -newkey rsa:4096 -passout pass:test
> > -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=
> > test.lehmansoftware.com'
> >
> >
> >
> > 4) To enable tomcat native, I pass these parameters:
> >
> > ENTRYPOINT java \
> >
> >   -Dserver.port=8443 \
> >
> >   -Dserver.ssl.enabled=true \
> >
> >   -Djava.library.path="/usr/lib/tcnative/lib" \
> >
> >   -Dserver.ssl.certificate-key-file="/testkey.pem" \
> >
> >   -Dserver.ssl.certificate-file="/testcert.pem" \
> >
> >   -jar app.jar
> >
> >
> >
> > 5) And finally, here is the error message that I receive on application
> > startup trying to use tcnative.
> >
> > cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN
> [main]
> > core.AprLifecycleListener - The Apache Tomcat Native library failed to
> > load. The error reported was
> > [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > EVP_PKEY_get_bits]
> >
> > cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > EVP_PKEY_get_bits
> >
> > cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native
> > Method) ~[?:?]
>
> Looks like the build worked (right?) so any "undefined symbol" issues
> you see must be related to the versions made available to the process at
> runtime.
>
> Make sure you have the same versions of libssl, libapr, and libtcnative
> that you built yourself and not those that e.g. ship with the OS. Where
> are all your .so files for libtcnative, libssl, and libapr?
>
> -chris
>
>
>


Re: Tomcat Native and OpenSSL v3.0.2

2022-04-06 Thread Clay Lehman
This sounds promising.  i installed apr-devel and openssl-devel from yum
repositories, and built OpenSSL 3.0 and Tomcat Native from source.  I think
i saw instructions for building APR from source also.  So I will try that
and report back.

Is there any way to find out what versions are recommended for proper use
of OpenSSL 3.0.x? I haven't been able to find this?



Thanks!
Clay

On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/5/22 12:47, Clay Lehman wrote:
> > Hello!
> >
> >
> > I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running
> into
> > an error on startup.  I have tried a ton of things, searched, read the
> docs
> > over and over, and cannot get past this.  Has anyone had success with
> this
> > setup?
> >
> >
> > I created a fully working sample project and Dockerfile to demonstrate
> the
> > issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >
> >
> > Thanks!
> >
> > Clay
> >
> >
> > More info below
> >
> >
> > Most of the examples and documentation that I have found is for old
> > versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> > v3.0.x so I suspect this is supported to some degree.
> >
> >
> > I am testing this using a docker container for "Oracle Linux Server 8"
> > (specifically FROM openjdk:latest)  I am running embedded tomcat from
> > Spring Boot, but I don't suspect that is important for my issue.
> >
> >
> >
> > Notes about the setup steps (in the Dockerfile example):
> >
> >
> > 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >
> >   (
> >
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
> > )
> >
> >
> > RUN cd /usr/src \
> >
> >   && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >
> >   && tar -zxf openssl-3.0.2.tar.gz \
> >
> >   && rm openssl-3.0.2.tar.gz \
> >
> >   && cd openssl-3.0.2 \
> >
> >   && ./config enable-fips && make -j8  && make -j8 install
> >
> >
> > RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >
> >   && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >
> >
> > RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module
> > /usr/local/lib/ossl-modules/fips.so
> >
> >
> > 2) Installed Tomcat Native from source:
> >
> > (https://tomcat.apache.org/native-doc/)
> >
> >
> > RUN microdnf install apr-devel openssl-devel \
> >
> >   && mkdir /usr/lib/tcnative
> >
> >
> > RUN cd /usr/src \
> >
> >   && wget
> >
> https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz
> >   \
> >
> >   && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> >
> >   && rm tomcat-native-1.2.32-src.tar.gz \
> >
> >   && cd tomcat-native-1.2.32-src/native \
> >
> >   && ./configure --with-api=/usr/bin/apr-1-config
> > --with-java-home=/usr/java/latest --with-ssl=yes
> --prefix=/usr/lib/tcnative
> > \
> >
> >   && make \
> >
> >   && make install
> >
> >
> > 3) Generate a self-signed certificate:
> >
> > RUN openssl req -x509 -newkey rsa:4096 -passout pass:test
> > -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=
> > test.lehmansoftware.com'
> >
> >
> >
> > 4) To enable tomcat native, I pass these parameters:
> >
> > ENTRYPOINT java \
> >
> >   -Dserver.port=8443 \
> >
> >   -Dserver.ssl.enabled=true \
> >
> >   -Djava.library.path="/usr/lib/tcnative/lib" \
> >
> >   -Dserver.ssl.certificate-key-file="/testkey.pem" \
> >
> >   -Dserver.ssl.certificate-file="/testcert.pem" \
> >
> >   -jar app.jar
> >
> >
> >
> > 5) And finally, here is the error message that I receive on application
> > startup trying to use tcnative.
> >
> > cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN
> [main]
> > core.AprLifecycleListener - The Apache Tomcat Native library failed to
> > load. The error reported was
> > [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > EVP_PKEY_get_bits]
> >
> > cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > EVP_PKEY_get_bits
> >
> > cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native
> > Method) ~[?:?]
>
> Looks like the build worked (right?) so any "undefined symbol" issues
> you see must be related to the versions made available to the process at
> runtime.
>
> Make sure you have the same versions of libssl, libapr, and libtcnative
> that you built yourself and not those that e.g. ship with the OS. Where
> are all your .so files for libtcnative, libssl, and libapr?
>
> -chris
>
>
>


Re: Tomcat Native and OpenSSL v3.0.2

2022-04-05 Thread Christopher Schultz

Clay,

On 4/5/22 12:47, Clay Lehman wrote:
> Hello!
>
>
> I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
> an error on startup.  I have tried a ton of things, searched, read the docs
> over and over, and cannot get past this.  Has anyone had success with this
> setup?
>
>
> I created a fully working sample project and Dockerfile to demonstrate the
> issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
>
>
> Thanks!
>
> Clay
>
>
> More info below
>
>
> Most of the examples and documentation that I have found is for old
> versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> v3.0.x so I suspect this is supported to some degree.
>
>
> I am testing this using a docker container for "Oracle Linux Server 8"
> (specifically FROM openjdk:latest)  I am running embedded tomcat from
> Spring Boot, but I don't suspect that is important for my issue.
>
>
>
> Notes about the setup steps (in the Dockerfile example):
>
>
> 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
>
>   (
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
> )
>
>
> RUN cd /usr/src \
>
>   && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
>
>   && tar -zxf openssl-3.0.2.tar.gz \
>
>   && rm openssl-3.0.2.tar.gz \
>
>   && cd openssl-3.0.2 \
>
>   && ./config enable-fips && make -j8  && make -j8 install
>
>
> RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
>
>   && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
>
>
> RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module
> /usr/local/lib/ossl-modules/fips.so
>
>
> 2) Installed Tomcat Native from source:
>
> (https://tomcat.apache.org/native-doc/)
>
>
> RUN microdnf install apr-devel openssl-devel \
>
>   && mkdir /usr/lib/tcnative
>
>
> RUN cd /usr/src \
>
>   && wget
> https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz
>   \
>
>   && tar -xvf tomcat-native-1.2.32-src.tar.gz \
>
>   && rm tomcat-native-1.2.32-src.tar.gz \
>
>   && cd tomcat-native-1.2.32-src/native \
>
>   && ./configure --with-api=/usr/bin/apr-1-config
> --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative
> \
>
>   && make \
>
>   && make install
>
>
> 3) Generate a self-signed certificate:
>
> RUN openssl req -x509 -newkey rsa:4096 -passout pass:test
> -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=
> test.lehmansoftware.com'
>
>
>
> 4) To enable tomcat native, I pass these parameters:
>
> ENTRYPOINT java \
>
>   -Dserver.port=8443 \
>
>   -Dserver.ssl.enabled=true \
>
>   -Djava.library.path="/usr/lib/tcnative/lib" \
>
>   -Dserver.ssl.certificate-key-file="/testkey.pem" \
>
>   -Dserver.ssl.certificate-file="/testcert.pem" \
>
>   -jar app.jar
>
>
>
> 5) And finally, here is the error message that I receive on application
> startup trying to use tcnative.
>
> cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN  [main]
> core.AprLifecycleListener - The Apache Tomcat Native library failed to
> load. The error reported was
> [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> EVP_PKEY_get_bits]
>
> cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> EVP_PKEY_get_bits
>
> cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native
> Method) ~[?:?]

Looks like the build worked (right?) so any "undefined symbol" issues
you see must be related to the versions made available to the process at
runtime.

Make sure you have the same versions of libssl, libapr, and libtcnative
that you built yourself and not those that e.g. ship with the OS. Where
are all your .so files for libtcnative, libssl, and libapr?

-chris

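Chris's diagnosis above (the build linked, so the symbol must be absent from whichever libcrypto/libssl the dynamic loader picks at runtime) can be checked mechanically. The script below is an added example, not part of the thread and not Tomcat's own tooling: it parses `ldd` and `nm -D` output to report which OpenSSL libraries a libtcnative build resolves to and which imported symbols those libraries fail to export. The embedded `nm`/`ldd` text is constructed sample data, and the live mode assumes GNU binutils `nm` and `ldd` are available.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose an "undefined symbol" failure
# when the JVM loads libtcnative by cross-checking the OpenSSL symbols the
# library imports against what the libcrypto/libssl chosen by the dynamic
# loader actually exports. All parsing is done on `nm -D` / `ldd` text, so
# the same functions work on output saved from another machine.

# resolved_path LDD_OUTPUT LIBNAME
# From `ldd <lib>` output, print the file the loader resolved LIBNAME to
# (e.g. libcrypto -> /usr/lib64/libcrypto.so.1.1), "not found", or nothing.
resolved_path() {
    printf '%s\n' "$1" | awk -v lib="$2" '
        index($1, lib ".so") == 1 && $2 == "=>" {
            if ($3 == "not") print "not found"; else print $3
            exit
        }'
}

# missing_symbols NEEDED_NM PROVIDER_NM
#   NEEDED_NM   output of `nm -D <libtcnative.so>`            (imports are U)
#   PROVIDER_NM output of `nm -D --defined-only <libcrypto.so> <libssl.so>`
# Prints each OpenSSL-looking symbol that is imported but not exported and
# returns 1 if there is at least one; returns 0 when everything resolves.
missing_symbols() {
    needed=$(printf '%s\n' "$1" | awk '
        $1 == "U" {
            sub(/@.*/, "", $2)      # strip a @OPENSSL_x.y.z version tag
            if ($2 ~ /^(EVP_|SSL_|OPENSSL_|CRYPTO_|X509_|BIO_|ERR_)/) print $2
        }' | sort -u)
    provided=$(printf '%s\n' "$2" | awk '
        NF == 3 && $2 ~ /^[TWiD]$/ { sub(/@.*/, "", $3); print $3 }' | sort -u)
    rc=0
    for sym in $needed; do
        if ! printf '%s\n' "$provided" | grep -Fqx -- "$sym"; then
            printf '%s\n' "$sym"
            rc=1
        fi
    done
    return "$rc"
}

# check_library /path/to/libtcnative-1.so   (live check; needs ldd and nm)
check_library() {
    lib=$1
    ldd_out=$(ldd "$lib")
    crypto=$(resolved_path "$ldd_out" libcrypto)
    ssl=$(resolved_path "$ldd_out" libssl)
    printf 'libcrypto -> %s\nlibssl    -> %s\n' "$crypto" "$ssl"
    missing_symbols "$(nm -D "$lib")" "$(nm -D --defined-only "$crypto" "$ssl")"
}

# Constructed sample data (not captured from a real host). The tcnative build
# imports EVP_PKEY_get_bits, which exists only in OpenSSL 3.x, yet its other
# imports and its DT_NEEDED entries still point at the distro 1.1.1 libraries:
# the mixed-headers/mixed-libraries state that produces the error above.
SAMPLE_TCNATIVE_NM='                 U EVP_PKEY_get_bits
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U apr_pool_create_ex
0000000000012340 T Java_org_apache_tomcat_jni_Library_initialize'
SAMPLE_OPENSSL_111_NM='00000000001a2b30 T EVP_PKEY_bits@@OPENSSL_1_1_0
00000000000f1200 T SSL_CTX_new@@OPENSSL_1_1_0'
SAMPLE_OPENSSL_3_NM='00000000001a2b30 T EVP_PKEY_get_bits@@OPENSSL_3.0.0
00000000001a2b40 T EVP_PKEY_bits@@OPENSSL_3.0.0
00000000000f1200 T SSL_CTX_new@@OPENSSL_3.0.0'
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0a1f3000)
    libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f2a11c00000)
    libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f2a11b00000)
    libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x00007f2a11a00000)'

if [ $# -gt 0 ]; then
    check_library "$1"
else
    echo "Demo on constructed data: loader picked $(resolved_path "$SAMPLE_LDD" libcrypto)"
    missing_symbols "$SAMPLE_TCNATIVE_NM" "$SAMPLE_OPENSSL_111_NM" \
        || echo "-> rebuild tcnative against the OpenSSL that will be loaded at runtime"
fi
```

Run it with the path to the real libtcnative .so to check a live system; with no argument it walks through the constructed sample.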



Re: Tomcat Native on M1 Macs

2022-04-05 Thread Christopher Schultz

Robert, Brian,

On 4/5/22 13:59, Robert Turner wrote:
> I think you need to use an ARM-based JVM -- IIRC, you will need Corretto
> JDK 18 I think, otherwise it will be running in emulation.

+1

M1 macs can run either x86_64 code OR arm64, but not both in the same
process.

If you want to run tcnative in your JVM, the architectures of the
binaries (JVM, tcnative, libapr, libssl, etc.) all have to match each other.

On 4/5/22 13:59, Robert Turner wrote:
> > Does anyone have instructions for compiling Native on an ARM-based
> > Mac? Or suggestions around this issue?

For the tcnative build, you should be able to build an x86_64 binary
like this:

$ arch
arm64
$ intel
$ arch
i386
$ make distclean
$ ./configure ...
$ make

I think you'll end up with an x86-64 tcnative binary.

Thanks,
-chris

> On Tue, Apr 5, 2022 at 1:56 PM Paquin, Brian  wrote:
>
> > After compiling Tomcat Native (that comes with Tomcat 9.0.62, version
> > 1.2.32) on a (ARM) M1 Mac (with Amazon Corretto 11 JDK, APR, and OpenSSL
> > 1.1.1n), I get the following error in Catalina.out:
> >
> > 05-Apr-2022 11:10:32.307 WARNING [main]
> > org.apache.catalina.core.AprLifecycleListener.init The Apache Tomcat Native
> > library failed to load. The error reported was
> > [/Library/Java/Extensions/libtcnative-1.0.dylib:
> > dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried:
> > '/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an
> > incompatible architecture (have 'arm64', need 'x86_64')),
> > '/usr/lib/libtcnative-1.0.dylib' (no such file)]
> >  java.lang.UnsatisfiedLinkError:
> > /Library/Java/Extensions/libtcnative-1.0.dylib:
> > dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried:
> > '/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an
> > incompatible architecture (have 'arm64', need 'x86_64')),
> > '/usr/lib/libtcnative-1.0.dylib' (no such file)
> >
> > Note: After I compiled Native, I did the following (we did this in the
> > past but I don’t know if it is still required):
> >
> >    1.  cp
> > /usr/local/tomcat/bin/tomcat-native-1.2.32-src/native/.libs/libtcnative-1.0.dylib
> > /Library/Java/Extensions
> >    2.  cd /Library/Java/Extensions
> >    3.  ln -sfhv libtcnative-1.0.dylib libtcnative-1.dylib
> >    4.  ln -sfhv libtcnative-1.dylib libtcnative-1.jnilib
> > (Not sure if this is needed anymore…)
> >
> > Does anyone have instructions for compiling Native on an ARM-based Mac? Or
> > suggestions around this issue?
> >
> > Thank you,
> >
> > Brian





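Chris's point that the JVM, tcnative, libapr and libssl must all be built for one architecture can be verified before Tomcat is started. The script below is an added example, not from the thread and not part of Tomcat: it compares the architecture `file(1)` reports for each library with the JVM's `os.arch`, treating a universal (fat) Mach-O file as acceptable for either. The `file` output embedded in it is constructed sample data with illustrative paths, and the live mode assumes `java` and `file` are on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that every native library the
# JVM will dlopen (libtcnative, libapr, libssl, ...) is built for the same CPU
# architecture as the JVM, i.e. catch the "have 'arm64', need 'x86_64'" state
# before Tomcat starts. Parsing is done on `file(1)` text so the logic can be
# exercised on saved output; the paths used below are illustrative.

# normalise_arch RAW -> arm64 | x86_64 | unknown
# Accepts what file(1) prints for Mach-O/ELF objects and what the JVM reports
# as os.arch (aarch64 on an ARM JVM, x86_64 on an Intel or Rosetta JVM).
normalise_arch() {
    case "$1" in
        *arm64*|*aarch64*) echo arm64 ;;
        *x86_64*|*x86-64*) echo x86_64 ;;
        *)                 echo unknown ;;
    esac
}

# arch_of_file_line "<one line of file(1) output>"
# A universal (fat) Mach-O file carries both slices and loads in either JVM.
arch_of_file_line() {
    case "$1" in
        *"universal binary"*) echo universal ;;
        *)                    normalise_arch "$1" ;;
    esac
}

# check_libs JVM_ARCH FILE_OUTPUT
# FILE_OUTPUT is the output of `file lib1 lib2 ...`, one library per line.
# Prints a verdict per library; returns 1 if any of them cannot be loaded.
check_libs() {
    jvm=$(normalise_arch "$1")
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        a=$(arch_of_file_line "$line")
        if [ "$a" = universal ] || [ "$a" = "$jvm" ]; then
            printf 'ok       %s (%s)\n' "$name" "$a"
        else
            printf 'MISMATCH %s has %s, JVM needs %s\n' "$name" "$a" "$jvm"
            rc=1
        fi
    done <<EOF
$2
EOF
    return "$rc"
}

# jvm_arch: what the JVM on PATH reports as os.arch (live; needs java)
jvm_arch() {
    java -XshowSettings:properties -version 2>&1 | awk '$1 == "os.arch" { print $3 }'
}

# Constructed file(1) output (not captured from a real Mac): a tcnative built
# natively on the M1, an x86_64 libapr left over from an Intel toolchain, and
# a universal libcrypto.
SAMPLE_FILE_OUT='/Library/Java/Extensions/libtcnative-1.0.dylib: Mach-O 64-bit dynamically linked shared library arm64
/usr/local/lib/libapr-1.0.dylib: Mach-O 64-bit dynamically linked shared library x86_64
/usr/local/lib/libcrypto.1.1.dylib: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit dynamically linked shared library x86_64] [arm64:Mach-O 64-bit dynamically linked shared library arm64]'

if [ $# -gt 0 ]; then
    # usage: sh check_arch.sh /path/to/libtcnative-1.0.dylib /path/to/libapr-1.0.dylib ...
    check_libs "$(jvm_arch)" "$(file "$@")"
else
    echo "Demo: x86_64 (Rosetta) JVM against constructed file(1) output"
    check_libs x86_64 "$SAMPLE_FILE_OUT" \
        || echo "-> rebuild the MISMATCH libraries for the JVM architecture, or run a JVM of their architecture"
fi
```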



Re: Tomcat Native on M1 Macs

2022-04-05 Thread Robert Turner
I think you need to use an ARM-based JVM -- IIRC, you will need Corretto
JDK 18 I think, otherwise it will be running in emulation.

On Tue, Apr 5, 2022 at 1:56 PM Paquin, Brian  wrote:

> After compiling Tomcat Native (that comes with Tomcat 9.0.62, version
> 1.2.32) on a (ARM) M1 Mac (with Amazon Corretto 11 JDK, APR, and OpenSSL
> 1.1.1n), I get the following error in Catalina.out:
>
> 05-Apr-2022 11:10:32.307 WARNING [main]
> org.apache.catalina.core.AprLifecycleListener.init The Apache Tomcat Native
> library failed to load. The error reported was
> [/Library/Java/Extensions/libtcnative-1.0.dylib:
> dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried:
> '/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an
> incompatible architecture (have 'arm64', need 'x86_64')),
> '/usr/lib/libtcnative-1.0.dylib' (no such file)]
> java.lang.UnsatisfiedLinkError:
> /Library/Java/Extensions/libtcnative-1.0.dylib:
> dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried:
> '/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an
> incompatible architecture (have 'arm64', need 'x86_64')),
> '/usr/lib/libtcnative-1.0.dylib' (no such file)
>
> Note: After I compiled Native, I did the following (we did this in the
> past but I don’t know if it is still required):
>
>   1.  cp
> /usr/local/tomcat/bin/tomcat-native-1.2.32-src/native/.libs/libtcnative-1.0.dylib
> /Library/Java/Extensions
>   2.  cd /Library/Java/Extensions
>   3.  ln -sfhv libtcnative-1.0.dylib libtcnative-1.dylib
>   4.  ln -sfhv libtcnative-1.dylib libtcnative-1.jnilib
> (Not sure if this is needed anymore…)
>
> Does anyone have instructions for compiling Native on an ARM-based Mac? Or
> suggestions around this issue?
>
> Thank you,
>
> Brian
>


Tomcat Native on M1 Macs

2022-04-05 Thread Paquin, Brian
After compiling Tomcat Native (that comes with Tomcat 9.0.62, version 1.2.32) 
on a (ARM) M1 Mac (with Amazon Corretto 11 JDK, APR, and OpenSSL 1.1.1n), I get 
the following error in Catalina.out:

05-Apr-2022 11:10:32.307 WARNING [main] 
org.apache.catalina.core.AprLifecycleListener.init The Apache Tomcat Native 
library failed to load. The error reported was 
[/Library/Java/Extensions/libtcnative-1.0.dylib: 
dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried: 
'/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an 
incompatible architecture (have 'arm64', need 'x86_64')), 
'/usr/lib/libtcnative-1.0.dylib' (no such file)]
java.lang.UnsatisfiedLinkError: 
/Library/Java/Extensions/libtcnative-1.0.dylib: 
dlopen(/Library/Java/Extensions/libtcnative-1.0.dylib, 0x0001): tried: 
'/Library/Java/Extensions/libtcnative-1.0.dylib' (mach-o file, but is an 
incompatible architecture (have 'arm64', need 'x86_64')), 
'/usr/lib/libtcnative-1.0.dylib' (no such file)

Note: After I compiled Native, I did the following (we did this in the past but 
I don’t know if it is still required):

  1.  cp 
/usr/local/tomcat/bin/tomcat-native-1.2.32-src/native/.libs/libtcnative-1.0.dylib
 /Library/Java/Extensions
  2.  cd /Library/Java/Extensions
  3.  ln -sfhv libtcnative-1.0.dylib libtcnative-1.dylib
  4.  ln -sfhv libtcnative-1.dylib libtcnative-1.jnilib
(Not sure if this is needed anymore…)

Does anyone have instructions for compiling Native on an ARM-based Mac? Or 
suggestions around this issue?

Thank you,

Brian


Tomcat Native and OpenSSL v3.0.2

2022-04-05 Thread Clay Lehman
Hello!


I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
an error on startup.  I have tried a ton of things, searched, read the docs
over and over, and cannot get past this.  Has anyone had success with this
setup?


I created a fully working sample project and Dockerfile to demonstrate the
issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3


Thanks!

Clay


More info below


Most of the examples and documentation that I have found is for old
versions of OpenSSL, but I do see some release notes mentioning OpenSSL
v3.0.x so I suspect this is supported to some degree.


I am testing this using a docker container for "Oracle Linux Server 8"
(specifically FROM openjdk:latest)  I am running embedded tomcat from
Spring Boot, but I don't suspect that is important for my issue.



Notes about the setup steps (in the Dockerfile example):


1) Installed OpenSSL v3.0.2 from source with FIPS enabled
   (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0):

RUN cd /usr/src \
 && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
 && tar -zxf openssl-3.0.2.tar.gz \
 && rm openssl-3.0.2.tar.gz \
 && cd openssl-3.0.2 \
 && ./config enable-fips && make -j8 && make -j8 install

RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
 && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3

RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so


2) Installed Tomcat Native from source (https://tomcat.apache.org/native-doc/):

RUN microdnf install apr-devel openssl-devel \
 && mkdir /usr/lib/tcnative

RUN cd /usr/src \
 && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
 && tar -xvf tomcat-native-1.2.32-src.tar.gz \
 && rm tomcat-native-1.2.32-src.tar.gz \
 && cd tomcat-native-1.2.32-src/native \
 && ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative \
 && make \
 && make install


3) Generate a self-signed certificate:

RUN openssl req -x509 -newkey rsa:4096 -passout pass:test -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=test.lehmansoftware.com'



4) To enable Tomcat Native, I pass these parameters:

ENTRYPOINT java \
 -Dserver.port=8443 \
 -Dserver.ssl.enabled=true \
 -Djava.library.path="/usr/lib/tcnative/lib" \
 -Dserver.ssl.certificate-key-file="/testkey.pem" \
 -Dserver.ssl.certificate-file="/testcert.pem" \
 -jar app.jar



5) And finally, here is the error message that I receive on application
startup trying to use tcnative:

cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN  [main] core.AprLifecycleListener - The Apache Tomcat Native library failed to load. The error reported was [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits]
cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits
cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]


[ANN] Apache Tomcat Native 1.2.32 released

2022-03-22 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.32 stable.

The key features of this release are:
- Windows binaries built using OpenSSL 1.1.1n

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



[ANN] Apache Tomcat Native 1.2.31 released

2021-09-02 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.31 stable.

The key features of this release are:
- Windows binaries built using OpenSSL 1.1.1l
- Fix an issue when building with OpenSSl 3.0.0

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 1.2.30 released

2021-06-07 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.30 stable.

The key features of this release are:
- Windows binaries built using OpenSSL 1.1.1k
- Fix an issue where some Windows systems in some configurations would
   only listen on IPv6 addresses on dual stack systems even though
   configured to listen on both IPv6 and IPv4 addresses.
- Additional fix for bug 65181 (support loading private keys in
   proprietary formats)

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.






[ANN] Apache Tomcat Native 1.2.28 released

2021-04-07 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.28 stable.

The key features of this release are:
- Windows binaries built using 1.1.1k
- Correct a regression in the fix for 65181 that prevented an error
  message from being displayed if an invalid key file was provided
  and no OpenSSL Engine was configured.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




Tomcat Native library with OpenSSL Engine

2021-03-08 Thread Edin Hodzic
Hello users,

I am new to Tomcat and to this mailing list. Looked far and wide for a
solution to my problem, but couldn't find anything effective. I found
other folks asking about similar issues. I then looked through the source
and think I got a solution that I'd like to share as a patch.

The problem is this: Trying to use Apache Tomcat with an OpenSSL Engine
that has proprietary private ECC key format fails. The private key file is
not PEM, and only this specific OpenSSL Engine can load such a private ECC
key. When the server.xml configuration includes reference to a proprietary
format private ECC key, in a
Service/Connector/SSLHostConfig/Certificate/certificateKeyFile, the
run-time fails to initialize a new SSL context. As a result, TLS doesn't
get established, connection fails.

I have tried Tomcat7, 9 and 10.

To illustrate the configuration in server.xml, it includes elements like
these:


The logs may include lines like these:

05-Mar-2021 14:37:07.175 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [/opt/my-keys/server.pem] or its private key [/opt/my-keys/server.key] could not be processed using a JSSE key manager and will be given directly to OpenSSL

05-Mar-2021 14:37:07.176 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
java.lang.Exception: Unable to load certificate key /opt/my-keys/server.key (error:0909006C:PEM routines:get_name:no start line)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:379)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:250)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:401)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:367)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1164)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1177)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1052)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:558)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)




My understanding of the root cause is that Tomcat doesn't support a
proprietary format of the private ECC key. It insists that the key be in
PEM format, in a file or in a keystore.
What I needed was support for the "engine" key format. Similar to the
feature of the "openssl digest" command in the following invocation:

openssl dgst \
  -sign my-keys/server.key \
  -keyform ENGINE \
  -engine MySslEngine \
  -out signature.bin \
  my-input

When the key has the form "engine", the key is loaded using
the ENGINE_load_private_key API (
https://www.openssl.org/docs/man1.1.0/man3/ENGINE_load_private_key.html).

I have come up with a small change to the Tomcat Native library that
resolves the problem for me. It is not as general as the "engine" key form
in the openssl command line. The change below simply attempts to load the
private key through the ENGINE_load_private_key if load_pem_key fails.
Please consider the change as a patch to the Tomcat Native library:

--- tomcat-native-1.2.26-src/native/include/ssl_private.h 2020-12-10
09:09:19.000

[ANN] Apache Tomcat Native 1.2.26 released

2021-01-05 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.26 stable.

The key features of this release are:
- Windows binaries built using 1.1.1i
- Expose support for Unix domain sockets (bug 64942)

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 1.2.25 released

2020-09-07 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.25 stable.

The key features of this release are:
- Improvements to the build system
- Add an option to allow the OCSP check to be bypassed

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 1.2.24 released

2020-04-30 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.24 stable.

The key features of this release are:
- Improvements to the build system
- Update Windows binaries to APR 1.7.0 and OpenSSL 1.1.1g

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




Re: Apache Tomcat Native Library - compatibility clarification needed?

2019-08-02 Thread tomcat

Hi.
Not a full response but an additional source.

On 02.08.2019 11:12, Polina Georgieva wrote:

> Hi all,
>
> Would you please clarify the compatibility restrictions (if any) between
> the Apache Tomcat Native Lib and its dependencies on one hand and between
> Apache Tomcat server and the native lib.  My questions are based on the
> information available here: http://tomcat.apache.org/native-doc/

You may also want to look at these pages :
http://tomcat.apache.org/whichversion.html
http://tomcat.apache.org/migration.html

> 1) Is it possible (or at all advisable) to build the tc-native once and
> then use it on a system that is not necessarily with the same versions of
> dependencies or JVM as the ones it was built with? Or for productive
> systems it is recommended always to compile on the actual system that the lib
> will be running on. I'm specifically interested in a Linux environment.

Again, not a full response, but some info :
For most Linux distributions, there exists a software package manager which allows you to
install a pre-determined version of tomcat, including the tc-native library, and they are
guaranteed to work together and with the installed OS and the installed java JVM version.
(Because the "packagers" of these distributions normally make sure that this is so).
The only catch is that these versions are not necessarily always the latest available
tomcat versions per the tomcat website. Some Linux distributions are better than others in
terms of staying up-to-date, but generally-speaking anything related to security is pretty
well followed-up.

If you want to always run the latest version as per the official tomcat website, then the
"download" page of that website is your best choice, and whatever links you find there
will always be for versions compatible with one another.
But be aware in that case that the standard layout of the files of the official tomcat
website download package is probably different from the layout of the packaged tomcats
available from your Linux distribution, and that in case of updates, you will not be able
to switch so easily from one to the other method.

The "migration" page cited above provides additional information on that topic.

> 2) Are there strict requirements for the dependencies versions, meaning
> Tomcat Native Lib version X works only with APR version Y, OpenSSL version
> Z, etc. ?
>
> 3) Are there any strict compatibility mapping between the native lib
> version and the Tomcat server version? In other words could every Tomcat
> version work smoothly with the latest tc-native version?
>
> Thanks a lot!
>
> Regards,
>
> Polina







Re: Apache Tomcat Native Library - compatibility clarification needed?

2019-08-02 Thread Mark Thomas
On 02/08/2019 10:12, Polina Georgieva wrote:
> Hi all,
> 
> Would you please clarify the compatibility restrictions (if any) between
> the Apache Tomcat Native Lib and its dependencies on one hand and between
> Apache Tomcat server and the native lib.  My questions are based on the
> information available here: http://tomcat.apache.org/native-doc/
> 
> 1) Is it possible (or at all advisable) to build the tc-native once and
> then use it on a system that is not necessarily with the same versions of
> dependencies or JVM as the ones it was built with? Or for productive
> systems it is recommended always to compile on the actual system that the lib
> will be running on. I'm specifically interested in a Linux environment.

The specific JVM version isn't that important. It will certainly work
with any current JVM and probably any JVM back at least as far as Java
1.3. You should be fine building it with one JVM and using it with another.

Generally, you want to compile against the versions of OpenSSL and APR
that you plan to use.

> 2) Are there strict requirements for the dependencies versions, meaning
> Tomcat Native Lib version X works only with APR version Y, OpenSSL version
> Z, etc. ?

OpenSSL
Needs to be one of the currently supported versions. We tend to remove
the workarounds for features not present in older versions once they are
no longer supported.

APR
We try and build with the latest version. 1.7.x and 1.6.x should both be
fine. It will probably work with 1.5.x as well and maybe further back too.

> 3) Are there any strict compatibility mapping between the  native lib
> version and the Tomcat server version? In other words could every Tomcat
> version work smoothly with the latest tc-native version?

You should be able to use the current Tomcat-Native library with any
previous Tomcat version. The converse is not true. Each Tomcat version
has a minimum required Tomcat Native version and a minimum recommended
version. You'll see log errors/warnings if you start Tomcat with a
version of the Native library that does not meet these minimums.

Mark




Apache Tomcat Native Library - compatibility clarification needed?

2019-08-02 Thread Polina Georgieva
Hi all,



Would you please clarify the compatibility restrictions (if any) between
the Apache Tomcat Native Lib and its dependencies on one hand and between
Apache Tomcat server and the native lib.  My questions are based on the
information available here: http://tomcat.apache.org/native-doc/



1) Is it possible (or at all advisable) to build the tc-native once and
then use it on a system that is not necessarily with the same versions of
dependencies or JVM as the ones it was built with? Or for productive
systems it is recommended always to compile on the actual system that the lib
will be running on. I'm specifically interested in a Linux environment.

2) Are there strict requirements for the dependencies versions, meaning
Tomcat Native Lib version X works only with APR version Y, OpenSSL version
Z, etc. ?

3) Are there any strict compatibility mapping between the  native lib
version and the Tomcat server version? In other words could every Tomcat
version work smoothly with the latest tc-native version?



Thanks a lot!

Regards,

Polina


Re: Test for tomcat native

2019-07-04 Thread Mark Thomas
On 04/07/2019 12:46, Markus Fömpe wrote:
> Hello,
> 
> I'm not sure if I'm on the right user mailing list or if my question belongs 
> more on the dev mailing list. If I am wrong here, please let me know.
> 
> Yesterday I got a notification that there is a new version of Tomcat Native 
> available. I work with macOS and install programs with homebrew. For the last 
> updates of Tomcat 9 I updated the Homebrew Formula and wanted to do the same 
> for Tomcat Native [1].
> 
> During the update of the formula I stumbled over the requirement that now a 
> test for the formula is necessary [2].
> Unfortunately, I have no idea how such a test could look like for the Tomcat 
> Native library. Is there someone on the mailing list who could give me a hint?

You need a JAVA_HOME to compile the library so compile the Java source
as well (a useful test in itself) and write a short Java class that:
- calls Library.initialize(null)
- checks the version number is correct

Mark


> 
> Best regards,
> Markus
> 
> [1] 
> https://github.com/mystygage/homebrew-core/commit/e28e93e3e90c3fa2273990a91c8643ca9c97d296
> [2] https://docs.brew.sh/Formula-Cookbook#add-a-test-to-the-formula
> 
> 
> 



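A smoke test along the lines Mark describes, added here as an example and not code from this thread or from the Tomcat project. It assumes tomcat-jni.jar (built from the java/ directory of the tcnative source) is on the classpath, the built library is on java.library.path, and the expected version is passed as an argument; because a wrong-architecture build or an unresolved OpenSSL symbol (the failures reported in the other threads above) surfaces as an UnsatisfiedLinkError from Library.initialize, the same class doubles as a post-build check for those problems.

```java
import org.apache.tomcat.jni.Library;
import org.apache.tomcat.jni.SSL;

/*
 * Smoke test for a freshly built Tomcat Native library (added example,
 * not code from the mailing list thread or the Tomcat project).
 *
 * Usage: java -Djava.library.path=/path/to/lib TcnativeSmokeTest 1.2.32
 * Exit status 0 means the library loaded and reports the expected version.
 */
public class TcnativeSmokeTest {

    /** Compares the loaded library's version with an expected "major.minor.patch". */
    static boolean versionMatches(String expected) {
        String[] parts = expected.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException(
                    "expected version as major.minor.patch, got: " + expected);
        }
        return Library.TCN_MAJOR_VERSION == Integer.parseInt(parts[0])
                && Library.TCN_MINOR_VERSION == Integer.parseInt(parts[1])
                && Library.TCN_PATCH_VERSION == Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: TcnativeSmokeTest <expected-version>");
            System.exit(2);
        }

        // Library.initialize(null) loads "tcnative-1" from java.library.path.
        // A wrong-architecture build or an undefined OpenSSL symbol shows up
        // here as an UnsatisfiedLinkError, before any version check runs.
        try {
            if (!Library.initialize(null)) {
                System.err.println("Library.initialize returned false");
                System.exit(1);
            }
        } catch (UnsatisfiedLinkError e) {
            System.err.println("native library failed to load: " + e.getMessage());
            System.exit(1);
        }

        System.out.println("tcnative: " + Library.versionString());
        System.out.println("APR:      " + Library.aprVersionString());

        // Initialise OpenSSL without an engine and report the version that was
        // actually linked, so a build-time/run-time OpenSSL mismatch is visible.
        SSL.initialize(null);
        System.out.println("OpenSSL:  " + SSL.versionString());

        if (!versionMatches(args[0])) {
            System.err.println("version mismatch: expected " + args[0]
                    + ", loaded " + Library.versionString());
            System.exit(1);
        }
        System.out.println("OK");
    }
}
```

In a Homebrew formula the test block would compile this class against the installed tomcat-jni.jar and assert a zero exit status.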


Test for tomcat native

2019-07-04 Thread Markus Fömpe
Hello,

I'm not sure if I'm on the right user mailing list or if my question belongs 
more on the dev mailing list. If I am wrong here, please let me know.

Yesterday I got a notification that there is a new version of Tomcat Native 
available. I work with macOS and install programs with homebrew. For the last 
updates of Tomcat 9 I updated the Homebrew Formula and wanted to do the same 
for Tomcat Native [1].

During the update of the formula I stumbled over the requirement that now a 
test for the formula is necessary [2].
Unfortunately, I have no idea how such a test could look like for the Tomcat 
Native library. Is there someone on the mailing list who could give me a hint?

Best regards,
Markus

[1] 
https://github.com/mystygage/homebrew-core/commit/e28e93e3e90c3fa2273990a91c8643ca9c97d296
[2] https://docs.brew.sh/Formula-Cookbook#add-a-test-to-the-formula




[ANN] Apache Tomcat Native 1.2.23 released

2019-07-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.23 stable.

The key features of this release are:
- Add support for TLS key logging when using OpenSSL 1.1.1 or later
- Fix crashes when a CRL file or path is configured
- Update Windows binaries to APR 1.7.0 and OpenSSL 1.1.1c

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 1.2.21 released

2019-02-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.21 stable.

The key features of this release are:
- Fixed memory leaks when using NIO/NIO2 with OpenSSL for TLS

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[ANN] Apache Tomcat Native 1.2.19 released

2018-12-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.19 stable.

The key features of this release are:
- Fixed memory leaks when using OCSP checks
- Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1.a
- Windows binaries built with APR 1.6.5 and OpenSSL 1.0.2q

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides portable API for features
not found in contemporary JDK's. It uses Apache Portable Runtime as
operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




RE: Debugging tomcat native connector

2018-11-02 Thread Mark A. Claassen
Wow, thanks a lot.  That was exactly what it was.

Something else, just in the event that someone references this email thread in 
the future, I also realized I could put this in my logging.properties file:
org.apache.coyote.level = FINE

I didn't think to add that until after the entropy thing was figured out, but 
it is something that may come in handy in similar situations.


Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect 
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and 
assumes no legal liability or responsibility for the posting. 
-Original Message-
From: Christopher Schultz  
Sent: Thursday, November 1, 2018 1:19 PM
To: users@tomcat.apache.org
Subject: Re: Debugging tomcat native connector


Mark,

On 11/1/18 11:51, Mark A. Claassen wrote:
> Thanks for the reply.  I am using
> "org.apache.coyote.http11.Http11AprProtocol" in Tomcat 9.
> 
> The NIO connectors worked fine when we tried them, but the native ones 
> seem to start up, but then don’t work.
> 
> Interestingly, we found out that these connectors do eventually start 
> working!  We tried to connect a few hours later and they were working 
> fine. We are now trying to determine exactly how long it takes for 
> them to accept connections in hopes that this will help us figure out 
> what is going on.
> 
> Having a way to debug this better would be helpful.
Are you getting log entries in catalina.out similar to these?

INFO: Starting ProtocolHandler ["ajp-nio-8215"]
Oct 10, 2018 4:23:38 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-nio-127.0.0.1-8217"]
Oct 10, 2018 4:23:38 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 6819 ms

??

If so, there should also be some timing information for initializing certain 
things. For example, if the server doesn't have much entropy in the entropy 
pool, then you can get a slow-startup while the crypto engine starts. This may 
be worse with the APR connector than for the NIO connectors as the source of 
randomness may be different by default (e.g. /dev/urandom for Java, /dev/random 
for APR). That may not actually be *true*, but it's a possibility.

-chris






Re: Debugging tomcat native connector

2018-11-01 Thread Christopher Schultz

Mark,

On 11/1/18 11:51, Mark A. Claassen wrote:
> Thanks for the reply.  I am using 
> "org.apache.coyote.http11.Http11AprProtocol" in Tomcat 9.
> 
> The NIO connectors worked fine when we tried them, but the native 
> ones seem to start up, but then don’t work.
> 
> Interestingly, we found out that these connectors do eventually
> start working!  We tried to connect a few hours later and they were
> working fine. We are now trying to determine exactly how long it
> takes for them to accept connections in hopes that this will help
> us figure out what is going on.
> 
> Having a way to debug this better would be helpful.
Are you getting log entries in catalina.out similar to these?

INFO: Starting ProtocolHandler ["ajp-nio-8215"]
Oct 10, 2018 4:23:38 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-nio-127.0.0.1-8217"]
Oct 10, 2018 4:23:38 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 6819 ms

??

If so, there should also be some timing information for initializing
certain things. For example, if the server doesn't have much entropy
in the entropy pool, then you can get a slow-startup while the crypto
engine starts. This may be worse with the APR connector than for the
NIO connectors as the source of randomness may be different by default
(e.g. /dev/urandom for Java, /dev/random for APR). That may not
actually be *true*, but it's a possibility.

-chris




RE: Debugging tomcat native connector

2018-11-01 Thread Mark A. Claassen
Thanks for the reply.  I am using "org.apache.coyote.http11.Http11AprProtocol" 
in Tomcat 9.

The NIO connectors worked fine when we tried them, but the native ones seem to 
start up, but then don’t work. 
 
Interestingly, we found out that these connectors do eventually start working!  
We tried to connect a few hours later and they were working fine.  
We are now trying to determine exactly how long it takes for them to accept 
connections in hopes that this will help us figure out what is going on.

Having a way to debug this better would be helpful.


-Original Message-
From: Roger Brechbühl  
Sent: Wednesday, October 31, 2018 5:25 PM
To: Tomcat Users List 
Subject: Re: Debugging tomcat native connector

with which connector do you have problems? nio, nio2 or apr?

I ask because we have problems with nio2-openssl when ssl session is reused 
e.g. when a request is proxied with nginx.

kind regards,
Roger

Mark A. Claassen wrote on Wed. 31 Oct. 2018 at 15:32:

> Is there a way to debug the native connectors?  Specifically, we are 
> having some problems getting the native openssl connector working on Ubuntu.
> Doing an strace on the process shows a lot of FUTEX_WAIT_PRIVATE, but 
> we don't know why.  We were hoping that there was some way to get more 
> information.
>
> Thanks,
>
>
>


Re: Debugging tomcat native connector

2018-10-31 Thread Roger Brechbühl
with which connector do you have problems? nio, nio2 or apr?

I ask because we have problems with nio2-openssl when ssl session is reused
e.g. when a request is proxied with nginx.

kind regards,
Roger

Mark A. Claassen wrote on Wed, 31 Oct 2018 at 15:32:

> Is there a way to debug the native connectors?  Specifically, we are
> having some problems getting the native openssl connector working on Ubuntu.
> Doing an strace on the process shows a lot of FUTEX_WAIT_PRIVATE, but we
> don't know why.  We were hoping that there was some way to get more
> information.
>
> Thanks,
>
> Mark Claassen
> Senior Software Engineer
>
> Donnell Systems, Inc.
> 130 South Main Street
> Leighton Plaza Suite 375
> South Bend, IN  46601
> E-mail: mailto:mclaas...@ocie.net
> Voice: (574)232-3784
> Fax: (574)232-4014
>
> Disclaimer:
> The opinions provided herein do not necessarily state or reflect
> those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and
> assumes no legal liability or responsibility for the posting.
>
>


Debugging tomcat native connector

2018-10-31 Thread Mark A. Claassen
Is there a way to debug the native connectors?  Specifically, we are having 
some problems getting the native openssl connector working on Ubuntu.
Doing an strace on the process shows a lot of FUTEX_WAIT_PRIVATE, but we don't 
know why.  We were hoping that there was some way to get more information.

Thanks,

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and
assumes no legal liability or responsibility for the posting.



[ANN] Apache Tomcat Native 1.2.18 released

2018-10-21 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.18.

The key features of this release are:
- Windows binaries built with APR 1.6.5 and OpenSSL 1.0.2p.
- Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1.
- TLSv1.3 support when built with OpenSSL 1.1.1

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features
not found in contemporary JDKs. It uses the Apache Portable Runtime as
an operating system abstraction layer and OpenSSL for SSL networking, and
allows optimal performance in production environments.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-10-11 Thread Rémy Maucherat
On Thu, Oct 11, 2018 at 4:52 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Усманов,
>
> On 10/10/18 11:12 AM, Усманов Азат Анварович wrote:
> > Thanks Christopher, I already did. All that's left is to get the
> > latest patch backported to Tomcat 7
>
> For APR, it shouldn't be too much of an issue; it's just about getting
> a qualifying tcnative build into tc7 and a little plumbing code.
>
> My *guess* right now is that Tomcat 7 will not get any back-ports for
> NIO[2] for either JSSE or OpenSSL, so Tomcat 7 will have incomplete
> TLSv1.3 support.
>

Tomcat 7 cannot get NIO2 (it needs Java 7), and it didn't get the OpenSSL
engine either. So APR and vanilla JSSE with NIO (or java.io) are the only
possibilities.

Rémy


Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-10-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 10/10/18 11:12 AM, Усманов Азат Анварович wrote:
> Thanks Christopher, I already did. All that's left is to get the
> latest patch backported to Tomcat 7

For APR, it shouldn't be too much of an issue; it's just about getting
a qualifying tcnative build into tc7 and a little plumbing code.

My *guess* right now is that Tomcat 7 will not get any back-ports for
NIO[2] for either JSSE or OpenSSL, so Tomcat 7 will have incomplete
TLSv1.3 support.

- -chris

> From: Christopher Schultz
> Sent: 10 October 2018 17:47:47
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
> Усманов,
> 
> On 10/6/18 17:27, Усманов Азат Анварович wrote:
>> I've been searching the web for any idea why Chrome throws an
>> empty response error with TLS 1.3 and found this bug
>> https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at Fedora;
>> it looks like the same sort of problem. Interestingly enough, it
>> does have a fix. My knowledge of C is quite limited, so could
>> anyone please look at the patch provided by these guys and see
>> if it is of any use in the case of tomcat-native?
> Have a look at the recent bug comments, especially Rainer's
> comment about Chrome/ff versions.
> 
> -chris
> 
>> From: Усманов Азат Анварович
>> Sent: 25 September 2018 11:39
>> To: Tomcat Users List
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
>> Do I need to file a separate feature request for Tomcat itself?
>> The one I already filed
>> (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for
>> the tomcat-native component. Looking through the Tomcat changelog,
>> I found that TLS 1.2 support was previously added via an
>> enhancement request to tomcat-native
>> (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952)
>> From: Усманов Азат Анварович
>> Sent: 20 September 2018 12:05:07
>> To: users@tomcat.apache.org
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
>> I did file a feature enhancement in Bugzilla
> 
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
> 
>> From: Christopher Schultz
>> Sent: 19 September 2018 23:31:28
>> To: users@tomcat.apache.org
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
>> Усманов,
> 
>> On 9/19/18 05:56, Усманов Азат Анварович wrote:
>>> Hi Christopher! I did remove the supportedProtocols attribute
>>> entirely (the SSL Labs server test confirms it).
>> You mean that SSL Labs then tells you that other protocols are
>> available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if
>> TLSv1.3 is available, so testing with e.g. Chrome shouldn't be
>> necessary.
> 
>>> <Connector maxPostSize="10485760 " maxHttpHeaderSize="1048576"
>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>> connectionTimeout="2" redirectPort="8443"
>>> SSLHonorCipherOrder="true"
>>> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
>>> SSLCertificateKeyFile="/home/idis/server.key"
>>> SSLCertificateChainFile="/home/idis/authorities.crt"
>>> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
>>> enableLookups="false" disableUploadTimeout="true"
>>> acceptCount="100" scheme="https" secure="true"
>>> compression="force"
>>> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
> 
>>> I did put
>>> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
>>> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more
>>> work is required for TLS 1.3 to work in my case
> 
>> Yes, you will definitely 

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-10-10 Thread Усманов Азат Анварович
Thanks Christopher, I already did. All that's left is to get the latest patch
backported to Tomcat 7


From: Christopher Schultz
Sent: 10 October 2018 17:47:47
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 10/6/18 17:27, Усманов Азат Анварович wrote:
> I've been searching the web for any idea why Chrome throws an
> empty response error with TLS 1.3 and found this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at Fedora; it
> looks like the same sort of problem. Interestingly enough, it does
> have a fix. My knowledge of C is quite limited, so could anyone
> please look at the patch provided by these guys and see if it is
> of any use in the case of tomcat-native?
Have a look at the recent bug comments, especially Rainer's comment
about Chrome/ff versions.

- -chris

> From: Усманов Азат Анварович
> Sent: 25 September 2018 11:39
> To: Tomcat Users List
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Do I need to file a separate feature request for Tomcat itself? The
> one I already filed
> (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for the
> tomcat-native component. Looking through the Tomcat changelog, I
> found that TLS 1.2 support was previously added via an enhancement
> request to tomcat-native
> (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952)
>
> From: Усманов Азат Анварович
> Sent: 20 September 2018 12:05:07
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> I did file a feature enhancement in Bugzilla
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
>
> From: Christopher Schultz
> Sent: 19 September 2018 23:31:28
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/19/18 05:56, Усманов Азат Анварович wrote:
>> Hi Christopher! I did remove the supportedProtocols attribute
>> entirely (the SSL Labs server test confirms it).
> You mean that SSL Labs then tells you that other protocols are
> available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3
> is available, so testing with e.g. Chrome shouldn't be necessary.
>
>> <Connector maxPostSize="10485760 " maxHttpHeaderSize="1048576"
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> connectionTimeout="2" redirectPort="8443"
>> SSLHonorCipherOrder="true"
>> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
>> SSLCertificateKeyFile="/home/idis/server.key"
>> SSLCertificateChainFile="/home/idis/authorities.crt"
>> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true"
>> compression="force"
>> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
>> I did put
>> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
>> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
>> is required for TLS 1.3 to work in my case
>
> Yes, you will definitely have to mention the TLSv1.3 ciphers in
> order to allow a TLSv1.3 handshake to succeed.
>
> But yes, it does indeed look like Tomcat requires some work.
>
> Can you please file an enhancement request in Bugzilla?
>
> Thanks, -chris
>
>> From: Christopher Schultz
>> Sent: 18 September 2018 23:27
>> To: users@tomcat.apache.org
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
>> Усманов,
> 
>> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>>> using APR/tomcat-native with OpenSSL for TLS connections
>>> (Tomcat Native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>>> stable OpenSSL release

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-10-10 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 10/6/18 17:27, Усманов Азат Анварович wrote:
> I've been searching the web for any idea why Chrome throws an
> empty response error with TLS 1.3 and found this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at Fedora; it
> looks like the same sort of problem. Interestingly enough, it does
> have a fix. My knowledge of C is quite limited, so could anyone
> please look at the patch provided by these guys and see if it is
> of any use in the case of tomcat-native?
Have a look at the recent bug comments, especially Rainer's comment
about Chrome/ff versions.

- -chris

> From: Усманов Азат Анварович
> Sent: 25 September 2018 11:39
> To: Tomcat Users List
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
> Do I need to file a separate feature request for Tomcat itself? The
> one I already filed
> (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for the
> tomcat-native component. Looking through the Tomcat changelog, I
> found that TLS 1.2 support was previously added via an enhancement
> request to tomcat-native
> (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952)
> 
> From: Усманов Азат Анварович
> Sent: 20 September 2018 12:05:07
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
> I did file a feature enhancement in Bugzilla
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
> 
> From: Christopher Schultz
> Sent: 19 September 2018 23:31:28
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
> Усманов,
> 
> On 9/19/18 05:56, Усманов Азат Анварович wrote:
>> Hi Christopher! I did remove the supportedProtocols attribute
>> entirely (the SSL Labs server test confirms it).
> You mean that SSL Labs then tells you that other protocols are 
> available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3
> is available, so testing with e.g. Chrome shouldn't be necessary.
> 
>> <Connector maxPostSize="10485760 " maxHttpHeaderSize="1048576"
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> connectionTimeout="2" redirectPort="8443"
>> SSLHonorCipherOrder="true"
>> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
>> SSLCertificateKeyFile="/home/idis/server.key"
>> SSLCertificateChainFile="/home/idis/authorities.crt"
>> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true"
>> compression="force"
>> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
> 
>> I did put
>> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
>> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
>> is required for TLS 1.3 to work in my case
> 
> Yes, you will definitely have to mention the TLSv1.3 ciphers in
> order to allow a TLSv1.3 handshake to succeed.
> 
> But yes, it does indeed look like Tomcat requires some work.
> 
> Can you please file an enhancement request in Bugzilla?
> 
> Thanks, -chris
> 
>> From: Christopher Schultz
>> Sent: 18 September 2018 23:27
>> To: users@tomcat.apache.org
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
>> Усманов,
> 
>> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>>> using APR/tomcat-native with OpenSSL for TLS connections
>>> (Tomcat Native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>>> stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have
>>> upgraded to it successfully. My question is if and when
>>> Tomcat 7 will be upgraded to support TLS 1.3 through
>>> APR/tomcat-native/OpenSSL. Do such plans even exist?

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-10-06 Thread Усманов Азат Анварович
I've been searching the web for any idea why Chrome throws an empty response
error with TLS 1.3 and found this bug
https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at Fedora; it looks like
the same sort of problem. Interestingly enough, it does have a fix. My
knowledge of C is quite limited, so could anyone please look at the patch
provided by these guys and see if it is of any use in the case of tomcat-native?



From: Усманов Азат Анварович
Sent: 25 September 2018 11:39
To: Tomcat Users List
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

Do I need to file a separate feature request for Tomcat itself?
The one I already filed (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748)
is for the tomcat-native component. Looking through the Tomcat changelog, I found
that TLS 1.2 support was previously added via an enhancement request to
tomcat-native (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).

From: Усманов Азат Анварович
Sent: 20 September 2018 12:05:07
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

I did file a feature enhancement in Bugzilla

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748


From: Christopher Schultz
Sent: 19 September 2018 23:31:28
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove the supportedProtocols attribute entirely
> (the SSL Labs server test confirms it).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

> <Connector maxPostSize="10485760 " maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
> is required for TLS 1.3 to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

> From: Christopher Schultz
> Sent: 18 September 2018 23:27
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>> using APR/tomcat-native with OpenSSL for TLS connections
>> (Tomcat Native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have
>> upgraded to it successfully. My question is if and when
>> Tomcat 7 will be upgraded to support TLS 1.3 through
>> APR/tomcat-native/OpenSSL. Do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least until both Chrome and
>> Firefox release their browser updates for RFC 8446 support
>> (which are both scheduled for mid-October: Chrome 70 and Firefox
>> 63), but I would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and there

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-09-25 Thread Усманов Азат Анварович
Do I need to file a separate feature request for Tomcat itself?
The one I already filed (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748)
is for the tomcat-native component. Looking through the Tomcat changelog, I found
that TLS 1.2 support was previously added via an enhancement request to
tomcat-native (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).

From: Усманов Азат Анварович
Sent: 20 September 2018 12:05:07
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

I did file a feature enhancement in Bugzilla

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748


From: Christopher Schultz
Sent: 19 September 2018 23:31:28
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove the supportedProtocols attribute entirely
> (the SSL Labs server test confirms it).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

> <Connector maxPostSize="10485760 " maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
> is required for TLS 1.3 to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

> From: Christopher Schultz
> Sent: 18 September 2018 23:27
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>> using APR/tomcat-native with OpenSSL for TLS connections
>> (Tomcat Native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have
>> upgraded to it successfully. My question is if and when
>> Tomcat 7 will be upgraded to support TLS 1.3 through
>> APR/tomcat-native/OpenSSL. Do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least until both Chrome and
>> Firefox release their browser updates for RFC 8446 support
>> (which are both scheduled for mid-October: Chrome 70 and Firefox
>> 63), but I would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
>

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-09-20 Thread Усманов Азат Анварович
I did file a feature enhancement in Bugzilla

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748


From: Christopher Schultz
Sent: 19 September 2018 23:31:28
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove the supportedProtocols attribute entirely
> (the SSL Labs server test confirms it).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

> <Connector maxPostSize="10485760 " maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
> is required for TLS 1.3 to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

> From: Christopher Schultz
> Sent: 18 September 2018 23:27
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>> using APR/tomcat-native with OpenSSL for TLS connections
>> (Tomcat Native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have
>> upgraded to it successfully. My question is if and when
>> Tomcat 7 will be upgraded to support TLS 1.3 through
>> APR/tomcat-native/OpenSSL. Do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least until both Chrome and
>> Firefox release their browser updates for RFC 8446 support
>> (which are both scheduled for mid-October: Chrome 70 and Firefox
>> 63), but I would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
>

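Two checks that follow from Chris's advice in the quoted reply, added here as an example rather than taken from the thread or from Tomcat. The first inspects a Tomcat APR SSLCipherSuite value, which is OpenSSL cipher-list syntax: OpenSSL 1.1.1 takes TLS 1.3 suites through a separate call (SSL_CTX_set_ciphersuites), knows them only under the five names RFC 8446 defines, and its cipher-list parser drops tokens it does not recognise instead of failing, so the TLS_CHACHA20_POLY1305_SHA384 in the configuration quoted above (no such suite exists; the RFC name ends in SHA256) would be discarded silently. The second offers a server exactly one protocol version at a time and reports what was negotiated, which answers the "is TLSv1.3 actually on" question locally instead of through SSL Labs or a Chrome beta. The host and port arguments are assumptions; negotiate needs Python 3.7 or later for ssl.TLSVersion, and a None for TLSv1 or TLSv1.1 may only mean the probing machine's own OpenSSL refuses those versions, so the TLS 1.2 and 1.3 rows are the conclusive ones.

```python
"""Check a Tomcat SSLCipherSuite value and sweep a server for the TLS versions
it will negotiate (added example, not from the thread or from Tomcat)."""
import re
import socket
import ssl

# The only TLS 1.3 cipher suite names that exist (RFC 8446, appendix B.4).
RFC8446_SUITES = (
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
)
_HASH_SUFFIX = re.compile(r"_SHA(256|384)$")


def split_cipher_string(value):
    """OpenSSL accepts ':', ',' and whitespace as separators; the APR connector passes the string through."""
    return [tok for tok in re.split(r"[:,\s]+", value.strip()) if tok]


def classify_cipher_string(value):
    """Sort entries into real TLS 1.3 suites, pre-1.3 OpenSSL tokens, and TLS_* names RFC 8446 never defined."""
    out = {"tls13": [], "legacy": [], "not_rfc8446": []}
    for tok in split_cipher_string(value):
        if tok in RFC8446_SUITES:
            out["tls13"].append(tok)
        elif tok.startswith("TLS_"):
            out["not_rfc8446"].append(tok)
        else:
            out["legacy"].append(tok)  # left to OpenSSL's cipher-list parser; not validated here
    return out


def suggest_fix(bad_name):
    """For a mistyped TLS 1.3 name, the RFC 8446 suite with the same AEAD, if there is one."""
    base = _HASH_SUFFIX.sub("", bad_name)
    for suite in RFC8446_SUITES:
        if _HASH_SUFFIX.sub("", suite) == base:
            return suite
    return None


def corrected_cipher_string(value):
    """Same list with mistyped TLS 1.3 names repaired or dropped, comma-separated as in server.xml."""
    fixed = []
    for tok in split_cipher_string(value):
        if tok.startswith("TLS_") and tok not in RFC8446_SUITES:
            tok = suggest_fix(tok)
            if tok is None:
                continue
        fixed.append(tok)
    return ",".join(fixed)


VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def negotiate(host, port, version, timeout=5.0):
    """Offer the server exactly one protocol version; return (negotiated version, cipher) or None."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we only ask what the server negotiates; no trust decision is made
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ssl.SSLError, ValueError):
        return None


def sweep(host, port):
    """Map each version name to what the server negotiated, or None if the handshake failed."""
    return {name: negotiate(host, port, v) for name, v in VERSIONS.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # python tlscheck.py '<SSLCipherSuite value>'
        print(classify_cipher_string(sys.argv[1]))
        print(corrected_cipher_string(sys.argv[1]))
    elif len(sys.argv) == 3:  # python tlscheck.py host port
        for name, result in sweep(sys.argv[1], int(sys.argv[2])).items():
            print(f"{name:8} {result or 'not negotiated'}")
```

Feeding the SSLCipherSuite value from the quoted server.xml to the first mode lists TLS_CHACHA20_POLY1305_SHA384 under not_rfc8446 and proposes TLS_CHACHA20_POLY1305_SHA256; the second mode against the connector shows, per version, whether the handshake completed and with which cipher, so a missing TLSv1.3 row is visible before any browser or scanner gets involved.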
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-09-19 Thread Усманов Азат Анварович
Hi Chris! Yes, the SSL Labs test does show TLS 1.0 and TLS 1.1 enabled when I omit
the supportedProtocols attribute. The current version of the SSL Labs server test uses
the draft 28 version for TLS 1.3 testing, which is why I used the Chrome beta test. What
steps do I need to take to file an enhancement request in Bugzilla? I'm a newbie
to the Tomcat users list.

From: Christopher Schultz
Sent: 19 September 2018 23:31:28
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove the supportedProtocols attribute entirely
> (the SSL Labs server test confirms it).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

> <Connector maxPostSize="10485760 " maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
> is required for TLS 1.3 to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
-chris

> From: Christopher Schultz
> Sent: 18 September 2018 23:27
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>> using APR/tomcat-native with OpenSSL for TLS connections
>> (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support; I have
>> upgraded to it successfully. My question is if and when
>> Tomcat 7 will be upgraded to support TLS 1.3 through
>> APR/tomcat-native/OpenSSL? Do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least until both Chrome and
>> Firefox release their browser updates for RFC 8446 support
>> (which are both scheduled for mid-October: Chrome 70 and Firefox
>> 63) but would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-09-19 Thread Christopher Schultz

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely 
> (SSL Labs server test confirms it ).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

>  maxPostSize="10485760 "  maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
>
> maxThreads="350"  minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,
> TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,
> ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,
> ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,
> ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,
> ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,
> ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
> ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
> 
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
> is required for TLS 1.3 to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
-chris

> From: Christopher Schultz
> Sent: 18 September 2018 23:27
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
> 
> Усманов,
> 
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>> using APR/tomcat-native with OpenSSL for TLS connections
>> (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support; I have
>> upgraded to it successfully. My question is if and when
>> Tomcat 7 will be upgraded to support TLS 1.3 through
>> APR/tomcat-native/OpenSSL? Do such plans even exist?
> 
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
> 
>> I'm guessing it will not happen at least until both Chrome and
>> Firefox release their browser updates for RFC 8446 support
>> (which are both scheduled for mid-October: Chrome 70 and Firefox
>> 63) but would like to know more about it
> 
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
> 
> The OpenSSL project states that 1.1.1 is a drop-in API- and 
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should 
> "just work" under certain conditions.
> 
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
> 
> Please let me know if you have any success with an out-of-the-box 
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
> 
> -chris
> 

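The cipher string posted in this thread mixes the IANA-style TLS 1.3 names with classic OpenSSL names, and one of the TLS 1.3 names is not a real suite. A caveat worth knowing before chasing the handshake: with OpenSSL 1.1.1 the five TLS 1.3 suites defined by RFC 8446 are configured through SSL_CTX_set_ciphersuites() and are enabled by default, while a TLS 1.2-style cipher string goes to SSL_CTX_set_cipher_list(), which does not control them. Listing them there is therefore neither required by OpenSSL nor harmful; whether Tomcat 7 with tcnative 1.2.17 lets a TLS 1.3 handshake happen at all is the separate question the thread is about. The script below is an added example, not code from the thread or from Tomcat/tcnative. It splits a Tomcat-style SSLCipherSuite value into TLS 1.3 names, legacy OpenSSL names and unrecognized TLS_ names, suggests the nearest valid suite for a typo, and (as an environment-dependent extra) asks the OpenSSL behind Python's ssl module which legacy names it actually enables. The sample input is the posted value, reassembled from the line-wrapped quote.

```python
"""Classify a Tomcat-style SSLCipherSuite value.

Added example, not code from the thread or from Tomcat/tcnative.
"""
import difflib
import ssl

# The five cipher suites RFC 8446 defines for TLS 1.3. OpenSSL 1.1.1 configures
# these with SSL_CTX_set_ciphersuites(), not with the classic cipher list.
TLS13_SUITES = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
)

# The SSLCipherSuite value from the server.xml posted in this thread.
POSTED_CIPHER_STRING = (
    "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,"
    "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,"
    "ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,"
    "ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,"
    "ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,"
    "ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,"
    "ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"
)


def split_cipher_string(value):
    """Split on ',' or ':' (the posted value uses commas, OpenSSL uses colons)
    and drop empty items left by stray separators or whitespace."""
    return [name.strip() for name in value.replace(":", ",").split(",") if name.strip()]


def classify(value):
    """Return (tls13, legacy, unknown_tls13), each in configured order.

    A name written in IANA style (TLS_...) is taken as an attempt to name a
    TLS 1.3 suite; anything else is treated as a classic OpenSSL cipher name.
    """
    tls13, legacy, unknown = [], [], []
    for name in split_cipher_string(value):
        if name.startswith("TLS_"):
            (tls13 if name in TLS13_SUITES else unknown).append(name)
        else:
            legacy.append(name)
    return tls13, legacy, unknown


def nearest_tls13_suite(name):
    """Best guess for a mistyped TLS 1.3 name, or None if nothing is close."""
    matches = difflib.get_close_matches(name, TLS13_SUITES, n=1, cutoff=0.8)
    return matches[0] if matches else None


def unknown_to_local_openssl(legacy):
    """Legacy names the local OpenSSL does not enable for this list.

    OpenSSL silently drops unknown names from a cipher list (it only errors
    when nothing at all matches), so this is how a typo gets noticed. The
    answer depends on the OpenSSL build behind Python's ssl module.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(":".join(legacy))
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return [name for name in legacy if name not in enabled]


if __name__ == "__main__":
    tls13, legacy, unknown = classify(POSTED_CIPHER_STRING)
    print("TLS 1.3 suites named:", tls13)
    print("legacy suites named:", len(legacy))
    for name in unknown:
        print(f"not a TLS 1.3 suite: {name} (did you mean {nearest_tls13_suite(name)}?)")
    print("legacy names unknown to this OpenSSL:", unknown_to_local_openssl(legacy))
```

On the posted value the classifier reports TLS_CHACHA20_POLY1305_SHA384 as not a TLS 1.3 suite (the real name ends in SHA256), and the local-OpenSSL check also flags ECDHE-ECDSA-AES256-GCM-SHA256, which is not an OpenSSL cipher name: the AES-256-GCM suites are the SHA384 ones. Neither typo breaks the connector, because OpenSSL ignores what it does not recognize, which is exactly why a check like this is worth running before concluding that a protocol is unsupported.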


Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-09-19 Thread Усманов Азат Анварович
Hi Christopher! I did remove the supportedProtocols attribute entirely (SSL Labs
server test confirms it). I also did install Chrome 70 beta and did enable the TLS
1.3 final version in it, but the security tab in Chrome still shows TLS 1.2 as
my protocol and no TLS 1.3. Here is my connector from the server.xml



I did put
TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256 as
TLS 1.3 ciphers for TLS 1.3, so my guess is that more work is required for
TLS 1.3 to work in my case


From: Christopher Schultz
Sent: 18 September 2018 23:27
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native


Усманов,

On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
> using APR/tomcat-native with OpenSSL for TLS connections
> (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
> stable OpenSSL release (1.1.1) has TLS 1.3 support; I have upgraded
> to it successfully. My question is if and when Tomcat 7 will
> be upgraded to support TLS 1.3 through APR/tomcat-native/OpenSSL?
> Do such plans even exist?

Try not specifying any "supported protocol" (e.g. allow all protocol
flavors), and OpenSSL should allow TLSv1.3 to be negotiated.

> I'm guessing it will not happen at least until both Chrome and
> Firefox release their browser updates for RFC 8446 support
> (which are both scheduled for mid-October: Chrome 70 and Firefox 63)
> but would like to know more about it

I for one would like to see TLSv1.3 supported as quickly as possible.

The OpenSSL project states that 1.1.1 is a drop-in API- and
ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
"just work" under certain conditions.

Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) by
default which might make things tricky when trying to accept "all
protocols" as described above.

Please let me know if you have any success with an out-of-the-box
Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in Tomcat
that might *prevent* TLSv1.3 from being available.

-chris



Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-09-18 Thread Christopher Schultz

Усманов,

On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
> using APR/tomcat-native with OpenSSL for TLS connections
> (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
> stable OpenSSL release (1.1.1) has TLS 1.3 support; I have upgraded
> to it successfully. My question is if and when Tomcat 7 will
> be upgraded to support TLS 1.3 through APR/tomcat-native/OpenSSL?
> Do such plans even exist?

Try not specifying any "supported protocol" (e.g. allow all protocol
flavors), and OpenSSL should allow TLSv1.3 to be negotiated.

> I'm guessing it will not happen at least until both Chrome and
> Firefox release their browser updates for RFC 8446 support
> (which are both scheduled for mid-October: Chrome 70 and Firefox 63)
> but would like to know more about it

I for one would like to see TLSv1.3 supported as quickly as possible.

The OpenSSL project states that 1.1.1 is a drop-in API- and
ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
"just work" under certain conditions.

Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) by
default which might make things tricky when trying to accept "all
protocols" as described above.

Please let me know if you have any success with an out-of-the-box
Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in Tomcat
that might *prevent* TLSv1.3 from being available.

-chris



TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-09-18 Thread Усманов Азат Анварович
Hi everyone!

I have a Java 7 web application that runs on Tomcat 7.0.70. I'm using
APR/tomcat-native with OpenSSL for TLS connections (tomcat-native 1.2.17, APR
1.6, OpenSSL 1.1.1, RHEL 6). The latest stable OpenSSL release (1.1.1) has TLS 1.3
support; I have upgraded to it successfully. My question is if and when
Tomcat 7 will be upgraded to support TLS 1.3 through
APR/tomcat-native/OpenSSL? Do such plans even exist?

I'm guessing it will not happen at least until both Chrome and Firefox release
their browser updates for RFC 8446 support (which are both scheduled for
mid-October: Chrome 70 and Firefox 63) but would like to know more about it


Re: Tomcat native tc and a custom OpenSSL engine for ECDH

2018-08-06 Thread Christopher Schultz

Piyush,

On 8/6/18 7:37 PM, Piyush K wrote:
> Hi Christopher,
> 
> I am using my own custom OpenSSL engine that I wrote for elliptical
> curve doggie Hellman (ECDH)
> 
> I am setting the SSLEngine to my engine name in the Listener in the
> tomcat configuration file (conf/server.xml)
> 
> But looks like the engine is not being set in the function call to
> SSL_dh_GetParamFromFile(...) which returns the pointer to DH (in
> file tomcat-native-1.2.16-arc/native/src/sslcontext.c) , I don't
> believe the engine is being set (as SSL_dh_GetParamFromFile(...)
> calls PEM_read_bio_DHparams(...). However SSL_dh_GetParamFromFile
> doesn't set the  ENGINE * parameter inside the structure for DH
> (aliased as dh_st). Because ENGINE * is not set the default OpenSSL
> implementation for ECDH is getting called. Please correct me if I
> am wrong,

Just for confirmation, please post your <Connector> and <Listener>
configurations, plus the relevant log file lines from catalina.out (or
similar) that show the APRLifecycleListener starting up.

-chris

>> On Aug 4, 2018, at 8:49 AM, Christopher Schultz
>>  wrote:
>> 
> Piyush,
> 
>>>> On 8/3/18 2:52 PM, Piyush K wrote:
>>>> 
>>>> Dear tomcat community,
>>>> 
>>>> I have a question - I am using tomcat and OpenSSL (with apr
>>>> and tomcat-native-1.2.16). Versions are as follows :-
>>>> apr-1-config 1.5.2 tomcat-native-1.2.16 OpenSSL 1.1.0 Tomcat
>>>> 8.5.31
>>>> 
>>>> This works fine with my custom OpenSSL 1.1.0 installation.
>>>> Next I wrote my own custom OpenSSL engine for ECDHE
>>>> (ephemeral even), however tomcat native still seems to make
>>>> calls to the default ECDHE engine that comes with OpenSSL
>>>> (instead of using mine, even though I compiled, tested and
>>>> installed the needed shared object in the relevant directory
>>>> for OpenSSL engines shared objects). Does the tomcat native
>>>> code need to be modified to support a custom OpenSSL engine
>>>> for ECDHE? If yes, can I get some help on which places and
>>>> which files one needs to modify (I have looked at the file
>>>> sslcontext.c but it is bit very clear on how to tie your
>>>> custom OpenSSL ECDHE engine with the EC keys being
>>>> generated)
> 
> 
> Do you have your own "engine" or are you just replacing one of the
> cipher suites?
> 
> What does your Tomcat <Connector> configuration and APR <Listener>
> look like?
> 
> You probably have to set the "SSLEngine" attribute to identify
> your custom engine.
> 
> http://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener
> 
> -chris



Re: Tomcat native tc and a custom OpenSSL engine for ECDH

2018-08-06 Thread Piyush K
I meant "Diffie Hellman", my iPhone spell checker has a mind of its own :)

Sent from my iPhone

> On Aug 6, 2018, at 4:37 PM, Piyush K  wrote:
> 
> Hi Christopher,
> 
> I am using my own custom OpenSSL engine that I wrote for elliptical curve 
> doggie Hellman (ECDH)
> 
> I am setting the SSLEngine to my engine name in the Listener in the 
> tomcat configuration file (conf/server.xml)
> 
> But looks like the engine is not being set in the function call to 
> SSL_dh_GetParamFromFile(...) which returns the pointer to DH (in file 
> tomcat-native-1.2.16-arc/native/src/sslcontext.c) , I don't believe the 
> engine is being set (as 
> SSL_dh_GetParamFromFile(...) calls PEM_read_bio_DHparams(...). However 
> SSL_dh_GetParamFromFile doesn't set the  ENGINE * parameter inside the 
> structure for DH (aliased as dh_st). Because ENGINE * is not set the default 
> OpenSSL implementation for ECDH is getting called. 
>Please correct me if I am wrong,
> 
> Regards,
> Piyush
> 
> Sent from my iPhone
> 
>> On Aug 4, 2018, at 8:49 AM, Christopher Schultz 
>>  wrote:
>> 
>> 
>> Piyush,
>> 
>>> On 8/3/18 2:52 PM, Piyush K wrote:
>>> 
>>> Dear tomcat community,
>>> 
>>> I have a question - I am using tomcat and OpenSSL (with apr and
>>> tomcat-native-1.2.16). Versions are as follows :- apr-1-config
>>> 1.5.2 tomcat-native-1.2.16 OpenSSL 1.1.0 Tomcat 8.5.31
>>> 
>>> This works fine with my custom OpenSSL 1.1.0 installation. Next
>>> I wrote my own custom OpenSSL engine for ECDHE (ephemeral even),
>>> however tomcat native still seems to make calls to the default
>>> ECDHE engine that comes with OpenSSL (instead of using mine, even
>>> though I compiled, tested and installed the needed shared object
>>> in the relevant directory for OpenSSL engines shared objects).
>>> Does the tomcat native code need to be modified to support a
>>> custom OpenSSL engine for ECDHE? If yes, can I get some help on
>>> which places and which files one needs to modify (I have looked
>>> at the file sslcontext.c but it is bit very clear on how to tie
>>> your custom OpenSSL ECDHE engine with the EC keys being generated)
>> 
>> 
>> Do you have your own "engine" or are you just replacing one of the
>> cipher suites?
>> 
>> What does your Tomcat <Connector> configuration and APR <Listener>
>> look like?
>> 
>> You probably have to set the "SSLEngine" attribute to identify your
>> custom engine.
>> 
>> http://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener
>> 
>> -chris



Re: Tomcat native tc and a custom OpenSSL engine for ECDH

2018-08-06 Thread Piyush K
Hi Christopher,

 I am using my own custom OpenSSL engine that I wrote for elliptical curve 
doggie Hellman (ECDH)

 I am setting the SSLEngine to my engine name in the Listener in the tomcat 
configuration file (conf/server.xml)

 But looks like the engine is not being set in the function call to 
SSL_dh_GetParamFromFile(...) which returns the pointer to DH (in file 
tomcat-native-1.2.16-arc/native/src/sslcontext.c) , I don't believe the engine 
is being set (as 
SSL_dh_GetParamFromFile(...) calls PEM_read_bio_DHparams(...). However 
SSL_dh_GetParamFromFile doesn't set the  ENGINE * parameter inside the 
structure for DH (aliased as dh_st). Because ENGINE * is not set the default 
OpenSSL implementation for ECDH is getting called. 
Please correct me if I am wrong,

Regards,
Piyush
  
Sent from my iPhone

> On Aug 4, 2018, at 8:49 AM, Christopher Schultz 
>  wrote:
> 
> 
> Piyush,
> 
>> On 8/3/18 2:52 PM, Piyush K wrote:
>> 
>> Dear tomcat community,
>> 
>> I have a question - I am using tomcat and OpenSSL (with apr and
>> tomcat-native-1.2.16). Versions are as follows :- apr-1-config
>> 1.5.2 tomcat-native-1.2.16 OpenSSL 1.1.0 Tomcat 8.5.31
>> 
>> This works fine with my custom OpenSSL 1.1.0 installation. Next
>> I wrote my own custom OpenSSL engine for ECDHE (ephemeral even),
>> however tomcat native still seems to make calls to the default
>> ECDHE engine that comes with OpenSSL (instead of using mine, even
>> though I compiled, tested and installed the needed shared object
>> in the relevant directory for OpenSSL engines shared objects).
>> Does the tomcat native code need to be modified to support a
>> custom OpenSSL engine for ECDHE? If yes, can I get some help on
>> which places and which files one needs to modify (I have looked
>> at the file sslcontext.c but it is bit very clear on how to tie
>> your custom OpenSSL ECDHE engine with the EC keys being generated)
> 
> 
> Do you have your own "engine" or are you just replacing one of the
> cipher suites?
> 
> What does your Tomcat <Connector> configuration and APR <Listener>
> look like?
> 
> You probably have to set the "SSLEngine" attribute to identify your
> custom engine.
> 
> http://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener
> 
> -chris



Re: Tomcat native tc and a custom OpenSSL engine for ECDH

2018-08-04 Thread Christopher Schultz

Piyush,

On 8/3/18 2:52 PM, Piyush K wrote:
> 
> Dear tomcat community,
> 
> I have a question - I am using tomcat and OpenSSL (with apr and
> tomcat-native-1.2.16). Versions are as follows :- apr-1-config
> 1.5.2 tomcat-native-1.2.16 OpenSSL 1.1.0 Tomcat 8.5.31
> 
> This works fine with my custom OpenSSL 1.1.0 installation. Next
> I wrote my own custom OpenSSL engine for ECDHE (ephemeral even),
> however tomcat native still seems to make calls to the default
> ECDHE engine that comes with OpenSSL (instead of using mine, even
> though I compiled, tested and installed the needed shared object
> in the relevant directory for OpenSSL engines shared objects).
> Does the tomcat native code need to be modified to support a
> custom OpenSSL engine for ECDHE? If yes, can I get some help on
> which places and which files one needs to modify (I have looked
> at the file sslcontext.c but it is bit very clear on how to tie
> your custom OpenSSL ECDHE engine with the EC keys being generated)


Do you have your own "engine" or are you just replacing one of the
cipher suites?

What does your Tomcat <Connector> configuration and APR <Listener>
look like?

You probably have to set the "SSLEngine" attribute to identify your
custom engine.

http://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener

-chris



Tomcat native tc and a custom OpenSSL engine for ECDH

2018-08-03 Thread Piyush K


Dear tomcat community,

I have a question - I am using tomcat and OpenSSL (with apr and
tomcat-native-1.2.16). Versions are as follows :-
apr-1-config 1.5.2
tomcat-native-1.2.16
OpenSSL 1.1.0
Tomcat 8.5.31

This works fine with my custom OpenSSL 1.1.0 installation.
Next I wrote my own custom OpenSSL engine for ECDHE (ephemeral even), however
tomcat native still seems to make calls to the default ECDHE engine that comes
with OpenSSL (instead of using mine, even though I compiled, tested and
installed the needed shared object in the relevant directory for OpenSSL
engines shared objects).
Does the tomcat native code need to be modified to support a custom OpenSSL
engine for ECDHE?
If yes, can I get some help on which places and which files one needs to modify
(I have looked at the file sslcontext.c but it is bit very clear on how to tie
your custom OpenSSL ECDHE engine with the EC keys being generated)

Regards,
Piyush

Sent from my iPhone



[SECURITY] CVE-2018-8020 Apache Tomcat Native Connector - Mishandled OCSP responses can allow clients to authenticate with revoked certificates

2018-07-21 Thread Jean-Frederic Clere
CVE-2018-8020 Apache Tomcat Native Connector - Mishandled OCSP responses can 
allow clients to authenticate with revoked certificates

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.16
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
Apache Tomcat Native has a flaw that does not properly check OCSP pre-produced
responses, which are lists (multiple entries) of certificate statuses.
Subsequently, revoked client certificates may not be properly identified,
allowing users to authenticate with revoked certificates to connections that
require mutual TLS.
Users not using OCSP checks are not affected by this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 1.2.17 or later
  Note: This version was included in Apache Tomcat 9.0.10 onwards, 8.5.32
  onwards, 8.0.53 onwards and 7.0.90 onwards.

History:
2018-03-09 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html




[SECURITY] CVE-2018-8019 Apache Tomcat Native Connector - Mishandled OCSP invalid response

2018-07-21 Thread Jean-Frederic Clere
CVE-2018-8019 Apache Tomcat Native Connector - Mishandled OCSP invalid response

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.16
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
When using an OCSP responder Tomcat Native did not correctly handle invalid 
responses. This allowed for revoked client certificates to be incorrectly 
identified. It was therefore possible for users to authenticate with revoked 
certificates when using mutual TLS.
Users not using OCSP checks are not affected by this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 1.2.17 or later
  Note: This version was included in Apache Tomcat 9.0.10 onwards, 8.5.32
  onwards, 8.0.53 onwards and 7.0.90 onwards.

History:
2018-03-09 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html




[ANN] Apache Tomcat Native 1.2.17 released

2018-06-19 Thread Jean-Frederic Clere
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.17 stable.

The key features of this release are:
- Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2o.
- Fix Certificate verification using CRL.
- Arrange OCSP response processing.

Note that users should now be using 1.2.x in preference to 1.1.x.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features
not found in contemporary JDKs. It uses the Apache Portable Runtime as
an operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.




[SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

2018-01-31 Thread Mark Thomas
CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.14
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
When parsing the AIA-Extension field of a client certificate, Apache
Tomcat Native did not correctly handle fields longer than 127 bytes. The
result of the parsing error was to skip the OCSP check. It was therefore
possible for client certificates that should have been rejected (if the
OCSP check had been made) to be accepted.
Users not using OCSP checks are not affected by this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 1.2.16 or later
  Note: 1.2.15 was not released
  This version was included in Apache Tomcat 9.0.2 onwards, 8.5.24
  onwards, 8.0.48 onwards and 7.0.84 onwards.

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Jonas Klempel.

History:
2018-01-31 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html


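The three OCSP advisories above describe checks that failed in two different shapes. CVE-2017-15698 turns on the 127-byte boundary, which is exactly where DER switches from a one-octet short-form length to the long form (0x81 followed by one length octet, 0x82 followed by two, and so on); a parser that reads the first length octet as the length works on every short field and silently misreads the first long one. CVE-2018-8020 turns on a response carrying several certificate statuses, of which only one belongs to the certificate being checked; a checker must find that one and treat "not found" as not good. The block below is an added example, not Tomcat Native code and not a reconstruction of the actual bugs: a DER TLV reader that handles both length forms, a deliberately naive one that does not, and a status lookup over a multi-entry list that matches on serial number and fails closed. The encoded sample is constructed inline as SEQUENCE OF SEQUENCE { INTEGER serial, ENUMERATED status, OCTET STRING filler }; that layout and the use of a bare serial in place of OCSP's CertID are simplifications for illustration, not the ASN.1 of a real BasicOCSPResponse.

```python
"""DER length handling and multi-entry status lookup.

Added example: not Tomcat Native code and not a reconstruction of the
advisories' bugs. The encoded structure is a constructed stand-in
(SEQUENCE OF SEQUENCE { INTEGER serial, ENUMERATED status, OCTET STRING
filler }), not OCSP's real ASN.1; the serial number stands in for CertID.
"""

TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
STATUS = {0: "good", 1: "revoked", 2: "unknown"}   # mirrors OCSP's CertStatus choices


def der_length(n):
    """Short form below 128; long form (0x80 | octet count, then the
    big-endian length) from 128 upward. 127 is the last short-form value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def der_int(n):
    # One spare bit so a set high bit never makes a positive value look negative.
    return tlv(TAG_INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def parse_tlv(buf, off=0):
    """Return (tag, body, next_offset); correct for both length forms and
    rejecting truncated, indefinite-length and non-minimal encodings."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad length octet")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if length < 0x80:
            raise ValueError("non-minimal length")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def naive_parse_tlv(buf, off=0):
    """The mistake: the first length octet is taken as the length, so any
    element longer than 127 bytes is read with the wrong size and everything
    after it is misaligned."""
    tag, length = buf[off], buf[off + 1]
    return tag, buf[off + 2:off + 2 + length], off + 2 + length


def children(body):
    """All (tag, body) elements directly inside a constructed body."""
    items, off = [], 0
    while off < len(body):
        tag, inner, off = parse_tlv(body, off)
        items.append((tag, inner))
    return items


def build_response(entries):
    """entries: (serial, status, filler_len). The filler pads an entry so
    that its length crosses 127 and needs the long form."""
    body = b"".join(
        tlv(TAG_SEQUENCE, der_int(serial) + tlv(TAG_ENUMERATED, bytes([status]))
            + tlv(TAG_OCTET_STRING, b"\x00" * filler))
        for serial, status, filler in entries)
    return tlv(TAG_SEQUENCE, body)


def status_for(response, serial):
    """Walk every entry and match on serial. Not found means 'unknown':
    a checker fails closed and never treats a missing entry as good."""
    tag, body, _ = parse_tlv(response)
    if tag != TAG_SEQUENCE:
        raise ValueError("response is not a SEQUENCE")
    for etag, entry in children(body):
        fields = children(entry)
        if etag != TAG_SEQUENCE or fields[0][0] != TAG_INTEGER or fields[1][0] != TAG_ENUMERATED:
            raise ValueError("malformed entry")
        if int.from_bytes(fields[0][1], "big") == serial:
            return STATUS.get(fields[1][1][0], "unknown")
    return "unknown"


def first_entry_status(response):
    """The multi-entry mistake: report the first status in the list,
    whichever certificate it belongs to."""
    _, body, _ = parse_tlv(response)
    _, entry, _ = parse_tlv(body)
    return STATUS.get(children(entry)[1][1][0], "unknown")


def body_lengths(element):
    """(body length seen by the correct reader, by the naive reader)."""
    return len(parse_tlv(element)[1]), len(naive_parse_tlv(element)[1])


# Constructed sample: three statuses, the revoked one padded past 127 bytes.
SAMPLE = build_response([(0x1001, 0, 0), (0x1002, 1, 140), (0x1003, 0, 0)])
LONG_ENTRY = tlv(TAG_SEQUENCE, der_int(0x1002) + tlv(TAG_ENUMERATED, b"\x01")
               + tlv(TAG_OCTET_STRING, b"\x00" * 140))

if __name__ == "__main__":
    print("serial 0x1002, full lookup:", status_for(SAMPLE, 0x1002))
    print("serial 0x1002, first entry only:", first_entry_status(SAMPLE))
    print("padded entry body length, correct vs naive:", body_lengths(LONG_ENTRY))
```

Run as a script it reports "revoked" from the full lookup and "good" from the first-entry shortcut for the same serial, and shows the naive reader taking 129 bytes (0x81 read as a length) where the element's body is actually 150 bytes long. Whatever parser a real deployment uses, the two properties to test for are the ones exercised here: a field just over 127 bytes is decoded to the same value as one just under, and a status is only ever accepted from the entry whose identifier matches the certificate being checked.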


[ANN] Apache Tomcat Native 1.2.16 released

2017-12-01 Thread Mark Thomas
Apologies for the delayed announcement.

The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.16 stable.

The key features of this release are:
- Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2m.
- Improved parsing of OCSP extensions

Note that users should now be using 1.2.x in preference to 1.1.x.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features
not found in contemporary JDKs. It uses the Apache Portable Runtime as
an operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.



Thank you,
-- 
The Apache Tomcat Team




Re: OSCP support in tomcat-native (was OCSP)

2017-11-10 Thread Coty Sutherland
On Thu, Nov 9, 2017 at 1:45 PM, Christopher Schultz wrote:
>
> Coty,
>
> On 11/9/17 12:19 PM, Coty Sutherland wrote:
>> Hi,
>>
>> I'm trying to determine whether or not we fully support OCSP in
>> tomcat-native 1.2.x on Linux. There isn't any documentation about
>> it other than some on the Downloads page that says it's
>> experimental on Windows:
>>
>> "The Windows binaries are available in two variants. a) Default.
>> This is what people usually use. This version of library is
>> included in Apache Tomcat distributions. b) OCSP-enabled. This one
>> has enabled (experimental) support for verification of client SSL
>> certificates via OCSP protocol (45392)."
>>
>> I see that it's enabled by default when building Linux, but for
>> Windows you have to enable it in the build.
>>
>> Can anyone help me out here?
>
> Without reading anything at all (from memory), I believe it all has to
> do with how OpenSSL itself was built.
>
> The reason we are mum on *NIX is because the consumer is expected to
> provide their own OpenSSL library, while the Windows build comes from
> us with a statically-linked OpenSSL (with or without OCSP compiled-in).

So technically all OCSP support is considered experimental then (since
we consider OCSP support in Windows experimental where we know that
openssl supports it)? It isn't just a pass through to openssl, the
call to the OCSP server (for example) happens inside of tomcat-native.
I have a user complaining about the fact that there's no logging in
those functions, so I plan to eventually add some, but I wanted to
make sure we are confident that it works correctly first :)

> -chris




Re: OSCP support in tomcat-native (was OCSP)

2017-11-09 Thread Christopher Schultz

Coty,

On 11/9/17 12:19 PM, Coty Sutherland wrote:
> Hi,
> 
> I'm trying to determine whether or not we fully support OCSP in 
> tomcat-native 1.2.x on Linux. There isn't any documentation about
> it other than some on the Downloads page that says it's
> experimental on Windows:
> 
> "The Windows binaries are available in two variants. a) Default.
> This is what people usually use. This version of library is
> included in Apache Tomcat distributions. b) OCSP-enabled. This one
> has enabled (experimental) support for verification of client SSL
> certificates via OCSP protocol (45392)."
> 
> I see that it's enabled by default when building Linux, but for 
> Windows you have to enable it in the build.
> 
> Can anyone help me out here?

Without reading anything at all (from memory), I believe it all has to
do with how OpenSSL itself was built.

The reason we are mum on *NIX is because the consumer is expected to
provide their own OpenSSL library, while the Windows build comes from
us with a statically-linked OpenSSL (with or without OCSP compiled-in).

-chris



OCSP support in tomcat-native

2017-11-09 Thread Coty Sutherland
Hi,

I'm trying to determine whether or not we fully support OCSP in
tomcat-native 1.2.x on Linux. There isn't any documentation about it
other than some on the Downloads page that says it's experimental on
Windows:

"The Windows binaries are available in two variants. a) Default. This
is what people usually use. This version of library is included in
Apache Tomcat distributions. b) OCSP-enabled. This one has enabled
(experimental) support for verification of client SSL certificates via
OCSP protocol (45392)."

I see that it's enabled by default when building Linux, but for
Windows you have to enable it in the build.

Can anyone help me out here?



Thanks,
Coty




[ANN] End of life for Apache Tomcat Native 1.1.x

2017-09-21 Thread Mark Thomas
The Apache Tomcat Team announces that support for Apache Tomcat Native
1.1.x will end on 30 September 2018.

This means that after 30 September 2018:
- releases from the 1.1.x branch are highly unlikely
- bugs affecting only the 1.1.x branch will not be addressed
- security vulnerability reports will not be checked against the 1.1.x
  branch
- Apache Tomcat releases of 7.0.x after this date may require 1.2.x as a
  minimum

Three months later (i.e. after 31 December 2018):
- the 1.1.x download pages will be removed
- the latest 1.1.x release will be removed from the mirror system
- the links to the 1.1.x documentation will be removed from
  tomcat.apache.org

The latest binary releases of 1.1.x for Microsoft Windows are not built
with a current version of OpenSSL and will therefore be removed from the
download pages with immediate effect.

Please also note the following additional information:

Tomcat 8.5.x and 9.0.x require a minimum of Tomcat Native 1.2.x and are
therefore unaffected by this notice.

Tomcat 8.0.x will reach end of life on 30 June 2018 and is therefore
unaffected by this notice.

Only Tomcat 7.0.x is affected by this notice.

Tomcat 7.0.x has shipped with Tomcat Native 1.2.x since 7.0.70 (June 2016).

All 1.1.x releases will always be available from the archive.

Tomcat Native 1.2.x is a drop-in replacement for 1.1.x although it does
require OpenSSL 1.0.2 as a minimum.

All Tomcat Native releases from 1.1.34 onwards have indicated that users
should use 1.2.x in preference to 1.1.x.

The most recent release of 1.1.x (1.1.34) was released in December 2015.
It is likely that 1.1.34 will be the final 1.1.x release unless a
security vulnerability is discovered in 1.1.x that cannot be worked
around without a new release.



