Sanaullah,

On 10/29/14 9:54 AM, Sanaullah wrote:
> I again started working on SSLEngine with safenet and I need some
> help, how to enable the debugging? I configure the engine as
> "LunaCA3".
>
> <Listener class="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="LunaCA3" />
>
> Here is error log after starting the server.
>
> Oct 29, 2014 1:40:21 PM
> org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR
> based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
> Oct 29, 2014 1:40:22 PM
> org.apache.catalina.core.AprLifecycleListener init INFO: APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true]. Oct 29, 2014 1:40:22 PM
> org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> SEVERE: Failed to initialize the SSLEngine.
> org.apache.tomcat.jni.Error: 70023: This function has not been
> implemented on this platform

So the error code 70023 is (at least on my Linux system) equal to the
APR error code with the label APR_ENOTIMPL. I can see that in a few
places in the native implementation of the "initialize" method:

Starting on line native/src/ssl.c:679:

    if ((ee = ENGINE_by_id(J2S(engine))) == NULL
        && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
        err = APR_ENOTIMPL;
    else {
        if (strcmp(J2S(engine), "chil") == 0)
            ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
        if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
            err = APR_ENOTIMPL;
    }

Again, starting on native/src/ssl.c:711:

    SSL_TMP_KEYS_INIT(r);
    if (r) {
        TCN_FREE_CSTRING(engine);
        ssl_init_cleanup(NULL);
        tcn_ThrowAPRException(e, APR_ENOTIMPL);
        return APR_ENOTIMPL;
    }

So, either the engine cannot be loaded, or we can't call
ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the
key init that's failing, given that you are trying to use a special
engine.

Are you comfortable modifying the code for tcnative? If you are on a
UNIX platform, (re-)compilation is pretty easy. You can add some code
to dump out the state of things while the code executes.

I noticed at some point (re-reading the thread) that you were using
"SSLCryptoDevice LunaCA" but then somehow you and I started using
"LunaCA3". Have you tried with "LunaCA" (without the 3)?

When you can get httpd to do this for you, do you have to modify the
LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already have
whatever it needs in order to support the hardware crypto device? I'm
wondering if the JVM doesn't have the appropriate library available for
some reason.

What do you get when you run "openssl engine" from your command-line
without any other special circumstances?

-chris
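
Added example, not part of the original message and not Tomcat or tcnative code: a shell helper for the "openssl engine" check asked about above. It classifies an engine id from `openssl engine -t` output and flags near-miss ids such as "LunaCA" vs "LunaCA3"; the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an engine id against `openssl engine -t` output,
# which prints "(id) description" followed by "[ available ]" or
# "[ unavailable ]" for each engine.

# Constructed sample listing (not output from the poster's system).
SAMPLE_LISTING='(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(LunaCA) constructed sample entry
     [ available ]'

# engine_status ID: read a listing on stdin and print one of
# available | unavailable | listed (no -t line seen) | missing
engine_status() {
    awk -v want="$1" '
        /^\(/ { cur = substr($1, 2, length($1) - 2)
                if (cur == want) found = 1
                next }
        cur == want && /available \]/ {
                state = ($0 ~ /unavailable/) ? "unavailable" : "available" }
        END   { if (!found) print "missing"; else print (state == "" ? "listed" : state) }'
}

# near_ids ID: listed ids that differ from ID only by case, or where one is
# a prefix of the other (the "LunaCA" vs "LunaCA3" mix-up in this thread).
near_ids() {
    awk -v want="$1" '
        /^\(/ { id = substr($1, 2, length($1) - 2)
                a = tolower(id); b = tolower(want)
                if (id != want && (index(a, b) == 1 || index(b, a) == 1))
                    print id }'
}

# check_engine ID: run the real CLI (requires openssl on PATH).
check_engine() {
    byid=$(openssl engine -t "$1" 2>/dev/null) || true
    status=$(printf '%s\n' "$byid" | engine_status "$1")
    echo "engine '$1': $status"
    if [ "$status" = missing ]; then
        openssl engine 2>/dev/null | near_ids "$1" | sed 's/^/  similar id: /'
        echo "  LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
    fi
}

if [ "$#" -gt 0 ]; then check_engine "$1"; fi
```

Run it as the same user and with the same environment that starts Tomcat, so the library search path matches what the JVM sees.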