Sanaullah,

On 10/29/14 9:54 AM, Sanaullah wrote:
> I again started working on SSLEngine with SafeNet and I need some
> help: how do I enable debugging? I configured the engine as
> "LunaCA3".
> 
> <Listener class="org.apache.catalina.core.AprLifecycleListener" 
> SSLEngine="LunaCA3" />
> 
> Here is error log after starting the server.
> 
> Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
> Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> SEVERE: Failed to initialize the SSLEngine.
> org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

So the error code 70023 is (at least on my Linux system) equal to the
APR error code with the label APR_ENOTIMPL. I can see that in a few
places in the native implementation of the "initialize" method:

Starting on line native/src/ssl.c:679:
            if ((ee = ENGINE_by_id(J2S(engine))) == NULL
                && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
                err = APR_ENOTIMPL;
            else {
                if (strcmp(J2S(engine), "chil") == 0)
                    ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
                if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
                    err = APR_ENOTIMPL;
            }

Again, starting on native/src/ssl.c:711:
    SSL_TMP_KEYS_INIT(r);
    if (r) {
        TCN_FREE_CSTRING(engine);
        ssl_init_cleanup(NULL);
        tcn_ThrowAPRException(e, APR_ENOTIMPL);
        return APR_ENOTIMPL;
    }

So, either the engine cannot be loaded, or we can't call
ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the
key init that's failing, given that you are trying to use a special
engine.

Are you comfortable modifying the code for tcnative? If you are on a
UNIX platform, (re-)compilation is pretty easy. You can add some code
to dump out the state of things while the code executes.

I noticed at some point (re-reading the thread) that you were using
"SSLCryptoDevice LunaCA" but then somehow you and I started using
"LunaCA3". Have you tried with "LunaCA" (without the 3)?

When you can get httpd to do this for you, do you have to modify the
LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already
have whatever it needs in order to support the hardware crypto device?

I'm wondering if the JVM doesn't have the appropriate library
available for some reason.

What do you get when you run "openssl engine" from your command-line
without any other special circumstances?

-chris
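One way to carry out the check Chris asks for at the end of his reply (what "openssl engine" reports), as an added example that is not part of the thread and not code from tcnative or Tomcat: a POSIX shell script that parses the output of "openssl engine -t" and reports whether a given engine id is listed at all, whether OpenSSL marks it available, and which listed ids differ from the wanted one only by a prefix or suffix (the "LunaCA" vs "LunaCA3" question). The "missing" case corresponds to the ENGINE_by_id / ssl_try_load_engine path in ssl.c quoted above, where tcnative returns APR_ENOTIMPL. The sample output embedded in the script is constructed to mimic the real "openssl engine -t" format; the "(LunaCA)" line is a placeholder, not a real SafeNet engine listing.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or tcnative):
# parse `openssl engine -t` output and report the state of one engine id.

# CONSTRUCTED sample of `openssl engine -t` output. The "(LunaCA)" entry is a
# placeholder standing in for whatever id the SafeNet engine registers.
SAMPLE_ENGINE_OUTPUT='(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ available ]
(LunaCA) SafeNet Luna engine (constructed placeholder)
     [ unavailable ]'

# engine_status OUTPUT ID
# Prints one of: available | unavailable | missing
# Exit status: 0 = available, 1 = listed but unavailable, 2 = not listed.
engine_status() {
    _out=$1; _id=$2
    _status=$(printf '%s\n' "$_out" | awk -v id="$_id" '
        # "(id) description" header line: remember the id
        /^\(/ { cur = substr($1, 2, length($1) - 2); next }
        # "[ available ]" / "[ unavailable ]" line that follows the header
        /^[ \t]*\[/ && cur == id {
            if ($0 ~ /\[ available \]/) print "available"; else print "unavailable"
            found = 1; exit
        }
        END { if (!found) print "missing" }')
    printf '%s\n' "$_status"
    case $_status in
        available)   return 0 ;;
        unavailable) return 1 ;;
        *)           return 2 ;;
    esac
}

# similar_ids OUTPUT ID
# Prints listed engine ids that are a case-insensitive prefix of ID, or of
# which ID is a prefix (e.g. "LunaCA" when asked about "LunaCA3").
similar_ids() {
    _out=$1; _id=$2
    printf '%s\n' "$_out" | awk -v id="$_id" '
        /^\(/ {
            cur = substr($1, 2, length($1) - 2)
            a = tolower(cur); b = tolower(id)
            if (a != b && (index(a, b) == 1 || index(b, a) == 1)) print cur
        }'
}

# diagnose_engine ID [OUTPUT]
# With no second argument, runs `openssl engine -t` on this host (the live
# check); with one, parses the given text instead. Always returns 0.
diagnose_engine() {
    _id=$1
    _out=${2:-$(openssl engine -t 2>&1)}
    _st=$(engine_status "$_out" "$_id") || true
    printf 'engine %s: %s\n' "$_id" "$_st"
    case $_st in
        missing)
            printf '  not listed by "openssl engine": ENGINE_by_id/ssl_try_load_engine in ssl.c would fail -> APR_ENOTIMPL\n'
            _near=$(similar_ids "$_out" "$_id")
            if [ -n "$_near" ]; then
                printf '  listed ids that differ only by a prefix/suffix: %s\n' "$_near"
            fi
            ;;
        unavailable)
            printf '  listed, but its init failed: check the engine shared object and LD_LIBRARY_PATH\n'
            ;;
    esac
    return 0
}

# Stand-alone run against the constructed sample; drop the second argument
# to run against the real `openssl engine -t` output on your machine.
diagnose_engine LunaCA3 "$SAMPLE_ENGINE_OUTPUT"
```

Run it as "sh engine-check.sh" (any filename) to see the report for the sample; call "diagnose_engine LunaCA3" without the second argument, or source the file and call it from an interactive shell, to run the same parse over the live "openssl engine -t" output on the Tomcat host. Running it as the same user and with the same environment (LD_LIBRARY_PATH included) that starts the JVM is what makes the comparison with httpd meaningful.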
