Hi Chris,

The engine name is correct, it's "LunaCA3". Here is the code snippet from
OpenSSL for confirmation.

openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID  "LunaCA3"

I think the issue is with the static and shared libraries of OpenSSL. If
OpenSSL is built as shared, then this LunaCA3 engine does not work for Node.js,
and even for Apache as well; both required OpenSSL to be built static.

I tried to follow the Build document of tomcat native.
Building statically linked library on Unixes
--------------------------------------------

To statically link apr and openssl dependencies use the following
procedure.

You will need to build static version of openssl library.

> ./config --prefix=~/natives/openssl no-shared -fPIC
> make
> make install_sw
Apr by default builds both static and dynamic libraries.

> ./configure --prefix=~/natives/apr
> make
> make install

After that edit the ~/natives/apr/lib/libapr-1.la file
and comment or delete the following sections:
dlname='...' and library_names='...'
This is needed so that libtool picks the static version of the library.

Build Tomcat native by executing

> ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl \
      --prefix=~/natives/tomcat
> make
> make install


Here is something strange: OpenSSL successfully builds and installs with -fPIC,
but tcnative still gives me an error.

/usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation
R_X86_64_32 against `.rodata' can not be used when making a shared object;
recompile with -fPIC
/usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libtcnative-1.la] Error 1
make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
make: *** [all-recursive] Error 1

I am not sure what to do here?

Regards,
Sanaullah
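
As an added diagnostic (not code from the thread), a small shell check for the linker error above: it lists which members of a static archive such as libapr-1.a carry the absolute R_X86_64_32 relocations that mark objects compiled without -fPIC, which ld rejects when building a shared object like libtcnative-1.so. It assumes GNU binutils `readelf` is installed; the readelf output inside the block is a constructed sample, not taken from a real system.

```shell
#!/bin/sh
# Added example: find members of a static archive that were compiled without
# -fPIC, i.e. carry absolute 32-bit x86-64 relocations (R_X86_64_32 / R_X86_64_32S).
# ld refuses these when making a shared object, producing the
# "relocation R_X86_64_32 against `.rodata' can not be used" error.
set -eu

# Parse `readelf -rW` output on stdin and print each offending member once.
# readelf prefixes each archive member's relocations with "File: lib.a(member.o)",
# and with -W (wide) the relocation type is always the third field.
find_nonpic_members() {
    awk '
        /^File: / { member = $2; next }
        $3 ~ /^R_X86_64_32S?$/ && !(member in seen) { seen[member] = 1; print member }
    '
}

# Run the check against a real archive; returns 1 if any member is not PIC.
check_pic_archive() {
    bad=$(readelf -rW "$1" | find_nonpic_members)
    if [ -n "$bad" ]; then
        printf 'non-PIC objects in %s (rebuild with -fPIC):\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    echo "$1: all members are PIC"
}

# Constructed sample of readelf output (not captured from a real build):
# apr_snprintf.o mirrors the error in the thread, apr_pools.o is a PIC object
# that only uses a PLT relocation and must not be reported.
SAMPLE_READELF=$(cat <<'EOF'
File: libapr-1.a(apr_snprintf.o)

Relocation section '.rela.text' at offset 0x2a8 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000000000b  000000050000000a R_X86_64_32    0000000000000000 .rodata + 0
0000000000000020  000000060000000b R_X86_64_32S   0000000000000000 .data + 0

File: libapr-1.a(apr_pools.o)

Relocation section '.rela.text' at offset 0x3f0 contains 1 entry:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
0000000000000014  0000000700000004 R_X86_64_PLT32 0000000000000000 malloc - 4
EOF
)

# Usage: sh pic_check.sh /usr/local/apache2/lib/libapr-1.a
if [ $# -gt 0 ]; then check_pic_archive "$1"; fi
```

Running it against the archive named in the error (`/usr/local/apache2/lib/libapr-1.a`) tells you which APR objects need to be rebuilt with `CFLAGS=-fPIC` before libtcnative can link them.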

On Sat, Nov 15, 2014 at 7:16 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Sanaullah,
>
> On 10/29/14 9:54 AM, Sanaullah wrote:
> > I again started working on SSLEngine with safenet and i need some
> > help, how to enable the debugging? I configure the engine as
> > "LunaCA3".
> >
> > <Listener class="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="LunaCA3" />
> >
> > Here is error log after starting the server.
> >
> > Oct 29, 2014 1:40:21 PM
> > org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR
> > based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
> > Oct 29, 2014 1:40:22 PM
> > org.apache.catalina.core.AprLifecycleListener init INFO: APR
> > capabilities: IPv6 [true], sendfile [true], accept filters [false],
> > random [true]. Oct 29, 2014 1:40:22 PM
> > org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> > SEVERE: Failed to initialize the SSLEngine.
> > org.apache.tomcat.jni.Error: 70023: This function has not been
> > implemented on this platform
>
> So the error code 70023 is (at least on my Linux system) equal to the
> APR error code with the label APR_ENOTIMPL. I can see that in a few
> places in the native implementation of the "initialize" method:
>
> Starting on line native/src/ssl.c:679:
>             if ((ee = ENGINE_by_id(J2S(engine))) == NULL
>                 && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
>                 err = APR_ENOTIMPL;
>             else {
>                 if (strcmp(J2S(engine), "chil") == 0)
>                     ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
>                 if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
>                     err = APR_ENOTIMPL;
>             }
>
> Again, starting on native/src/ssl.c:711:
>     SSL_TMP_KEYS_INIT(r);
>     if (r) {
>         TCN_FREE_CSTRING(engine);
>         ssl_init_cleanup(NULL);
>         tcn_ThrowAPRException(e, APR_ENOTIMPL);
>         return APR_ENOTIMPL;
>     }
>
> So, either the engine cannot be loaded, or we can't call
> ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the
> key init that's failing, given that you are trying to use a special
> engine.
>
> Are you comfortable modifying the code for tcnative? If you are on a
> UNIX platform, (re-)compilation is pretty easy. You can add some code
> to dump out the state of things while the code executes.
>
> I noticed at some point (re-reading the thread) that you were using
> "SSLCryptoDevice LunaCA" but then somehow you and I started using
> "LunaCA3". Have you tried with "LunaCA" (without the 3)?
>
> When you can get httpd to do this for you, do you have to modify the
> LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already
> have whatever it needs in order to support the hardware crypto device?
>
> I'm wondering if the JVM doesn't have the appropriate library
> available for some reason.
>
> What do you get when you run "openssl engine" from your command-line
> without any other special circumstances?
>
> -chris