-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mike,
On 12/17/14 8:12 PM, Mike Wertheim wrote:
> I'm trying to upgrade from Tomcat 7.0.41 with APR to Tomcat 8.0.15
> with APR. (I'm using JDK 1.8.0.25 on CentOS.)
>
> My first step was to upgrade to Tomcat Native library 1.1.32 and
> APR 1.5.1 while still using Tomcat 7.0.41. This combination works
> great. My webapp starts up and is accessible using either SSL or
> non-SSL.
>
> Next I upgraded to Tomcat 8.0.15 (again with Tomcat Native library
> 1.1.32 and APR 1.5.1). Tomcat 8.0.15 starts up, and the first
> lines of catalina.out are a message that shows that Tomcat Native
> library 1.1.32 and APR 1.5.1 are indeed in use. My webapp starts
> up and is accessible using non-SSL requests, but SSL requests don't
> work.
>
> When I saw that SSL wasn't working, I looked in catalina.out and
> saw this:
>
> org.apache.coyote.AbstractProtocol.init Failed to initialize end
> point associated with ProtocolHandler ["http-apr-8443"]
> java.lang.Exception: Unable to create SSLContext. Check that
> SSLEngine is enabled in the AprLifecycleListener, the
> AprLifecycleListener has initialised correctly and that a valid
> SSLProtocol has been specified
>         at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:532)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
> [...]
> Caused by: java.lang.Exception: Invalid Server SSL Protocol
> (error:00000000:lib(0):func(0):reason(0))
>         at org.apache.tomcat.jni.SSLContext.make(Native Method)
>         at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:527)
>
> The SSL Connector in server.xml looks like this:
>
> <Connector port="8443" URIEncoding="utf-8" maxKeepAliveRequests="3"
>            keepAliveTimeout="3000" scheme="https" secure="true"
>            SSLEnabled="true" SSLCertificateFile="/home/scuser/ssl/cert.crt"
>            SSLCertificateKeyFile="/home/scuser/ssl/cert.key"
>            SSLCertificateChainFile="/home/scuser/ssl/intermediateCA.cer"
>            clientAuth="false" sslProtocol="TLS"/>
>
> Can anyone see what might be going wrong?
As Konstantin points out, "sslProtocol" needs to be "SSLProtocol" for
the APR connector, but the APR connector has a default SSLProtocol
whose value is "all" (which is a synonym for "TLSv1+TLSv1.1+TLSv1.2").

What version of OpenSSL are you using? It's possible that your version
of OpenSSL and the combination of protocols requested don't line up.
I haven't made a table of behaviors with different inputs, but the
native code in make() looks like there are multiple failure scenarios.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUkspKAAoJEBzwKT+lPKRYYyoP/RIzDGMncLX0IDuQEPLGCVnf
aNirPO+b9WlwmcXUmL5pznCiWHz+LneN6MydAUWtF+SUbsKR5x6caMBeRsOweeve
hYRZxIHP5U58A2feYJ/VYRCDAGKOXMWCWJwgS9JEKF1QsBR1khoXLteCAvMmNIbb
QVSByE3FNPD8PHI5Xl8Zo9EAFFUhCco1w4c72efdmCoIP2+sGQAUxX+gw3gKz3lm
JZv0LlYUNbKxHVM9NmGDRYWMWs1sZSENkjaNH3jDDR4jonk4oU6kJQ7N+yZZa3HK
7CsekRMr+PId2QyESVxCxWvl7GNMeG/Yl5aUUfDn0xSTLiYcF2nTRNkrMnepmdS1
ljX7zM+k+1h8KsO/X7Y5E4XMTGwD9rbldKP6j+73J9QWUQlU0xA27wdC6mMZlf+I
38lBJsKeBS8rR3RQC6I8rr4gPdV4qrk4HmLFpn0FYHXrDF82tSx2z9BnBTz9vynZ
RPkk1TCQuGeQLaDo9D5/wGpfgb69KdAHEQEhRNIq3GHUm6DY/jqcF2cTBM71GZo3
JPJHBnoQ3h33Te5TqoigO3BLmRIxQnaXVOWPRYRwvxrO6wUUBgPO4337hjgxoldL
HFHbvORE2iX1KwifWPA9S8ckKSX69Co11oxyHtXo+HDPeHuj4jcP8ojN3nyaosES
i3glOCBcF06g2vNn7vcM
=wW5G
-----END PGP SIGNATURE-----
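Added example (not code from the thread or from Tomcat): a small server.xml lint for the JSSE-versus-APR attribute mix-up that Konstantin and Chris point at. The Tomcat 8.0 APR connector reads the capitalised "SSL*" attributes; the camel-case JSSE names ("sslProtocol", "clientAuth", ...) are not read by it, so the posted connector ran with the default SSLProtocol rather than "TLS". The APR attribute list below is a subset of the 8.0 HTTP connector reference. The accepted SSLProtocol tokens ("all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", joined with "+", compared case-insensitively) are assumed from the 8.0 AprEndpoint source and should be checked against the version in use. The server.xml inputs are constructed: the connector posted above plus the AprLifecycleListener that the catalina.out lines imply.

```python
"""Lint a Tomcat 8.0 server.xml for SSL attributes the APR/native connector
does not read. Added example for this page, not Tomcat's own code."""
import xml.etree.ElementTree as ET

# Attributes the Tomcat 8.0 APR/native connector reads (subset of the HTTP
# connector reference). Names are case-sensitive: sslProtocol != SSLProtocol.
APR_SSL_ATTRS = {
    "SSLEnabled", "SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder",
    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile",
    "SSLCACertificateFile", "SSLCACertificatePath", "SSLCARevocationFile",
    "SSLCARevocationPath", "SSLVerifyClient", "SSLVerifyDepth", "SSLPassword",
}

# JSSE (BIO/NIO) attributes the APR connector ignores, with the APR attribute
# that plays the corresponding role.
JSSE_TO_APR = {
    "sslProtocol": "SSLProtocol", "sslEnabledProtocols": "SSLProtocol",
    "ciphers": "SSLCipherSuite", "clientAuth": "SSLVerifyClient",
    "keystoreFile": "SSLCertificateFile + SSLCertificateKeyFile",
    "truststoreFile": "SSLCACertificateFile",
}

# Tokens AprEndpoint.bind() accepts in SSLProtocol, joined with "+" and
# compared case-insensitively (assumed from the 8.0 source; verify against
# your version). Any other token is rejected at bind() time.
APR_PROTOCOL_TOKENS = {"all", "sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
INSECURE_TOKENS = {"sslv2", "sslv3"}


def _apr_ssl_engine_on(root):
    """True if an AprLifecycleListener with SSLEngine enabled is configured."""
    for listener in root.iter("Listener"):
        if listener.get("className", "").endswith("AprLifecycleListener"):
            return listener.get("SSLEngine", "on").lower() != "off"
    return False


def _uses_apr(conn, apr_available):
    """Explicit Http11AprProtocol, or plain HTTP/1.1 auto-selecting APR because
    the native library is loaded (the situation in the thread)."""
    proto = conn.get("protocol", "HTTP/1.1")
    return proto.endswith("Http11AprProtocol") or (proto == "HTTP/1.1" and apr_available)


def lint_connector(conn):
    """Return findings for one SSL-enabled connector running on the APR endpoint."""
    port, findings = conn.get("port", "?"), []
    by_lower = {a.lower(): a for a in APR_SSL_ATTRS}
    for name in conn.attrib:
        if name in JSSE_TO_APR:
            findings.append(f'port {port}: "{name}" is a JSSE attribute the APR '
                            f'connector ignores; use {JSSE_TO_APR[name]}')
        elif name.lower() in by_lower and name not in APR_SSL_ATTRS:
            findings.append(f'port {port}: "{name}" is miscased; the APR attribute '
                            f'is "{by_lower[name.lower()]}"')
    # No SSLProtocol means the APR default "all", exactly as Chris describes.
    for token in (t.strip() for t in conn.get("SSLProtocol", "all").split("+")):
        if token.lower() not in APR_PROTOCOL_TOKENS:
            findings.append(f'port {port}: SSLProtocol token "{token}" is not '
                            f'accepted by the APR connector')
        elif token.lower() in INSECURE_TOKENS:
            findings.append(f'port {port}: SSLProtocol enables {token}; SSLv2 and '
                            f'SSLv3 should stay disabled')
    return findings


def lint_server_xml(xml_text):
    """Lint every SSL-enabled connector that will run on the APR endpoint."""
    root = ET.fromstring(xml_text)
    apr_available = _apr_ssl_engine_on(root)
    findings = []
    for conn in root.iter("Connector"):
        if (conn.get("SSLEnabled", "false").lower() == "true"
                and _uses_apr(conn, apr_available)):
            findings.extend(lint_connector(conn))
    return findings


# Constructed server.xml: the connector posted in the thread plus the
# AprLifecycleListener that the catalina.out lines imply is present.
SERVER_XML_FROM_THREAD = """<Server>
  <Listener className="org.apache.tomcat.jni.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/home/scuser/ssl/cert.crt"
               SSLCertificateKeyFile="/home/scuser/ssl/cert.key"
               SSLCertificateChainFile="/home/scuser/ssl/intermediateCA.cer"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

# Same connector with the APR attribute names and an explicit TLS-only list.
SERVER_XML_FIXED = SERVER_XML_FROM_THREAD.replace(
    'clientAuth="false" sslProtocol="TLS"',
    'SSLVerifyClient="none" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"')

# A variant that re-enables SSLv3 and uses a token the APR connector rejects.
SERVER_XML_LEGACY = SERVER_XML_FROM_THREAD.replace(
    'clientAuth="false" sslProtocol="TLS"', 'SSLProtocol="SSLv3+TLS"')
```

Run lint_server_xml() over $CATALINA_BASE/conf/server.xml before restarting; on the posted connector it reports both "clientAuth" and "sslProtocol" as JSSE attributes the APR connector ignores, and it is clean once they become SSLVerifyClient and SSLProtocol. On Chris's OpenSSL question: the AprLifecycleListener logs the OpenSSL version it initialised right after the Tomcat Native and APR version lines Mike quotes, and TLSv1.1 and TLSv1.2 only exist from OpenSSL 1.0.1 on, so an older library cannot satisfy a protocol list that names them.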