Hi Christopher,

     I am using my own custom OpenSSL engine that I wrote for elliptic curve 
Diffie-Hellman (ECDH).

     I am setting the SSLEngine to my engine name in the Listener in the tomcat 
configuration file (conf/server.xml).

     But it looks like the engine is not being set in the function call to 
SSL_dh_GetParamFromFile(...), which returns the pointer to DH (in file 
tomcat-native-1.2.16-arc/native/src/sslcontext.c). I don't believe the engine 
is being set, as SSL_dh_GetParamFromFile(...) calls PEM_read_bio_DHparams(...). 
However, SSL_dh_GetParamFromFile doesn't set the ENGINE * parameter inside the 
structure for DH (aliased as dh_st). Because ENGINE * is not set, the default 
OpenSSL implementation for ECDH is getting called. 
    Please correct me if I am wrong.

Regards,
Piyush
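As an added illustration (not part of this thread, and not Tomcat's or Tomcat Native's own configuration), here is a conf/server.xml fragment showing where the SSLEngine attribute that Chris refers to sits relative to the APR/OpenSSL Connector. The engine id "myecdhengine", the certificate paths and the port are placeholders; the Connector is pinned to the APR protocol so that the OpenSSL code path, and therefore the loaded ENGINE, is the one actually handling the TLS handshake.

```xml
<!-- conf/server.xml (added example; "myecdhengine" and the file paths are placeholders) -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- The APR lifecycle listener initialises OpenSSL. SSLEngine names the
       OpenSSL ENGINE id to load; its default value "on" means the built-in
       OpenSSL implementation, so a custom engine must be named explicitly. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="myecdhengine" />

  <Service name="Catalina">
    <!-- Pin the APR protocol so TLS is handled by OpenSSL, not JSSE. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true">
      <!-- Restricting the suite list to ECDHE ensures every handshake exercises
           the ECDH key-agreement path, which makes it obvious (e.g. from engine
           debug output) whether the custom engine is really being used. -->
      <SSLHostConfig protocols="TLSv1.2"
                     honorCipherOrder="true"
                     ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256">
        <Certificate certificateFile="conf/localhost-cert.pem"
                     certificateKeyFile="conf/localhost-key.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

Before pointing Tomcat at the engine, it is worth confirming that OpenSSL itself can load it from the engines directory with `openssl engine -t -c myecdhengine`; if that command does not report the engine as available, Tomcat Native will not be able to use it either, regardless of the SSLEngine setting.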

> On Aug 4, 2018, at 8:49 AM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
> 
> 
> Piyush,
> 
>> On 8/3/18 2:52 PM, Piyush K wrote:
>> 
>> Dear tomcat community,
>> 
>> I have a question - I am using tomcat and OpenSSL (with apr and
>> tomcat-native-1.2.16). Versions are as follows :- apr-1-config
>> 1.5.2 tomcat-native-1.2.16 OpenSSL 1.1.0 Tomcat 8.5.31
>> 
>> This works fine with my custom OpenSSL 1.1.0 installation. Next
>> I wrote my own custom OpenSSL engine for ECDHE (ephemeral even),
>> however tomcat native still seems to make calls to the default
>> ECDHE engine that comes with OpenSSL (instead of using mine, even
>> though I compiled, tested and installed the needed shared object
>> in the relevant directory for OpenSSL engines shared objects). 
>> Does the tomcat native code need to be modified to support a
>> custom OpenSSL engine for ECDHE? If yes, can I get some help on
>> which places and which files one needs to modify (I have looked
>> at the file sslcontext.c but it is not very clear on how to tie
>> your custom OpenSSL ECDHE engine with the EC keys being generated)
> 
> 
> Do you have you own "engine" or are you just replacing one of the
> cipher suites?
> 
> What does your Tomcat <Connector> configuration and APR <Listener>
> look like?
> 
> You probably have to set the "SSLEngine" attribute to identify your
> custom engine.
> 
> http://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener
> 
> - -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
