Hi Christopher,

I am using my own custom OpenSSL engine that I wrote for elliptic curve Diffie-Hellman (ECDH).

I am setting the SSLEngine to my engine name in the Listener in the tomcat configuration file (conf/server.xml). But it looks like the engine is not being set in the function call to SSL_dh_GetParamFromFile(...), which returns the pointer to DH (in file tomcat-native-1.2.16-arc/native/src/sslcontext.c). I don't believe the engine is being set, as SSL_dh_GetParamFromFile(...) calls PEM_read_bio_DHparams(...); however, SSL_dh_GetParamFromFile doesn't set the ENGINE * parameter inside the structure for DH (aliased as dh_st). Because ENGINE * is not set, the default OpenSSL implementation for ECDH is getting called.

Please correct me if I am wrong,

Regards,
Piyush

Sent from my iPhone

> On Aug 4, 2018, at 8:49 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Piyush,
>
>> On 8/3/18 2:52 PM, Piyush K wrote:
>>
>> Dear tomcat community,
>>
>> I have a question - I am using tomcat and OpenSSL (with apr and
>> tomcat-native-1.2.16). Versions are as follows :-
>> apr-1-config 1.5.2
>> tomcat-native-1.2.16
>> OpenSSL 1.1.0
>> Tomcat 8.5.31
>>
>> This works fine with my custom OpenSSL 1.1.0 installation. Next I wrote
>> my own custom OpenSSL engine for ECDHE (ephemeral even), however tomcat
>> native still seems to make calls to the default ECDHE engine that comes
>> with OpenSSL (instead of using mine, even though I compiled, tested and
>> installed the needed shared object in the relevant directory for OpenSSL
>> engines shared objects).
>> Does the tomcat native code need to be modified to support a custom
>> OpenSSL engine for ECDHE? If yes, can I get some help on which places and
>> which files one needs to modify (I have looked at the file sslcontext.c
>> but it is bit very clear on how to tie your custom OpenSSL ECDHE engine
>> with the EC keys being generated)
>
> Do you have your own "engine" or are you just replacing one of the
> cipher suites?
>
> What does your Tomcat <Connector> configuration and APR <Listener>
> look like?
>
> You probably have to set the "SSLEngine" attribute to identify your
> custom engine.
>
> http://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------