We want to use APR, via the native library, to call OpenSSL and so support FIPS mode in
Tomcat.
Software info:
Tomcat/9.0.34
libtcnative-1-0-1.2.23-15.30.x86_64
Configuration as below:
<Connector SSLEnabled="true"
acceptCount="100"
connectionTimeout="60000"
maxKeepAliveRequests="150"
SSLCertificateFile="*****"
SSLCertificateChainFile="****"
SSLCertificateKeyFile="*****"
compression="on"
compressibleMimeType="text/html,text/xml,text/css,text/javascript,application/javascript"
port="${bio.https.port}"
protocol="org.apache.coyote.http11.Http11AprProtocol"
scheme="https"
secure="true"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"
URIEncoding="UTF-8"/>
When debug logging is enabled in Tomcat we see:
09-May-2020 00:51:35.358 FINE [https-openssl-apr-8443-exec-1]
org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.doClose Calling
[org.apache.tomcat.util.net.AprEndpoint@4275c20c].closeSocket([org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@1efb5c3e:139622944367568])
09-May-2020 00:51:35.367 FINE [https-openssl-apr-8443-Poller]
org.apache.tomcat.util.net.AprEndpoint$Poller.removeFromPoller Attempting to
remove [139,622,944,367,568] from poller
09-May-2020 00:51:35.367 FINER [https-openssl-apr-8443-Poller]
org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal Destroying socket
[139,622,944,367,568]
java.lang.Exception
    at org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal(AprEndpoint.java:758)
    at org.apache.tomcat.util.net.AprEndpoint.access$200(AprEndpoint.java:81)
    at org.apache.tomcat.util.net.AprEndpoint$Poller.run(AprEndpoint.java:1338)
    at java.base/java.lang.Thread.run(Thread.java:834)
BRs
Dan
-----Original Message-----
From: Christopher Schultz <[email protected]>
Sent: Friday, May 8, 2020 10:37 PM
To: [email protected]
Subject: Re: APR connector questions
Daniel,
On 5/8/20 04:25, [email protected] wrote:
> We are changing from the NIO connector to the APR connector to enable FIPS
> mode in Tomcat. But we hit a Tomcat hang issue: the SSL handshake gets no
> response after running for a long time. There are many CLOSE_WAIT sockets in the netstat output.
> Do you have any advice about that issue?
Can you please post your <Connector> configuration? Remember to remove any
secrets that may be in there.
You may be interested to know that FIPS is available through Java, though not
through Sun's JSSE provider.
https://stackoverflow.com/questions/5046482/which-jce-providers-are-fips-140-2-compliant
You may also be interested in the fact that FIPS mode doesn't really offer any
additional security. In certain cases, it may reduce your security because of
the various required-supported algorithms which, honestly, should never be used
in production.
-chris
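The symptom reported above is a growing number of CLOSE_WAIT sockets on the APR connector port while the SSL handshake stops responding. The script below is an added example, not from this thread or from the Tomcat project: it counts sockets per TCP state on a given local port from `ss -tan` style output, so the build-up can be measured over time (for instance from cron) instead of eyeballed. The sample socket table is constructed for the example; the port 8443 and the threshold of 2 are assumptions. It only quantifies the symptom; it does not diagnose or fix the hang.

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (not captured from the thread's server).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      100    0.0.0.0:8443        0.0.0.0:*
ESTAB      0      0      10.0.0.5:8443       10.0.0.9:51234
CLOSE-WAIT 1      0      10.0.0.5:8443       10.0.0.10:41002
CLOSE-WAIT 1      0      10.0.0.5:8443       10.0.0.11:41010
CLOSE-WAIT 1      0      10.0.0.5:8443       10.0.0.12:41020
ESTAB      0      0      10.0.0.5:22         10.0.0.2:55000
CLOSE-WAIT 1      0      10.0.0.5:22         10.0.0.3:55001'

# count_state PORT STATE
# Reads an `ss -tan` table on stdin and prints how many sockets whose local
# port is PORT are in STATE. State names are normalised so that the ss
# spelling (CLOSE-WAIT) and the netstat spelling (CLOSE_WAIT) both match.
count_state() {
    port="$1"
    state=$(printf '%s' "$2" | tr '_a-z' '-A-Z')
    awk -v p="$port" -v s="$state" '
        {
            st = toupper($1); gsub("_", "-", st)
            if (st != s) next
            n = split($4, a, ":")          # local port is the last ":" field
            if (a[n] == p) c++
        }
        END { print c + 0 }'
}

# check_close_wait PORT LIMIT
# Returns 0 when the CLOSE-WAIT count on PORT is within LIMIT, 1 when it is
# above it (useful as a cron or monitoring probe exit status).
check_close_wait() {
    port="$1"; limit="$2"
    n=$(count_state "$port" CLOSE-WAIT)
    if [ "$n" -gt "$limit" ]; then
        echo "WARN: $n CLOSE-WAIT sockets on local port $port (limit $limit)"
        return 1
    fi
    echo "OK: $n CLOSE-WAIT sockets on local port $port (limit $limit)"
    return 0
}

# Demo on the constructed sample; on a live host use:  ss -tan | check_close_wait 8443 50
printf '%s\n' "$SAMPLE_SS" | check_close_wait 8443 2 || :
```

Run it periodically and log the count: a CLOSE_WAIT figure that climbs steadily on the connector port and never drains is the application-side leak pattern (the peer closed, Tomcat never did), which is what to correlate with the poller and destroySocketInternal debug lines quoted above.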
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]