We want to use APR to call OpenSSL, together with native, to support FIPS mode in Tomcat.
Software info:
Tomcat/9.0.34
libtcnative-1-0-1.2.23-15.30.x86_64

Configuration as below:

<Connector SSLEnabled="true"
           acceptCount="100"
           connectionTimeout="60000"
           maxKeepAliveRequests="150"
           SSLCertificateFile="*****"
           SSLCertificateChainFile="****"
           SSLCertificateKeyFile="*****"
           compression="on"
           compressibleMimeType="text/html,text/xml,text/css,text/javascript,application/javascript"
           port="${bio.https.port}"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           URIEncoding="UTF-8"/>

When debug logging is enabled in Tomcat, we see:

09-May-2020 00:51:35.358 FINE [https-openssl-apr-8443-exec-1] org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.doClose Calling [org.apache.tomcat.util.net.AprEndpoint@4275c20c].closeSocket([org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper@1efb5c3e:139622944367568])
09-May-2020 00:51:35.367 FINE [https-openssl-apr-8443-Poller] org.apache.tomcat.util.net.AprEndpoint$Poller.removeFromPoller Attempting to remove [139,622,944,367,568] from poller
09-May-2020 00:51:35.367 FINER [https-openssl-apr-8443-Poller] org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal Destroying socket [139,622,944,367,568]
 java.lang.Exception
	at org.apache.tomcat.util.net.AprEndpoint.destroySocketInternal(AprEndpoint.java:758)
	at org.apache.tomcat.util.net.AprEndpoint.access$200(AprEndpoint.java:81)
	at org.apache.tomcat.util.net.AprEndpoint$Poller.run(AprEndpoint.java:1338)
	at java.base/java.lang.Thread.run(Thread.java:834)

BRs
Dan

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, May 8, 2020 10:37 PM
To: users@tomcat.apache.org
Subject: Re: APR connector questions

Daniel,

On 5/8/20 04:25, daniel....@dell.com wrote:
> We are changing from the Nio connector to the APR connector to enable FIPS
> mode in Tomcat. But we hit a Tomcat hang issue: the SSL handshake gets no
> response after running for a long time. There are many close_wait entries
> in the netstat output.
> Do you have any advice about that issue?

Can you please post your <Connector> configuration? Remember to remove any secrets that may be in there.

You may be interested to know that FIPS is available through Java, though not through Sun's JSSE provider.

https://stackoverflow.com/questions/5046482/which-jce-providers-are-fips-140-2-compliant

You may also be interested in the fact that FIPS mode doesn't really offer any additional security. In certain cases, it may reduce your security because of the various required-supported algorithms which, honestly, should never be used in production.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
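The symptom Dan describes (a growing pile of CLOSE_WAIT sockets on the connector port before the handshake stops responding) is easier to catch with a threshold check than by eyeballing netstat. The POSIX shell script below is an added example written for this thread; it is not code from Dan, Chris or the Tomcat project. It counts CLOSE_WAIT sockets whose local port is the connector port, reading either `ss -tan` output (state "CLOSE-WAIT" in the first column) or `netstat -tan` output (state "CLOSE_WAIT" in the last column); the two socket tables embedded in it are constructed samples, and the port 8443 is taken from the log lines above.

```shell
#!/bin/sh
# Added example (not from the thread): count CLOSE_WAIT sockets on a port
# and alert when the count passes a threshold. Accepts the output of
# `ss -tan` (state in column 1, spelled CLOSE-WAIT) or `netstat -tan`
# (state in the last column, spelled CLOSE_WAIT). In both layouts the
# local address:port is column 4, which is all the parser relies on.

# Constructed sample `ss -tan` output for the stand-alone demo.
SAMPLE_SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      100    0.0.0.0:8443           0.0.0.0:*
ESTAB      0      0      10.0.0.5:8443          10.0.0.9:51234
CLOSE-WAIT 1      0      10.0.0.5:8443          10.0.0.9:51235
CLOSE-WAIT 1      0      10.0.0.5:8443          10.0.0.9:51236
CLOSE-WAIT 0      0      [::ffff:10.0.0.5]:8443 [::ffff:10.0.0.9]:51237
ESTAB      0      0      10.0.0.5:8080          10.0.0.9:51240'

# Constructed sample `netstat -tan` output (different column layout).
SAMPLE_NETSTAT_OUTPUT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:8443           10.0.0.9:51301          ESTABLISHED
tcp        1      0 10.0.0.5:8443           10.0.0.9:51302          CLOSE_WAIT
tcp6       1      0 :::8443                 10.0.0.9:51303          CLOSE_WAIT'

# count_close_wait PORT [SOCKET_TABLE]
# Prints the number of CLOSE_WAIT sockets whose local port is PORT.
# When SOCKET_TABLE is omitted the live table is read with `ss -tan`.
count_close_wait() {
    port=$1
    if [ $# -ge 2 ]; then table=$2; else table=$(ss -tan); fi
    printf '%s\n' "$table" | awk -v p="$port" '
        ($1 ~ /^CLOSE[-_]WAIT$/ || $NF ~ /^CLOSE[-_]WAIT$/) {
            # The port is the last ":"-separated field of the local
            # address, which also handles [::ffff:a.b.c.d]:port and :::port.
            n = split($4, f, ":")
            if (f[n] == p) c++
        }
        END { print c + 0 }'
}

# check_close_wait PORT THRESHOLD [SOCKET_TABLE]
# Returns 0 when the CLOSE_WAIT count is at or below THRESHOLD, 1 otherwise,
# and prints a one-line verdict suitable for a cron job or monitoring hook.
check_close_wait() {
    port=$1
    threshold=$2
    shift 2
    count=$(count_close_wait "$port" "$@")
    if [ "$count" -gt "$threshold" ]; then
        echo "ALERT: $count CLOSE_WAIT sockets on port $port (threshold $threshold)"
        return 1
    fi
    echo "OK: $count CLOSE_WAIT sockets on port $port (threshold $threshold)"
    return 0
}

# Stand-alone demo against the constructed samples.
check_close_wait 8443 2 "$SAMPLE_SS_OUTPUT" || true
check_close_wait 8443 2 "$SAMPLE_NETSTAT_OUTPUT" || true
```

Run `check_close_wait 8443 50` without a table argument to check the live socket table on a host; a count that only ever climbs between runs, while the connector still accepts TCP connections, is the pattern Dan reports, and the number at which it starts is what is worth capturing alongside the FINE-level AprEndpoint log lines.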