Re: Tomcat 9.0.27 loads incorrect openssl version

Sun, 07 Jun 2020 12:20:19 -0700 

Am 2020-06-07 um 20:16 schrieb Norbert Elbanbuena:

Hi,

I removed the previous version of OpenSSL 1.0.2k-fips from yum. Then I 
installed OpenSSL 1.1.1g from source and made a clean install of tomcat-native 
1.2.24 pointing to the correct OpenSSL path.
When I start Tomcat, it still shows OpenSSL 1.0.2k-fips being loaded on startup.

07-Jun-2020 18:09:20.357 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based 
Apache Tomcat Native library [1.2.24] using APR version [1.7.0].
07-Jun-2020 18:09:20.357 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: 
IPv6 [true], sendfile [true], accept filters [false], random [true].
07-Jun-2020 18:09:20.357 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL 
configuration: useAprConnector [true], useOpenSSL [true]
07-Jun-2020 18:09:20.361 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL 
successfully initialized [OpenSSL 1.0.2k-fips  26 Jan 2017]

I verified latest version of OpenSSL reflected

$openssl version -a
OpenSSL 1.1.1g  21 Apr 2020
built on: Sun Jun  7 15:15:04 2020 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 
-DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM 
-DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM 
-DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
Seeding source: os-specific

Can somebody help me understand why Tomcat still points to the old fips 
version? Or do I need to install OpenSSL fips instead?


Run 'ldd .../libtcnative-1.so' and paste results.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to