This sounds promising.  I installed apr-devel and openssl-devel from yum
repositories, and built OpenSSL 3.0 and Tomcat Native from source.  I think
I saw instructions for building APR from source also.  So I will try that
and report back.

Is there any way to find out what versions are recommended for proper use
of OpenSSL 3.0.x? I haven't been able to find this.



Thanks!
Clay

On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/5/22 12:47, Clay Lehman wrote:
> > Hello!
> >
> >
> > I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
> > an error on startup.  I have tried a ton of things, searched, read the docs
> > over and over, and cannot get past this.  Has anyone had success with this
> > setup?
> >
> >
> > I created a fully working sample project and Dockerfile to demonstrate the
> > issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >
> >
> > Thanks!
> >
> > Clay
> >
> >
> > More info below....
> >
> >
> > Most of the examples and documentation that I have found are for old
> > versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> > v3.0.x so I suspect this is supported to some degree.
> >
> >
> > I am testing this using a docker container for "Oracle Linux Server 8"
> > (specifically FROM openjdk:latest).  I am running embedded tomcat from
> > Spring Boot, but I don't suspect that is important for my issue.
> >
> >
> >
> > Notes about the setup steps (in the Dockerfile example):
> >
> >
> > 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >
> > (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)
> >
> >
> > RUN cd /usr/src \
> >   && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >   && tar -zxf openssl-3.0.2.tar.gz \
> >   && rm openssl-3.0.2.tar.gz \
> >   && cd openssl-3.0.2 \
> >   && ./config enable-fips && make -j8  && make -j8 install
> >
> >
> > RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >   && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >
> >
> > RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf \
> >   -module /usr/local/lib/ossl-modules/fips.so
> >
> >
> > 2) Installed Tomcat Native from source:
> >
> > (https://tomcat.apache.org/native-doc/)
> >
> >
> > RUN microdnf install apr-devel openssl-devel \
> >   && mkdir /usr/lib/tcnative
> >
> >
> > RUN cd /usr/src \
> >   && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
> >   && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> >   && rm tomcat-native-1.2.32-src.tar.gz \
> >   && cd tomcat-native-1.2.32-src/native \
> >   && ./configure --with-apr=/usr/bin/apr-1-config \
> >        --with-java-home=/usr/java/latest --with-ssl=yes \
> >        --prefix=/usr/lib/tcnative \
> >   && make \
> >   && make install
> >
> >
> > 3) Generate a self-signed certificate:
> >
> > RUN openssl req -x509 -newkey rsa:4096 -passout pass:test \
> >   -keyout testkey.pem -out testcert.pem -sha256 -days 90 \
> >   -subj '/CN=test.lehmansoftware.com'
> >
> >
> >
> > 4) To enable tomcat native, I pass these parameters:
> >
> > ENTRYPOINT java \
> >   -Dserver.port=8443 \
> >   -Dserver.ssl.enabled=true \
> >   -Djava.library.path="/usr/lib/tcnative/lib" \
> >   -Dserver.ssl.certificate-key-file="/testkey.pem" \
> >   -Dserver.ssl.certificate-file="/testcert.pem" \
> >   -jar app.jar
> >
> >
> >
> > 5) And finally, here is the error message that I receive on application
> > startup trying to use tcnative.
> >
> > cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN [main]
> > core.AprLifecycleListener - The Apache Tomcat Native library failed to
> > load. The error reported was [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > EVP_PKEY_get_bits]
> >
> > cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> > /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> > EVP_PKEY_get_bits
> >
> > cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]
>
> Looks like the build worked (right?) so any "undefined symbol" issues
> you see must be related to the versions made available to the process at
> runtime.
>
> Make sure you have the same versions of libssl, libapr, and libtcnative
> that you built yourself and not those that e.g. ship with the OS. Where
> are all your .so files for libtcnative, libssl, and libapr?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

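Chris's point about which library versions the process sees at runtime can be checked mechanically. The script below is an added example, not part of the thread or of Tomcat Native; it assumes the self-built OpenSSL lives under /usr/local/lib (as in the Dockerfile above) and uses a constructed `ldd` output to show the failing case.

```shell
#!/bin/sh
# Added example (not from the thread): report which libssl/libcrypto/libapr a
# libtcnative build resolves to at run time, which is what the
# "undefined symbol: EVP_PKEY_get_bits" error points at. EVP_PKEY_get_bits
# first appeared in OpenSSL 3.0, so a libtcnative compiled against 3.0 headers
# cannot load if the dynamic loader hands it the OS libcrypto.so.1.1 instead.

# Constructed `ldd libtcnative-1.so.0.2.32` output for the broken case: every
# library resolves from the OS in /lib64, not from the self-built /usr/local/lib.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc0000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1000)
    libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00007f2000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3000)'

# check_runtime_libs PREFIX   (ldd output on stdin)
# Prints one OK/MISMATCH/MISSING line per libssl, libcrypto and libapr entry;
# returns 1 if any of them does not come from PREFIX.
check_runtime_libs() {
  prefix=$1
  status=0
  while IFS= read -r line; do
    case $line in
      *libssl.so*|*libcrypto.so*|*libapr-1.so*) ;;
      *) continue ;;
    esac
    set -- $line    # $1=soname  $2='=>'  $3=resolved path (or "not" for "not found")
    case $3 in
      not)         printf 'MISSING  %s (not found by the loader)\n' "$1"; status=1 ;;
      "$prefix"/*) printf 'OK       %s\n' "$3" ;;
      *)           printf 'MISMATCH %s (expected under %s)\n' "$3" "$prefix"; status=1 ;;
    esac
  done
  return $status
}

# libcrypto_abi   (ldd output on stdin)
# Prints the soname version of the libcrypto that will actually be loaded ("1.1", "3").
libcrypto_abi() {
  sed -n 's/^[[:space:]]*libcrypto\.so\.\([0-9.]*\) =>.*/\1/p'
}

# Usage: sh check-tcnative.sh /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32 [PREFIX]
if [ -n "$1" ] && [ -f "$1" ]; then
  ldd "$1" | check_runtime_libs "${2:-/usr/local/lib}"
  abi=$(ldd "$1" | libcrypto_abi)
  [ "$abi" = 3 ] || echo "libcrypto.so.$abi does not export EVP_PKEY_get_bits; libcrypto.so.3 is required"
fi
```

Run it against the real libtcnative-1.so to see whether the loader picks /usr/local/lib/libcrypto.so.3 or the distribution's libcrypto.so.1.1; the symlinks into /usr/lib64 from the Dockerfile only help if no older soname is found first.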