Posted to users@tomcat.apache.org by Sanaullah <sa...@gmail.com> on 2014/12/01 12:09:04 UTC

Re: APR with PKCS11 support

Hi Chris,

I have attached the diff. Let me know if it's ok?

Regards,
Sanaullah

On Fri, Nov 21, 2014 at 2:08 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Sanaullah,
>
> On 11/18/14 10:26 PM, Sanaullah wrote:
> > Hi Chris,
> >
> > Engine is loaded successfully. The issue is with tcnative.
> > tcnative was not loading any engine and it was due to
> > HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor which is unable to
> > call ENGINE_load_builtin_engines. I made one change in ssl.c of
> > tomcat-native-1.1.31
> >
> > original Preprocessor
> >
> > #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> >
> > Changed to
> >
> > #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> > ENGINE_cleanup();
> >
> > #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> > ENGINE_load_builtin_engines();
> > #endif
>
> Can you give me a patch in diff -U form? I'd like to take a look at it
> formally.
>
> Thanks for doing the digging to figure out how to make this work. I
> don't have a non-standard engine available to play with.
>
> Thanks,
> -chris
>
> > On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Sanaullah,
> >
> > On 11/14/14 10:04 PM, Sanaullah wrote:
> >>>> The Engine name is correct; it's "LunaCA3". Here is the code
> >>>> snippet from the openssl for the confirmation.
> >>>>
> >>>> openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID "LunaCA3"
> >>>>
> >>>> I think the issue is with static and shared libraries of
> >>>> openssl.
> >
> > It could be. Since you are building on *NIX, you should probably
> > be using dynamically-linked shared-libraries. But you have to be
> > careful about the load-ordering if you are using an OpenSSL that is
> > not the system default (e.g. in /usr/lib).
> >
> >>>> If openssl is built as shared then this LunaCA3 engine is not
> >>>> working for nodejs and even for Apache as well; both required
> >>>> openssl to be built static.
> >
> > Interesting...
> >
> >>>> I tried to follow the Build document of tomcat native.
> >>>>
> >>>> Building statically linked library on Unixes
> >>>> --------------------------------------------
> >>>>
> >>>> To statically link apr and openssl dependencies use the
> >>>> following procedure.
> >>>>
> >>>> You will need to build static version of openssl library.
> >>>>
> >>>>> ./config --prefix=~/natives/openssl no-shared -fPIC
> >>>>> make
> >>>>> make install_sw
> >>>>
> >>>> Apr by default builds both static and dynamic libraries.
> >>>>
> >>>>> ./configure --prefix=~/natives/apr
> >>>>> make
> >>>>> make install
> >>>>
> >>>> After that edit the ~/natives/apr/lib/libapr-1.la file and
> >>>> comment or delete the following sections: dlname='...' and
> >>>> library_names='...' This is needed so that libtool picks the
> >>>> static version of the library.
> >>>>
> >>>> Build Tomcat native by executing
> >>>>
> >>>>> ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
> >>>>> make
> >>>>> make install
> >
> > You're reaching the limits of my knowledge about building the
> > whole bundle statically. I'll ping Rainer (CC'd here) who knows
> > more than I do.
> >
> >>>> Here is something strange: Openssl successfully builds and
> >>>> installs with -fPIC but tcnative still gives me an error.
> >>>>
> >>>> /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
> >>>> /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
> >>>> collect2: error: ld returned 1 exit status
> >>>> make[1]: *** [libtcnative-1.la] Error 1
> >>>> make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
> >>>> make: *** [all-recursive] Error 1
> >>>>
> >>>> I am not sure what to do here?
> >
> > Hmm. Let's see if Rainer (or anyone else!) replies.
> >
> > -chris
> >
> >>
> >> ---------------------------------------------------------------------
> >>
> >>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >

Re: APR with PKCS11 support

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sanaullah,

On 12/1/14 6:09 AM, Sanaullah wrote:
> I have attached the diff [that allows external crypto devices to
> be used via tcnative]. Let me know if it's ok?

For reference, here's the diff:

> 
> 304c304 < #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES ---
>> #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
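
Review bot: at line 304 the guard becomes a literal "#if 1" with the macro name left behind in a trailing comment, so the guarded code compiles unconditionally and the build can no longer switch it off. Keep "#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES" in the source and have the build define the macro instead.
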
> 661c661 < #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES ---
>> #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
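
Review bot: the hunk at 661 is in normal diff format with no file name and no context lines, and its "<" side carries the patched "#if 1" line, so it cannot be checked or applied against ssl.c as sent. Regenerate it with diff -U, passing the original file first, so that the "+" lines show the new guard.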

This looks like a /reverse/ diff, since you said you removed the
HAVE_ENGINE_LOAD_BUILTIN_ENGINES and replaced it with "1". Other than
that, it's about as compact as you can get!

I think this would have been easier if you had just built tcnative
like this:

$ cd /path/to/tcnative/jni/native

$ CFLAGS=-DHAVE_ENGINE_LOAD_BUILTIN_ENGINES ./configure ...

$ CFLAGS=-DHAVE_ENGINE_LOAD_BUILTIN_ENGINES make

Can you try re-downloading the source and re-building with the above
CFLAGS set instead of patching the code? If that works, it will be a
slightly safer way to build.

I wonder why HAVE_ENGINE_LOAD_BUILTIN_ENGINES isn't usually set to 1.
I'll do a bit of reading about it.

Thanks,
-chris
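
Added example (not part of the original thread, and not tcnative code): a shell check that lists bare "#if NAME" guards which a given CFLAGS string leaves undefined or set to 0, the condition that silently compiled out the engine calls discussed above. The sample source is constructed, the function names are hypothetical, and the check looks only at CFLAGS, not at headers generated by configure.

```shell
#!/bin/sh
# Constructed sample mirroring the two guarded calls quoted in the thread.
# This is NOT the real ssl.c.
sample_src() {
cat <<'EOF'
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_cleanup();
#endif
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_load_builtin_engines();
#endif
EOF
}

# undefined_guards CFLAGS  (hypothetical helper; C source is read from stdin)
# Prints "NAME COUNT" for every macro tested by a bare "#if NAME" that the
# given CFLAGS do not enable. An undefined name in "#if" evaluates to 0, so
# the guarded block is dropped without any warning from the compiler.
undefined_guards() {
    cflags=$1
    sed -n 's/^[[:space:]]*#[[:space:]]*if[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*$/\1/p' |
    sort | uniq -c |
    while read -r count name; do
        enabled=no
        for flag in $cflags; do
            case $flag in
                "-D$name=0") enabled=no ;;                  # defined, but false
                "-D$name"|"-D$name="*) enabled=yes ;;       # -DNAME means NAME=1
            esac
        done
        [ "$enabled" = yes ] || echo "$name $count"
    done
}

# Stock flags: both guards are reported as compiled out.
sample_src | undefined_guards "-O2 -fPIC"
# Flags suggested in the reply above: nothing is reported.
sample_src | undefined_guards "-O2 -DHAVE_ENGINE_LOAD_BUILTIN_ENGINES"
```

A source line already patched to "#if 1 //NAME" is not reported, because the pattern only matches a guard that tests an identifier.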