Posted to users@tomcat.apache.org by Clay Lehman <cl...@lehmansoftware.com> on 2022/04/05 16:47:13 UTC

Tomcat Native and OpenSSL v3.0.2

Hello!


I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
an error on startup.  I have tried a ton of things, searched, read the docs
over and over, and cannot get past this.  Has anyone had success with this
setup?


I created a fully working sample project and Dockerfile to demonstrate the
issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3


Thanks!

Clay


More info below....


Most of the examples and documentation that I have found are for old
versions of OpenSSL, but I do see some release notes mentioning OpenSSL
v3.0.x, so I suspect this is supported to some degree.


I am testing this using a docker container for "Oracle Linux Server 8"
(specifically FROM openjdk:latest).  I am running embedded tomcat from
Spring Boot, but I don't suspect that is important for my issue.



Notes about the setup steps (in the Dockerfile example):


1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
   (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)

# Build OpenSSL 3.0.2 from source with the FIPS provider enabled
RUN cd /usr/src \
 && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
 && tar -zxf openssl-3.0.2.tar.gz \
 && rm openssl-3.0.2.tar.gz \
 && cd openssl-3.0.2 \
 && ./config enable-fips && make -j8 && make -j8 install

# Expose the self-built libraries next to the OS copies in /usr/lib64
RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
 && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3

# Generate the FIPS module configuration for the freshly built provider
RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf \
    -module /usr/local/lib/ossl-modules/fips.so


2) Installed Tomcat Native from source:
   (https://tomcat.apache.org/native-doc/)

# Build dependencies from the OS repositories (APR and OpenSSL headers)
RUN microdnf install apr-devel openssl-devel \
 && mkdir /usr/lib/tcnative

# Build tcnative 1.2.32; the APR option of its configure script is --with-apr,
# pointing at the apr-1-config script
RUN cd /usr/src \
 && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
 && tar -xvf tomcat-native-1.2.32-src.tar.gz \
 && rm tomcat-native-1.2.32-src.tar.gz \
 && cd tomcat-native-1.2.32-src/native \
 && ./configure --with-apr=/usr/bin/apr-1-config \
      --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative \
 && make \
 && make install


3) Generate a self-signed certificate:

RUN openssl req -x509 -newkey rsa:4096 -passout pass:test \
    -keyout testkey.pem -out testcert.pem -sha256 -days 90 \
    -subj '/CN=test.lehmansoftware.com'



4) To enable tomcat native, I pass these parameters:

ENTRYPOINT java \
 -Dserver.port=8443 \
 -Dserver.ssl.enabled=true \
 -Djava.library.path="/usr/lib/tcnative/lib" \
 -Dserver.ssl.certificate-key-file="/testkey.pem" \
 -Dserver.ssl.certificate-file="/testcert.pem" \
 -jar app.jar



5) And finally, here is the error message that I receive on application
startup trying to use tcnative.

cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN  [main]
core.AprLifecycleListener - The Apache Tomcat Native library failed to
load. The error reported was
[/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
EVP_PKEY_get_bits]

cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
EVP_PKEY_get_bits

cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native
Method) ~[?:?]

Re: Tomcat Native and OpenSSL v3.0.2

Posted by Clay Lehman <cl...@lehmansoftware.com>.
Configuring both seemed to work. Thanks for all the help!!

On Fri, Apr 8, 2022 at 10:10 AM Christopher Schultz <
chris@christopherschultz.net> wrote:


Re: Tomcat Native and OpenSSL v3.0.2

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Clay,

On 4/7/22 13:50, Clay Lehman wrote:
> Chris, Thanks for your help so far! I am digging into this some more today.
> 
> First off, once I started building APR from source instead of doing "yum
> install apr-devel", my main linking issue went away, so I think we are
> getting close!!
> 
> Now I am struggling to get Spring Boot's embedded Tomcat to start up in the
> APR mode.  Most of the blogs and docs I find are older and seem to be out
> of date, or are otherwise not about embedded tomcat.
> 
> With these JVM Params:
> -Djava.library.path="/usr/lib/tcnative/lib"
> -Dserver.ssl.certificate-key-file="/testkey.pem"
> -Dserver.ssl.certificate-file="/testcert.pem"
> 
> Spring Boot / Tomcat fails to start with this error:
> org.springframework.context.ApplicationContextException: Unable to start
> web server; nested exception is
> org.springframework.boot.web.server.WebServerException: Could not load key
> store 'null'
> 
> 
> I have found tomcat notes on using this connector:
> 
> <!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <Connector
>             protocol="org.apache.coyote.http11.Http11AprProtocol"
>             port="8443" maxThreads="200"
>             scheme="https" secure="true" SSLEnabled="true"
>             SSLCertificateFile="/usr/local/ssl/server.crt"
>             SSLCertificateKeyFile="/usr/local/ssl/server.pem"
>             SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
> 
> 
> But have not been able to figure out the right JVM params to tell Spring
> Boot to work in that manner.

You may have to ask Spring Boot about that. Sorry.

> I am now trying setting up both .crt/.pem files AND ALSO the .pk12 to see
> what happens....

Wrapping the PEM files into .p12 files shouldn't be too onerous. If that 
works, good. But I wonder why the PEM files aren't working. "Could not 
load key store null" seems like the certificate-key-file either isn't a 
valid option, or isn't being applied as expected.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat Native and OpenSSL v3.0.2

Posted by Clay Lehman <cl...@lehmansoftware.com>.
Chris, Thanks for your help so far! I am digging into this some more today.

First off, once I started building APR from source instead of doing "yum
install apr-devel", my main linking issue went away, so I think we are
getting close!!

Now I am struggling to get Spring Boot's embedded Tomcat to start up in the
APR mode.  Most of the blogs and docs I find are older and seem to be out
of date, or are otherwise not about embedded tomcat.

With these JVM Params:
-Djava.library.path="/usr/lib/tcnative/lib"
-Dserver.ssl.certificate-key-file="/testkey.pem"
-Dserver.ssl.certificate-file="/testcert.pem"

Spring Boot / Tomcat fails to start with this error:
org.springframework.context.ApplicationContextException: Unable to start
web server; nested exception is
org.springframework.boot.web.server.WebServerException: Could not load key
store 'null'


I have found tomcat notes on using this connector:

<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>


But have not been able to figure out the right JVM params to tell Spring
Boot to work in that manner.

I am now trying setting up both .crt/.pem files AND ALSO the .pk12 to see
what happens....

Thanks!
Clay


On Thu, Apr 7, 2022 at 1:22 PM Christopher Schultz <
chris@christopherschultz.net> wrote:


Re: Tomcat Native and OpenSSL v3.0.2

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Clay,

On 4/6/22 07:57, Clay Lehman wrote:
> "Make sure you have the same versions of libssl, libapr, and libtcnative
> that you built yourself and not those that e.g. ship with the OS. Where
> are all your .so files for libtcnative, libssl, and libapr?"
> 
> Do you know if there are instructions on building these, or where the .so
> files normally live?

The default LD_LIBRARY_PATH for your system may have lots of stuff in 
it. You'll have to check your system to see.

When Tomcat starts up, the AprLifecycleListener should report all the 
versions of the various things it's using. Does it get that far, or does 
it choke before that?

-chris



Re: Tomcat Native and OpenSSL v3.0.2

Posted by Clay Lehman <cl...@lehmansoftware.com>.
"Make sure you have the same versions of libssl, libapr, and libtcnative
that you built yourself and not those that e.g. ship with the OS. Where
are all your .so files for libtcnative, libssl, and libapr?"

Do you know if there are instructions on building these, or where the .so
files normally live?

On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
chris@christopherschultz.net> wrote:


Re: Tomcat Native and OpenSSL v3.0.2

Posted by Clay Lehman <cl...@lehmansoftware.com>.
This sounds promising.  I installed apr-devel and openssl-devel from yum
repositories, and built OpenSSL 3.0 and Tomcat Native from source.  I think
I saw instructions for building APR from source also.  So I will try that
and report back.

Is there any way to find out what versions are recommended for proper use
of OpenSSL 3.0.x? I haven't been able to find this?



Thanks!
Clay

On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
chris@christopherschultz.net> wrote:


Re: Tomcat Native and OpenSSL v3.0.2

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Clay,

On 4/5/22 12:47, Clay Lehman wrote:
> 5) And finally, here is the error message that I receive on application
> startup trying to use tcnative.
> 
> cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN  [main]
> core.AprLifecycleListener - The Apache Tomcat Native library failed to
> load. The error reported was
> [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> EVP_PKEY_get_bits]
> 
> cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> EVP_PKEY_get_bits
> 
> cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native
> Method) ~[?:?]

Looks like the build worked (right?) so any "undefined symbol" issues 
you see must be related to the versions made available to the process at 
runtime.

Make sure you have the same versions of libssl, libapr, and libtcnative 
that you built yourself and not those that e.g. ship with the OS. Where 
are all your .so files for libtcnative, libssl, and libapr?

-chris

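An added diagnostic example for the "undefined symbol: EVP_PKEY_get_bits" failure discussed in this thread (not code from the thread or from the Tomcat project): EVP_PKEY_get_bits was introduced in OpenSSL 3.0, so a libtcnative compiled against OpenSSL 3 headers that the dynamic loader binds to the OS libcrypto.so.1.1 at runtime fails exactly this way. The script checks which libcrypto a libtcnative .so resolves to via ldd and whether that library exports the symbol; the embedded ldd and nm -D samples are constructed, and the library paths are assumptions.

```shell
#!/bin/sh
# Diagnose "undefined symbol: EVP_PKEY_get_bits" for a libtcnative build.
# Added example, not the thread's or the Tomcat project's code.
# The text helpers operate on captured command output so they can be checked
# offline; the live check at the bottom runs ldd/nm on a real library.

# Print the path a shared-library name resolves to, from `ldd` output.
# $1 = ldd output, $2 = soname prefix such as libcrypto.so
# Prints nothing when the library is absent or reported as "not found".
resolved_path() {
    printf '%s\n' "$1" | awk -v so="$2" \
        'index($1, so) == 1 && $2 == "=>" && $3 != "not" { print $3; exit }'
}

# Map a libcrypto file name to the OpenSSL ABI it belongs to.
libcrypto_abi() {
    case "${1##*/}" in
        libcrypto.so.3*)   echo 3 ;;
        libcrypto.so.1.1*) echo 1.1 ;;
        libcrypto.so.1.0*) echo 1.0 ;;
        *)                 echo unknown ;;
    esac
}

# Succeed if `nm -D` output ($1) lists symbol $2 as a defined text symbol (T).
exports_symbol() {
    printf '%s\n' "$1" | awk -v sym="$2" \
        '$2 == "T" && $3 == sym { found = 1 } END { exit !found }'
}

# $1 = ldd output for libtcnative, $2 = nm -D output for the libcrypto it
# resolved to. Prints a verdict; returns 0 ok, 1 no libcrypto, 2 ABI mismatch.
diagnose() {
    path=$(resolved_path "$1" libcrypto.so)
    if [ -z "$path" ]; then
        echo "error: no libcrypto resolved for libtcnative (not linked or not found)"
        return 1
    fi
    if exports_symbol "$2" EVP_PKEY_get_bits; then
        echo "ok: $path exports EVP_PKEY_get_bits (OpenSSL 3 ABI)"
        return 0
    fi
    echo "mismatch: $path is OpenSSL $(libcrypto_abi "$path") and lacks EVP_PKEY_get_bits (added in 3.0); libtcnative was built against OpenSSL 3 headers"
    return 2
}

# Constructed sample ldd output shaped like the thread's container: the OS
# libcrypto.so.1.1 is what the loader picks up (addresses are fake).
SAMPLE_LDD_OS="    libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00007f0000001000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f0000002000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f0000003000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000004000)"

# Constructed sample: the same library once the loader finds the self-built
# OpenSSL 3.0.2 in /usr/local/lib (assumed install prefix from the thread).
SAMPLE_LDD_FIXED="    libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f0000001000)
    libssl.so.3 => /usr/local/lib/libssl.so.3 (0x00007f0000002000)
    libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x00007f0000003000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000004000)"

# Constructed `nm -D` excerpts: OpenSSL 1.1.1 exports EVP_PKEY_bits only,
# OpenSSL 3.x exports both the old name and EVP_PKEY_get_bits.
SAMPLE_NM_11="0000000000181a20 T EVP_PKEY_bits
0000000000181a40 T EVP_PKEY_security_bits
                 U memcpy"
SAMPLE_NM_3="00000000001f3c10 T EVP_PKEY_bits
00000000001f3c30 T EVP_PKEY_get_bits
00000000001f3c50 T EVP_PKEY_get_security_bits
                 U memcpy"

# Live check, e.g.: sh check_tcnative.sh /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32
if [ -n "${1:-}" ]; then
    ldd_out=$(ldd "$1") || exit 1
    libcrypto=$(resolved_path "$ldd_out" libcrypto.so)
    diagnose "$ldd_out" "$(nm -D "$libcrypto" 2>/dev/null)"
fi
```

Run it against the library named in the error; a "mismatch" verdict means the fix is in the runtime library search path (LD_LIBRARY_PATH or ldconfig), not in the build.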