Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/06/27 13:48:42 UTC
DO NOT REPLY [Bug 51437] New: JVM crash when SSL connector is enabled
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
Bug #: 51437
Summary: JVM crash when SSL connector is enabled
Product: Tomcat Native
Version: 1.1.20
Platform: Other
OS/Version: Windows Server 2003
Status: NEW
Severity: blocker
Priority: P2
Component: Library
AssignedTo: dev@tomcat.apache.org
ReportedBy: osegarra@gencat.net
Classification: Unclassified
Created attachment 27210
--> https://issues.apache.org/bugzilla/attachment.cgi?id=27210
jvm stack trace
Hi,
I'm trying to enable SSL on a tomcat 6.0.32 on a windows 2003 server machine
with tcnative version 1.20.
When I add the following lines to the server.xml
<Connector port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
SSLCertificateFile="${catalina.base}/conf/ssl/presidencia.crt"
SSLCertificateKeyFile="${catalina.base}/conf/ssl/presidencia.key"
SSLCACertificateFile="${catalina.base}/conf/ssl/CA/catcert.pem"/>
It crashes as:
C:\Tomcat 6.0\bin>tomcat6.exe
27-jun-2011 13:45:19 org.apache.catalina.core.AprLifecycleListener init
INFO: Cargada la biblioteca nativa APR de Apache Tomcat 1.1.20
27-jun-2011 13:45:19 org.apache.catalina.core.AprLifecycleListener init
INFO: Capacidades APR: IPv6 [true], enviar fichero [true], aceptar filtros [false], aleatorio [true].
27-jun-2011 13:45:19 org.apache.coyote.http11.Http11AprProtocol init
INFO: Inicializando Coyote HTTP/1.1 en puerto http-8181
#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x10009890, pid=5300, tid=2620
#
# JRE version: 6.0_26-b03
# Java VM: Java HotSpot(TM) Client VM (20.1-b02 mixed mode, sharing windows-x86 )
# Problematic frame:
# C [tcnative-1.dll+0x9890]
#
# An error report file with more information is saved as:
# C:\Tomcat 6.0\hs_err_pid5300.log
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
C:\Tomcat 6.0\bin>
It looks like an error related to tcnative and SSL.
I attach the complete log.
Thanks a lot.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
Mladen Turk <mt...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #11 from Mladen Turk <mt...@apache.org> 2011-06-30 04:29:09 UTC ---
Fix in the SVN.
Like Apache Httpd's mod_ssl, the certificate will be loaded in DER format if
PEM format indicates PEM_R_NO_START_LINE
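The fallback described in comment #11 (try PEM, then load as DER when there is no start line), sketched as a pre-flight check an operator could run on the file named in SSLCertificateFile before starting the connector. This is an added example, not part of the thread and not the tcnative fix itself; the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import re
import ssl

# Matches both the plain and the "TRUSTED CERTIFICATE" PEM labels.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ((?:TRUSTED )?CERTIFICATE)-----(.*?)-----END \1-----", re.S)


def der_total_length(data):
    """Return the full length of the leading DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = constructed SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite length is not valid DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def load_cert_der(data):
    """Try PEM first; with no start line, fall back to DER. Returns (format, der)."""
    m = PEM_BLOCK.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError as exc:             # binascii.Error is a ValueError
            raise ValueError("PEM armor present but body is not base64") from exc
        total = der_total_length(der)
        if total is None or total > len(der):
            raise ValueError("PEM body does not start with a DER SEQUENCE")
        return "PEM", der[:total]             # trusted PEM may append trust data
    if der_total_length(data) == len(data):
        return "DER", data
    raise ValueError("unable to load certificate: neither PEM nor DER")


def to_pem(data):
    """Normalise either encoding to PEM text, failing with an error, not a crash."""
    return ssl.DER_cert_to_PEM_cert(load_cert_der(data)[1])


# Constructed sample: a DER SEQUENCE wrapping filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
```

The check is structural only: it confirms the encoding, not that the bytes are a valid X.509 certificate.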
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #7 from oscar <os...@gencat.net> 2011-06-29 08:00:54 UTC ---
Hi,
I meant another apache web server (httpd).
Where can I send you the certs?
Thanks a lot.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #4 from Mladen Turk <mt...@apache.org> 2011-06-28 17:44:20 UTC ---
Have you tried without setting the SSLCACertificateFile?
Also, does your presidencia.key require a password?
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #10 from oscar <os...@gencat.net> 2011-06-29 15:12:18 UTC ---
Hi,
Transforming certificate into .PEM format makes system work perfectly.
Thanks a lot for your quick response.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #8 from oscar <os...@gencat.net> 2011-06-29 08:03:16 UTC ---
I have found your email and I have sent you the certificates.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #9 from Mladen Turk <mt...@apache.org> 2011-06-29 14:09:12 UTC ---
You have a wrong certificate format.
It should be PEM, not DER like in your case.
Convert it to .pem:
C:\> openssl x509 -trustout -inform DER -in presidencia.crt -outform PEM -out presidencia.pem
Then use
SSLCertificateFile="${catalina.base}/conf/ssl/presidencia.pem"
in your server.xml.
However I'll leave this issue open, because we have some problem in reporting
that error.
E.g. it should throw something like what openssl.exe prints out:
c:\>openssl.exe s_server -cert presidencia.crt -key presidencia.key
unable to load certificate
1448:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
instead of crashing the JVM.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #2 from Mladen Turk <mt...@apache.org> 2011-06-28 17:30:54 UTC ---
> SSLCACertificateFile="${catalina.base}/conf/ssl/CA/catcert.pem"
Are you sure this is a correct path?
Usually the file is named cacert.pem not catcert.pem
If you can confirm the typo has caused the crash, it would be a
good starting point in making sure it doesn't happen again.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #1 from oscar <os...@gencat.net> 2011-06-28 17:19:35 UTC ---
Hi,
Is there any news about this bug? A big project is stopped due to this error.
Thanks a lot.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #6 from Mladen Turk <mt...@apache.org> 2011-06-29 07:51:14 UTC ---
By "another Apache" are you thinking of Apache Tomcat or Apache Http?
And yes, the crash happens before CA file.
If not sensitive, can you send me privately those certs, since I never saw this
kind of error.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #3 from oscar <os...@gencat.net> 2011-06-28 17:33:35 UTC ---
Yes, I'm sure.
It comes from Catcert (www.catcert.cat) which is our CA entity.
The complete path:
C:\Tomcat 6.0\conf\ssl\CA\catcert.pem
Thanks a lot for your update.
DO NOT REPLY [Bug 51437] JVM crash when SSL connector is enabled
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51437
--- Comment #5 from oscar <os...@gencat.net> 2011-06-29 07:31:42 UTC ---
Hi Mark,
I have tried without the SSLCACertificateFile key but system raises the same
error at startup.
presidencia.key does not require password.
Note that the certificate I'm using (crt + key + pem) is correctly working on
another apache we have in our infrastructure.
Thanks a lot.