Posted to users@tomcat.apache.org by Sanaullah <sa...@gmail.com> on 2014/10/29 14:54:35 UTC

Re: APR with PKCS11 support

I again started working on SSLEngine with SafeNet and I need some help: how
do I enable debugging? I configured the engine as "LunaCA3".

<Listener class="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="LunaCA3" />


Here is the error log after starting the server.

Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
        at org.apache.tomcat.jni.SSL.initialize(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Oct 29, 2014 1:40:22 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised cor$
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
        at org.apache.tomcat.jni.SSLContext.make(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
        ... 16 more




Regards,
Sanaullah





On Wed, Aug 6, 2014 at 5:12 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Sanaullah,
>
> On 7/26/14, 4:50 AM, Sanaullah wrote:
> > I tried that configuration but am getting errors.
>
> I just want you to know that you haven't been forgotten: I'm on
> vacation for a bit but I'd really like to take a look at this issue
> when I return.
>
> In the meantime, feel free to check out the tcnative code if you want
> to see what is going on, or someone else could chime-in and give an
> opinion (or -- *gasp* -- a proposed patch!).
>
> Thanks,
> - -chris
>
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
> > Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> > SEVERE: Failed to initialize the SSLEngine.
> > org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
> >         at org.apache.tomcat.jni.SSL.initialize(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
> >         at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
> >         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
> >         at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> >         at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> >
> >
> >
> > On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Sanaullah,
> >
> > On 7/25/14, 9:16 AM, Sanaullah wrote:
> >>>> httpd is working with the HSM with the addition of the parameter
> >>>> SSLCryptoDevice=LunaCA, but when I try the same parameter in
> >>>> TomEE, TomEE doesn't recognize this parameter.
> >>>>
> >>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
> >>>> Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find
> >>>> a matching property.
> >>>>
> >>>> Any Idea?
> >
> > Try setting SSLEngine="LunaCA3" instead of SSLEngine="on" in your:
> >
> > <Listener class="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="on" />
> >
> > -chris
> >
> >>>> On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz <
> >>>> chris@christopherschultz.net> wrote:
> >>>>
> >>>> Sanaullah,
> >>>>
> >>>> On 7/10/14, 4:19 AM, Sanaullah wrote:
> >>>>>>> Is there a way I can use a PKCS11-supported
> >>>>>>> SmartCard/token when using the APR-based SSL connector in
> >>>>>>> Tomcat? PEM-encoded certificates and keys are stored
> >>>>>>> in the smartcard.
> >>>>>>>
> >>>>>>> I know the BIO/NIO connectors support tokens/HSMs, but I am
> >>>>>>> looking for APR-based connectors.
> >>>>
> >>>> I'm no expert at such configurations, but since tcnative/APR
> >>>> uses OpenSSL for its crypto engine, then it can do anything
> >>>> OpenSSL can do. Have you been able to configure e.g. httpd to
> >>>> use this kind of setup? If so, there ought to be a way to
> >>>> make it happen using Tomcat's APR connector.
> >>>>
> >>>> -chris
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org

Re: APR with PKCS11 support

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sanaullah,

On 12/1/14 6:09 AM, Sanaullah wrote:
> I have attached the diff (that allows external crypto devices to
> be used via tcnative). Let me know if it's OK.

For reference, here's the diff:

> 
> 304c304 < #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES ---
>> #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> 661c661 < #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES ---
>> #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
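Review bot: both hunks (304c304 and 661c661) run in the wrong direction for the change described in the message: the `<` side, which normal diff shows as the old text, carries `#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES`, and the `>` side, the new text, carries `#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES`, so applying this patch to a pristine ssl.c is a no-op and applying it to the modified tree reverts the fix. Regenerate it as `diff -u` from the unmodified file to the modified one, so that the reviewer sees the `-#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES` / `+#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES` pair with surrounding context at each site. Separately, hard-coding `1` at both sites removes the configure-time switch entirely; defining HAVE_ENGINE_LOAD_BUILTIN_ENGINES through CFLAGS or a configure check, as suggested below, keeps the guard meaningful for builds that do not want every built-in engine loaded.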

This looks like a /reverse/ diff, since you said you removed the
HAVE_ENGINE_LOAD_BUILTIN_ENGINES and replaced it with "1". Other than
that, it's about as compact as you can get!

I think this would have been easier if you had just built tcnative
like this:

$ cd /path/to/tcnative/jni/native

$ CFLAGS=-DHAVE_ENGINE_LOAD_BUILTIN_ENGINES ./configure ...

$ CFLAGS=-DHAVE_ENGINE_LOAD_BUILTIN_ENGINES make

Can you try re-downloading the source and re-building with the above
CFLAGS set instead of patching the code? If that works, it will be a
slightly safer way to build.

I wonder why HAVE_ENGINE_LOAD_BUILTIN_ENGINES isn't usually set to 1.
I'll do a bit of reading about it.

Thanks,
- -chris


Re: APR with PKCS11 support

Posted by Sanaullah <sa...@gmail.com>.
Hi Chris,

I have attached the diff. Let me know if it's OK.

Regards,
Sanaullah

On Fri, Nov 21, 2014 at 2:08 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:


Re: APR with PKCS11 support

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sanaullah,

On 11/18/14 10:26 PM, Sanaullah wrote:
> Hi Chris,
> 
> The engine is loaded successfully. The issue is with tcnative:
> tcnative was not loading any engine, and it was due to the
> HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor, which is unable to
> call ENGINE_load_builtin_engines. I made one change in ssl.c of
> tomcat-native-1.1.31
> 
> original preprocessor:
> #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
> 
> Changed to
> 
> #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
>     ENGINE_cleanup();
> 
> #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
>     ENGINE_load_builtin_engines();
> #endif

Can you give me a patch in diff -U form? I'd like to take a look at it
formally.

Thanks for doing the digging to figure out how to make this work. I
don't have a non-standard engine available to play with.

Thanks,
- -chris



Re: APR with PKCS11 support

Posted by Sanaullah <sa...@gmail.com>.
Hi Chris,

The engine is loaded successfully. The issue is with tcnative: tcnative was
not loading any engine, and it was due to the HAVE_ENGINE_LOAD_BUILTIN_ENGINES
preprocessor, which is unable to call ENGINE_load_builtin_engines. I made
one change in ssl.c of tomcat-native-1.1.31

original Preprocessor
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

Changed to

#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_cleanup();

#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    ENGINE_load_builtin_engines();
#endif


Regards,
Sanaullah




On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:


Re: APR with PKCS11 support

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sanaullah,

On 11/14/14 10:04 PM, Sanaullah wrote:
> The engine name is correct; it's "LunaCA3". Here is the code snippet
> from OpenSSL for confirmation.
> 
> openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID 
> "LunaCA3"
> 
> I think the issue is with the static and shared libraries of OpenSSL.

It could be. Since you are building on *NIX, you should probably be
using dynamically-linked shared-libraries. But you have to be careful
about the load-ordering if you are using an OpenSSL that is not the
system default (e.g. in /usr/lib).

> If OpenSSL is built as shared, then this LunaCA3 engine is not working
> for nodejs and even for Apache as well; both required OpenSSL to be
> built static.

Interesting...

> I tried to follow the build document of Tomcat Native:
> 
> Building statically linked library on Unixes
> --------------------------------------------
> 
> To statically link apr and openssl dependencies use the following 
> procedure.
> 
> You will need to build static version of openssl library.
> 
>> ./config --prefix=~/natives/openssl no-shared -fPIC make make 
>> install_sw
> Apr by default builds both static and dynamic libraries.
> 
>> ./configure --prefix=~/natives/apr make make install
> 
> After that edit the ~/natives/apr/lib/libapr-1.la file and comment 
> or delete the following sections: dlname='...' and 
> library_names='...' This is needed so that libtool picks the
> static version of the library.
> 
> Build Tomcat native by executing
> 
>> ./configure --with-apr=~/natives/apr 
>> --with-ssl=~/natives/openssl
> --prefix=~/natives/tomcat
>> make make install

You're reaching the limits of my knowledge about building the whole
bundle statically. I'll ping Rainer (CC'd here) who knows more than I do.

> Here is something strange: OpenSSL successfully builds and installs
> with -fPIC, but tcnative still gives me an error.
> 
> /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): 
> relocation R_X86_64_32 against `.rodata' can not be used when 
> making a shared object; recompile with -fPIC 
> /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value 
> collect2: error: ld returned 1 exit status make[1]: *** 
> [libtcnative-1.la] Error 1 make[1]: Leaving directory 
> `/opt/aprtc/tomcat-native-1.1.31-src/jni/native' make: *** 
> [all-recursive] Error 1
> 
> I am not sure what to do here.

Hmm. Let's see if Rainer (or anyone else!) replies.

- -chris



Re: APR with PKCS11 support

Posted by Sanaullah <sa...@gmail.com>.
Hi Chris,

The engine name is correct; it's "LunaCA3". Here is the code snippet from
OpenSSL for confirmation.

openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID  "LunaCA3"

I think the issue is with the static and shared libraries of OpenSSL. If
OpenSSL is built as shared, then this LunaCA3 engine is not working for nodejs
and even for Apache as well; both required OpenSSL to be built static.

I tried to follow the build document of Tomcat Native:

Building statically linked library on Unixes
--------------------------------------------

To statically link apr and openssl dependencies use the following
procedure.

You will need to build static version of openssl library.

> ./config --prefix=~/natives/openssl no-shared -fPIC
> make
> make install_sw
Apr by default builds both static and dynamic libraries.

> ./configure --prefix=~/natives/apr
> make
> make install

After that edit the ~/natives/apr/lib/libapr-1.la file
and comment or delete the following sections:
dlname='...' and library_names='...'
This is needed so that libtool picks the static version of the library.

Build Tomcat native by executing

> ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl
--prefix=~/natives/tomcat
> make
> make install


Here is something strange: OpenSSL successfully builds and installs with -fPIC,
but tcnative still gives me an error.

/usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation
R_X86_64_32 against `.rodata' can not be used when making a shared object;
recompile with -fPIC
/usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libtcnative-1.la] Error 1
make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
make: *** [all-recursive] Error 1

I am not sure what to do here.

Regards,
Sanaullah

On Sat, Nov 15, 2014 at 7:16 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Sanaullah,
>
> On 10/29/14 9:54 AM, Sanaullah wrote:
> > I again started working on SSLEngine with SafeNet and I need some
> > help: how do I enable debugging? I configured the engine as
> > "LunaCA3".
> >
> > <Listener class="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="LunaCA3" />
> >
> > Here is error log after starting the server.
> >
> > Oct 29, 2014 1:40:21 PM
> > org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR
> > based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
> > Oct 29, 2014 1:40:22 PM
> > org.apache.catalina.core.AprLifecycleListener init INFO: APR
> > capabilities: IPv6 [true], sendfile [true], accept filters [false],
> > random [true]. Oct 29, 2014 1:40:22 PM
> > org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> > SEVERE: Failed to initialize the SSLEngine.
> > org.apache.tomcat.jni.Error: 70023: This function has not been
> > implemented on this platform
>
> So the error code 70023 is (at least on my Linux system) equal to the
> APR error code with the label APR_ENOTIMPL. I can see that in a few
> places in the native implementation of the "initialize" method:
>
> Starting on line native/src/ssl.c:679:
>             if ((ee = ENGINE_by_id(J2S(engine))) == NULL
>                 && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
>                 err = APR_ENOTIMPL;
>             else {
>                 if (strcmp(J2S(engine), "chil") == 0)
>                     ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
>                 if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
>                     err = APR_ENOTIMPL;
>             }
>
> Again, starting on native/src/ssl.c:711:
>     SSL_TMP_KEYS_INIT(r);
>     if (r) {
>         TCN_FREE_CSTRING(engine);
>         ssl_init_cleanup(NULL);
>         tcn_ThrowAPRException(e, APR_ENOTIMPL);
>         return APR_ENOTIMPL;
>     }
>
> So, either the engine cannot be loaded, or we can't call
> ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the
> key init that's failing, given that you are trying to use a special
> engine.
>
> Are you comfortable modifying the code for tcnative? If you are on a
> UNIX platform, (re-)compilation is pretty easy. You can add some code
> to dump-out the state of things while the code executes.
>
> I noticed at some point (re-reading the thread) that you were using
> "SSLCryptoDevice LunaCA" but then somehow you and I started using
> "LunaCA3". Have you tried with "LunaCA" (without the 3)?
>
> When you can get httpd to do this for you, do you have to modify the
> LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already
> have whatever it needs in order to support the hardware crypto device?
>
> I'm wondering if the JVM doesn't have the appropriate library
> available for some reason.
>
> What do you get when you run "openssl engine" from your command-line
> without any other special circumstances?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJUZreIAAoJEBzwKT+lPKRYbOEP/3ix/d/bWeQVWSjrimLGBosd
> XgyF7Z4PqC4oChGYguxfu6K/47JRXwizZ3gWe6hNvdxivRU+Rnzhpre86bU6qqyO
> glT6qO4qYrvnA35y0qj+bLAIjOekVTkEHS11HO4ZofUBn/mAHCcN98AJ8AH2M0v6
> 6G2Yx2rF2+Be7yPL7txCFObAagAXIwp20Bv22+zcswVo6YVlDAI1r1RpjUTafObg
> 9IR31BRCwY9P9oJZ3lDKzBOWX3bFU+12CxeKJjJDg1TA1eB8s0e7XVCWyKdPgafi
> UNI5Zv2dFZLgy37/jTmCySpE71MtxmH0IOrs3vJJHr2o27Axk8vMQkKxzXO1ddZ5
> uYvk5KBaMhAUgaWaMvPFC69KBUOv+bTQo/+HujmuM6M2ogIDXYmSJYmI6qM7SGWR
> 7cguyOS9+rgJiiCdRktvQJMj3I9ukHi8px3VU+hZRDv7OYKc4FRaDWAYt2NpnP/o
> exKtjVl9gG8rX96Zhimik0S0sXeykF5mwFZeygno+6eIMdLeyz4R0yVaIJCRfX+z
> yDomd6BrHjjTTSVU2DygkCESUlMSJ1RsyLjAPN7GRLCefy0kFnk0RukF0txulrnB
> KoGlvVuY1moZrbMRmnL3zG8EX0zWkAjtjXk4Rd8mJ4aHQy1cMUgtZ7KCMTJYTfs5
> rpPyrMcQZiYI5r3YjI0a
> =Ax7i
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: APR with PKCS11 support

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Sanaullah,

On 10/29/14 9:54 AM, Sanaullah wrote:
> I again started working on SSLEngine with safenet and i need some
> help, how to enable the debugging? I configure the engine as
> "LunaCA3".
> 
> <Listener class="org.apache.catalina.core.AprLifecycleListener" 
> SSLEngine="LunaCA3" />
> 
> Here is error log after starting the server.
> 
> Oct 29, 2014 1:40:21 PM
> org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR
> based Apache Tomcat Native library 1.1.31 using APR version 1.5.1. 
> Oct 29, 2014 1:40:22 PM
> org.apache.catalina.core.AprLifecycleListener init INFO: APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true]. Oct 29, 2014 1:40:22 PM
> org.apache.catalina.core.AprLifecycleListener lifecycleEvent 
> SEVERE: Failed to initialize the SSLEngine. 
> org.apache.tomcat.jni.Error: 70023: This function has not been
> implemented on this platform

So the error code 70023 is (at least on my Linux system) equal to the
APR error code with the label APR_ENOTIMPL. I can see that in a few
places in the native implementation of the "initialize" method:

Starting on line native/src/ssl.c:679:
            if ((ee = ENGINE_by_id(J2S(engine))) == NULL
                && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
                err = APR_ENOTIMPL;
            else {
                if (strcmp(J2S(engine), "chil") == 0)
                    ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
                if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
                    err = APR_ENOTIMPL;
            }

Again, starting on native/src/ssl.c:711:
    SSL_TMP_KEYS_INIT(r);
    if (r) {
        TCN_FREE_CSTRING(engine);
        ssl_init_cleanup(NULL);
        tcn_ThrowAPRException(e, APR_ENOTIMPL);
        return APR_ENOTIMPL;
    }

So, either the engine cannot be loaded, or we can't call
ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the
key init that's failing, given that you are trying to use a special
engine.

Are you comfortable modifying the code for tcnative? If you are on a
UNIX platform, (re-)compilation is pretty easy. You can add some code
to dump-out the state of things while the code executes.

I noticed at some point (re-reading the thread) that you were using
"SSLCryptoDevice LunaCA" but then somehow you and I started using
"LunaCA3". Have you tried with "LunaCA" (without the 3)?

When you can get httpd to do this for you, do you have to modify the
LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already
have whatever it needs in order to support the hardware crypto device?

I'm wondering if the JVM doesn't have the appropriate library
available for some reason.

What do you get when you run "openssl engine" from your command-line
without any other special circumstances?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org