Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/06/25 18:56:29 UTC

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Simon Mijolovic <sm...@nutanix.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
            Version|1.1.29                      |1.1.30
         Resolution|FIXED                       |---

--- Comment #19 from Simon Mijolovic <sm...@nutanix.com> ---
Still running into this issue where the APR library won't load when in fips
mode using the FIPS validated OpenSSL library.

CentOS 6.5 with OpenSSL 1.0.1e-16..el6_5.x86_64, and /boot/grub/grub.conf has
fips=1 (prelink disabled, dracut -f, reboot shows "cat /proc/sys/crypto/fips_enabled" = 1)

Tomcat 7.0.54 running, and compiled the tcnative APR lib with:
./configure --with-apr=`which apr-1-config` --with-java-home=/usr/java/jdk1.8.0_05 --with-ssl=yes --prefix=/usr/share/apache-tomcat-7.0.54

Setenv.sh:
#!/bin/bash
umask 0026
LD_LIBRARY_PATH=/usr/share/apache-tomcat-7.0.54/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

Server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Connector.xml:
<Connector
  clientAuth="false"
  port="9443"
  protocol="HTTP/1.1"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  SSLCertificateFile="/etc/private/rsacert.pem"
  SSLCertificateKeyFile="/etc/private/rsakey.pem"
  SSLCipherSuite="ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES:!aNULL:!MD5:!DSS"
  SSLDisableCompression="true"
  SSLHonorCipherOrder="true"
  SSLVerifyClient="optional"
  SSLProtocol="TLSv1"
  server="Prism Server"
  connectionTimeout="60000"
  keepAliveTimeout="60000"
  maxKeepAliveRequests="100"
  maxThreads="150"
  maxPostSize="2097152"
  maxHeaderCount="50"
  maxHttpHeaderSize="8190"
  allowTrace="false"
/>

Starting services:
service tomcat start
Using CATALINA_BASE:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_HOME:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.54/temp
Using JRE_HOME:        /usr/java/jdk1.8.0_05/jre
Using CLASSPATH:       /usr/share/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.

logs/catalina.2014-06-12.log:

Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.3.9.
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
    at org.apache.tomcat.jni.SSL.initialize(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-9443"]
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-9443"]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly and that a valid SSLProtocol has been specified
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
    at org.apache.tomcat.jni.SSLContext.make(Native Method)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
    ... 16 more

Jun 12, 2014 1:30:20 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-9443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly and that a valid SSLProtocol has been specified
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    ... 13 more
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
    at org.apache.tomcat.jni.SSLContext.make(Native Method)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
    ... 16 more

When I remove fips=1 from grub.conf, reboot, and add FIPSMode="on" to the
AprLifecycleListener in server.xml, the Engine works and FIPSMode shows it's
set to "on".  What is up with the OpenSSL library with the kernel running in
FIPS mode that keeps displaying the error: java.lang.Exception: Invalid Server
SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5
routines)?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
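A small log-triage script, added here and not part of the bug report, that pulls the tcnative and OpenSSL error codes out of a catalina log excerpt like the one above and unpacks the OpenSSL 1.0.x error code 140A90F1 into its library/function/reason fields. The sample log is constructed from the records quoted in the comment, and the meaning attached to the (20, 169, 241) triple is taken from the error text in that same log.

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
def decode_openssl_error(code: int) -> tuple:
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

# Meaning for the one code this thread shows. The three strings come from the
# log text itself: "SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines".
KNOWN = {
    (20, 169, 241): "SSL routines / SSL_CTX_new / unable to load ssl2 md5 routines "
                    "(seen in the thread with the kernel booted fips=1)",
}

OPENSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
TCN_RE = re.compile(r"org\.apache\.tomcat\.jni\.Error: (\d+):")

def triage(log_text: str) -> dict:
    """Extract tcnative and OpenSSL error codes and test for the thread's failure signature."""
    result = {
        "ssl_engine_init_failed": "Failed to initialize the SSLEngine" in log_text,
        "tcn_errors": sorted({int(m) for m in TCN_RE.findall(log_text)}),
        "openssl_errors": [],
    }
    for hexcode in sorted(set(OPENSSL_RE.findall(log_text))):
        lib, func, reason = decode_openssl_error(int(hexcode, 16))
        result["openssl_errors"].append({
            "code": hexcode.upper(), "lib": lib, "func": func, "reason": reason,
            "note": KNOWN.get((lib, func, reason), "not in the local table"),
        })
    # The signature in the thread: SSL.initialize fails with 70023 (the log's own
    # text says "not implemented on this platform") and SSL_CTX_new then fails
    # with 140A90F1 because the MD5 digest cannot be loaded.
    result["matches_fips_boot_signature"] = (
        result["ssl_engine_init_failed"]
        and 70023 in result["tcn_errors"]
        and any(e["code"] == "140A90F1" for e in result["openssl_errors"])
    )
    return result

# Constructed sample: the two SEVERE records from the thread's catalina log, abbreviated.
SAMPLE_LOG = """\
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
    at org.apache.tomcat.jni.SSL.initialize(Native Method)
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-9443"]
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```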


RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

Posted by Robert Sanders <rs...@TrustedCS.com>.
I tested TCN 1_1_30 with Tomcat 6 (which our app uses) and everything appears to work just fine. I haven't updated our install to try working with Tomcat 7. This is on a CentOS 6.5 (yum updated) box with fips mode enabled at boot, and a server.xml similar to yours.
Just looking quickly at your log I'm concerned about the 'Failed to initialize the SSLEngine' message near the beginning. As I recall I used to see this if I explicitly tried to initialize the SSL Engine twice, which openssl throws an exception on.

-R
