Posted to users@tomcat.apache.org by Syam Pillai <sy...@engravgroup.com> on 2017/10/05 21:10:00 UTC

Tomcat 8 APR/openSSL Issue

On my AMI (Amazon Linux) server, tomcat 8 was running happily but today,
after an upgrade (Version is now 8.5.16.0), the server is failing to start
with the following message:

INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
ProtocolHandler ["https-openssl-nio-8443"]
/usr/share/soengine/jdk/bin/java: symbol lookup error:
/usr/lib64/libtcnative-1.so.0.2.10: undefined symbol:
SSL_CTX_add0_chain_cert

I can see that before these lines, OpenSSL is loaded:
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
OpenSSL successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]

However, I don't know why this version of OpenSSL is being shown. On the OS terminal
(Kernel: 4.9.51-10.52.amzn1.x86_64 #1 SMP), if I check, it is showing a different
version. (I could not find any duplicate installation of OpenSSL on the server).

openssl version -v
OpenSSL 1.0.2k-fips  26 Jan 2017

Re: Tomcat 8 APR/openSSL Issue

Posted by Syam Pillai <sy...@engravgroup.com>.
Dear Mark,
Thanks for the response.

I already have the following installed:

Tomcat Native: 1.2.10-1.18.amzn1
OpenSSL 1.0.2k-fips  26 Jan 2017

Also, please see this:
ld /usr/lib64/libtcnative-1.so.0.2.10
ld: warning: cannot find entry symbol _start; not setting start address
/usr/lib64/libtcnative-1.so.0.2.10: undefined reference to
`SSL_CTX_add0_chain_cert'

The Tomcat Native package is from Amazon (I'm on their AMI Linux server).
Is this a packaging problem from their side?


On Fri, Oct 6, 2017 at 6:02 PM, Mark Thomas <ma...@apache.org> wrote:

> On 05/10/17 22:10, Syam Pillai wrote:
> > On my AMI (Amazon Linux) server, tomcat 8 was running happily but today,
> > after an upgrade (Version is now 8.5.16.0), the server is failing to
> start
> > with the following message:
> >
> > INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
> > ProtocolHandler ["https-openssl-nio-8443"]
> > /usr/share/soengine/jdk/bin/java: symbol lookup error:
> > /usr/lib64/libtcnative-1.so.0.2.10: undefined symbol:
> > SSL_CTX_add0_chain_cert
> >
> > I can see that before these lines,
> > OpenSSL is loaded:
> > INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
> > OpenSSL successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]
>
> Tomcat 8.5.x requires Tomcat Native 1.2.x
>
> Tomcat Native 1.2.x requires OpenSSL 1.0.2
>
> The above is never going to work.
>
> > However, I don't know why this version of OpenSSL is being shown. On the OS
> > terminal (Kernel: 4.9.51-10.52.amzn1.x86_64 #1 SMP), if I check, it is showing
> > a different version. (I could not find any duplicate installation of OpenSSL
> > on the server).
> >
> > openssl version -v
> > OpenSSL 1.0.2k-fips  26 Jan 2017
>
> You need to contact the provider of your Tomcat Native binary.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


-- 
*Syam S. Pillai, **Director & Chief Technology Officer*
*ENGRAV Aviation Services & Systems Pvt. Ltd.*
*# 15, Level 1, Indradhanush,  Gubbi Cross,*
*Kothannur PO, Bangalore - 560 077, India.*
*Phone: +91 80 2844 3740*
*http://www.engravgroup.com <https://www.engravgroup.com>*

Re: Tomcat 8 APR/openSSL Issue

Posted by Mark Thomas <ma...@apache.org>.
On 05/10/17 22:10, Syam Pillai wrote:
> On my AMI (Amazon Linux) server, tomcat 8 was running happily but today,
> after an upgrade (Version is now 8.5.16.0), the server is failing to start
> with the following message:
> 
> INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
> ProtocolHandler ["https-openssl-nio-8443"]
> /usr/share/soengine/jdk/bin/java: symbol lookup error:
> /usr/lib64/libtcnative-1.so.0.2.10: undefined symbol:
> SSL_CTX_add0_chain_cert
> 
> I can see that before these lines,
> OpenSSL is loaded:
> INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
> OpenSSL successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]

Tomcat 8.5.x requires Tomcat Native 1.2.x

Tomcat Native 1.2.x requires OpenSSL 1.0.2

The above is never going to work.

> However, I don't know why this version of OpenSSL is being shown. On the OS terminal
> (Kernel: 4.9.51-10.52.amzn1.x86_64 #1 SMP), if I check, it is showing a different
> version. (I could not find any duplicate installation of OpenSSL on the server).
> 
> openssl version -v
> OpenSSL 1.0.2k-fips  26 Jan 2017

You need to contact the provider of your Tomcat Native binary.

Mark

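A diagnostic added here (it is not part of the thread) that turns the two checks above into a script: it reads which libssl the Tomcat Native library actually resolves to via `ldd`, extracts the OpenSSL banner embedded in that library, and checks whether the library exports `SSL_CTX_add0_chain_cert`, the symbol the JVM failed to find. It assumes a Linux host with `ldd`, `awk`, `tr`, `grep` and GNU `nm`; the `ldd` output used in testing is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): find the libssl that a Tomcat Native
# library resolves against at runtime, report the OpenSSL build that libssl
# carries, and check that it exports the symbol the JVM failed to look up.
# Assumes a Linux host with ldd, awk, tr, grep and GNU nm (binutils).

SYMBOL="SSL_CTX_add0_chain_cert"   # the undefined symbol from the thread

# Read `ldd` output on stdin and print the path libssl resolves to (empty if none).
libssl_path_from_ldd() {
  awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Print the "OpenSSL <version> <date>" banner embedded in a libssl/libcrypto file.
openssl_banner() {
  tr -c '[:print:]' '\n' < "$1" \
    | grep -E -o 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-fips)? +[0-9]{1,2} [A-Z][a-z]{2} [0-9]{4}' \
    | head -n 1
}

# Return 0 if the shared library exports the symbol (version suffix ignored), else 1.
lib_defines_symbol() {
  nm -D --defined-only "$1" 2>/dev/null \
    | awk -v s="$2" '{ n = $NF; sub(/@.*/, "", n); if (n == s) found = 1 } END { exit !found }'
}

# Full check for one libtcnative path: resolved libssl, its banner, symbol status.
# Exit status: 0 symbol present, 1 symbol missing, 2 no libssl dependency.
check_tcnative() {
  lib="$1"
  libssl=$(ldd "$lib" | libssl_path_from_ldd)
  if [ -z "$libssl" ]; then
    echo "no libssl dependency found for $lib"
    return 2
  fi
  echo "libssl resolved to: $libssl"
  echo "libssl banner:      $(openssl_banner "$libssl")"
  if lib_defines_symbol "$libssl" "$SYMBOL"; then
    echo "$SYMBOL: defined"
  else
    echo "$SYMBOL: MISSING (runtime symbol lookup error expected)"
    return 1
  fi
}

# Usage: sh tcnative_check.sh /usr/lib64/libtcnative-1.so.0.2.10
if [ "$#" -eq 1 ]; then
  check_tcnative "$1"
fi
```

A libssl whose banner reads 1.0.1e while the package manager reports 1.0.2k is exactly the mismatch the thread describes, and the missing-symbol result explains the `symbol lookup error` at startup.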


Re: Tomcat 8 APR/openSSL Issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Syam,

On 10/8/17 2:27 PM, Syam Pillai wrote:
> Thanks Chris, yes you are right they messed it up. I will also file
> a complaint with them.

https://forums.aws.amazon.com/thread.jspa?messageID=809159
https://forums.aws.amazon.com/thread.jspa?messageID=807909

-chris



Re: Tomcat 8 APR/openSSL Issue

Posted by Syam Pillai <sy...@engravgroup.com>.
Thanks Chris, yes you are right they messed it up.
I will also file a complaint with them.

On Sun, Oct 8, 2017 at 9:44 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Syam,
>
> On 10/5/17 5:10 PM, Syam Pillai wrote:
> > On my AMI (Amazon Linux) server, tomcat 8 was running happily but
> > today, after an upgrade (Version is now 8.5.16.0), the server is
> > failing to start with the following message:
> >
> > INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
> > ProtocolHandler ["https-openssl-nio-8443"]
> > /usr/share/soengine/jdk/bin/java: symbol lookup error:
> > /usr/lib64/libtcnative-1.so.0.2.10: undefined symbol:
> > SSL_CTX_add0_chain_cert
> >
> > I can see that before these lines, OpenSSL is loaded: INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
> > successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]
> >
> > However, I don't know why this version of OpenSSL is being
> > shown. On the OS terminal (Kernel: 4.9.51-10.52.amzn1.x86_64 #1
> > SMP), if I check, it is showing a different version. (I could not
> > find any duplicate installation of OpenSSL on the server).
> >
> > openssl version -v OpenSSL 1.0.2k-fips  26 Jan 2017
>
> Lemmie guess... you are using Amazon Linux and you just upgraded to
> release 2017.09.
>
> AWS appears to have done something horribly wrong with their OpenSSL
> deployment for this version. I get the same weird things trying to use
> stunnel, which reports conflicting libssl versions, FIPS-init errors
> ("bad signature") and other odd things.
>
> My recommendation is to file a support ticket (like I did) with Amazon
> and force them to un-break this release. Plus, you'll help me, too.
>
> For my part, I've had to disable FIPS mode for stunnel (which kind of
> defeats the purpose of having a FIPS build advertised) in order to get
> it to work AT ALL, and I'm pretty disappointed. I truly believe that
> FIPS compliance is useless at best and damaging at worst, but if the
> system is advertised as FIPS-certified, it should darned-well work in
> FIPS mode.</grump>
>
> -chris
>



Re: Tomcat 8 APR/openSSL Issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Syam,

On 10/5/17 5:10 PM, Syam Pillai wrote:
> On my AMI (Amazon Linux) server, tomcat 8 was running happily but
> today, after an upgrade (Version is now 8.5.16.0), the server is
> failing to start with the following message:
> 
> INFO [main] org.apache.coyote.AbstractProtocol.init Initializing 
> ProtocolHandler ["https-openssl-nio-8443"] 
> /usr/share/soengine/jdk/bin/java: symbol lookup error: 
> /usr/lib64/libtcnative-1.so.0.2.10: undefined symbol: 
> SSL_CTX_add0_chain_cert
> 
> I can see that before these lines, OpenSSL is loaded: INFO [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
> successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]
> 
> However, I don't know why this version of OpenSSL is being
> shown. On the OS terminal (Kernel: 4.9.51-10.52.amzn1.x86_64 #1
> SMP), if I check, it is showing a different version. (I could not
> find any duplicate installation of OpenSSL on the server).
> 
> openssl version -v OpenSSL 1.0.2k-fips  26 Jan 2017

Lemmie guess... you are using Amazon Linux and you just upgraded to
release 2017.09.

AWS appears to have done something horribly wrong with their OpenSSL
deployment for this version. I get the same weird things trying to use
stunnel, which reports conflicting libssl versions, FIPS-init errors
("bad signature") and other odd things.

My recommendation is to file a support ticket (like I did) with Amazon
and force them to un-break this release. Plus, you'll help me, too.

For my part, I've had to disable FIPS mode for stunnel (which kind of
defeats the purpose of having a FIPS build advertised) in order to get
it to work AT ALL, and I'm pretty disappointed. I truly believe that
FIPS compliance is useless at best and damaging at worst, but if the
system is advertised as FIPS-certified, it should darned-well work in
FIPS mode.</grump>

-chris
