Posted to users@tomcat.apache.org by "Cormier, Greg" <Gr...@dfo-mpo.gc.ca> on 2014/04/16 19:44:57 UTC

Patching Tomcat for Heartbleed

I have a Tomcat 7.0.30 server I'm trying to patch to resolve the heartbleed exploit.

I shut down the server and overwrite tcnative-1.dll with the recently released version.

When I restart tomcat, I get errors about the Java Key Store.
       
Apr 16, 2014 9:36:07 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: D:\Tomcat 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.

Apr 16, 2014 9:36:11 AM org.apache.coyote.AbstractProtocol init 
INFO: Initializing ProtocolHandler ["http-bio-443"]

Apr 16, 2014 9:36:12 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to C:\.keystore (The system cannot find the file specified)
java.io.FileNotFoundException: C:\.keystore (The system cannot find the file specified)
	at java.io.FileInputStream.open(Native Method)
	at java.io.FileInputStream.<init>(Unknown Source)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
	...


I don't understand why I'm getting these, as I'm 99% sure I'm using APR and not JSSE.


	<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
		maxThreads="150" scheme="https" secure="true"
		clientAuth="false" sslProtocol="TLS" 
		SSLPassword="xxx"
		SSLCertificateFile="xxx/server.crt"
		SSLCertificateKeyFile="xxx/privkey.pem"
		SSLCACertificateFile="xxx/server.crt"
		SSLCertificateChainFile="xxx/server.crt"
		Compression="on"/>

I haven't set up any keystore, as I'm not using the Java Key store for this... I'm not sure why the new version is trying to find a keystore despite this fact.

Thanks,
Greg


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Patching Tomcat for Heartbleed

Posted by "Cormier, Greg" <Gr...@dfo-mpo.gc.ca>.
Chris/Konstantin,

Thanks for your help. It was indeed the wrong binary, I had used the x32 instead of x64. I also forced APR as recommended. Kicked the server and we're all good!

Many thanks,

Greg


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: April-16-14 6:13 PM
To: Tomcat Users List
Subject: Re: Patching Tomcat for Heartbleed


Greg,

On 4/16/14, 2:28 PM, Cormier, Greg wrote:
>> -----Original Message----- From: Konstantin Kolinko 
>> [mailto:knst.kolinko@gmail.com] Sent: April-16-14 2:12 PM To:
>> Tomcat Users List Subject: Re: Patching Tomcat for Heartbleed
>> 
>> 2014-04-16 21:44 GMT+04:00 Cormier, Greg
>> <Gr...@dfo-mpo.gc.ca>:
>>> I have a Tomcat 7.0.30 server I'm trying to patch to resolve the 
>>> heartbleed
>> exploit.
>>> 
>>> I shut down the server and overwrite tcnative-1.dll with the 
>>> recently
>> released version.
>>> 
>>> When I restart tomcat, I get errors about the Java Key Store.
>>> 
>>> Apr 16, 2014 9:36:07 AM
>>> org.apache.catalina.core.AprLifecycleListener init INFO: The APR 
>>> based Apache Tomcat Native library which allows optimal
>> performance in production environments was not found on the
>> java.library.path: D:\Tomcat
>> 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.
>> 
>> The above means that tcnative-1.dll was not found in the directories 
>> listed above.
>> 
>> I would guess that you used a wrong DLL. It must match the CPU 
>> architecture of JRE/JDK that you are using.
>> 
>> Is tcnative-1.dll file readable?
> 
> Hmm, I think this might be the case - I may have snagged the 32 bit 
> version instead of 64 bit! I will try this after business hours so I 
> can take Tomcat offline and let you know!

If you bounced Tomcat and got the above error, then your connector is dead anyway. Unless you rolled back to the prior configuration, you are already down.

If you are pretty sure you are not down even with the above errors, then perhaps you don't need that connector at all. Is Tomcat terminating SSL for you? No web server or SSL-terminating load-balancer in front of Tomcat?

-chris





Re: Patching Tomcat for Heartbleed

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Greg,

On 4/16/14, 2:28 PM, Cormier, Greg wrote:
>> -----Original Message----- From: Konstantin Kolinko
>> [mailto:knst.kolinko@gmail.com] Sent: April-16-14 2:12 PM To:
>> Tomcat Users List Subject: Re: Patching Tomcat for Heartbleed
>> 
>> 2014-04-16 21:44 GMT+04:00 Cormier, Greg
>> <Gr...@dfo-mpo.gc.ca>:
>>> I have a Tomcat 7.0.30 server I'm trying to patch to resolve
>>> the heartbleed
>> exploit.
>>> 
>>> I shut down the server and overwrite tcnative-1.dll with the
>>> recently
>> released version.
>>> 
>>> When I restart tomcat, I get errors about the Java Key Store.
>>> 
>>> Apr 16, 2014 9:36:07 AM
>>> org.apache.catalina.core.AprLifecycleListener init INFO: The
>>> APR based Apache Tomcat Native library which allows optimal
>> performance in production environments was not found on the 
>> java.library.path: D:\Tomcat 
>> 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.
>> 
>> The above means that tcnative-1.dll was not found in the
>> directories listed above.
>> 
>> I would guess that you used a wrong DLL. It must match the CPU
>> architecture of JRE/JDK that you are using.
>> 
>> Is tcnative-1.dll file readable?
> 
> Hmm, I think this might be the case - I may have snagged the 32 bit
> version instead of 64 bit! I will try this after business hours so
> I can take Tomcat offline and let you know!

If you bounced Tomcat and got the above error, then your connector is
dead anyway. Unless you rolled back to the prior configuration, you
are already down.

If you are pretty sure you are not down even with the above errors,
then perhaps you don't need that connector at all. Is Tomcat
terminating SSL for you? No web server or SSL-terminating
load-balancer in front of Tomcat?

-chris



RE: Patching Tomcat for Heartbleed

Posted by "Cormier, Greg" <Gr...@dfo-mpo.gc.ca>.
> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
> Sent: April-16-14 2:12 PM
> To: Tomcat Users List
> Subject: Re: Patching Tomcat for Heartbleed
> 
> 2014-04-16 21:44 GMT+04:00 Cormier, Greg <Gr...@dfo-mpo.gc.ca>:
> > I have a Tomcat 7.0.30 server I'm trying to patch to resolve the heartbleed
> exploit.
> >
> > I shut down the server and overwrite tcnative-1.dll with the recently
> released version.
> >
> > When I restart tomcat, I get errors about the Java Key Store.
> >
> > Apr 16, 2014 9:36:07 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: D:\Tomcat
> 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Wi
> ndows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\S
> ystem32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.
> 
> The above means that tcnative-1.dll was not found in the directories
> listed above.
> 
> I would guess that you used a wrong DLL.
> It must match the CPU architecture of JRE/JDK that you are using.
> 
> Is tcnative-1.dll file readable?

Hmm, I think this might be the case - I may have snagged the 32 bit version instead of 64 bit! I will try this after business hours so I can take Tomcat offline and let you know!


> 
> 
> > Apr 16, 2014 9:36:11 AM org.apache.coyote.AbstractProtocol init
> > INFO: Initializing ProtocolHandler ["http-bio-443"]
> >
> > Apr 16, 2014 9:36:12 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory
> getStore
> > SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to
> C:\.keystore (The system cannot find the file specified)
> > java.io.FileNotFoundException: C:\.keystore (The system cannot find the
> file specified)
> >         at java.io.FileInputStream.open(Native Method)
> >         at java.io.FileInputStream.<init>(Unknown Source)
> >         at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFacto
> ry.java:400)
> >         ...
> >
> >
> > I don't understand why I'm getting these, as I'm 99% sure I'm using APR and
> not JSSE.
> >
> >
> >         <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> 
> Replace protocol="HTTP/1.1" with explicit
>  protocol="org.apache.coyote.http11.Http11AprProtocol"
> 
> The former auto-switches between BIO and APR.
> The latter explicitly uses the APR implementation.

Thanks! I will change the config file as well!

> 
> >                 maxThreads="150" scheme="https" secure="true"
> >                 clientAuth="false" sslProtocol="TLS"
> >                 SSLPassword="xxx"
> >                 SSLCertificateFile="xxx/server.crt"
> >                 SSLCertificateKeyFile="xxx/privkey.pem"
> >                 SSLCACertificateFile="xxx/server.crt"
> >                 SSLCertificateChainFile="xxx/server.crt"
> >                 Compression="on"/>
> >
> > I haven't setup any keystore, as I'm not using the Java Key store for this...
> I'm not sure why the new version is trying to find a keystore despite this fact.
> >
> 
> Best regards,
> Konstantin Kolinko
> 


Re: Patching Tomcat for Heartbleed

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-04-16 21:44 GMT+04:00 Cormier, Greg <Gr...@dfo-mpo.gc.ca>:
> I have a Tomcat 7.0.30 server I'm trying to patch to resolve the heartbleed exploit.
>
> I shut down the server and overwrite tcnative-1.dll with the recently released version.
>
> When I restart tomcat, I get errors about the Java Key Store.
>
> Apr 16, 2014 9:36:07 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: D:\Tomcat 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.

The above means that tcnative-1.dll was not found in the directories
listed above.

I would guess that you used a wrong DLL.
It must match the CPU architecture of JRE/JDK that you are using.

Is tcnative-1.dll file readable?


> Apr 16, 2014 9:36:11 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-443"]
>
> Apr 16, 2014 9:36:12 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
> SEVERE: Failed to load keystore type JKS with path C:\/.keystore due to C:\.keystore (The system cannot find the file specified)
> java.io.FileNotFoundException: C:\.keystore (The system cannot find the file specified)
>         at java.io.FileInputStream.open(Native Method)
>         at java.io.FileInputStream.<init>(Unknown Source)
>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
>         ...
>
>
> I don't understand why I'm getting these, as I'm 99% sure I'm using APR and not JSSE.
>
>
>         <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"

Replace protocol="HTTP/1.1" with explicit
 protocol="org.apache.coyote.http11.Http11AprProtocol"

The former auto-switches between BIO and APR.
The latter explicitly uses the APR implementation.

>                 maxThreads="150" scheme="https" secure="true"
>                 clientAuth="false" sslProtocol="TLS"
>                 SSLPassword="xxx"
>                 SSLCertificateFile="xxx/server.crt"
>                 SSLCertificateKeyFile="xxx/privkey.pem"
>                 SSLCACertificateFile="xxx/server.crt"
>                 SSLCertificateChainFile="xxx/server.crt"
>                 Compression="on"/>
>
> I haven't setup any keystore, as I'm not using the Java Key store for this... I'm not sure why the new version is trying to find a keystore despite this fact.
>

Best regards,
Konstantin Kolinko

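Added example, not from the thread or from Tomcat itself: a Python check for the two failure signs Konstantin points at above. pe_machine() reads the COFF Machine field of a DLL such as tcnative-1.dll so its architecture can be compared with the JVM's (the wrong-bitness DLL turned out to be Greg's actual problem), and apr_fallback_ports() scans catalina log lines for the "not found on the java.library.path" message followed by a connector coming up as http-bio, which is the auto-switch from APR to BIO/JSSE that protocol="HTTP/1.1" allows. The PE header and log lines below are constructed, and jvm_arch() uses the running interpreter as a stand-in for the JVM.

```python
import re
import struct
import sys

# COFF header "Machine" values (PE/COFF spec); tcnative-1.dll must match the JVM's bitness.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def pe_machine(data: bytes) -> str:
    """Architecture a PE file was built for, read from its COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew -> PE signature
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)

def jvm_arch() -> str:
    """Bitness the DLL must match; the running interpreter stands in for the JVM here."""
    return "x64" if sys.maxsize > 2**32 else "x86"

def fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header: MZ stub, e_lfanew -> 0x40, PE signature, Machine."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)

APR_MISSING = re.compile(r"APR based Apache Tomcat Native library .* was not found")
BIO_HANDLER = re.compile(r'Initializing ProtocolHandler \["http-bio-(\d+)"\]')

def apr_fallback_ports(log_lines) -> list:
    """Ports whose connector came up on BIO/JSSE because tcnative failed to load.
    protocol="HTTP/1.1" auto-selects BIO then, so the patched OpenSSL is not in use."""
    if not any(APR_MISSING.search(line) for line in log_lines):
        return []
    return [int(m.group(1)) for m in map(BIO_HANDLER.search, log_lines) if m]

SAMPLE_LOG = [  # constructed from the catalina log lines quoted in the thread
    "INFO: The APR based Apache Tomcat Native library which allows optimal "
    "performance in production environments was not found on the java.library.path: D:\\Tomcat 7.0\\bin",
    'INFO: Initializing ProtocolHandler ["http-bio-443"]',
    "SEVERE: Failed to load keystore type JKS with path C:\\/.keystore",
]

if __name__ == "__main__":
    print("DLL built for", pe_machine(fake_pe(0x014C)), "- JVM is", jvm_arch())
    print("connectors that fell back to BIO/JSSE:", apr_fallback_ports(SAMPLE_LOG))
```

On a real server pass the bytes of tcnative-1.dll to pe_machine() and the bitness of the JVM that runs Tomcat to the comparison, and feed the catalina log to apr_fallback_ports(); an empty list together with an http-apr handler line is what a successful tcnative swap looks like.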