Hi Michael,

Interesting, I find multiple files.

# ldd -v /usr/lib/libtcnative-1.so
        linux-vdso.so.1 => (0x00007ffd767f9000)
        libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f33f497b000)
        libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f33f4491000)
        libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f33f4256000)
        libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f33f4051000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f33f3e49000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f33f3c12000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f33f39f6000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f33f37f2000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f33f3424000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f33f320e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f33f4e39000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f33f300b000)

# ldd -v /usr/local/apr/lib/libtcnative-1.so
        linux-vdso.so.1 => (0x00007ffdad59d000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fcee1505000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fcee10a2000)
        libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007fcee0e67000)
        libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fcee0c62000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fcee0a5a000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcee0823000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fcee0607000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fcee0403000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fcee0035000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fcedfde8000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fcedfaff000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcedf8fb000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fcedf6c8000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fcedf4b2000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fcee19a4000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007fcedf2af000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fcedf09f000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fcedee9b000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcedec81000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcedea5a000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fcede7f8000)

Warm regards,
Norbert Elbanbuena

-----Original Message-----
From: Michael Osipov <micha...@apache.org>
Sent: Sunday, June 7, 2020 2:19 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.27 loads incorrect openssl version

On 2020-06-07 at 20:16, Norbert Elbanbuena wrote:
> Hi,
>
> I removed the previous version of OpenSSL 1.0.2k-fips from yum. Then I
> installed OpenSSL 1.1.1g from source and made a clean install of
> tomcat-native 1.2.24 pointing to the correct OpenSSL path.
> When I start Tomcat, it still shows OpenSSL 1.0.2k-fips being loaded on
> startup.
>
> 07-Jun-2020 18:09:20.357 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.24] using APR version [1.7.0].
> 07-Jun-2020 18:09:20.357 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> 07-Jun-2020 18:09:20.357 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [true], useOpenSSL [true]
> 07-Jun-2020 18:09:20.361 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k-fips 26 Jan 2017]
>
> I verified latest version of OpenSSL reflected
>
> $openssl version -a
> OpenSSL 1.1.1g 21 Apr 2020
> built on: Sun Jun 7 15:15:04 2020 UTC
> platform: linux-x86_64
> options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
> OPENSSLDIR: "/usr/local/ssl"
> ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
> Seeding source: os-specific
>
> Can somebody help me understand why Tomcat still points to the old fips
> version? Or do I need to install OpenSSL fips instead?

Run 'ldd .../libtcnative-1.so' and paste results.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
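
The comparison the two ldd listings above allow, as an added example that is not part of the original thread or of Tomcat's tooling: the script reports, for each copy of libtcnative-1.so, which libssl it resolves to and whether that path lies under the directory of the intended OpenSSL build. The function names and the EXPECTED_SSL_DIR variable are assumptions made for this example; the sample lines are excerpted from the listings in the thread.

```sh
#!/bin/sh
# Added example: classify libtcnative-1.so copies by the libssl they link to.

# Read `ldd` output on stdin; print "<soname> <resolved path>" for libssl.
# An unresolved dependency ("=> not found") is reported as "not-found".
ssl_of_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" {
        print $1, ($3 == "not" ? "not-found" : $3)
    }'
}

# classify EXPECTED_DIR: read `ldd` output on stdin and print one of
#   OK <soname> <path>        libssl resolves under EXPECTED_DIR
#   MISMATCH <soname> <path>  libssl resolves elsewhere or is not found
#   NONE ...                  no libssl dependency at all
classify() {
    expected=$1
    resolved=$(ssl_of_ldd)
    case "$resolved" in
        "")                echo "NONE no libssl dependency" ;;
        *" $expected"/*)   echo "OK $resolved" ;;
        *)                 echo "MISMATCH $resolved" ;;
    esac
}

# Excerpts from the two listings in the thread (not the full output).
SAMPLE_USR_LIB='        libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f33f497b000)
        libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f33f4491000)'
SAMPLE_APR_LIB='        libssl.so.10 => /lib64/libssl.so.10 (0x00007fcee1505000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fcee10a2000)'

# Assumption: the source-built OpenSSL lives here (path taken from the thread).
EXPECTED=${EXPECTED_SSL_DIR:-/usr/local/ssl/lib}

if [ "$#" -gt 0 ]; then
    # Real use: pass every libtcnative-1.so copy found on the host.
    for lib in "$@"; do
        printf '%s: %s\n' "$lib" "$(ldd "$lib" | classify "$EXPECTED")"
    done
else
    # No arguments: run against the excerpts above.
    printf '/usr/lib/libtcnative-1.so: %s\n' \
        "$(printf '%s\n' "$SAMPLE_USR_LIB" | classify "$EXPECTED")"
    printf '/usr/local/apr/lib/libtcnative-1.so: %s\n' \
        "$(printf '%s\n' "$SAMPLE_APR_LIB" | classify "$EXPECTED")"
fi
```

A copy reported as MISMATCH is one that would initialize a different OpenSSL than the one `openssl version` shows on the command line, which is the symptom described in the thread.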