Hi Michael,

Thank you, I will review paths during config.





Warm regards,

Norbert Elbanbuena

Check out our new Website

-----Original Message-----
From: Michael Osipov <micha...@apache.org> 
Sent: Sunday, June 7, 2020 2:50 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.27 loads incorrect openssl version

On 2020-06-07 at 21:31, Norbert Elbanbuena wrote:
> Hi Michael,
> 
> Interesting I find multiple files.

You have managed to mess up your system. The loader hierarchy looks wrong.

> # ldd -v /usr/lib/libtcnative-1.so

I assume that this is provided by your package manager. If so

>          linux-vdso.so.1 =>  (0x00007ffd767f9000)
>          libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 
> (0x00007f33f497b000)
>          libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 
> (0x00007f33f4491000)
>          libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 
> (0x00007f33f4256000)

This is wrong. All deps should reside in /usr from other packages managed by 
your package manager.

>          libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f33f4051000)
>          librt.so.1 => /lib64/librt.so.1 (0x00007f33f3e49000)
>          libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f33f3c12000)
>          libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f33f39f6000)
>          libdl.so.2 => /lib64/libdl.so.2 (0x00007f33f37f2000)
>          libc.so.6 => /lib64/libc.so.6 (0x00007f33f3424000)
>          libz.so.1 => /lib64/libz.so.1 (0x00007f33f320e000)
>          /lib64/ld-linux-x86-64.so.2 (0x00007f33f4e39000)
>          libfreebl3.so => /lib64/libfreebl3.so (0x00007f33f300b000)
> 
> # ldd -v /usr/local/apr/lib/libtcnative-1.so
>          linux-vdso.so.1 =>  (0x00007ffdad59d000)
>          libssl.so.10 => /lib64/libssl.so.10 (0x00007fcee1505000)

This is obviously not what you wanted. Either RPATH is wrong in your shared 
objects or LD_LIBRARY_PATH leads to a weird state.

>          libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fcee10a2000)
>          libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 
> (0x00007fcee0e67000)
>          libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fcee0c62000)
>          librt.so.1 => /lib64/librt.so.1 (0x00007fcee0a5a000)
>          libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fcee0823000)
>          libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fcee0607000)
>          libdl.so.2 => /lib64/libdl.so.2 (0x00007fcee0403000)
>          libc.so.6 => /lib64/libc.so.6 (0x00007fcee0035000)
>          libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 
> (0x00007fcedfde8000)
>          libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fcedfaff000)
>          libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fcedf8fb000)
>          libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fcedf6c8000)
>          libz.so.1 => /lib64/libz.so.1 (0x00007fcedf4b2000)
>          /lib64/ld-linux-x86-64.so.2 (0x00007fcee19a4000)
>          libfreebl3.so => /lib64/libfreebl3.so (0x00007fcedf2af000)
>          libkrb5support.so.0 => /lib64/libkrb5support.so.0 
> (0x00007fcedf09f000)
>          libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fcedee9b000)
>          libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fcedec81000)
>          libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcedea5a000)
>          libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fcede7f8000)


As a side note, there is *no* /usr/local on Linux or System V UNIX; /usr/local 
is a BSD approach. You should put custom software into /opt. 
(I use /opt/ports on System 5 UNIX)

What you should do now:

* Clearly separate software from your package manager from software manually 
compiled with GNU autoconf/make/cmake. Don't mix and match package-provided 
software with custom-compiled software unless you perfectly know what you are 
doing; this can lead to subtle bugs.
* Find out which of the libtcnative-1.so files Tomcat is loading. (use strace 
for this, you'll see dlopen(3))
* Install custom software into /opt with --prefix=/opt and ALWAYS provide the 
linker and runtime path (rpath) to ./configure to have the expected result
* Verify with ldd that linking is correct
* Don't use LD_LIBRARY_PATH globally. This is merely a workaround for a missing 
RPATH and some other situations

You can use Python's ctypes.CDLL() function to perform the same operation quick 
and easy in Python's REPL.

Please also provide the ./configure args and output of libtcnative as well as 
config.log after configure.

Michael
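Two of the steps above, checking the ldd output and repeating the dlopen(3) with Python's ctypes.CDLL(), can be scripted. The following is an added example written for this thread, not code from the list post or from the Tomcat project: it parses ldd output and flags every dependency resolved outside the distribution's library directories, and it dlopen()s a given .so via ctypes.CDLL() and reports which libssl/libcrypto/libapr copies the loader actually mapped into the process (read from /proc/self/maps, so that part is Linux-only). The embedded ldd samples are excerpts reassembled from the two listings earlier in this thread; the set of "system" directories is an assumption you may need to adjust for your distribution.

```python
import ctypes
import os
import re

# Package-manager library directories (assumption; adjust for your distro).
SYSTEM_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# "soname => path (addr)" resolution lines, and the bare interpreter line
# "/lib64/ld-linux-x86-64.so.2 (addr)". Anything else (e.g. the
# "Version information:" block of `ldd -v`) is ignored.
_LDD_ARROW = re.compile(r"^\s*(\S+)\s*=>\s*([^\s(]*)\s*\((0x[0-9a-fA-F]+)\)")
_LDD_ABS = re.compile(r"^\s*(/\S+)\s*\((0x[0-9a-fA-F]+)\)")


def _in_system_dirs(path, system_dirs=SYSTEM_LIB_DIRS):
    """True if `path` lives in (or below) one of the package-manager library dirs."""
    d = os.path.dirname(path)
    return any(d == s or d.startswith(s + "/") for s in system_dirs)


def check_ldd(text, system_dirs=SYSTEM_LIB_DIRS):
    """Parse ldd output; report every dependency resolved outside the distro dirs
    and which OpenSSL objects (libssl/libcrypto) the loader picked."""
    deps = {}
    for line in text.splitlines():
        m = _LDD_ARROW.match(line)
        if m:
            deps[m.group(1)] = m.group(2) or None  # linux-vdso has no path
            continue
        m = _LDD_ABS.match(line)
        if m:
            deps[os.path.basename(m.group(1))] = m.group(1)
    outside = sorted(p for p in deps.values() if p and not _in_system_dirs(p, system_dirs))
    openssl = {s: p for s, p in deps.items() if s.startswith(("libssl.so", "libcrypto.so"))}
    return {"deps": deps, "outside_system": outside, "openssl": openssl}


def mapped_objects(pattern):
    """Shared objects currently mapped into this process whose basename matches
    `pattern`. Reads /proc/self/maps, so it returns [] on non-Linux systems."""
    rx = re.compile(pattern)
    found = set()
    try:
        with open("/proc/self/maps") as f:
            for line in f:
                parts = line.split()
                if len(parts) >= 6 and parts[5].startswith("/") \
                        and rx.search(os.path.basename(parts[5])):
                    found.add(parts[5])
    except OSError:
        pass
    return sorted(found)


def probe_dlopen(lib_path, watch=(r"^libssl\.so", r"^libcrypto\.so", r"^libapr-1\.so")):
    """dlopen() `lib_path` through ctypes.CDLL (the same resolution Tomcat's
    System.load goes through) and report which copies of the watched libraries
    the dynamic loader pulled in as a result."""
    before = {p: set(mapped_objects(p)) for p in watch}
    try:
        ctypes.CDLL(lib_path)
    except OSError as exc:
        return {"loaded": False, "error": str(exc), "pulled_in": {}}
    after = {p: set(mapped_objects(p)) for p in watch}
    return {"loaded": True, "error": None,
            "pulled_in": {p: sorted(after[p] - before[p]) for p in watch}}


# Excerpts reassembled from the two ldd listings in this thread.
LDD_USR_LIB = """\
        linux-vdso.so.1 =>  (0x00007ffd767f9000)
        libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f33f497b000)
        libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f33f4491000)
        libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f33f4256000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f33f3424000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f33f4e39000)
"""
LDD_USR_LOCAL_APR = """\
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fcee1505000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fcee10a2000)
        libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007fcee0e67000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fcee0035000)
"""

if __name__ == "__main__":
    import sys
    for name, text in (("/usr/lib", LDD_USR_LIB), ("/usr/local/apr", LDD_USR_LOCAL_APR)):
        r = check_ldd(text)
        print(name, "openssl:", r["openssl"], "outside system dirs:", r["outside_system"])
    if len(sys.argv) > 1:  # e.g. python3 this.py /path/to/libtcnative-1.so
        print(probe_dlopen(sys.argv[1]))
```

Run it with the path of each libtcnative-1.so candidate; the `pulled_in` entries show which libssl/libcrypto the loader chose for that copy, which is what Tomcat will end up with when it loads the same file, and `outside_system` lists exactly the objects that a package-managed build should never resolve to.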

> -----Original Message-----
> From: Michael Osipov <micha...@apache.org>
> Sent: Sunday, June 7, 2020 2:19 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 9.0.27 loads incorrect openssl version
> 
> On 2020-06-07 at 20:16, Norbert Elbanbuena wrote:
>> Hi,
>>
>> I removed the previous version of OpenSSL 1.0.2k-fips from yum. Then I 
>> installed OpenSSL 1.1.1g from source and made a clean install of 
>> tomcat-native 1.2.24 pointing to the correct OpenSSL path.
>> When I start Tomcat, it still shows OpenSSL 1.0.2k-fips being loaded on 
>> startup.
>>
>> 07-Jun-2020 18:09:20.357 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR 
>> based Apache Tomcat Native library [1.2.24] using APR version [1.7.0].
>> 07-Jun-2020 18:09:20.357 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR 
>> capabilities: IPv6 [true], sendfile [true], accept filters [false], random 
>> [true].
>> 07-Jun-2020 18:09:20.357 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent 
>> APR/OpenSSL configuration: useAprConnector [true], useOpenSSL [true]
>> 07-Jun-2020 18:09:20.361 INFO [main] 
>> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL 
>> successfully initialized [OpenSSL 1.0.2k-fips  26 Jan 2017]
>>
>> I verified that the latest version of OpenSSL is reflected
>>
>> $openssl version -a
>> OpenSSL 1.1.1g  21 Apr 2020
>> built on: Sun Jun  7 15:15:04 2020 UTC
>> platform: linux-x86_64
>> options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
>> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 
>> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ 
>> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
>> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
>> -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM 
>> -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB 
>> -DNDEBUG
>> OPENSSLDIR: "/usr/local/ssl"
>> ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
>> Seeding source: os-specific
>>
>> Can somebody help me understand why Tomcat still points to the old fips 
>> version? Or do I need to install OpenSSL fips instead?
> 
> Run 'ldd .../libtcnative-1.so' and paste results.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
