Clay,
On 4/6/22 07:57, Clay Lehman wrote:
"Make sure you have the same versions of libssl, libapr, and libtcnative
that you built yourself and not those that e.g. ship with the OS. Where
are all your .so files for libtcnative, libssl, and libapr?"
Do you know if there are instructions on building these, or where the .so
files normally live?
The default LD_LIBRARY_PATH for your system may have lots of stuff in
it. You'll have to check your system to see.
When Tomcat starts up, the AprLifecycleListener should report all the
versions of the various things it's using. Does it get that far, or does
it choke before that?
-chris
On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
Clay,
On 4/5/22 12:47, Clay Lehman wrote:
Hello!
I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
an error on startup. I have tried a ton of things, searched, read the docs
over and over, and cannot get past this. Has anyone had success with this
setup?
I created a fully working sample project and Dockerfile to demonstrate the
issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
Thanks!
Clay
More info below....
Most of the examples and documentation that I have found is for old
versions of OpenSSL, but I do see some release notes mentioning OpenSSL
v3.0.x so I suspect this is supported to some degree.
I am testing this using a docker container for "Oracle Linux Server 8"
(specifically FROM openjdk:latest). I am running embedded tomcat from
Spring Boot, but I don't suspect that is important for my issue.
Notes about the setup steps (in the Dockerfile example):
1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
(https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)
RUN cd /usr/src \
&& wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
&& tar -zxf openssl-3.0.2.tar.gz \
&& rm openssl-3.0.2.tar.gz \
&& cd openssl-3.0.2 \
&& ./config enable-fips && make -j8 && make -j8 install
RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
&& ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf \
-module /usr/local/lib/ossl-modules/fips.so
2) Installed Tomcat Native from source:
(https://tomcat.apache.org/native-doc/)
RUN microdnf install apr-devel openssl-devel \
&& mkdir /usr/lib/tcnative
RUN cd /usr/src \
&& wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
&& tar -xvf tomcat-native-1.2.32-src.tar.gz \
&& rm tomcat-native-1.2.32-src.tar.gz \
&& cd tomcat-native-1.2.32-src/native \
&& ./configure --with-api=/usr/bin/apr-1-config \
--with-java-home=/usr/java/latest --with-ssl=yes \
--prefix=/usr/lib/tcnative \
&& make \
&& make install
3) Generate a self-signed certificate:
RUN openssl req -x509 -newkey rsa:4096 -passout pass:test \
-keyout testkey.pem -out testcert.pem -sha256 -days 90 \
-subj '/CN=test.lehmansoftware.com'
4) To enable tomcat native, I pass these parameters:
ENTRYPOINT java \
-Dserver.port=8443 \
-Dserver.ssl.enabled=true \
-Djava.library.path="/usr/lib/tcnative/lib" \
-Dserver.ssl.certificate-key-file="/testkey.pem" \
-Dserver.ssl.certificate-file="/testcert.pem" \
-jar app.jar
5) And finally, here is the error message that I receive on application
startup trying to use tcnative.
cmts-docker-cmts-1 | [2022-04-04 14:49:01.549][${appenders}] WARN [main] core.AprLifecycleListener - The Apache Tomcat Native library failed to load. The error reported was [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits]
cmts-docker-cmts-1 | java.lang.UnsatisfiedLinkError: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits
cmts-docker-cmts-1 | at jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]
Looks like the build worked (right?) so any "undefined symbol" issues
you see must be related to the versions made available to the process at
runtime.
Make sure you have the same versions of libssl, libapr, and libtcnative
that you built yourself and not those that e.g. ship with the OS. Where
are all your .so files for libtcnative, libssl, and libapr?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
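
Added example, not part of the original thread: one way to answer the "where are all your .so files" question is to read `ldd` output for libtcnative and list any OpenSSL library that the dynamic linker resolves outside the prefix the custom build was installed to. The function name `foreign_ssl_libs` and the sample `ldd` output are constructed for illustration; the paths in the usage comment are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): show where the dynamic linker
# resolves the OpenSSL libraries that a native library depends on.

# foreign_ssl_libs PREFIX
# Reads `ldd` output on stdin and prints each libssl/libcrypto entry that is
# unresolved or resolved outside PREFIX. Returns 1 if any entry was printed.
foreign_ssl_libs() {
    awk -v prefix="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            # ldd prints "<soname> => <path> (<addr>)" or "<soname> => not found"
            path = ($3 == "not") ? "not found" : $3
            if (index(path, prefix "/") != 1) {
                print $1 " -> " path
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input, not output captured from the poster's container.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd2a5f2000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f1c3e200000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1c3dc00000)
    libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00007f1c3da00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c3d600000)
EOF
}

# Real use, with the paths given in the thread:
#   ldd /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32 | foreign_ssl_libs /usr/local/lib
sample_ldd | foreign_ssl_libs /usr/local/lib \
    || echo "OpenSSL libraries resolved outside /usr/local/lib"
```

`ldd` reports the path at which the linker found each library, so a symlink placed in /usr/lib64 is listed under /usr/lib64 rather than under its target. The soname version in the first column (`.so.1.1` versus `.so.3`) shows which OpenSSL release line was actually picked up.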