Thad,

On 8/23/22 10:49, Thad Humphries wrote:
On Tue, Aug 23, 2022 at 10:18 AM Mark Thomas <ma...@apache.org> wrote:

On 23/08/2022 14:12, Thad Humphries wrote:
I'm trying to understand a problem I'm having with Tomcat Native since
moving from 1.2.x to 2.0.

For several years I have been running Tomcat 9.0.12 in Eclipse and 9.0.37
for localhost on my home and office Mac Mini's with macOS 10.15.7
Catalina.
Both use OpenJDK 8 from Amazon. To support development I have a
self-signed
certificate and until recently used Tomcat Native 1.2.x installed with
Homebrew. I added `CATALINA_OPTS="-Xmx1024m
-Djava.library.path=/usr/local/opt/tomcat-native/lib"` to my
bin/setevn.sh

With this configuration I was able to the
connector org.apache.coyote.http11.Http11AprProtocol with UpgradeProtocol
for org.apache.coyote.http2.Http2Protocol

Recently Homebrew replaced Tomcat Native 1.2.x with 2.0.1. Since then
when
Tomcat starts I see in catalina.out "The Apache Tomcat Native library
which
allows using OpenSSL was not found on the java.library.path:
[/usr/local/opt/tomcat-native/lib]". I've had to switch my development to
connector org.apache.coyote.http11.Http11NioProtocol (I need SSL for my
client-server setup).

I've tried using a Tomcat Native 2 I built myself, but get the same "not
found on the java.library.path" message. I tried using a Tomcat Native
1.2.35 I built myself but got the following stacktrace in catalina.out

23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded
Apache
Tomcat Native library [1.2.35] using APR version [1.7.0].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false],
random
[true].
23-Aug-2022 03:07:29.541 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
23-Aug-2022 03:07:29.544 SEVERE [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to
initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been
implemented
on this platform
at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at

org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:289)
at

org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:136)
at

org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at

org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)

What is the issue I'm seeing and how might it be corrected if I want to
run
Tomcat Native for the APR protocol?

You can't.

The APR connector has been deprecated and has been removed in Tomcat
10.1.x onwards.

Tomcat Native 2.0.x does not support the APR connectors.

You need to switch to NIO or NIO2. If you want to use OpenSSL for TLS
then you can do so (you'll need Tomcat Native 2.0.x and OpenSSL). Look
at the docs for the sslImplementationName attribute.

BTW, this is not critical to me; I can live with NIO. However I'm the
*only*
person on this team who pays any attention to Tomcat, and I may be having
to explain this to my coworkers and our boss. Others use a mix of Linux,
Windows, and Mac. Most don't use SSL internally but some use the AJP
connector for Apache, and IIRC that needs Tomcat Native, too.

AJP does not require APR/Native. There are NIO and NIO2 implementations
for AJP.

Mark


Thank you, Mark. That all makes sense. I'll look at the docs you've
referenced. I recall once watching some YouTube videos on Tomcat
connectors. I'll find and rewatch those, too.

Some additional details:

tcnative 2.x, while not supporting the APR connector, supports everything you need for native cryptographic operations via OpenSSL. It likely works with LibreSSL as well but there hasn't been significant testing done, there.

Switching from APR to NIO+tcnative+OpenSSL should give you a reasonably efficient connector which is slightly "safer" than the APR connector (there is less native code in there) and also supports non-blocking I/O when performing TLS handshakes, which is very advantageous for high-traffic environments.

See
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Connector_Comparison for a comparison of the (nearly identical, these days) connectors.

The APR connector was great, but NIO/2 is The Future. Dropping the APR connector means we can have more uniform code internally, while tcnative can continue to provide faster crypto via OpenSSL than the JVM native TLS components can (for various reasons). It's just that we are using OpenSSL through the BIO connectors, now.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to