On 18.12.25 at 02:28, Rainer Jung wrote:
On 18.12.25 at 01:26, Rainer Jung wrote:
On 17.12.25 at 20:58, Mark Thomas wrote:
The key differences in version 2.0.11 compared to 2.0.9 are:
- The Windows binaries in this release have been built with OpenSSL
3.5.4 and APR 1.7.6
- OCSP support is included (but not enabled) by default with various
improvements to the OCSP checks
- Add the ability to configure TLS 1.3 ciphers
The 2.0.x branch is primarily intended for use with Tomcat 10.1.x
onwards but can be used with earlier versions as long as the APR/
native connector is not used.
The proposed release artifacts can be found at [1],
and the build was done using tag [2].
The Apache Tomcat Native 2.0.11 release is
[ ] Stable, go ahead and release
[ ] Broken because of ...
I ran those unit tests from TC 9.0.113 and 10.1.50 which are TLS based
with the new tcnative versions 2.0.11 and 1.3.2. They fail in
TestClientCertTls13 for NIO and NIO2 with the following error:
Testcase: testClientCertPost[OpenSSL] took 0.104 sec
Caused an ERROR
Protocol handler initialization failed
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
    at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:93)
Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
Caused by: java.security.KeyManagementException: Error initializing SSL context
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)
Testcase: testClientCertGet[OpenSSL] took 0.033 sec
Caused an ERROR
Protocol handler initialization failed
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
    at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
    at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:81)
Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
Caused by: java.security.KeyManagementException: Error initializing SSL context
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)
Although this looks like an integration issue on my side ("could not
load the shared library"), the same tests using the same scripts do
not fail for 2.0.9 and for 1.3.1. And other TLS based tests do not
fail for the new tcnative versions, only those. Since the tcnative
code in sslcontext.c changed in setCipherSuite(), it is likely a
failure caused by the change.
Can anyone reproduce this?
I added some debug lines.
- the error "error:12800067:DSO support routines::could not load the
shared library" is shown because "SSL_ERR_clear();" is missing
somewhere. If I add that in setCipherSuite, the SSL library error thrown
changes to "error:0A0000B9:SSL routines::no cipher match"
- the error happens in the "if (maxProtoVer >= TLS1_3_VERSION) {" branch.
- the CipherSuite used is "!aNULL:!eNULL:!EXP:ALL" and
"!aNULL:!eNULL:!EXP:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA".
- when using those with "openssl ciphers -ciphersuites" I get the same
SSL library error on the command line.
- the code of the openssl command line binary shows it is using the same
call to SSL_CTX_set_ciphersuites() as our code
- the openssl CLI command works as soon as I use a list of explicit TLS
1.3 ciphers. It does not work using group names like ALL or AES.
I suspect the implementation of SSL_CTX_set_ciphersuites() might not
resolve cipher group names.
Aha, from the OpenSSL docs:
SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3
ciphersuites for ctx. This is a simple colon (":") separated list of
TLSv1.3 ciphersuite names in order of preference. Valid TLSv1.3
ciphersuite names are:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
TLS_SHA384_SHA384 - integrity-only
TLS_SHA256_SHA256 - integrity-only
So no mention of using group names like "ALL". Looking at the OpenSSL
impl of SSL_CTX_set_ciphersuites() versus SSL_CTX_set_cipher_list(), I
have the impression the latter calls code (ssl_create_cipher_list())
which seems to handle group aliases like "ALL".
So it seems our new code is not yet working as expected.
Therefore I vote -1 for 2.0.11 and 1.3.2.
Best regards,
Rainer
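As an added illustration of the distinction found above (this is not code from tcnative or from the thread), the following splits a Tomcat-style OpenSSL cipher string so that aliases such as ALL or HIGH go to SSL_CTX_set_cipher_list() and only explicit TLS 1.3 names go to SSL_CTX_set_ciphersuites(). The TLS 1.3 names are the ones quoted from the OpenSSL docs above; the fallback default list is assumed to be OpenSSL's compiled-in TLS_DEFAULT_CIPHERSUITES, and the function name split_cipher_string is my own.

```python
"""Split an OpenSSL-format cipher string into the two inputs OpenSSL 3.x
expects:

  SSL_CTX_set_cipher_list()  - TLS 1.2 and below; understands aliases such
                               as ALL, HIGH, !aNULL and "!"/"-"/"+" prefixes.
  SSL_CTX_set_ciphersuites() - TLS 1.3 only; accepts only a ':'-separated
                               list of explicit names and fails with
                               "no cipher match" if handed an alias like ALL.
"""

# Valid TLS 1.3 names, as listed in SSL_CTX_set_ciphersuites(3).
TLS13_SUITES = (
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_SHA384_SHA384",
    "TLS_SHA256_SHA256",
)

# Assumption: OpenSSL's compiled-in default (TLS_DEFAULT_CIPHERSUITES), used
# only when the configuration excludes TLS 1.3 suites without naming any.
OPENSSL_DEFAULT_TLS13 = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
)


def split_cipher_string(ciphers):
    """Return (cipher_list, ciphersuites).

    cipher_list  -> string for SSL_CTX_set_cipher_list(), aliases untouched.
    ciphersuites -> string for SSL_CTX_set_ciphersuites(), or None when the
                    configuration says nothing about TLS 1.3; the caller then
                    leaves OpenSSL's default in place instead of passing an
                    alias that can never match.
    """
    legacy, wanted, excluded = [], [], set()
    # OpenSSL accepts ':' ',' and whitespace as separators.
    for token in ciphers.replace(",", ":").split():
        for item in token.split(":"):
            if not item:
                continue
            name = item.lstrip("!-+")
            if name not in TLS13_SUITES:
                legacy.append(item)          # alias or TLS<=1.2 cipher name
            elif item[0] in "!-":
                excluded.add(name)           # set_ciphersuites() has no "!"
            elif name not in wanted:
                wanted.append(name)          # explicit TLS 1.3 suite, in order
    base = wanted if wanted else (OPENSSL_DEFAULT_TLS13 if excluded else ())
    suites = [s for s in base if s not in excluded]
    return ":".join(legacy), (":".join(suites) if suites else None)
```

For the two strings from the failing tests this yields ciphersuites=None, i.e. the TLS 1.3 call should be skipped rather than fed "ALL".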