On Thu, Dec 18, 2025 at 1:27 AM Rainer Jung <[email protected]> wrote:
>
> On 17.12.25 at 20:58, Mark Thomas wrote:
> > The key differences in version 2.0.11 compared to 2.0.9 are:
> >
> > - The Windows binaries in this release have been built with OpenSSL
> >   3.5.4 and APR 1.7.6
> >
> > - OCSP support is included (but not enabled) by default with various
> >   improvements to the OCSP checks
> >
> > - Add the ability to configure TLS 1.3 ciphers
> >
> > The 2.0.x branch is primarily intended for use with Tomcat 10.1.x
> > onwards but can be used with earlier versions as long as the APR/native
> > connector is not used.
> >
> > The proposed release artifacts can be found at [1],
> > and the build was done using tag [2].
> >
> > The Apache Tomcat Native 2.0.11 release is
> > [ ] Stable, go ahead and release
> > [ ] Broken because of ...
>
> I ran those unit tests from TC 9.0.113 and 10.1.50 which are TLS based
> with the new tcnative versions 2.0.11 and 1.3.2. They fail in
> TestClientCertTls13 for NIO and NIO2 with the following error:
>
> Testcase: testClientCertPost[OpenSSL] took 0.104 sec
>     Caused an ERROR
> Protocol handler initialization failed
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
>     at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
>     at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
>     at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertPost(TestClientCertTls13.java:93)
> Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
> Caused by: java.security.KeyManagementException: Error initializing SSL context
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
> Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
>     at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)
>
> Testcase: testClientCertGet[OpenSSL] took 0.033 sec
>     Caused an ERROR
> Protocol handler initialization failed
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:984)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
>     at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437)
>     at org.apache.catalina.startup.TomcatBaseTest$TomcatWithFastSessionIDs.start(TomcatBaseTest.java:902)
>     at org.apache.tomcat.util.net.TestClientCertTls13.testClientCertGet(TestClientCertTls13.java:81)
> Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:256)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1497)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1510)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:667)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
> Caused by: java.security.KeyManagementException: Error initializing SSL context
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:447)
>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:262)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
> Caused by: java.lang.Exception: Unable to configure permitted SSL ciphers (error:12800067:DSO support routines::could not load the shared library)
>     at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:332)
>
>
> Although this looks like an integration issue on my side ("could not
> load the shared library") the same tests using the same scripts do not
> fail for 2.0.9 and for 1.3.1. And other TLS based tests do not fail for
> the new tcnative versions, only those. Since the tcnative code in
> sslcontext.c changed in setCipherSuite() it is likely a failure caused
> by the change.
>
> Can anyone reproduce this?

I'm not getting this error. However, I always get "WARNING [main]
org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets
the [ciphers] attribute" in the logs with the new changes, as the
default cipher list is a concat of TLS 1.2 and TLS 1.3 ciphers, so
it's never going to be able to enable everything ...

Maybe (as I was doing in the FFM code before) we should disable the
warning if the cipher suite has not been configured from its default
value?

Rémy

> Best regards,
>
> Rainer
