On 18/12/2025 01:28, Rainer Jung wrote:
On 18.12.25 at 01:26, Rainer Jung wrote:
<snip/>
I ran those unit tests from TC 9.0.113 and 10.1.50 which are TLS based
with the new tcnative versions 2.0.11 and 1.3.2. They fail in
TestClientCertTls13 for NIO and NIO2 with the following error:
Testcase: testClientCertPost[OpenSSL] took 0.104 sec
Caused an ERROR
Protocol handler initialization failed
<snip/>
I added some debug lines.
- the error "error:12800067:DSO support routines::could not load the
shared library" is shown because "SSL_ERR_clear();" is missing
somewhere. If I add that in setCipherSuite, the SSL library error thrown
changes to "error:0A0000B9:SSL routines::no cipher match"
We should definitely add the call to SSL_ERR_clear()
- the error happens in the "if (maxProtoVer >= TLS1_3_VERSION) {" branch.
- the CipherSuite used is "!aNULL:!eNULL:!EXP:ALL" and "!aNULL:!eNULL:!EXP:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA".
Where are those coming from? Have you modified the tests / Tomcat to use
different default ciphers?
- when using those with "openssl ciphers -ciphersuites" I get the same
SSL library error on the command line.
- the code of the openssl command line binary shows it is using the same
call to SSL_CTX_set_ciphersuites() as our code
- the openssl CLI command works, as soon as I use a list of explicit TLS
1.3 ciphers. It does not work using group names like ALL or AES.
Hmm. That contradicts the information in
https://github.com/apache/tomcat-native/pull/32 that Rémy tested and
reported no issues.
I suspect the implementation of SSL_CTX_set_ciphersuites() might not
resolve cipher group names.
So it seems our new code is not yet working as expected.
Agreed.
Therefore I vote -1 for 2.0.11 and 1.3.2.
ACK
I suspect we will need new releases. Fortunately, that should be quite
quick. The slow part is building APR and OpenSSL but I can re-use those
builds and link them to the new Tomcat Native build.
I'd like to create some Tomcat unit tests that trigger these issues
before I try fixing anything. Any hints / pointers or complete tests
appreciated.
In terms of timing, I had hoped to get the Tomcat Native releases out by
the end of this week. That isn't going to happen. My new plan is to be
able to tag by the end of this week. Given the holiday period, I'm
expecting the release vote to be longer than usual. Worst case, if we
aren't in a position to tag by the end of the week, we'll need to tag in
early January which will push back the Tomcat releases.
Mark
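As an added illustration of the failure Rainer describes (not code from Tomcat or tomcat-native): a small Python check that emulates which tokens SSL_CTX_set_ciphersuites() accepts, so a configured cipher string can be validated before it reaches OpenSSL. The TLS 1.3 suite names are those of RFC 8446 appendix B.4; the silent skipping of unknown tokens and the "no cipher match" error only when nothing remains is OpenSSL's behaviour (1.1.1 and later).

```python
"""Added example (not tomcat-native code): check a cipher string against what
SSL_CTX_set_ciphersuites() will accept, and split it into the two OpenSSL lists."""
import re

# The five TLS 1.3 suites of RFC 8446 appendix B.4; OpenSSL uses the same names,
# and they are the only tokens SSL_CTX_set_ciphersuites() understands.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def tokens(config: str) -> list[str]:
    """Split a colon (or comma/space) separated OpenSSL cipher string."""
    return [t for t in re.split(r"[:, ]+", config.strip()) if t]


def ciphersuites_accepted(config: str) -> bool:
    """Emulate SSL_CTX_set_ciphersuites(): unknown tokens (aliases such as ALL or
    HIGH, modifiers such as !aNULL, TLS 1.2 names) are skipped silently; the call
    only fails with "no cipher match" when nothing at all is left. An empty
    string is explicitly allowed and simply disables every TLS 1.3 suite."""
    toks = tokens(config)
    return not toks or any(t in TLS13_SUITES for t in toks)


def split_cipher_config(config: str) -> tuple[str, str]:
    """Return (cipher_list, ciphersuites): the first for SSL_CTX_set_cipher_list()
    (TLS 1.2 names, aliases and modifiers in their original order), the second
    for SSL_CTX_set_ciphersuites() (explicit TLS 1.3 names only)."""
    toks = tokens(config)
    tls13 = [t for t in toks if t in TLS13_SUITES]
    tls12 = [t for t in toks if t not in TLS13_SUITES]
    return ":".join(tls12), ":".join(tls13)


if __name__ == "__main__":
    # The two strings from the thread that fail, plus a mixed string that is
    # accepted while silently dropping every alias token.
    for cfg in ("!aNULL:!eNULL:!EXP:ALL",
                "!aNULL:!eNULL:!EXP:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA",
                "ALL:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"):
        verdict = "succeed" if ciphersuites_accepted(cfg) else "fail (no cipher match)"
        print(f"{cfg!r}: set_ciphersuites would {verdict};", split_cipher_config(cfg))
```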