I tested TCN 1_1_30 with Tomcat 6 (which our app uses) and everything appears to work just fine. I haven't updated our install to try working with Tomcat 7. This is on a CentOS 6.5 (yum updated) box with fips mode enabled at boot, and a server.xml similar to yours. Just looking quickly at your log, I'm concerned about the 'Failed to initialize the SSLEngine' message near the beginning. As I recall I used to see this if I explicitly tried to initialize the SSL Engine twice - which openssl throws an exception on.
-R

________________________________________
From: bugzi...@apache.org [bugzi...@apache.org]
Sent: Wednesday, June 25, 2014 12:56 PM
To: dev@tomcat.apache.org
Subject: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Simon Mijolovic <smijolo...@nutanix.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
            Version|1.1.29                      |1.1.30
         Resolution|FIXED                       |---

--- Comment #19 from Simon Mijolovic <smijolo...@nutanix.com> ---
Still running into this issue where the APR library won't load when in fips mode using the FIPS validated OpenSSL library.

CentOS 6.5 with OpenSSL 1.0.1e-16..el6_5.x86_64, and /boot/grub/grub.conf has fips=1 (prelink disabled, dracut -f, reboot shows "cat /proc/sys/crypto/fips_enabled" = 1)

Tomcat 7.0.54 running, and compiled the tcnative APR lib with:

./configure --with-apr=`which apr-1-config` --with-java-home=/usr/java/jdk1.8.0_05 --with-ssl=yes --prefix=/usr/share/apache-tomcat-7.0.54

Setenv.sh:

#!/bin/bash
umask 0026
LD_LIBRARY_PATH=/usr/share/apache-tomcat-7.0.54/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

Server.xml:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Connector.xml:

<Connector clientAuth="false" port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           SSLCertificateFile="/etc/private/rsacert.pem"
           SSLCertificateKeyFile="/etc/private/rsakey.pem"
           SSLCipherSuite="ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES:!aNULL:!MD5:!DSS"
           SSLDisableCompression="true" SSLHonorCipherOrder="true"
           SSLVerifyClient="optional" SSLProtocol="TLSv1"
           server="Prism Server" connectionTimeout="60000" keepAliveTimeout="60000"
           maxKeepAliveRequests="100" maxThreads="150" maxPostSize="2097152"
           maxHeaderCount="50" maxHttpHeaderSize="8190" allowTrace="false" />

Starting services: service tomcat start

Using CATALINA_BASE:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_HOME:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.54/temp
Using JRE_HOME:        /usr/java/jdk1.8.0_05/jre
Using CLASSPATH:       /usr/share/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.

logs/catalina.2014-06-12.log:

Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.3.9.
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
        at org.apache.tomcat.jni.SSL.initialize(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-9443"]
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-9443"]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly and that a valid SSLProtocol has been specified
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
        at org.apache.tomcat.jni.SSLContext.make(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
        ... 16 more
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-9443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly and that a valid SSLProtocol has been specified
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        ... 13 more
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
        at org.apache.tomcat.jni.SSLContext.make(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
        ... 16 more

When I remove fips=1 from grub.conf, reboot, and add FIPSMode="on" to the AprLifecycleListener in server.xml, the Engine works and FIPSMode shows it's set to "on".

What is up with the OpenSSL library with the kernel running in FIPS mode that keeps displaying the error:

java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)?

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
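A small triage script, added here and not part of the thread, Tomcat or tcnative: it classifies a catalina startup log by the two signatures quoted above (the APR load line and the SSLEngine failure), extracts the OpenSSL reason code from the "Invalid Server SSL Protocol" line, and prints the kernel FIPS flag next to the FIPSMode attribute of the AprLifecycleListener. The file paths are parameters, and the sample log is constructed from the quoted output.

```shell
#!/bin/bash
# Added diagnostic, not part of Tomcat or tcnative: triages a catalina log for the
# APR SSLEngine failure shown above and reports kernel FIPS state next to server.xml.

# First OpenSSL reason code (8 hex digits) in an "error:XXXXXXXX:..." message, or "none".
ssl_error_code() {
    local code
    code=$(grep -o 'error:[0-9A-Fa-f]\{8\}' "$1" | head -n1 | cut -d: -f2)
    echo "${code:-none}"
}

# "no-apr": native library never loaded; "engine-init-failed": the SEVERE line from
# the AprLifecycleListener in the report; "ok": APR loaded and no engine failure.
classify_startup_log() {
    if ! grep -q 'Loaded APR based Apache Tomcat Native library' "$1"; then
        echo "no-apr"; return
    fi
    if grep -q 'Failed to initialize the SSLEngine' "$1"; then
        echo "engine-init-failed"; return
    fi
    echo "ok"
}

# Report the kernel flag (normally /proc/sys/crypto/fips_enabled) next to the FIPSMode
# attribute on the AprLifecycleListener. kernel-fips=1 with listener-fips=off is the
# combination that failed in the report; fips=0 with FIPSMode="on" is the one that worked.
fips_consistency() {
    local flag_file="$1" server_xml="$2" kernel=0 listener="off" listener_elem
    [ -r "$flag_file" ] && kernel=$(tr -d '[:space:]' < "$flag_file")
    listener_elem=$(tr '\n' ' ' < "$server_xml" \
        | grep -o '<Listener[^>]*AprLifecycleListener[^>]*>' | head -n1)
    case "$listener_elem" in *FIPSMode=\"on\"*) listener="on" ;; esac
    echo "kernel-fips=$kernel listener-fips=$listener"
}

# Constructed sample (trimmed from the log quoted above) so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/catalina.log" <<'EOF'
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.3.9.
SEVERE: Failed to initialize the SSLEngine.
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
EOF
printf '1\n' > "$demo_dir/fips_enabled"
printf '<Listener className="org.apache.catalina.core.AprLifecycleListener"\n          SSLEngine="on" />\n' > "$demo_dir/server.xml"
echo "log: $(classify_startup_log "$demo_dir/catalina.log") openssl-code=$(ssl_error_code "$demo_dir/catalina.log")"
fips_consistency "$demo_dir/fips_enabled" "$demo_dir/server.xml"
rm -rf "$demo_dir"
```

Point the three functions at the real /proc/sys/crypto/fips_enabled, conf/server.xml and logs/catalina.*.log to reproduce the triage on a live box.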