tomcat-users mailing list archives

From Syam Pillai <s...@engravgroup.com>
Subject Re: Tomcat 8 APR/openSSL Issue
Date Sun, 08 Oct 2017 18:27:03 GMT
Thanks Chris, yes you are right they messed it up.
I will also file a complaint with them.

On Sun, Oct 8, 2017 at 9:44 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Syam,
>
> On 10/5/17 5:10 PM, Syam Pillai wrote:
> > On my AMI (Amazon Linux) server, tomcat 8 was running happily but
> > today, after an upgrade (Version is now 8.5.16.0), the server is
> > failing to start with the following message:
> >
> > INFO [main] org.apache.coyote.AbstractProtocol.init Initializing
> > ProtocolHandler ["https-openssl-nio-8443"]
> > /usr/share/soengine/jdk/bin/java: symbol lookup error:
> > /usr/lib64/libtcnative-1.so.0.2.10: undefined symbol:
> > SSL_CTX_add0_chain_cert
> >
> > I can see that before these lines, OpenSSL is loaded: INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
> > successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]
> >
> > However, I don't know why this version of OpenSSL is being
> > shown. On the OS terminal (Kernel: 4.9.51-10.52.amzn1.x86_64 #1
> > SMP), if I check, it is showing a different version. (I could not
> > find any duplicate installation of OpenSSL on the server).
> >
> > openssl version -v OpenSSL 1.0.2k-fips  26 Jan 2017
>
> Lemmie guess... you are using Amazon Linux and you just upgraded to
> release 2017.09.
>
> AWS appears to have done something horribly wrong with their OpenSSL
> deployment for this version. I get the same weird things trying to use
> stunnel, which reports conflicting libssl versions, FIPS-init errors
> ("bad signature") and other odd things.
>
> My recommendation is to file a support ticket (like I did) with Amazon
> and force them to un-break this release. Plus, you'll help me, too.
>
> For my part, I've had to disable FIPS mode for stunnel (which kind of
> defeats the purpose of having a FIPS build advertised) in order to get
> it to work AT ALL, and I'm pretty disappointed. I truly believe that
> FIPS compliance is useless at best and damaging at worst, but if the
> system is advertised as FIPS-certified, it should darned-well work in
> FIPS mode.</grump>
>
> - -chris


-- 
*Syam S. Pillai, **Director & Chief Technology Officer*
*ENGRAV Aviation Services & Systems Pvt. Ltd.*
*# 15, Level 1, Indradhanush,  Gubbi Cross,*
*Kothannur PO, Bangalore - 560 077, India.*
*Phone: +91 80 2844 3740*
*http://www.engravgroup.com <https://www.engravgroup.com>*
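
The mismatch reported in this thread can be picked out of a Tomcat startup log mechanically. The following is an added example, not part of the original messages: it compares the OpenSSL banner logged by `AprLifecycleListener` with the output of `openssl version` and extracts any dynamic-linker symbol lookup errors. The function names and the sample input (the thread's log lines, unwrapped) are constructed for illustration.

```python
import re

# Constructed sample: the log lines quoted in this thread, unwrapped.
TOMCAT_LOG = """\
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]
INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
/usr/share/soengine/jdk/bin/java: symbol lookup error: /usr/lib64/libtcnative-1.so.0.2.10: undefined symbol: SSL_CTX_add0_chain_cert
"""
# Output of `openssl version -v` as quoted in the thread.
CLI_OUTPUT = "OpenSSL 1.0.2k-fips  26 Jan 2017"

VERSION_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]*)(-fips)?")
INIT_RE = re.compile(r"AprLifecycleListener\.initializeSSL .*\[(OpenSSL [^\]]+)\]")
SYMBOL_RE = re.compile(r"symbol lookup error: (\S+): undefined symbol: (\S+)")


def parse_version(text):
    """Return (version, is_fips_build) from an OpenSSL banner, or None."""
    m = VERSION_RE.search(text)
    return (m.group(1), bool(m.group(2))) if m else None


def triage(log, cli_output):
    """Compare the OpenSSL the JVM loaded with the one the CLI reports."""
    result = {"runtime": None, "cli": parse_version(cli_output), "missing": []}
    for line in log.splitlines():
        init = INIT_RE.search(line)
        if init:
            result["runtime"] = parse_version(init.group(1))
        sym = SYMBOL_RE.search(line)
        if sym:
            result["missing"].append((sym.group(1), sym.group(2)))
    rt, cli = result["runtime"], result["cli"]
    # A mismatch means the JVM and the CLI are not using the same OpenSSL build.
    result["mismatch"] = bool(rt and cli and rt[0] != cli[0])
    return result


if __name__ == "__main__":
    r = triage(TOMCAT_LOG, CLI_OUTPUT)
    print("runtime:", r["runtime"], "cli:", r["cli"], "mismatch:", r["mismatch"])
    for lib, symbol in r["missing"]:
        print(f"{lib}: symbol {symbol} was not found at load time")
```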
