tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 8 APR/openSSL Issue
Date Sun, 08 Oct 2017 17:44:28 GMT

Syam,

On 10/5/17 5:10 PM, Syam Pillai wrote:
> On my AMI (Amazon Linux) server, tomcat 8 was running happily but
> today, after an upgrade (Version is now 8.5.16.0), the server is
> failing to start with the following message:
> 
> INFO [main] org.apache.coyote.AbstractProtocol.init Initializing 
> ProtocolHandler ["https-openssl-nio-8443"] 
> /usr/share/soengine/jdk/bin/java: symbol lookup error: 
> /usr/lib64/libtcnative-1.so.0.2.10: undefined symbol: 
> SSL_CTX_add0_chain_cert
> 
> I can see that before these lines, OpenSSL is loaded:
> 
> INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL
> OpenSSL successfully initialized [OpenSSL 1.0.1e-fips 11 Feb 2013]
> 
> However, I don't know why this version of OpenSSL is being
> shown. On the OS terminal (Kernel: 4.9.51-10.52.amzn1.x86_64 #1
> SMP), if I check, it is showing a different version. (I could not
> find any duplicate installation of OpenSSL on the server).
> 
> openssl version -v
> OpenSSL 1.0.2k-fips  26 Jan 2017

Lemmie guess... you are using Amazon Linux and you just upgraded to
release 2017.09.

AWS appears to have done something horribly wrong with their OpenSSL
deployment for this version. I get the same weird things trying to use
stunnel, which reports conflicting libssl versions, FIPS-init errors
("bad signature") and other odd things.

My recommendation is to file a support ticket (like I did) with Amazon
and force them to un-break this release. Plus, you'll help me, too.

For my part, I've had to disable FIPS mode for stunnel (which kind of
defeats the purpose of having a FIPS build advertised) in order to get
it to work AT ALL, and I'm pretty disappointed. I truly believe that
FIPS compliance is useless at best and damaging at worst, but if the
system is advertised as FIPS-certified, it should darned-well work in
FIPS mode.</grump>

-chris
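The failure reported above is a runtime symbol mismatch: libtcnative was built against an OpenSSL that exports SSL_CTX_add0_chain_cert (added in OpenSSL 1.0.2), but the libssl the dynamic loader resolves for it is older, while the `openssl` CLI on the PATH is a different build. The script below is an added diagnostic and not part of this thread; it resolves which libssl a tcnative shared object actually loads and checks whether that library exports the symbol. It assumes a glibc-based Linux with `ldd` and `nm` (binutils) installed, and the default library path is the one from the report.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread). Assumes ldd and nm are available.

# Given the text output of `ldd <lib>`, print the resolved path of libssl.
# A matching line looks like: "libssl.so.10 => /usr/lib64/libssl.so.10 (0x...)"
libssl_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Given the text output of `nm -D <lib>` and a symbol name, return 0 when the
# symbol is defined in the library's dynamic symbol table (type "T"), else 1.
symbol_defined() {
    printf '%s\n' "$1" | awk -v sym="$2" \
        '$2 == "T" && $3 == sym { found = 1 } END { exit !found }'
}

# Run the real checks against a tcnative shared object. Default path is the
# one from the report; the symbol is the one the loader complained about.
check_tcnative() {
    so="${1:-/usr/lib64/libtcnative-1.so.0.2.10}"
    sym="SSL_CTX_add0_chain_cert"   # first exported by OpenSSL 1.0.2
    ldd_out="$(ldd "$so")" || { echo "ldd failed for $so" >&2; return 2; }
    libssl="$(libssl_from_ldd "$ldd_out")"
    [ -n "$libssl" ] || { echo "$so does not link against libssl" >&2; return 2; }
    echo "tcnative resolves libssl to: $libssl"
    echo "openssl CLI on PATH reports:  $(openssl version)"
    if symbol_defined "$(nm -D "$libssl")" "$sym"; then
        echo "OK: $libssl exports $sym"
        return 0
    fi
    echo "MISMATCH: $libssl lacks $sym; tcnative needs OpenSSL >= 1.0.2"
    return 1
}

# Only run the live check when a library path is passed on the command line.
if [ "$#" -gt 0 ]; then check_tcnative "$1"; fi
```

A non-zero exit with the MISMATCH line means the loader is handing tcnative a libssl older than the one tcnative was compiled against, which is exactly the undefined-symbol error in the report; the fix is on the packaging side (a consistent OpenSSL deployment or a tcnative rebuilt against the installed libssl), not in the Tomcat configuration.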


