Am 15.04.2016 um 20:24 schrieb Michael Fox:
Per https://access.redhat.com/solutions/445713, the Apache httpd rpm package
included in RHEL 7 is based on Apache 2.4.6.
OpenSSL version 1.0.1 is the latest version available from RedHat.
As you said, "... the current patch level of 1.0.2, which is 1.0.2g has no known security
issues" and" ...symbol SSL_CTX_set_alpn_select_cb only exists in 1.0.2 and newer ".
You are referring to the version of OpenSSL which available as open source, not from Red Hat,
correct?
Yes. You can get OpenSSL 1.0.2g (or anything newer at the time of
retrieval from openssl.org). You'd have to build it yourself.
If I am still confused, please explain it to me. If not, I would like to refer
to the questions at the end of my original post (below).
You are not confused.
>> Should I investigate the use of older versions of Tomcat, Java, and
Tomcat connector?
In general "no" and also not because of this problem.
>> Should I not use APR with Tomcat (and then use HTTP/1.1)?
If you have a need for the APR connector you can use it.
>> Should I abandon the RedHat Apache/OpenSSL software and use the
latest Apache/OpenSSL from apache.org?
>>
Apache as in "Apache web server" doesn't have anything to do with the
topic here. You can create the tcnative libs based on your own
compilation of OpenSSL (and if you like also the APR libs) without
influencing which OpenSSL or APR version your Linux and your Apache web
server coming from this Linux distro uses. If RedHat doesn't provide you
OpenSSL 1.0.2 and you'd like to use up-to-date Tomcat (recommended) and
you have a need for tcnative, then yes, you'd need to do your own
OpenSSL compilation.
Regards,
Rainer
-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Friday, April 15, 2016 1:57 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSL_CTX_set_alpn_select_cb undefined
Am 15.04.2016 um 19:37 schrieb Michael Fox:
I am running Red Hat Linux version 7.2, Apache version 2.4.6, Java JDK
1.8.0_65, Tomcat version 9.0.0.M1, Tomcat connector version 1.2.5, and have
uncommented the HTTP/2 Connector lines in the Tomcat server.xml file. When I
run the configure command for the Tomcat connector, I get the message:
checking OpenSSL library version >= 1.0.2...
Found OPENSSL_VERSION_NUMBER 0x1000105f (OpenSSL 1.0.1e 11 Feb 2013)
Require OPENSSL_VERSION_NUMBER 0x1000200f or greater (1.0.2)
Per Red Hat (https://access.redhat.com/articles/1384453), they consider OpenSSL
version 1.0.2 to have security issues, and so are not issuing that version.
You misunderstood that text. Version 1.0.2 had security issues, which where
fixed by 1.0.2a. So the current patch level of 1.0.2, which is 1.0.2g has no
known security issues.
tcnative starting with version 1.2.0 no longer supports OpenSSL older than
1.0.2. So no support for 0.9.8, 1.0.0 and 1.0.1. You need to build tcnative
1.2.x against OpenSSL 1.0.2 preferably against 1.0.2g.
The symbol SSL_CTX_set_alpn_select_cb only exists in 1.0.2 and newer.
Regards,
Rainer
To be able to configure and make the tcnative library, I run the configure
command as such:
./configure --with-apr=/usr/bin/apr-1-config
--with-java-home=$JAVA_HOME --prefix=$CATALINA_HOME
--disable-openssl-version-check --with-ssl=yes
I am able to make and install the library, but when I run the Tomcat configtest
I get:
INFO: Initializing ProtocolHandler ["https-apr-8443"]
/usr/java/jdk1.8.0_65/bin/java: symbol lookup error:
/home/tomcat/apache-tomcat-9.0.0.M1-src/output/build/lib/libtcnative-1
.so.0.2.5: undefined symbol: SSL_CTX_set_alpn_select_cb
Configuration error detected!
Is there a way to get around or define this symbol?
Should I investigate the use of older versions of Tomcat, Java, and Tomcat
connector?
Should I not use APR with Tomcat (and then use HTTP/1.1)?
Should I abandon the RedHat Apache/OpenSSL software and use the latest
Apache/OpenSSL from apache.org?
Thanks,
Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
