[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

Wed, 25 Jun 2014 09:57:07 -0700 

https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Simon Mijolovic <smijolo...@nutanix.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
            Version|1.1.29                      |1.1.30
         Resolution|FIXED                       |---

--- Comment #19 from Simon Mijolovic <smijolo...@nutanix.com> ---
Still running into this issue where the APR library won't load when in fips
mode using the FIPS validated OpenSSL library.

CentOS 6.5 with OpenSSL 1.0.1e-16..el6_5.x86_64, and /boot/grub/grub.conf has
fips=1 (prelink disabled, dracut -f, reboot shows "cat
/proc/sys/crypto/fips_enabled" = 1)

Tomcat 7.0.54 running, and compiled the tcnative APR lib with:
./configure --with-apr=`which apr-1-config`
--with-java-home=/usr/java/jdk1.8.0_05 --with-ssl=yes
--prefix=/usr/share/apache-tomcat-7.0.54

Setenv.sh:
#!/bin/bash
umask 0026
LD_LIBRARY_PATH=/usr/share/apache-tomcat-7.0.54/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

Server.xml:
 <Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />

Connector.xml:
<Connector
  clientAuth="false"
  port="9443"
  protocol="HTTP/1.1"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  SSLCertificateFile="/etc/private/rsacert.pem"
  SSLCertificateKeyFile="/etc/private/rsakey.pem"
  SSLCipherSuite="ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES:!aNULL:!MD5:!DSS"
  SSLDisableCompression="true"
  SSLHonorCipherOrder="true"
  SSLVerifyClient="optional"
  SSLProtocol="TLSv1"
  server="Prism Server"
  connectionTimeout="60000"
  keepAliveTimeout="60000"
  maxKeepAliveRequests="100"
  maxThreads="150"
  maxPostSize="2097152"
  maxHeaderCount="50"
  maxHttpHeaderSize="8190"
  allowTrace="false"
/>

Starting services:
service tomcat start
Using CATALINA_BASE:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_HOME:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.54/temp
Using JRE_HOME:        /usr/java/jdk1.8.0_05/jre
Using CLASSPATH:      
/usr/share/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.

logs/catalina.2014-06-12.log:

Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version
1.3.9.
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true
].
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on
this platform
    at org.apache.tomcat.jni.SSL.initialize(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListene
r.java:270)
    at
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListen
er.java:124)
    at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.j
ava:117)
    at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90
)
    at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-9443"]
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler
["http-apr-9443"]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is
enabled in the AprLifecycleListener, the AprLifecycleListener has initialised
correctly and that a valid SSLProtocol has been specified
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
    at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL
routines:SSL_CTX_new:unable to load ssl2 md5 routines)
    at org.apache.tomcat.jni.SSLContext.make(Native Method)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
    ... 16 more

Jun 12, 2014 1:30:20 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1
-9443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.lang.Exception: Unable to create SSLContext. Check that
SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has
initialised correctly and that a valid SSLProtocol has been specified
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
    at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    ... 13 more
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL
routines:SSL_CTX_new:unable to load ssl2 md5 routines)
    at org.apache.tomcat.jni.SSLContext.make(Native Method)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
    ... 16 more

When I remove fips=1 from grub.conf, reboot, and add FIPSMode="on" to the
AprLifecycleListener in server.xml, the Engine works and FIPSMode shows it's
set to "on".  What is up with the OpenSSL library with the kernel running in
FIPS mode that keeps displaying the error: java.lang.Exception: Invalid Server
SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5
routines)?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to