Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
On 09/11/2011 23:39, Konstantin Kolinko wrote: Maybe add explicit FIPS mode status check below the above error handling? Something like: if (on.equalsIgnoreCase(FIPSMode) !fipsModeActive) { fail fatally; } +1 Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
Mark, On 11/10/11 6:28 AM, Mark Thomas wrote: On 09/11/2011 23:39, Konstantin Kolinko wrote: Maybe add explicit FIPS mode status check below the above error handling? Something like: if (on.equalsIgnoreCase(FIPSMode) !fipsModeActive) { fail fatally; } +1 Sounds good to me. What about checking for either FIPS *or* SSL initialization failure? I suppose that the connector will bomb if SSL doesn't initialize properly. -chris signature.asc Description: OpenPGP digital signature
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
On 09/11/2011 21:34, schu...@apache.org wrote: Author: schultz Date: Wed Nov 9 21:34:31 2011 New Revision: 1199980 URL: http://svn.apache.org/viewvc?rev=1199980view=rev Log: Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener - Added FIPSMode attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode Isn't this dependent on an tcnative update? Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
Mark, On 11/9/11 2:06 PM, Mark Thomas wrote: On 09/11/2011 21:34, schu...@apache.org wrote: Author: schultz Date: Wed Nov 9 21:34:31 2011 New Revision: 1199980 URL: http://svn.apache.org/viewvc?rev=1199980view=rev Log: Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener - Added FIPSMode attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode Isn't this dependent on an tcnative update? Yes, it is. I'm updating the documentation for AprLifecycleListener and I will mention the version dependency in there. If this is not yet appropriate to release, I can roll-back the patch. -chris signature.asc Description: OpenPGP digital signature
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/11/2011 22:09, Christopher Schultz wrote: Mark, On 11/9/11 2:06 PM, Mark Thomas wrote: On 09/11/2011 21:34, schu...@apache.org wrote: Author: schultz Date: Wed Nov 9 21:34:31 2011 New Revision: 1199980 URL: http://svn.apache.org/viewvc?rev=1199980view=rev Log: Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener - Added FIPSMode attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode Isn't this dependent on an tcnative update? Yes, it is. I'm updating the documentation for AprLifecycleListener and I will mention the version dependency in there. If this is not yet appropriate to release, I can roll-back the patch. What happens if I try this with 1.1.22? If it blows up, that is bad. If it logs an error, that is fine. If it silently carries on, that is bad. Mark -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOuvrfAAoJEBDAHFovYFnnZxQQANYotg5DUaa2IJlr0wgI2oGr 8ya5N38EsHjwUYLU+0j35b1Q7n1AWi0AxK2GFaW8Gqde54W0MZOdkYfg6/RGHTKB gDIWHACkd3QEmnxSgyRZd+EBqjFrxIn94rGlG3l3Q+uVhI6sT0Ljqh5BwH7f85qv A0PHxby3SJWfk38MdE9168A8+wrBL3JMtdSJU2Wd6mZEANPr8oEp0tJ6EeI3HpfX oc4H7GGmJf1wBfUPzhVBTxZKJ+6RWzxxKqtQPHVm6q/8s2/qT3kHBCIUPAdL2qpd IEsAorUGg9PW2a70nX20l9ANr0WWuR7jjh/AGHhPVd11ahqsNXRc2yw1vxMVPHua xsHx6Hx7g/Zt8iZL3OGhq75x6ewTmAPp6Df4GFUqm4y4foUWJQEH9gdr2F2nTr3C 87KbGgGOhUh10DPArTWyqeZYQqNKb0I369qcClE552zzIhzsYA1wyuwaEECYZRWR 7/RS5Zz3gdT/z/vdYyds6wayIYFny31PQ8vGpfwrAW+e0HmnV8WEjBX6grdXEq51 M8845CaFXKO0U3GwVw2ECnYUcvTCiGm/lWe5s1fHWXXRKTpsCmw0LVGPAPdg/ore M+nVgLN32DKNiUGCUL/koj9v0YJdLYfKDsWJidRsCcXfoJWPodm0VlOsJbwj/1jS jEL/Re/qFpMszaIS6Jpo =Y0eN -END PGP SIGNATURE- - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
2011/11/10 Mark Thomas ma...@apache.org: On 09/11/2011 21:34, schu...@apache.org wrote: Author: schultz Date: Wed Nov 9 21:34:31 2011 New Revision: 1199980 URL: http://svn.apache.org/viewvc?rev=1199980view=rev Log: Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener - Added FIPSMode attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode Isn't this dependent on an tcnative update? Yes, it is. I'm updating the documentation for AprLifecycleListener and I will mention the version dependency in there. If this is not yet appropriate to release, I can roll-back the patch. What happens if I try this with 1.1.22? If it blows up, that is bad. If it logs an error, that is fine. If it silently carries on, that is bad. Just testing this. If I do not set FIPSMode property, all is OK. No difference from previous behaviour. If I set FIPSMode=on, the following happens [[[ 10-Nov-2011 01:13:59.484 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.22. 10-Nov-2011 01:13:59.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [false], sendfile [true], accept filters [false], random [true]. 10-Nov-2011 01:13:59.937 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode... 10-Nov-2011 01:13:59.937 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine. java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.SSL.fipsModeSet(I)I at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method) at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:248) at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:109) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99) at org.apache.catalina.startup.Catalina.load(Catalina.java:573) at org.apache.catalina.startup.Catalina.load(Catalina.java:598) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449) (...) 10-Nov-2011 01:14:01.203 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1030 ms ]]] There is java.lang.UnsatisfiedLinkError (and not the IllegalStateException that the code throws). Despite this error, Tomcat startup sequence continues. I guess that from FIPS PoV the failure to initialize FIPS mode should be more fatal, regardless of its cause. Be it because of native lib returning error code or this tc-native version mismatch. Maybe even throw an error if SSLEngine was not on. Now it just causes the FIPS mode to be ignored. I do not know why UnsatisfiedLinkError error was not enough to break it. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
Konstantin, On 11/9/11 2:24 PM, Konstantin Kolinko wrote: 2011/11/10 Mark Thomas ma...@apache.org: On 09/11/2011 21:34, schu...@apache.org wrote: Author: schultz Date: Wed Nov 9 21:34:31 2011 New Revision: 1199980 URL: http://svn.apache.org/viewvc?rev=1199980view=rev Log: Fixed bug #50570 - Allow explicit use of FIPS mode in APR lifecycle listener - Added FIPSMode attribute to AprLifecycleListener that causes OpenSSL to go into FIPS mode Isn't this dependent on an tcnative update? Yes, it is. I'm updating the documentation for AprLifecycleListener and I will mention the version dependency in there. If this is not yet appropriate to release, I can roll-back the patch. What happens if I try this with 1.1.22? If it blows up, that is bad. If it logs an error, that is fine. If it silently carries on, that is bad. Just testing this. If I do not set FIPSMode property, all is OK. No difference from previous behaviour. If I set FIPSMode=on, the following happens [[[ 10-Nov-2011 01:13:59.484 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.22. 10-Nov-2011 01:13:59.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [false], sendfile [true], accept filters [false], random [true]. 10-Nov-2011 01:13:59.937 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode... 10-Nov-2011 01:13:59.937 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine. java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.SSL.fipsModeSet(I)I at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method) at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:248) at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:109) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99) at org.apache.catalina.startup.Catalina.load(Catalina.java:573) at org.apache.catalina.startup.Catalina.load(Catalina.java:598) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449) (...) 10-Nov-2011 01:14:01.203 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1030 ms ]]] There is java.lang.UnsatisfiedLinkError (and not the IllegalStateException that the code throws). Despite this error, Tomcat startup sequence continues. I guess that from FIPS PoV the failure to initialize FIPS mode should be more fatal, regardless of its cause. Be it because of native lib returning error code or this tc-native version mismatch. Maybe even throw an error if SSLEngine was not on. Now it just causes the FIPS mode to be ignored. I do not know why UnsatisfiedLinkError error was not enough to break it. Because the AprLifecycleListener's code looks like this: if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) { synchronized (lock) { init(); if (aprAvailable) { try { initializeSSL(); } catch (Throwable t) { ExceptionUtils.handleThrowable(t); log.error(sm.getString(aprListener.sslInit), t); } } } The error is caught, logged, and execution continues. I did not feel that this was an appropriate patch to include changes to exception handling within the AprLivecycleListener. -chris signature.asc Description: OpenPGP digital signature
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
2011/11/10 Christopher Schultz ch...@christopherschultz.net: There is java.lang.UnsatisfiedLinkError (and not the IllegalStateException that the code throws). Despite this error, Tomcat startup sequence continues. I guess that from FIPS PoV the failure to initialize FIPS mode should be more fatal, regardless of its cause. Be it because of native lib returning error code or this tc-native version mismatch. Maybe even throw an error if SSLEngine was not on. Now it just causes the FIPS mode to be ignored. I do not know why UnsatisfiedLinkError error was not enough to break it. Because the AprLifecycleListener's code looks like this: if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) { synchronized (lock) { init(); if (aprAvailable) { try { initializeSSL(); } catch (Throwable t) { ExceptionUtils.handleThrowable(t); log.error(sm.getString(aprListener.sslInit), t); } } } The error is caught, logged, and execution continues. I did not feel that this was an appropriate patch to include changes to exception handling within the AprLivecycleListener. Maybe add explicit FIPS mode status check below the above error handling? Something like: if (on.equalsIgnoreCase(FIPSMode) !fipsModeActive) { fail fatally; } Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
Mark, On 11/9/11 2:12 PM, Mark Thomas wrote: What happens if I try this with 1.1.22? Here is the behavior under various circumstances: 1.1.23, openssl-fips, FIPSMode!=on : regular startup 1.1.23, openssl-fips, FIPSMode=on : enter FIPS mode 1.1.23, openssl, FIPSMode!=on : regular startup 1.1.23, openssl, FIPSMode=on, error: java.lang.Exception: FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS. 1.1.22, any combination: UnsatisfiedLinkError followed by SSL connector configuration NOT in FIPS mode :( Honestly, I am surprised that the Connector comes up when AprLifecycleListener fails to set sslAvailable = true. I think I might need to shut-down the SSL engine if there are any errors coming back from setFIPSMode. I think I might also want to set sslInitialized = true *after* all of the initialization has actually occurred: AprLifecycleListener is/was setting sslInitialized=true *before* any initialization actually occurs. I see several ways to move forward, here, not necessarily mutually exclusive: 1. terminate SSL on FIPS error 2. set sslInitialized after initialization is complete (including FIPS), not before 3. set error state in SSL class to prevent connectors from using an improperly-initialized SSL environment Comments? -chris signature.asc Description: OpenPGP digital signature
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
All, On 11/9/11 4:32 PM, Christopher Schultz wrote: I see several ways to move forward, here, not necessarily mutually exclusive: 1. terminate SSL on FIPS error 2. set sslInitialized after initialization is complete (including FIPS), not before 3. set error state in SSL class to prevent connectors from using an improperly-initialized SSL environment I forgot one: 4. Have an explicit check in lifecycleEvent() that throws an error instead of merely logging the error. -chris signature.asc Description: OpenPGP digital signature
Re: svn commit: r1199980 - in /tomcat/trunk/java/org/apache: catalina/core/AprLifecycleListener.java catalina/core/LocalStrings.properties tomcat/jni/SSL.java
Konstantin, On 11/9/11 3:39 PM, Konstantin Kolinko wrote: 2011/11/10 Christopher Schultz ch...@christopherschultz.net: There is java.lang.UnsatisfiedLinkError (and not the IllegalStateException that the code throws). Despite this error, Tomcat startup sequence continues. I guess that from FIPS PoV the failure to initialize FIPS mode should be more fatal, regardless of its cause. Be it because of native lib returning error code or this tc-native version mismatch. Maybe even throw an error if SSLEngine was not on. Now it just causes the FIPS mode to be ignored. I do not know why UnsatisfiedLinkError error was not enough to break it. Because the AprLifecycleListener's code looks like this: if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) { synchronized (lock) { init(); if (aprAvailable) { try { initializeSSL(); } catch (Throwable t) { ExceptionUtils.handleThrowable(t); log.error(sm.getString(aprListener.sslInit), t); } } } The error is caught, logged, and execution continues. I did not feel that this was an appropriate patch to include changes to exception handling within the AprLivecycleListener. Maybe add explicit FIPS mode status check below the above error handling? Something like: if (on.equalsIgnoreCase(FIPSMode) !fipsModeActive) { fail fatally; } I could certainly do that, but I figured that the listener was written such that it would not fail. I didn't want to alter that behavior just to add FIPS support. -chris signature.asc Description: OpenPGP digital signature