Tomcat Native library with OpenSSL Engine

2021-03-08 Thread Edin Hodzic
Hello users,

I am new to Tomcat and to this mailing list. Looked far and wide for a
solution to my problem, but couldn't find anything effective. I found
other folks asking about similar issues. I then looked through the source
and think I got a solution that I'd like to share as a patch.

The problem is this: trying to use Apache Tomcat with an OpenSSL Engine
that has a proprietary private ECC key format fails. The private key file is
not PEM, and only this specific OpenSSL Engine can load such a private ECC
key. When the server.xml configuration includes a reference to a proprietary
format private ECC key in a
Service/Connector/SSLHostConfig/Certificate/certificateKeyFile, the
run-time fails to initialize a new SSL context. As a result, TLS doesn't
get established and the connection fails.

I have tried Tomcat7, 9 and 10.

To illustrate the configuration in server.xml, it includes elements like
these:


The logs may include lines like these:

05-Mar-2021 14:37:07.175 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [/opt/my-keys/server.pem] or its private key [/opt/my-keys/server.key] could not be processed using a JSSE key manager and will be given directly to OpenSSL

05-Mar-2021 14:37:07.176 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
java.lang.Exception: Unable to load certificate key /opt/my-keys/server.key (error:0909006C:PEM routines:get_name:no start line)
    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:379)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:250)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
    at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:401)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:367)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1164)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1177)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1052)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:558)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)

My understanding of the root cause is that Tomcat doesn't support a
proprietary format of the private ECC key. It insists that the key be in
PEM format, in a file or in a keystore.
What I needed was support for the "engine" key format, similar to the
feature of the "openssl digest" command in the following invocation:

openssl dgst \
-sign my-keys/server.key \
*-keyform ENGINE*  \
-engine MySslEngine  \
-out signature.bin   \
my-input

When the key has the form "engine", the key is loaded using
the ENGINE_load_private_key API
(https://www.openssl.org/docs/man1.1.0/man3/ENGINE_load_private_key.html).

I have come up with a small change to the Tomcat Native library that
resolves the problem for me. It is not as general as the "engine" key form
in the openssl command line. The change below simply attempts to load the
private key through ENGINE_load_private_key if load_pem_key fails.
Please consider the change as a patch to the Tomcat Native library:

--- tomcat-native-1.2.26-src/native/include/ssl_private.h 2020-12-10
09:09:19.0 -0800
+++ tomcat-native-1.2.26-src.changed/native/include/ssl_priv
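The decision the mail describes (try the PEM loader, fall back to ENGINE_load_private_key when it fails) hinges on what OpenSSL's PEM reader actually checks, and the "no start line" error in the log above is the symptom of exactly that check failing. The following is an added example, not code from the mail or from Tomcat Native: it classifies the raw bytes of a key file the way the PEM reader sees them, reports which of the two loader paths the patched code would end up in, and decodes the packed OpenSSL 1.1 error code from the log line (ERR_LIB_PEM = 9 and PEM_R_NO_START_LINE = 108 are the values from the OpenSSL 1.1.x headers; the sample key bytes are constructed and are not real keys). One caveat for anyone carrying such a patch forward: the ENGINE API is deprecated in OpenSSL 3.0 in favour of providers, so the same fallback would need a provider-based loader there.

```python
"""Why Tomcat Native reports "PEM routines:get_name:no start line", and where
the fallback described in the mail would kick in.

Added example (not from the mail or from Tomcat Native). The PEM loader
succeeds only on PEM armour; any other byte layout (DER, or an engine's
proprietary container) makes OpenSSL's PEM reader fail while scanning for a
"-----BEGIN ...-----" line. Sample key bytes below are constructed.
"""
import re

# OpenSSL's PEM reader looks for an armour line of exactly this shape.
PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?$", re.MULTILINE)

# Library and reason numbers from the OpenSSL 1.1.x headers (err.h / pemerr.h).
ERR_LIB_PEM = 9
PEM_R_NO_START_LINE = 108


def der_total_length(data: bytes):
    """Length (header + content) of a DER SEQUENCE at offset 0, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_key_bytes(data: bytes) -> str:
    """Return 'pem', 'der' or 'opaque' for the raw contents of a key file."""
    if PEM_BEGIN.search(data):
        return "pem"
    if der_total_length(data) == len(data):
        return "der"
    return "opaque"            # e.g. an engine's proprietary key container


def choose_loader(data: bytes) -> str:
    """Loader the patched path from the mail would end up using.

    load_pem_key only works on PEM; for anything else the PEM reader fails
    with "no start line" and the patch retries via ENGINE_load_private_key.
    """
    return "load_pem_key" if classify_key_bytes(data) == "pem" else "ENGINE_load_private_key"


def parse_openssl_error(text: str) -> dict:
    """Split an OpenSSL 1.1 error string 'error:LLFFFRRR:lib:func:reason'.

    The 32-bit code packs library (8 bits), function (12) and reason (12).
    """
    m = re.fullmatch(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)", text.strip())
    if not m:
        raise ValueError("not an OpenSSL error string: %r" % text)
    code = int(m.group(1), 16)
    return {
        "lib": code >> 24,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4),
    }


def is_no_start_line(text: str) -> bool:
    """True when the error is PEM's 'no start line', i.e. the file is not PEM."""
    e = parse_openssl_error(text)
    return e["lib"] == ERR_LIB_PEM and e["reason"] == PEM_R_NO_START_LINE


# Constructed samples (not real keys).
PEM_SAMPLE = (b"-----BEGIN EC PRIVATE KEY-----\n"
              b"MHcCAQEEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAoGCCqGSM49\n"
              b"-----END EC PRIVATE KEY-----\n")
DER_SAMPLE = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x04, 0x00])   # SEQUENCE { INTEGER 1, OCTET STRING "" }
ENGINE_SAMPLE = b"MYENGINE-KEY-v1\x00\x13\x37\xde\xad\xbe\xef"     # hypothetical engine container

if __name__ == "__main__":
    for name, blob in (("pem", PEM_SAMPLE), ("der", DER_SAMPLE), ("engine", ENGINE_SAMPLE)):
        print(name, classify_key_bytes(blob), "->", choose_loader(blob))
    print(is_no_start_line("error:0909006C:PEM routines:get_name:no start line"))
```

Running the script classifies the three samples and confirms that the code in the log, 0909006C, decodes to library 9 (PEM) and reason 108 (no start line). A DER key also lands on the engine path here, which matches the patch's behaviour as described: it retries the engine loader whenever the PEM loader fails, without first trying a DER decoder.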

nginx with tomcat nio2 sometimes got "upstream prematurely closed connection"

2021-03-08 Thread yf chu
Hi,
I have configured "Http11Nio2Protocol" for the Tomcat connector. There is an nginx 
server acting as a reverse proxy in front of Tomcat. I find that sometimes I get an "upstream 
prematurely closed connection while reading response header from upstream" 
error in the nginx error log.
This means the Tomcat server closed the connection with nginx. But when I change to 
"Http11NioProtocol", there is no such error. What could be the cause of this 
error?
The Tomcat version is 8.5.58.


Call for Presentations for ApacheCon 2021 now open

2021-03-08 Thread Rich Bowen
[Note: You are receiving this because you are subscribed to a users@ 
list on one or more Apache Software Foundation projects.]


The ApacheCon Planners and the Apache Software Foundation are pleased to 
announce that ApacheCon@Home will be held online, September 21-23, 2021. 
Once again, we’ll be featuring content from dozens of our projects, as 
well as content about our community, how Apache works, business models 
around Apache software, the legal aspects of open source, and many other 
topics.


Last year’s virtual ApacheCon@Home event was a big success, with 5,745 
registrants from more than 150 countries, spanning every time zone, with 
the virtual format delivering content to attendees who would never have 
attended an in-person ApacheCon (83% of post-event poll responders in 
2020 indicated this was their first ApacheCon ever)!


Given the great participation and excitement for last year’s event, we 
are announcing the Call for Presentations is now open to presenters from 
around the world until May 1st. Talks can be focused on the topics 
above, as well as any of our amazing projects. Submit your talks today!


https://www.apachecon.com/acah2021/cfp.html

We look forward to reviewing your contribution to one of the most 
popular open source software events in the world!



Rich, for the ApacheCon Planners

--
Rich Bowen, VP Conferences
The Apache Software Foundation
https://apachecon.com/
@apachecon

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: IDNs emoji replaced by punycode - how to remain with emoji?

2021-03-08 Thread Felix Schumacher


On 08.03.21 at 17:31, Peter Rader wrote:
> Hi,
>  
> I try to support an emoji in an IDN. This is the head of my engine config:
>  
>
>     className="org.apache.catalina.realm.LockOutRealm">
>         resourceName="UserDatabase"/>
>   
>        unpackWARs="true" autoDeploy="true">
>  
> Both, HTTP and HTTPS connector have the UTF8 encoding:
>  
>
>       connectionTimeout="2" URIEncoding="UTF-8"
>     redirectPort="8443" />
>  
>      protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" 
> secure="true" SSLEnabled="true" URIEncoding="UTF-8">
>      truststorePassword="example" certificateVerification="optionalNoCA" 
> ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
>  truststoreType="JKS">
>      certificateKeyFile="/example/privkey.pem" 
> certificateChainFile="/example/chain.pem" type="RSA"/>
>     
>     
>  
>  
> Unfortunately the browser URL redirects to the punycode xn--x7h.example.com in 
> Chrome, Edge and Firefox (did not test more).
>  
> How to remain with emoji IDN in the browser URL?

After a short look around the net, I think you will have no luck here,
as it seems to be a restriction imposed by the browsers.

For Chrome you can read those restrictions at
https://chromium.googlesource.com/chromium/src/+/master/docs/idn.md

From what I understood of that document, you have to stay close to the actual
characters of your language (or at least stay with one language
(script)). Emojis are probably not yet recognized as a language :)

Felix

>  
> Kind regards
>
> Peter Rader
> --
> Fachinformatiker AE / IT Software Developer
> Peter Rader
> Wilsnacker Strasse 17
> 10559 Berlin - GERMANY
> Tel: 0049 (0)30 / 6 29 33 29 6
> Fax: 0049 (0)30 / 6 29 33 29 6
> Handy: 0049 (0)176 / 8 7521576
>

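To make the exchange above concrete: xn--x7h, the label Peter sees in the browser, is the punycode form of a single code point, U+2699 (GEAR), and Felix's point is that browsers decide per label whether to display the Unicode form or the ACE form based on which characters it contains. The following is an added example, not from the thread. It uses only the Python standard library (the built-in "idna" codec, which applies IDNA 2003 rules, and unicodedata) to convert a hostname to its xn-- form and back, and it applies a deliberately simplified display rule, an assumption here rather than Chrome's actual algorithm: a label is shown as Unicode only if every character is a letter, digit or hyphen. That one rule is enough to show why an emoji label falls back to punycode while an accented letter in an ordinary word does not; a real browser policy also checks script mixing, which needs script data the standard library does not carry.

```python
"""What happens to an emoji label on its way into a URL, and why a display
policy that only accepts letters can still show punycode for it.

Added example, not from the thread. Standard library only: the "idna" codec
(IDNA 2003) for label conversion, unicodedata for character classes.
display_verdict() is a simplified stand-in for a browser display rule
(an assumption, not any browser's real algorithm).
"""
import unicodedata


def to_ascii(hostname: str) -> str:
    """Unicode hostname -> ACE form with xn-- labels, as it goes on the wire."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """ACE hostname -> Unicode form, i.e. what a browser could display."""
    return hostname.encode("ascii").decode("idna")


def display_verdict(label: str) -> str:
    """'unicode' if the label is made of letters/digits/hyphens, else 'punycode'.

    Letters are any Unicode general category starting with "L"; an emoji
    such as U+2699 is "So" (Symbol, other), so it fails this rule.
    """
    for ch in label:
        cat = unicodedata.category(ch)
        if not (cat.startswith("L") or cat == "Nd" or ch == "-"):
            return "punycode"
    return "unicode"


def inspect_hostname(hostname: str) -> list:
    """Per-label report for a hostname given in either ACE or Unicode form."""
    report = []
    for label in to_unicode(to_ascii(hostname)).split("."):
        report.append({
            "unicode": label,
            "ace": to_ascii(label),
            "chars": [(ch, unicodedata.category(ch), unicodedata.name(ch, "?"))
                      for ch in label],
            "verdict": display_verdict(label),
        })
    return report


if __name__ == "__main__":
    # The host from the mail, and an ordinary accented word for contrast.
    for host in ("xn--x7h.example.com", "m\u00fcnchen.example.com"):
        for entry in inspect_hostname(host):
            print(entry["ace"], "->", entry["unicode"], entry["verdict"], entry["chars"])
```

For xn--x7h the report shows the label decoding to GEAR with category "So" and the verdict "punycode", while m\u00fcnchen round-trips through xn--mnchen-3ya and passes because every character is a letter. The conversion itself is lossless in both directions; what differs between the two labels is purely the display decision, which is the part a server-side URIEncoding setting cannot influence.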



IDNs emoji replaced by punycode - how to remain with emoji?

2021-03-08 Thread Peter Rader


Hi,
 
I try to support an emoji in an IDN. This is the head of my engine config:
 
Both, HTTP and HTTPS connector have the UTF8 encoding:
 
Unfortunately the browser URL redirects to the punycode xn--x7h.example.com in 
Chrome, Edge and Firefox (did not test more).
 
How to remain with emoji IDN in the browser URL?
 
Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Handy: 0049 (0)176 / 8 7521576
