Thanks! I'll look into the latest OpenSSL.
Best, Mike -----Original Message----- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Friday, April 15, 2016 2:57 PM To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: SSL_CTX_set_alpn_select_cb undefined Am 15.04.2016 um 20:24 schrieb Michael Fox: > Per https://access.redhat.com/solutions/445713, the Apache httpd rpm package > included in RHEL 7 is based on Apache 2.4.6. > > OpenSSL version 1.0.1 is the latest version available from RedHat. > > As you said, "... the current patch level of 1.0.2, which is 1.0.2g has no > known security issues" and" ...symbol SSL_CTX_set_alpn_select_cb only exists > in 1.0.2 and newer ". You are referring to the version of OpenSSL which > available as open source, not from Red Hat, correct? Yes. You can get OpenSSL 1.0.2g (or anything newer at the time of retrieval from openssl.org). You'd have to build it yourself. > If I am still confused, please explain it to me. If not, I would like to > refer to the questions at the end of my original post (below). You are not confused. >> Should I investigate the use of older versions of Tomcat, Java, and Tomcat >> connector? In general "no" and also not because of this problem. >> Should I not use APR with Tomcat (and then use HTTP/1.1)? If you have a need for the APR connector you can use it. >> Should I abandon the RedHat Apache/OpenSSL software and use the latest >> Apache/OpenSSL from apache.org? >> Apache as in "Apache web server" doesn't have anything to do with the topic here. You can create the tcnative libs based on your own compilation of OpenSSL (and if you like also the APR libs) without influencing which OpenSSL or APR version your Linux and your Apache web server coming from this Linux distro uses. If RedHat doesn't provide you OpenSSL 1.0.2 and you'd like to use up-to-date Tomcat (recommended) and you have a need for tcnative, then yes, you'd need to do your own OpenSSL compilation. Regards, Rainer > -----Original Message----- > From: Rainer Jung [mailto:rainer.j...@kippdata.de] > Sent: Friday, April 15, 2016 1:57 PM > To: Tomcat Users List <users@tomcat.apache.org> > Subject: Re: SSL_CTX_set_alpn_select_cb undefined > > Am 15.04.2016 um 19:37 schrieb Michael Fox: >> I am running Red Hat Linux version 7.2, Apache version 2.4.6, Java JDK >> 1.8.0_65, Tomcat version 9.0.0.M1, Tomcat connector version 1.2.5, and have >> uncommented the HTTP/2 Connector lines in the Tomcat server.xml file. When >> I run the configure command for the Tomcat connector, I get the message: >> >> checking OpenSSL library version >= 1.0.2... >> >> >> >> Found OPENSSL_VERSION_NUMBER 0x1000105f (OpenSSL 1.0.1e 11 Feb 2013) >> >> Require OPENSSL_VERSION_NUMBER 0x1000200f or greater (1.0.2) >> >> >> >> Per Red Hat (https://access.redhat.com/articles/1384453), they consider >> OpenSSL version 1.0.2 to have security issues, and so are not issuing that >> version. > > You misunderstood that text. Version 1.0.2 had security issues, which where > fixed by 1.0.2a. So the current patch level of 1.0.2, which is 1.0.2g has no > known security issues. > > tcnative starting with version 1.2.0 no longer supports OpenSSL older than > 1.0.2. So no support for 0.9.8, 1.0.0 and 1.0.1. You need to build tcnative > 1.2.x against OpenSSL 1.0.2 preferably against 1.0.2g. > > The symbol SSL_CTX_set_alpn_select_cb only exists in 1.0.2 and newer. > > Regards, > > Rainer > >> To be able to configure and make the tcnative library, I run the configure >> command as such: >> >> ./configure --with-apr=/usr/bin/apr-1-config >> --with-java-home=$JAVA_HOME --prefix=$CATALINA_HOME >> --disable-openssl-version-check --with-ssl=yes >> >> >> >> I am able to make and install the library, but when I run the Tomcat >> configtest I get: >> >> INFO: Initializing ProtocolHandler ["https-apr-8443"] >> >> /usr/java/jdk1.8.0_65/bin/java: symbol lookup error: >> /home/tomcat/apache-tomcat-9.0.0.M1-src/output/build/lib/libtcnative- >> 1 >> .so.0.2.5: undefined symbol: SSL_CTX_set_alpn_select_cb >> >> Configuration error detected! >> >> >> >> Is there a way to get around or define this symbol? >> >> Should I investigate the use of older versions of Tomcat, Java, and Tomcat >> connector? >> >> Should I not use APR with Tomcat (and then use HTTP/1.1)? >> >> Should I abandon the RedHat Apache/OpenSSL software and use the latest >> Apache/OpenSSL from apache.org? >> >> >> >> Thanks, >> >> Mike --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
