Piyush,

On 8/6/18 7:37 PM, Piyush K wrote:
> Hi Christopher,
>
> I am using my own custom OpenSSL engine that I wrote for elliptic
> curve Diffie-Hellman (ECDH).
>
> I am setting the SSLEngine to my engine name in the Listener in the
> tomcat configuration file (conf/server.xml).
>
> But it looks like the engine is not being set in the function call to
> SSL_dh_GetParamFromFile(...), which returns the pointer to DH (in
> file tomcat-native-1.2.16-arc/native/src/sslcontext.c). I don't
> believe the engine is being set (as SSL_dh_GetParamFromFile(...)
> calls PEM_read_bio_DHparams(...)). However, SSL_dh_GetParamFromFile
> doesn't set the ENGINE * parameter inside the structure for DH
> (aliased as dh_st). Because ENGINE * is not set, the default OpenSSL
> implementation for ECDH is getting called. Please correct me if I
> am wrong.

Just for confirmation, please post your <Listener> and <Connector>
configurations, plus the relevant log file lines from catalina.out (or
similar) that show the APRLifecycleListener starting up.

-chris

>> On Aug 4, 2018, at 8:49 AM, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>
>> Piyush,
>>
>>> On 8/3/18 2:52 PM, Piyush K wrote:
>>>
>>> Dear tomcat community,
>>>
>>> I have a question - I am using tomcat and OpenSSL (with apr
>>> and tomcat-native-1.2.16). Versions are as follows:
>>> apr-1-config 1.5.2, tomcat-native-1.2.16, OpenSSL 1.1.0, Tomcat
>>> 8.5.31
>>>
>>> This works fine with my custom OpenSSL 1.1.0 installation.
>>> Next I wrote my own custom OpenSSL engine for ECDHE
>>> (ephemeral even), however tomcat native still seems to make
>>> calls to the default ECDHE engine that comes with OpenSSL
>>> (instead of using mine, even though I compiled, tested and
>>> installed the needed shared object in the relevant directory
>>> for OpenSSL engines shared objects).
>>>
>>> Does the tomcat native code need to be modified to support a
>>> custom OpenSSL engine for ECDHE? If yes, can I get some help on
>>> which places and which files one needs to modify (I have looked
>>> at the file sslcontext.c but it is not very clear on how to tie
>>> your custom OpenSSL ECDHE engine with the EC keys being
>>> generated)?
>>
>> Do you have your own "engine" or are you just replacing one of the
>> cipher suites?
>>
>> What does your Tomcat <Connector> configuration and APR <Listener>
>> look like?
>>
>> You probably have to set the "SSLEngine" attribute to identify
>> your custom engine.
>>
>> http://tomcat.apache.org/tomcat-8.5-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener
>>
>> -chris
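As an added illustration (not part of the thread, and not Piyush's actual configuration), the following conf/server.xml fragment shows the two pieces Chris asks for side by side: the AprLifecycleListener with its SSLEngine attribute and an APR/native HTTPS connector. The engine id "my_ecdh_engine" and the certificate paths are placeholders; the attribute and element names are the documented Tomcat 8.5 ones.

```xml
<!-- Added example, not from the thread: where the OpenSSL engine name and the
     APR/native connector are configured in conf/server.xml.
     "my_ecdh_engine" and the certificate file names are placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- The APR listener initializes tomcat-native and OpenSSL once per JVM.
       SSLEngine="on" uses OpenSSL's built-in implementation; any other value
       is handed to OpenSSL as the id of an ENGINE to load at startup. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="my_ecdh_engine"
            SSLRandomSeed="builtin" />

  <Service name="Catalina">
    <!-- Only the APR/native protocol goes through OpenSSL (and so through the
         engine); an NIO/NIO2 connector with JSSE never touches it. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2"
                     ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256">
        <Certificate certificateFile="conf/placeholder-server.crt"
                     certificateKeyFile="conf/placeholder-server.key"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

Two checks go with this: first confirm outside Tomcat that OpenSSL itself can load the engine (`openssl engine -t -c my_ecdh_engine` lists the engine, its test result and the algorithms it claims to implement); then confirm in catalina.out that the listener reported the tomcat-native version and that OpenSSL initialized without an engine error. If the connector is not the Http11AprProtocol one, the listener's engine setting is irrelevant, which is the most common reason a custom engine appears to be ignored.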