On 2024/05/14 18:21:36 Andy Arismendi wrote:
> Hi, just ran into this today. The JVM is crashing when caCertificatePath is
> added to server.xml. I tried the latest Zulu JRE 8 and 11 but still had the
> crash.
>
>
> ENVIRONMENT
>
> Tomcat: 9.0.89 (64-bit Windows zip)
> OS: Windows Server 2019
> JVM:
> openjdk version "1.8.0_322"
> OpenJDK Runtime Environment (Zulu 8.60.0.21-CA-win64) (build 1.8.0_322-b06)
> OpenJDK 64-Bit Server VM (Zulu 8.60.0.21-CA-win64) (build 25.322-b06, mixed mode)
>
>
> CRASH INFO
>
> When caCertificatePath is present in server.xml and points to a valid
> directory (empty or with PEM files) the JVM crashes during Tomcat startup.
> This is the JVM console output:
>
> 14-May-2024 17:34:58.443 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-1.2.3.4-443"]
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00000001800ccd10, pid=1244, tid=0x0000000000000ab0
> #
> # JRE version: OpenJDK Runtime Environment (Zulu 8.60.0.21-CA-win64) (8.0_322-b06) (build 1.8.0_322-b06)
> # Java VM: OpenJDK 64-Bit Server VM (25.322-b06 mixed mode windows-amd64 compressed oops)
> # Problematic frame:
> # C [tcnative-1.dll+0xccd10]
> #
> # Core dump written. Default location: D:\Program Files\apache-tomcat\bin\hs_err_pid1244.mdmp
> #
> # An error report file with more information is saved as:
> # D:\Program Files\apache-tomcat\bin\hs_err_pid1244.log
> #
> # If you would like to submit a bug report, please visit:
> # http://www.azul.com/support/
> # The crash happened outside the Java Virtual Machine in native code.
> # See problematic frame for where to report the bug.
> #
>
>
> CONFIG INFO
>
> Here’s the server.xml that causes the JVM crash.
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>     maxThreads="1000" port="443" scheme="https" secure="true" SSLEnabled="true"
>     allowTrace="false" xpoweredBy="false" address="1.2.3.4" acceptCount="10000"
>     socket.rxBufSize="131072" socket.txBufSize="131072" minSpareThreads="100"
>     maxConnections="10000">
>   <SSLHostConfig protocols="TLSv1.2"
>       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
>       disableCompression="true" disableSessionTickets="false"
>       honorCipherOrder="true" caCertificatePath="C:\PKI\CA">
>     <Certificate certificateFile="C:\PKI\server.crt"
>         certificateKeyFile="C:\PKI\server.key"
>         certificateChainFile="C:\PKI\server-chain.pem"/>
>   </SSLHostConfig>
> </Connector>

Please provide the log file, the OpenSSL version used and the libtcnative version used.

Please note that caCertificatePath expects a directory with certificate hash files. Plain certs won't work.

M
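
The hashed-directory layout the reply refers to, as an added example that is not part of the original thread: OpenSSL looks up CA certificates in such a directory by file names of the form <subject-hash>.<n>, and this PowerShell script copies PEM certificates into that form. Assumptions: openssl.exe is on PATH, each source file holds exactly one PEM certificate, and C:\PKI\CA-src is a hypothetical staging directory; the script only prepares the directory and does not address the crash itself.

```powershell
# Added example (not from the thread): populate an OpenSSL hashed CA directory.
$SourceDir = 'C:\PKI\CA-src'   # hypothetical: plain PEM CA certificates live here
$CaPath    = 'C:\PKI\CA'       # the caCertificatePath value from the posted server.xml

function Get-CertText([string]$Path, [string]$Field) {
    # $Field is an "openssl x509" output switch: -subject_hash or -fingerprint
    $out = & openssl x509 -noout $Field -in $Path
    if ($LASTEXITCODE -ne 0) { return $null }   # not a parsable PEM certificate
    return ($out | Select-Object -First 1).Trim()
}

New-Item -ItemType Directory -Force -Path $CaPath | Out-Null

$certs = Get-ChildItem -Path $SourceDir -File |
    Where-Object { $_.Extension -in '.pem', '.crt', '.cer' }

foreach ($pem in $certs) {
    $hash = Get-CertText $pem.FullName '-subject_hash'
    if (-not $hash) {
        Write-Warning "Skipping $($pem.Name): openssl could not read it as a certificate"
        continue
    }
    $fp = Get-CertText $pem.FullName '-fingerprint'

    # Different certificates can share a subject hash, so the suffix counts up
    # (.0, .1, ...) until a free slot or an identical certificate is found.
    for ($n = 0; ; $n++) {
        $target = Join-Path $CaPath "${hash}.${n}"
        if (-not (Test-Path $target)) {
            Copy-Item -Path $pem.FullName -Destination $target
            Write-Output "$($pem.Name) -> ${hash}.${n}"
            break
        }
        if ((Get-CertText $target '-fingerprint') -eq $fp) {
            Write-Output "$($pem.Name) already present as ${hash}.${n}"
            break
        }
    }
}
```

The subject hash format differs between OpenSSL major versions, so run this with an openssl.exe that matches the OpenSSL build tcnative is linked against.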