HTTPS FIPS Connector Using Apache Portable Runtime (APR) Fails to Start
Summary
The Apache Portable Runtime (APR) based Native library for Tomcat throws an exception because it cannot load libssl.so.3. It looks like the prebuilt Tomcat Native library shipped in the upstream image is built against OpenSSL 3 rather than OpenSSL 1.1. The UBI 8 image provides OpenSSL 1.1, not OpenSSL 3.
Note
Relates to tomcat9-openjdk11 issue: [tomcat9-openjdk11#79 (closed)], but that Dockerfile was further updated to compile the APR library in [tomcat9-openjdk11@36d6edbf]
Steps to reproduce
- Enable APR in server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- Configure HTTPS Listener in server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.3" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" />
What is the current bug behavior?
The HTTPS connector fails to start because the native library cannot be linked. See the log output below.
What is the expected correct behavior?
On Tomcat 9 the native library loads and initializes OpenSSL successfully:
18-Oct-2022 19:46:47.710 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.35] using APR version [1.6.3].
18-Oct-2022 19:46:47.712 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
18-Oct-2022 19:46:47.713 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
18-Oct-2022 19:46:47.746 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]
Relevant logs and/or screenshots
06-Jan-2023 03:48:50.921 WARNING [main] org.apache.catalina.core.AprLifecycleListener.init The Apache Tomcat Native library failed to load. The error reported was [/usr/local/tomcat/native-jni-lib/libtcnative-2.so.0.0.2: libssl.so.3: cannot open shared object file: No such file or directory]
java.lang.UnsatisfiedLinkError: /usr/local/tomcat/native-jni-lib/libtcnative-2.so.0.0.2: libssl.so.3: cannot open shared object file: No such file or directory
at java.base/jdk.internal.loader.NativeLibraries.load(Native Method)
at java.base/jdk.internal.loader.NativeLibraries$NativeLibraryImpl.open(NativeLibraries.java:388)
at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:232)
at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:174)
at java.base/jdk.internal.loader.NativeLibraries.findFromPaths(NativeLibraries.java:315)
at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:287)
at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2422)
at java.base/java.lang.Runtime.loadLibrary0(Runtime.java:818)
at java.base/java.lang.System.loadLibrary(System.java:1989)
at org.apache.tomcat.jni.Library.<init>(Library.java:64)
at org.apache.tomcat.jni.Library.initialize(Library.java:148)
at org.apache.catalina.core.AprLifecycleListener.init(AprLifecycleListener.java:200)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:138)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
06-Jan-2023 03:48:52.267 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
06-Jan-2023 03:48:52.431 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
06-Jan-2023 03:48:52.479 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1058)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1015)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.lang.IllegalArgumentException: No SSLHostConfig element was found with the hostName [_default_] to match the defaultSSLHostConfigName for the connector [https-jsse-nio-8443]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:75)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:206)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1172)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1185)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:78)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1055)
... 13 more
06-Jan-2023 03:48:52.483 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2515] milliseconds
Tomcat 10.1.4 – native library linked against OpenSSL 3:
bash-4.4$ ldd /usr/local/tomcat/native-jni-lib/libtcnative-2.so
libssl.so.3 => not found
libcrypto.so.3 => not found
libapr-1.so.0 => /lib64/libapr-1.so.0 (0x0000004001a51000)
libc.so.6 => /lib64/libc.so.6 (0x0000004001c8b000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x0000004002051000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000004002259000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x0000004002482000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000040026a4000)
/lib64/ld-linux-x86-64.so.2 (0x0000004000000000)
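The ldd output above is the whole diagnosis: the failure is a soname mismatch (libssl.so.3 requested, only OpenSSL 1.1 installed), and it is cheaper to catch at image build time than at AprLifecycleListener.init. The following POSIX shell check is an added example and is not code from the issue or from the tomcat9-openjdk11 project; the library path is the one from the log, the function names are my own, and the sample ldd lines in the usage notes mirror the output shown above.

```shell
#!/bin/sh
# Added example (not from the issue or the tomcat9-openjdk11 project): pre-flight
# check that the Tomcat Native library's shared-object dependencies resolve, so an
# OpenSSL major-version mismatch fails the image build instead of the HTTPS connector.

# Print the sonames that ldd reported as "=> not found", one per line.
# Reads ldd output from stdin; returns 1 if anything is missing, 0 otherwise.
missing_from_ldd() {
    missing=$(awk '/=> not found/ { print $1 }')
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Report the OpenSSL major version the library was linked against, taken from the
# libssl soname ("3" for libssl.so.3, "1.1" for libssl.so.1.1), or "none".
linked_openssl_from_ldd() {
    awk '/libssl\.so/ { sub(/^libssl\.so\./, "", $1); print $1; found = 1 }
         END { if (!found) print "none" }'
}

# Run the check against a real file. The default path is the one from the log;
# pass another path as the first argument to check a different build.
check_native_lib() {
    lib=${1:-/usr/local/tomcat/native-jni-lib/libtcnative-2.so}
    out=$(ldd "$lib") || { echo "ldd failed for $lib" >&2; return 2; }
    echo "$lib is linked against OpenSSL $(printf '%s\n' "$out" | linked_openssl_from_ldd)"
    if ! printf '%s\n' "$out" | missing_from_ldd; then
        echo "unresolved dependencies in $lib (listed above)" >&2
        return 1
    fi
    echo "all dependencies of $lib resolve"
}
```

Calling check_native_lib as a Dockerfile RUN step right after the native library is installed or compiled makes the build fail with the missing sonames listed, which is the same information the UnsatisfiedLinkError carries but surfaced before the image is pushed. Run it only on libraries you built or obtained from a trusted source, since ldd may execute the target's dynamic loader.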
Possible fixes
Update the Dockerfile to compile APR against the image's OpenSSL, as the Tomcat 9 Docker image now does: [tomcat9-openjdk11@36d6edbf]