HTTPS FIPS Connector Using Apache Portable Runtime (APR) Fails to Start
Summary
Starting with tomcat9-openjdk11:9.0.68, the Apache Portable Runtime (APR) based Native library for Tomcat throws an exception because it cannot load libssl.so.3. It looks like the upstream APR library used in the upstream tomcat:9.0.68-jdk11 image is built against OpenSSL 3 rather than OpenSSL 1.1. The UBI 8 image ships OpenSSL 1.1, not OpenSSL 3.
Steps to reproduce
- Enable APR in server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
- Configure HTTPS Listener in server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.3" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" />
What is the current bug behavior?
The HTTPS connector fails to start because the Tomcat Native library cannot be linked (libssl.so.3 is missing). See the log messages below.
What is the expected correct behavior?
On 9.0.67 and earlier, the native library loads and the log shows:
18-Oct-2022 19:46:47.710 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.35] using APR version [1.6.3].
18-Oct-2022 19:46:47.712 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
18-Oct-2022 19:46:47.713 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
18-Oct-2022 19:46:47.746 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]
Relevant logs and/or screenshots
19-Oct-2022 01:26:18.092 WARNING [main] org.apache.catalina.core.AprLifecycleListener.init The Apache Tomcat Native library failed to load. The error reported was [/usr/local/tomcat/native-jni-lib/libtcnative-1.so.0.2.35: libssl.so.3: cannot open shared object file: No such file or directory]
java.lang.UnsatisfiedLinkError: /usr/local/tomcat/native-jni-lib/libtcnative-1.so.0.2.35: libssl.so.3: cannot open shared object file: No such file or directory
at java.base/java.lang.ClassLoader$NativeLibrary.load0(Native Method)
at java.base/java.lang.ClassLoader$NativeLibrary.load(ClassLoader.java:2445)
at java.base/java.lang.ClassLoader$NativeLibrary.loadLibrary(ClassLoader.java:2501)
at java.base/java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2700)
at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2662)
at java.base/java.lang.Runtime.loadLibrary0(Runtime.java:830)
at java.base/java.lang.System.loadLibrary(System.java:1873)
at org.apache.tomcat.jni.Library.<init>(Library.java:64)
at org.apache.tomcat.jni.Library.initialize(Library.java:234)
at org.apache.catalina.core.AprLifecycleListener.init(AprLifecycleListener.java:201)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:138)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
19-Oct-2022 01:26:20.211 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
19-Oct-2022 01:26:20.361 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
19-Oct-2022 01:26:20.525 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
at org.apache.tomcat.util.net.jsse.JSSEUtil.initialise(JSSEUtil.java:110)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getImplementedProtocols(JSSEUtil.java:73)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:92)
at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:61)
at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:56)
at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:59)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:96)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
... 13 more
Caused by: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:168)
at org.apache.tomcat.util.net.jsse.JSSESSLContext.<init>(JSSESSLContext.java:45)
at org.apache.tomcat.util.net.jsse.JSSEUtil.initialise(JSSEUtil.java:105)
... 26 more
19-Oct-2022 01:26:20.534 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [4037] milliseconds
9.0.67 – OpenSSL 1.1
bash-4.4$ ldd /usr/local/tomcat/native-jni-lib/libtcnative-1.so
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x0000004001a65000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x0000004001cfb000)
libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00000040021e4000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x000000400241e000)
libc.so.6 => /lib64/libc.so.6 (0x000000400263e000)
libz.so.1 => /lib64/libz.so.1 (0x0000004002a03000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000004002c1b000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x0000004002e21000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000004003029000)
/lib64/ld-linux-x86-64.so.2 (0x0000004000000000)
9.0.68 – OpenSSL 3
bash-4.4$ ldd /usr/local/tomcat/native-jni-lib/libtcnative-1.so
libssl.so.3 => not found
libcrypto.so.3 => not found
libapr-1.so.0 => /lib64/libapr-1.so.0 (0x0000004001a6a000)
libc.so.6 => /lib64/libc.so.6 (0x0000004001ca4000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x0000004002069000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000004002271000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x000000400249a000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000040026bc000)
/lib64/ld-linux-x86-64.so.2 (0x0000004000000000)
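The two ldd listings above are the whole diagnosis: the 9.0.68 libtcnative links against the OpenSSL 3 sonames, which the UBI 8 image does not provide. The following pre-flight check is an added example (not part of this report or of the Tomcat project): it reads ldd output for libtcnative and fails if any dependency is unresolved, so an image build can catch this before Tomcat silently falls back from OpenSSL to JSSE. The sample ldd text is constructed from the listings in this report.

```shell
#!/bin/sh
# Added example: verify that libtcnative's OpenSSL dependency resolves on the image.
# check_tcnative_deps reads `ldd` output on stdin, prints the libssl/libcrypto
# sonames the library links against, and returns 1 if any dependency is "not found".
check_tcnative_deps() {
    missing=0
    # `read -r` strips the leading tab ldd puts before each entry.
    while read -r line; do
        case "$line" in
            *"not found"*)     echo "MISSING: ${line%% =>*}"; missing=1 ;;
            libssl.so*|libcrypto.so*) echo "LINKED: ${line%% =>*}" ;;
        esac
    done
    return $missing
}

# Constructed sample: the 9.0.68 (OpenSSL 3) ldd output quoted in the report.
SAMPLE_9068='libssl.so.3 => not found
libcrypto.so.3 => not found
libapr-1.so.0 => /lib64/libapr-1.so.0 (0x0000004001a6a000)'

# Constructed sample: the 9.0.67 (OpenSSL 1.1) ldd output quoted in the report.
SAMPLE_9067='libssl.so.1.1 => /lib64/libssl.so.1.1 (0x0000004001a65000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x0000004001cfb000)
libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00000040021e4000)'

# Stand-alone demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_9068" | check_tcnative_deps \
    || echo "9.0.68: libtcnative will NOT load on this image (UnsatisfiedLinkError)"
printf '%s\n' "$SAMPLE_9067" | check_tcnative_deps \
    && echo "9.0.67: libtcnative dependencies resolve"

# In the container (assumed path from the report), the real check would be:
#   ldd /usr/local/tomcat/native-jni-lib/libtcnative-1.so | check_tcnative_deps || exit 1
```

Run this as a build-time step so an image whose native library cannot load fails the build rather than starting Tomcat without the OpenSSL provider.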
Possible fixes
Source of issue:
Based on my testing, pulling Tomcat from either of these two upstream Tomcat tags provides the OpenSSL 1.1 version of the APR library:
- tomcat:9.0.68-jdk11-temurin-focal
- tomcat:9.0.68-jdk11-corretto-al2
Other options include:
- Compiling and packaging the APR library from source to load into this image
- Attempting to compile and install OpenSSL 3 into this image
Tasks
- Bug has been identified and corrected within the container