Bug 50744

Summary: When Tomcat was updated from version 5.5.27 to 5.5.32, SSL support for Tomcat does not work on AIX 5.3 TL-11 SP-2
Product: Tomcat 5
Reporter: Sridhar Murthy <murthys>
Component: Servlet & JSP API
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: major
CC: murthys
Priority: P2
Version: 5.5.32
Target Milestone: ---
Hardware: Other
OS: AIX
Attachments:
  Catalina Log
  This server.xml works correctly for both SSL and non-SSL port for Tomcat 5.5.27 and fails to serve Tomcat on SSL port for Tomcat 5.5.32
  2011-02-11_tc55_50744_JSSESocketFactory.patch
  2011-02-14_tc55_50744_JSSESocketFactory.patch
  2011-02-14 Binary version of the patch for 5.5.33 (unofficial)

Description Sridhar Murthy 2011-02-09 09:56:37 UTC
1)
In response to CVE-2011-0013 (and also to resolve other security issues) we decided to update Tomcat from Version 5.5.27 to 5.5.32

2)
The process to enable SSL for Tomcat documented at URL http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html was followed for setting up the SSL at Version 5.5.27.

2a)

The following command was used to generate the Certificate Keystore

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \
  -keystore /home/tomcat/.keystore

(However we used our customized password rather than the default one, changeit)

2b)

The following entry was added to server.xml :

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="SSL"
               keystoreFile="/home/tomcat/.keystore"
               keystorePass="<Known Password>" algorithm="IbmX509" />

2c)
This process has worked correctly for serving Tomcat without SSL on port 8080 and with SSL on port 8443

3)
A similar process was used to set up SSL for Tomcat 5.5.32. However, Tomcat starts with some errors: it serves on the non-SSL port 8080 correctly, but the SSL port 8443 does not work. (Catalina logs have some errors and I have attached the log to this BUG report).

4)
What changed between version 5.5.27 and 5.5.32 that resulted in this failure?

Thank you for your help and support in this matter.
Comment 1 Sridhar Murthy 2011-02-09 10:23:33 UTC
The download source for Tomcat 5.5.32 is:

http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.32/bin/

The files that were downloaded are:

1)
apache-tomcat-5.5.32-compat.tar.gz       2011-01-23 20:52  1.6M  

2)
apache-tomcat-5.5.32.tar.gz              2011-01-23 20:54  7.8M  

The checksums matched and there is no corruption of any of the binaries/files.
Comment 2 Konstantin Kolinko 2011-02-09 13:26:54 UTC
(In reply to comment #0)
> Catalina logs have some errors and I have attached the log to this BUG report).

There is no attachment. Without seeing the actual error it is hard to help.
Comment 3 Christopher Schultz 2011-02-09 13:43:52 UTC
You are going to need to provide some more information.

This isn't a bug report: it's a request for help. Please post to the user list before filing a bug. If this is determined to be a bug, please re-open.
Comment 4 Sridhar Murthy 2011-02-09 14:02:44 UTC
Created attachment 26628 [details]
Catalina Log
Comment 5 Sridhar Murthy 2011-02-09 14:14:21 UTC
I personally think that it is not a help request. 

We had a server.xml file working for both SSL port and Non-SSL port for Tomcat Version 5.5.27

We updated  the Tomcat to Version 5.5.32 and used the same server.xml file. With that the  SSL port of Tomcat stopped working.

The O/S and all the other things have remained the same on the server on which  Tomcat update was performed and that leads me to believe that something changed in Tomcat that caused the failure.

I have uploaded the catalina log for your perusal. Kindly review the log and let me know if in fact it is a configuration issue and I need to pursue it with the user group.

Thank you for your help and support in this matter.
Comment 6 Konstantin Kolinko 2011-02-09 14:23:42 UTC
From the log:

Feb 8, 2011 8:40:32 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Feb 8, 2011 8:40:34 PM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint
java.net.SocketException: Unbound server sockets not implemented
	at javax.net.ServerSocketFactory.createServerSocket(Unknown Source)
	at org.apache.tomcat.util.compat.Jdk14Compat.getUnboundSocket(Jdk14Compat.java:130)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:393)
	at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:127)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:96)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293)
	at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139)
	at org.apache.catalina.connector.Connector.initialize(Connector.java:1002)
(...)
Comment 7 Sridhar Murthy 2011-02-09 14:26:44 UTC
Created attachment 26629 [details]
This server.xml works correctly for both SSL and non-SSL port for Tomcat 5.5.27 and fails to serve Tomcat on SSL port for Tomcat 5.5.32

Submitting the server.xml file that works correctly for both SSL and non-SSL port for Tomcat 5.5.27 and fails to serve Tomcat on SSL port for Tomcat 5.5.32.

If Tomcat 5.5.32 is working correctly, then should the server.xml that I have attached work correctly (which worked as per the design on Tomcat 5.5.27)?
Comment 8 Sridhar Murthy 2011-02-09 20:54:40 UTC
Hi Konstantin:

If all the configurations required for Tomcat to start services on both the SSL port (8443) and the non-SSL port (8080) are put in place in server.xml, and the Tomcat server is started, the services on port 8443 are not started with Tomcat 5.5.32.

Here is the deal:

root@svmciqa002 $ netstat -an | grep 8443
root@svmciqa002 $ netstat -an | grep 8080
tcp        0      0  *.8080                 *.*                    LISTEN
root@svmciqa002 $ 

I configure Tomcat 5.5.27 and use the same server.xml that was used for 5.5.32. Guess what - both ports (8443 and 8080) are listening as per the design:

root@svmciqa002 $ netstat -an | grep 8443
tcp        0      0  *.8443                 *.*                    LISTEN
root@svmciqa002 $ netstat -an | grep 8080
tcp        0      0  *.8080                 *.*                    LISTEN
root@svmciqa002 $ 

I disagree with your argument that I have incorrect syntax with my server.xml file.

If what you suspect is true, then I would not see the services on port 8443 for both Tomcat Versions (5.5.27 as well as 5.5.32)

Kindly get back to me with your thoughts on this.

Thank you for your help and support in this matter.

Sri
Comment 9 Konstantin Kolinko 2011-02-09 21:30:57 UTC
Created attachment 26630 [details]
2011-02-11_tc55_50744_JSSESocketFactory.patch

(In reply to comment #8)
> I disagree with your argument that  I have incorrect syntax with my server.xml
> file.

Whom do you disagree with? I never said the above.

The issue here is that the 1.4 JVM that you are using does not implement a feature of "unbound server sockets" that the current code uses.

Looking at Jdk14Compat.java that probably stems from
http://svn.apache.org/viewvc?view=revision&revision=778258
that apparently is a fix for
https://issues.apache.org/bugzilla/show_bug.cgi?id=45528

which is about 1.5 years ago.


I am attaching a patch (for the current tc5.5.x, as of 5.5.33) that will probably fix this issue.
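The stack trace in comment 6 shows checkConfig() asking the 1.4 compatibility layer for an unbound server socket, which that JVM rejects. The class below is an added illustration, not Tomcat's JSSESocketFactory and not the patch attached to this bug: it shows a defensive form of such a pre-bind configuration check, trying the unbound socket first and, on the SocketException a 1.4 JVM raises, falling back to a socket bound to an ephemeral port so the connector can still validate its SSL settings and start. The class name and method are assumptions of this example.

```java
import java.io.IOException;
import java.net.SocketException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Illustration only; not Tomcat's JSSESocketFactory and not the patch on this bug.
// Written against the 1.4 API (no generics/enums) so it can run on the affected JVM.
public class SslConfigProbe {

    public static final String UNBOUND = "unbound";
    public static final String BOUND_EPHEMERAL = "bound-ephemeral";

    /**
     * Check that the factory can produce an SSL server socket and accept the
     * configured cipher suites, without occupying the real connector port.
     * Returns which strategy succeeded so the caller can log it.
     */
    public static String validate(SSLServerSocketFactory factory, String[] suites)
            throws IOException {
        SSLServerSocket probe;
        String used;
        try {
            // The path Tomcat 5.5.32's checkConfig() takes: request an unbound socket.
            probe = (SSLServerSocket) factory.createServerSocket();
            used = UNBOUND;
        } catch (SocketException e) {
            // A 1.4 JVM such as the one in this report throws
            // "Unbound server sockets not implemented" here. Fall back to a
            // socket bound to an ephemeral port (0), which every JVM supports.
            probe = (SSLServerSocket) factory.createServerSocket(0);
            used = BOUND_EPHEMERAL;
        }
        try {
            if (suites != null) {
                // Throws IllegalArgumentException if a suite name is unknown,
                // so a misconfigured ciphers setting still fails fast at startup.
                probe.setEnabledCipherSuites(suites);
            }
            return used;
        } finally {
            probe.close(); // releases the ephemeral port if one was bound
        }
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory f =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        System.out.println("SSL config probe succeeded via: " + validate(f, null));
    }
}
```

Run with the JVM Tomcat uses; on a 1.4 JVM it should report the fallback strategy instead of failing, and on a newer JVM the unbound path.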
Comment 10 Sridhar Murthy 2011-02-10 10:23:00 UTC
Hi Konstantin:

Thank you very much for working on this issue, identifying the problem and also providing a patch.

I will download the patch and test it out before COB today. 

I missed the fact that Christopher Schultz made an update and inadvertently I assumed that you indicated that "This isn't a bug report". I apologize for my mistake.


Regards,

Sridhar
Comment 11 Konstantin Kolinko 2011-02-14 10:04:07 UTC
Created attachment 26651 [details]
2011-02-14_tc55_50744_JSSESocketFactory.patch

A better patch. Now it includes debug logging.
Comment 12 Konstantin Kolinko 2011-02-14 10:22:04 UTC
Created attachment 26652 [details]
2011-02-14 Binary version of the patch for 5.5.33 (unofficial)

Compiled classes that match the 2011-02-14_tc55_50744_JSSESocketFactory.patch patch, for Tomcat 5.5.33.

To install:
1) Install Tomcat 5.5.33
2) Unzip the archive into $CATALINA_HOME/server/classes

To enable debug logging in JSSESocketFactory, if you are using the default (JULI) logging, add the following line into $CATALINA_BASE/conf/logging.properties:

org.apache.tomcat.util.net.jsse.JSSESocketFactory.level=FINE

Note that this is an unofficial patch and it is not released by ASF. Use it at your own risk.
Comment 13 Sridhar Murthy 2011-02-16 09:50:33 UTC
I will test this out next week and let you know if the issue reported is resolved. Thank you very much Konstantin for helping me with the patch.

Regards,
Sri
Comment 14 Mark Thomas 2011-08-18 16:44:51 UTC
This has been fixed in 5.5.x and will be included in 5.5.34 onwards.