|Summary:||When Tomcat was updated from version 5.5.27 to 5.5.32, SSL support for Tomcat does not work on AIX 5.3 TL-11 SP-2|
|Product:||Tomcat 5||Reporter:||Sridhar Murthy <murthys>|
|Component:||Servlet & JSP API||Assignee:||Tomcat Developers Mailing List <dev>|
This server.xml works correctly for both SSL and non-SSL port for Tomcat 5.5.27 and fails to serve Tomcat on SSL port for Tomcat 5.5.32
2011-02-14 Binary version of the patch for 5.5.33 (unofficial)
Description Sridhar Murthy 2011-02-09 09:56:37 UTC
_1_) In response to CVE-2011-0013 ( and also to resolve other security issues) we decided to update Tomcat from Verion 5.5.27 to 5.5.32 _2_) The process to enable SSL for Tomcat documented at URL http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html was followed for setting up the SSL at Version 5.5.27. _2_a_) The following command was used to generate the Certificate Keystore $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \ -keystore /home/tomcat/.keystore (However we used our customized password rather than the deafult one changeit) _2_b_) The following entry was added to server.xml : <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="SSL" keystoreFile="/home/tomcat/.keystore" keystorePass="<Known Password>" algorithm="IbmX509" /> _2_c_) This process has worked correctly for serving Tomcat without SSL on port 8080 and with SSL on port 8443 _3_) Similar process was used to setup SSL for Tomcat 5.5.32. However Tomcat starts with some errors serving Tomcat on non-SSL port 8080 correctly and the SSL port on 8443 does not work. (Catalina logs have some errors and I have attached the log to this BUG report). _4_) What changed between version 5.5.27 and 5.5.32 that resulted in this failure? Thank you for your help and support in this matter.
Comment 1 Sridhar Murthy 2011-02-09 10:23:33 UTC
The download source for Tomcat 5.5.32 is: http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.32/bin/ The files that were downloaded are: _1_) apache-tomcat-5.5.32-compat.tar.gz 2011-01-23 20:52 1.6M _2_) apache-tomcat-5.5.32.tar.gz 2011-01-23 20:54 7.8M The chsums matched and there is no corruption of any of the binaries/files.
Comment 2 Konstantin Kolinko 2011-02-09 13:26:54 UTC
(In reply to comment #0) > Catalina logs have some errors and I have attached the log to this BUG report). There is no attachment. Without seeing the actual error it is hard to help.
Comment 3 Christopher Schultz 2011-02-09 13:43:52 UTC
You are going to provide some more information. This isn't a bug report: it's a request for help. Please post to the user list before filing a bug. If this is determined to be a bug, please re-open.
Comment 5 Sridhar Murthy 2011-02-09 14:14:21 UTC
I personally think that it is not a help request. We had a server.xml file working for both SSL port and Non-SSL port for Tomcat Version 5.5.27 We updated the Tomcat to Version 5.5.32 and used the same server.xml file. With that the SSL port of Tomcat stopped working. The O/S and all the other things have remained the same on the server on which Tomcat update was performed and that leads me to believe that something changed in Tomcat that caused the failure. I have upload the catalina log for your perusal. Kindly review the log and let me know if in fact it is a configuartion issue and I need to pursue it with user group. Thank you for your help and support in this matter.
Comment 6 Konstantin Kolinko 2011-02-09 14:23:42 UTC
From the log: Feb 8, 2011 8:40:32 PM org.apache.coyote.http11.Http11BaseProtocol init INFO: Initializing Coyote HTTP/1.1 on http-8080 Feb 8, 2011 8:40:34 PM org.apache.coyote.http11.Http11BaseProtocol init SEVERE: Error initializing endpoint java.net.SocketException: Unbound server sockets not implemented at javax.net.ServerSocketFactory.createServerSocket(Unknown Source) at org.apache.tomcat.util.compat.Jdk14Compat.getUnboundSocket(Jdk14Compat.java:130) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:393) at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:127) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:96) at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293) at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139) at org.apache.catalina.connector.Connector.initialize(Connector.java:1002) (...)
Comment 7 Sridhar Murthy 2011-02-09 14:26:44 UTC
Created attachment 26629 [details] This server.xml works correctly for both SSL and non-SSL port for Tomcat 5.5.27 and fails to serve Tomcat on SSL port for Tomcat 5.5.32 Sumitting the server.xml file that works correctly for both SSL and non-SSL port for Tomcat 5.5.27 and fails to serve Tomcat on SSL port for Tomcat 5.5.32. If Tomcat 5.5.32 is working correctly then should the server.xml that I have attached work corrctly (which worked as per the design on Tomcat 5.5.27) ?
Comment 8 Sridhar Murthy 2011-02-09 20:54:40 UTC
Hi Konstantin: If all the configuartions required for the Tomcat to start services on both SSL port ( 8443) and non-SSL port (8080) are put in place in server.xml and when Tomcat server is started the services on port 8443 are not started with Tomcat 5.5.32 Here is the deal: root@svmciqa002 $ netstat -an | grep 8443 root@svmciqa002 $ netstat -an | grep 8080 tcp 0 0 *.8080 *.* LISTEN root@svmciqa002 $ I configure Tomcat 5.5.27 and use the same server.xml that was used for 5.5.32. Guess what - both ports (8443 and 8080) are listening as per the design: root@svmciqa002 $ netstat -an | grep 8443 tcp 0 0 *.8443 *.* LISTEN root@svmciqa002 $ netstat -an | grep 8080 tcp 0 0 *.8080 *.* LISTEN root@svmciqa002 $ I disagree with your argument that I have incorrect syntax with my server.xml file. If what you suspect is true, then I would not see the services on port 8443 for both Tomcat Versions (5.5.27 as well as 5.5.32) Kindly get back to me with your thoughts on this. Thank you for your help and support in this matter. Sri
Comment 9 Konstantin Kolinko 2011-02-09 21:30:57 UTC
Created attachment 26630 [details] 2011-02-11_tc55_50744_JSSESocketFactory.patch (In reply to comment #8) > I disagree with your argument that I have incorrect syntax with my server.xml > file. Whom do you disagree with? I never said the above. The issue here is that the 1.4 JVM that you are using does not implement a feature of "unbound server sockets" that the current code uses. Looking at Jdk14Compat.java that probably stems from http://svn.apache.org/viewvc?view=revision&revision=778258 that apparently is a fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=45528 which is about 1,5 years ago. I am attaching a patch (for the current tc5.5.x, as of 5.5.33) that will probably fix this issue.
Comment 10 Sridhar Murthy 2011-02-10 10:23:00 UTC
Hi Konstantin: Thank you very much for working on this issue, identifying the problem and also providing a patch. I will download the patch and test it out before COB today. I missed the fact that Christopher Schultz made an update and inadvertantly I assumed that you indicated that "This isn't a bug report". I apologize for my mistake. Regards, Sridhar
Comment 11 Konstantin Kolinko 2011-02-14 10:04:07 UTC
Created attachment 26651 [details] 2011-02-14_tc55_50744_JSSESocketFactory.patch A better patch. Now it includes debug logging.
Comment 12 Konstantin Kolinko 2011-02-14 10:22:04 UTC
Created attachment 26652 [details] 2011-02-14 Binary version of the patch for 5.5.33 (unofficial) Compiled classes that match the 2011-02-14_tc55_50744_JSSESocketFactory.patch patch, for Tomcat 5.5.33. To install: 1) Install Tomcat 5.5.33 2) Unzip the archive into $CATALINA_HOME/server/classes To enable debug logging in JSSESocketFactory, if you are using the default (JULI) logging, add the following line into $CATALINA_BASE/conf/logging.properties: org.apache.tomcat.util.net.jsse.JSSESocketFactory.level=FINE Note, that this is an unofficial patch and it is not released by ASF. Use it on your own risk.
Comment 13 Sridhar Murthy 2011-02-16 09:50:33 UTC
I will test this out next week and let you know if the issue reported is resolved. Thank you very much Konstantin for helping me with the patch. Regards, Sri
Comment 14 Mark Thomas 2011-08-18 16:44:51 UTC
This has been fixed in 5.5.x and will be included in 5.5.34 onwards.