Naymesh Mistry

Reputation: 946

Is it possible to enable HTTPS/TLS for Tomcat using OpenSSL without requiring Native Libraries and APR?

I am trying to get HTTPS/TLS enabled for Tomcat (8.x), preferring the OpenSSL alternative because the cert/key configuration is simpler (compared to the usual JSSE with keystore).

I followed the official documentation and enabled the connector section like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
          sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
          maxThreads="150" SSLEnabled="true" scheme="https" secure="true">

        <SSLHostConfig protocols="TLSv1.2">
            <Certificate 
               certificateKeyFile="conf/MyKey.key"
               certificateFile="conf/MyCertificate.crt"
               type="RSA" />
        </SSLHostConfig>
    </Connector>

NOTE that I am still using Http11NioProtocol and not the APR Http11AprProtocol connector.

However, startup fails with this configuration as this combination of configuration seems to require Tomcat native libraries to be built and configured:

14-Jun-2019 10:38:46.363 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
    at org.apache.tomcat.jni.Pool.create(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:70)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
    at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:53)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:41)
    at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:104)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1082)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:267)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)

I did build and install the Tomcat native + APR library and configured it on the Tomcat environment class path, which fixed the issue, but that is beside the point. The point is, shouldn't APR/native libraries only be required if I am using Http11AprProtocol, which I am not using? What am I missing? Any pointers/help will be much appreciated. Thanks!

Upvotes: 1

Views: 3620

Answers (2)

EpicVoyage

Reputation: 754

This directive on your Connector: sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"

requires tc-native. If you are using this on Tomcat 10, the AprLifecycleListener is still required:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" />

tc-native v1 also wants SSLEngine="on" on the <Listener> tag.

Upvotes: 0

Naymesh Mistry

Reputation: 946

The mistake I made was that I had explicitly configured sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" in the Connector configuration. This is what causes dependency on native libraries and the error on startup.

Not specifying sslImplementationName leaves it at the default, which is org.apache.tomcat.util.net.jsse.JSSEImplementation, and that works fine with OpenSSL-style certificate and key configuration. Final config:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
          maxThreads="150" SSLEnabled="true" scheme="https" secure="true">

        <SSLHostConfig protocols="TLSv1.2">
            <Certificate 
               certificateKeyFile="conf/MyKey.key"
               certificateFile="conf/MyCertificate.crt"
               type="RSA" />
        </SSLHostConfig>
    </Connector>

So the answer to the main question: yes it is possible to use pure Java/JSSE style configuration with OpenSSL style SSLHostConfig.

(The APR/OpenSSL implementation with native libraries is relatively more performant, however.)

Upvotes: 2
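Both the question's failing connector and the accepted self-answer come down to one attribute: any `SSLEnabled` Connector that names `OpenSSLImplementation` (or uses `Http11AprProtocol`) will only start once tc-native is loaded, which is why the `UnsatisfiedLinkError` above appears. The following script is an added example, not code from the question or answers or from the Tomcat project: it parses a `server.xml` and reports connectors that carry that native dependency without an `AprLifecycleListener`, plus a couple of defender-side checks on the `SSLHostConfig` (legacy protocol names, missing `Certificate`). The embedded `server.xml` is constructed for the example and reproduces the asker's first connector; the Tomcat class names are the ones that appear on this page.

```python
"""Lint a Tomcat server.xml for the tc-native/OpenSSL dependency discussed above.

Added example (not from the original post). Assumes Python 3 and the
standard-library XML parser; the sample server.xml below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the asker's first (failing) HTTPS connector plus a plain HTTP one.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
          sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
          maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig protocols="TLSv1.2">
            <Certificate certificateKeyFile="conf/MyKey.key"
                         certificateFile="conf/MyCertificate.crt"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Class names as they appear in the question and answers on this page.
OPENSSL_IMPL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# Protocol names that should not be enabled on a modern TLS endpoint.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "SSLv2Hello"}


def connector_needs_native(connector) -> bool:
    """True when this Connector can only initialise with tc-native (APR + OpenSSL) loaded."""
    protocol = connector.get("protocol", "HTTP/1.1")
    impl = connector.get("sslImplementationName", "")
    return protocol == APR_PROTOCOL or impl == OPENSSL_IMPL


def lint_server_xml(xml_text: str) -> list:
    """Return (port, message) findings for every SSLEnabled Connector in the document."""
    root = ET.fromstring(xml_text)
    has_apr_listener = any(
        listener.get("className") == APR_LISTENER for listener in root.iter("Listener")
    )
    findings = []
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing TLS-related to check
        port = connector.get("port", "?")
        if connector_needs_native(connector) and not has_apr_listener:
            findings.append((port, "needs tc-native (OpenSSLImplementation or APR protocol) "
                                   "but no AprLifecycleListener is declared; startup fails "
                                   "with UnsatisfiedLinkError unless the native library is installed"))
        for host_config in connector.iter("SSLHostConfig"):
            # Tomcat accepts a comma-separated list, optionally with +/- prefixes.
            raw = host_config.get("protocols", "all").split(",")
            protocols = {p.strip().lstrip("+") for p in raw}
            legacy = sorted(protocols & LEGACY_PROTOCOLS)
            if legacy:
                findings.append((port, f"enables legacy protocol(s): {', '.join(legacy)}"))
            if not list(host_config.iter("Certificate")):
                findings.append((port, "SSLHostConfig declares no Certificate element"))
    return findings


if __name__ == "__main__":
    for port, message in lint_server_xml(SAMPLE_SERVER_XML):
        print(f"connector {port}: {message}")
```

Removing the `sslImplementationName` attribute from the sample (the fix the accepted answer describes) makes the tc-native finding disappear, while adding the `AprLifecycleListener` line from the other answer keeps the attribute usable on installations that do ship the native library.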
