tomcat-native needs recompile to use TLSv1.3 from openssl 1.1
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tomcat-native (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
| Bionic |
Fix Released
|
Medium
|
Dan Streetman | ||
Bug Description
[impact]
the libtcnative-1 package contains both a dynamic libtcnative-1.so lib, as well as a static libtcnative-1.a lib. Normal java applications will use the dynamic library, and it is correctly linked to the system's installed libssl library. However, the static library pulls the build-time libssl library in, and so anything using the static libtcnative-1.a library will use the build-time libssl version, instead of the currently installed libssl library version.
This matters on Bionic since openssl was upgraded from 1.1.0 to 1.1.1; the latest libtcnative-1 build was done with the 1.1.0 version of libssl, so it does not include TLSv1.3 support, since it has ssl 1.1.0 built-in.
Java typically/
https:/
This is what APR does, and tomcat uses APR, so it pulls in the static tcnative-1 library. This causes the current tomcat9 in Bionic to lack support for TLSv1.3.
[test case]
A normal java program can't be used to reproduce/verify this bug - it must be something that uses APR, like tomcat, to pull in the static libtcnative-1.a library.
I haven't set up tomcat myself, and I'm not familiar enough with it to know how to set it up to reproduce this; but the reporter of this bug to me uses this connector to enable TLSv1.3 in their tomcat deployment, and it fails with the current tcnative-1 package:
<Connector port="443" protocol=
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className=
<SSLHostConfig
honorCipherOrde
ciphers=
disableSessionT
<Certificate certificateKeyF
certificateFile
certificateChai
type="RSA" />
</SSLHostConfig>
</Connector>
with a simple no-change rebuild, the tcnative-1 package provides a libtcnative-1.a that does provide TLSv1.3 to their tomcat deployment.
[regression potential]
as this is a rebuild-only, any regression would likely impact tomcat9, especially in the area of supported TLS/SSL ciphers.
[other info]
The impact section description is based on my limited understanding of how tomcat9 and APR work to load the libtcnative-1 library; I have not confirmed that the static libtcnative-1.a lib caches the older libssl version, but I'm not sure what else in the libtcnative-1 package could cache the value. The person who reported this to me did confirm that a simple no-change rebuild of the library fixes this for them.
This isn't technically a regression, as before OpenSSL was upgraded to 1.1 in Bionic, tomcat9 didn't provide TLSv1.3 support; but now that OpenSSL 1.1 is available in Bionic, tomcat9 should support TLSv1.3. As far as I know, this did not actually introduce any errors/failures for anyone currently using tomcat9 with TLSv1.2 or earlier.
I marked this with the tag 'bionic-
This affects only Bionic; Xenial doesn't include libssl 1.1, and the latest tomcat-native in Disco was built with libssl 1.1.1a:
https:/
| Changed in tomcat9 (Ubuntu Bionic): | |
| assignee: | nobody → Dan Streetman (ddstreet) |
| status: | New → In Progress |
| Changed in tomcat9 (Ubuntu): | |
| status: | New → Fix Released |
| Changed in tomcat9 (Ubuntu Bionic): | |
| importance: | Undecided → Medium |
| description: | updated |
| Changed in tomcat-native (Ubuntu Bionic): | |
| status: | New → In Progress |
| assignee: | nobody → Dan Streetman (ddstreet) |
| importance: | Undecided → Medium |
| Changed in tomcat-native (Ubuntu): | |
| status: | New → Fix Released |
| no longer affects: | tomcat9 (Ubuntu) |
| summary: |
- tomcat9 needs recompile to use TLSv1.3 from openssl 1.1 + tomcat-native needs recompile to use TLSv1.3 from openssl 1.1 |
| no longer affects: | tomcat9 (Ubuntu Bionic) |
| tags: | added: bionic-openssl-1.1 sts sts-sponsor sts-sponsor-ddstreet |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| Timo Aaltonen (tjaalton) wrote Please test proposed package | #2 |
| Changed in tomcat-native (Ubuntu Bionic): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed verification-needed-bionic |
| Dan Streetman (ddstreet) wrote | #3 |
| Changed in tomcat-native (Ubuntu): | |
| importance: | Undecided → Medium |
| Dan Streetman (ddstreet) wrote | #4 |
| tags: |
added: verification-done verification-done-bionic removed: sts-sponsor sts-sponsor-ddstreet verification-needed verification-needed-bionic |
| Chris Halse Rogers (raof) wrote Update Released | #5 |
| Launchpad Janitor (janitor) wrote | #6 |
| Changed in tomcat-native (Ubuntu Bionic): | |
| status: | Fix Committed → Fix Released |
I asked tdaitx (java expert) for a quick review:
<ddstreet> tdaitx you're the java guy, right? can you review this upload to make sure i got the facts right? it's a simple no-change rebuild, but i don't have experience with tomcat or static JNI libs so would be good to confirm the explanation of why the rebuild is needed is correct
<ddstreet> by 'this upload' i meant tomcat-native ^
<ddstreet> from lp #1854072
<ubot5> Launchpad bug 1854072 in tomcat-native (Ubuntu Bionic) "tomcat-native needs recompile to use TLSv1.3 from openssl 1.1" [Medium,In progress] https:/
<tdaitx> ddstreet: yeah, given the description I supposed it could fix it, whish there was a better way to reproduce it though, I generated the certs, added the commands to tomcat's server.xml (in /etc) but it starts just fine and even lists openssl 1.1.1 (I wonder if it is using the dynamic lib for any reason)
<tdaitx> I did a quick look at the libtcnative-1.a and rebuild it on bionic, but haven't seem anything different in symbols and such
<ddstreet> tdaitx thanks!