JIRA (including JIRA Core) - JRA-24488

Change of Tomcat binary package for Windows breaks HTTPS

    Details

      Description

      As of JIRA 4.3.1 we are upgrading Tomcat to 6.0.32. At the same time we seem to have changed Tomcat's binary package for Windows from apache-tomcat-6.0.20.zip to apache-tomcat-6.0.32-windows-x86.zip.

      https://maven.atlassian.com/content/groups/internal/org/apache/tomcat/apache-tomcat/6.0.32/
      http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.32/bin/

      This change introduces a requirement for a new way of configuring HTTPS, as Tomcat now uses the Apache Portable Runtime (APR) based native library for Tomcat.

      Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status, etc), and native process handling (shared memory, NT pipes and Unix sockets).

      These features allow making Tomcat a general purpose webserver, will enable much better integration with other native web technologies, and overall make Java much more viable as a full fledged webserver platform rather than simply a backend focused technology.

      If this is an intended change we should alter our docs to indicate it and warn users. Pages such as the release notes and Running JIRA over SSL or HTTPS are just two possible candidates for the update.

      As of JIRA 4.3.1 the HTTPS connector needs to be configured in a completely different way, with the help of OpenSSL:

      <Connector port="443" maxHttpHeaderSize="8192"
                 maxThreads="150"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 SSLEnabled="true"
                 SSLCertificateFile="${catalina.base}/conf/localhost.crt"
                 SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

      http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS
      http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL

      Moreover, we need to ensure that we are consistent across the board and that JIRA's Linux distribution also uses Apache Tomcat Native.

            Activity

            bdziedzic Bogdan Dziedzic [Atlassian] added a comment -

            If HTTPS is configured according to our doco page, the following is observed:

            • Browser times out while waiting for the HTTPS response.
            • HTTP can be accessed without any problems.
            • Errors are reported in the stderr log jira<date time>-stderr.<date>.log:
              03/05/2011 11:34:08 AM org.apache.coyote.http11.Http11AprProtocol init
              SEVERE: Error initializing endpoint
              java.lang.Exception: No Certificate file specified or invalid file format
              	at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
              	at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:723)
              	at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
              	at org.apache.catalina.connector.Connector.initialize(Connector.java:1022)
              	at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
              	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
              	at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
              	at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
              	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              	at java.lang.reflect.Method.invoke(Method.java:597)
              	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
              	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
              03/05/2011 11:34:08 AM org.apache.catalina.core.StandardService initialize
              SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
              LifecycleException:  Protocol handler initialization failed: java.lang.Exception: No Certificate file specified or invalid file format
              	at org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
              	at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
              	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
              	at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
              	at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
              	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              	at java.lang.reflect.Method.invoke(Method.java:597)
              	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
              	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
              
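The symptom above (HTTP fine, HTTPS timing out, the real cause only visible in stderr) is easy to miss in monitoring. The following is an added example, not code from the issue or from Atlassian, of a small startup-log check that extracts every connector Tomcat 6 failed to initialize and the root-cause message that follows it, so a deployment step can fail fast when the HTTPS listener did not come up. The sample log is copied from the comment above (trimmed) plus one constructed INFO line for the plain HTTP connector; the function names are this example's own.

```python
import re

# Tomcat 6 logs this SEVERE line when a protocol handler cannot start; the
# bracketed connector name carries the protocol and port, e.g. HTTP/1.1-8443.
FAILED_CONNECTOR = re.compile(
    r"SEVERE: Failed to initialize connector \[Connector\[(?P<name>[^\]]+)\]\]"
)

# The line right after it names the root cause, prefixed by the exception class.
CAUSE = re.compile(
    r"LifecycleException:\s+Protocol handler initialization failed:\s*"
    r"(?:[\w.]+:\s*)?(?P<msg>.+)$"
)

# Sample input: the first lines of the stderr log quoted in the comment above,
# with one constructed INFO line added for the healthy HTTP connector.
SAMPLE_LOG = """\
03/05/2011 11:34:08 AM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: No Certificate file specified or invalid file format
\tat org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
\tat org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:723)
03/05/2011 11:34:08 AM org.apache.catalina.core.StandardService initialize
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
LifecycleException:  Protocol handler initialization failed: java.lang.Exception: No Certificate file specified or invalid file format
\tat org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
03/05/2011 11:34:08 AM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
"""


def failed_connectors(log_text):
    """Map each connector Tomcat failed to start (e.g. 'HTTP/1.1-8443') to the
    root-cause message printed on the following LifecycleException line."""
    lines = log_text.splitlines()
    result = {}
    for i, line in enumerate(lines):
        m = FAILED_CONNECTOR.search(line)
        if not m:
            continue
        cause = "unknown"
        if i + 1 < len(lines):
            c = CAUSE.search(lines[i + 1])
            if c:
                cause = c.group("msg").strip()
        result[m.group("name")] = cause
    return result


def https_listener_down(log_text, https_port):
    """True when a connector bound to https_port failed to initialize."""
    suffix = "-%d" % https_port
    return any(name.endswith(suffix) for name in failed_connectors(log_text))


if __name__ == "__main__":
    for name, cause in failed_connectors(SAMPLE_LOG).items():
        print("connector %s failed: %s" % (name, cause))
    print("HTTPS on 8443 down:", https_listener_down(SAMPLE_LOG, 8443))
```

Run it against the real stderr file after a restart; a non-empty result from failed_connectors is a reliable signal that clients will see the HTTPS timeout described above even though the HTTP port answers.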
            jwinters James Winters [Atlassian] added a comment -

            This is the 32 bit APR for Windows, what plans do we have to bundle a 64 bit version? Or do we just update the docs and let the customer download it?

            lucast Tom Lucas added a comment -

            Interestingly I was able to get around this for the moment by commenting out the following line in the server.xml file.

            <!-- <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/> -->

            Doing this appears to bring back the old behavior. APR uses new syntax for OpenSSL.

            valentijn.scholten Valentijn Scholten added a comment -

            Also ran into this. For APR-newbies it can be time consuming to find out what exactly needs to be changed.

            bdziedzic Bogdan Dziedzic [Atlassian] added a comment - edited

            Be careful when following Tom's provided workaround. You must be careful to comment out the entire line:

            <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>

            If instead you set SSLEngine to off, this will silently deactivate the SSL engine on your HTTPS connector. The browser will still exchange the certificates and establish a connection on the secured port, but data won't be encrypted.

            While this problem is being investigated, please follow Tomcat's doco on configuring HTTPS:

            http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

            jwinters James Winters [Atlassian] added a comment - edited

            The easiest workaround is to simply add the protocol argument to the connector configuration, so your Connector will be configured like:

            <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                       maxHttpHeaderSize="8192" SSLEnabled="true"
                       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                       enableLookups="false" disableUploadTimeout="true"
                       acceptCount="100" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>
            jwinters James Winters [Atlassian] added a comment -

            See documentation at http://confluence.atlassian.com/display/JIRA043/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-UsingApachePortableRuntime
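The thread above describes three server.xml states that look similar but behave very differently: the doco-style keystore connector under an APR listener (startup fails with "No Certificate file specified"), the connector pinned to Http11Protocol (stays on JSSE and works), and an AprLifecycleListener with SSLEngine="off" (reported above as serving the secure port without encryption). As an added example, not Atlassian's or Tomcat's code, here is a small lint that reads a server.xml, decides which SSL implementation Tomcat 6 will use for each SSLEnabled connector, and flags those states before a restart. It assumes that when the AprLifecycleListener is present the native library actually loads (if tcnative is missing, Tomcat silently falls back to JSSE); the finding codes and the sample server.xml fragments are constructed for this example.

```python
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
JSSE_PROTOCOL = "org.apache.coyote.http11.Http11Protocol"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"


def apr_ssl_engine(root):
    """Return the SSLEngine value of the AprLifecycleListener ("on"/"off"), or
    None if the listener is absent; without it the native library is never
    loaded and plain HTTP/1.1 connectors stay on the JSSE implementation."""
    for listener in root.iter("Listener"):
        if listener.get("className") == APR_LISTENER:
            return listener.get("SSLEngine", "off").lower()
    return None


def select_impl(connector, ssl_engine):
    """Which SSL stack Tomcat 6 uses for this connector (assumption: a present
    APR listener succeeds in loading tcnative)."""
    protocol = connector.get("protocol", "HTTP/1.1")
    if protocol == APR_PROTOCOL:
        return "apr"
    if protocol == JSSE_PROTOCOL:
        return "jsse"
    # Generic "HTTP/1.1" lets Tomcat choose: APR whenever the library is loaded.
    return "apr" if ssl_engine is not None else "jsse"


def lint_server_xml(xml_text):
    """Return (port, code) findings for every SSLEnabled connector."""
    root = ET.fromstring(xml_text)
    ssl_engine = apr_ssl_engine(root)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        impl = select_impl(conn, ssl_engine)
        if impl == "apr":
            if ssl_engine == "off":
                # The comment above reports this state serves the port unencrypted.
                findings.append((port, "SSL_ENGINE_OFF"))
            if not (conn.get("SSLCertificateFile") and conn.get("SSLCertificateKeyFile")):
                # Exactly the failure quoted in the stderr log above.
                findings.append((port, "APR_MISSING_CERT"))
            if conn.get("keystoreFile"):
                findings.append((port, "APR_IGNORES_KEYSTORE"))
        elif conn.get("SSLCertificateFile") or conn.get("SSLCertificateKeyFile"):
            findings.append((port, "JSSE_IGNORES_OPENSSL_ATTRS"))
        findings.append((port, "IMPL_" + impl.upper()))
    return findings


# Constructed sample fragments modelled on the configurations discussed above.
DOCO_KEYSTORE_UNDER_APR = """<Server>
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore" keystorePass="changeit"/>
  </Service>
</Server>"""

PINNED_TO_JSSE = """<Server>
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>"""

APR_WITH_OPENSSL_FILES = """<Server>
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/localhost.crt"
               SSLCertificateKeyFile="conf/localhost.key"/>
  </Service>
</Server>"""

ENGINE_OFF = APR_WITH_OPENSSL_FILES.replace('SSLEngine="on"', 'SSLEngine="off"')


if __name__ == "__main__":
    for label, xml in (("doco keystore under APR", DOCO_KEYSTORE_UNDER_APR),
                       ("pinned to JSSE", PINNED_TO_JSSE),
                       ("APR with OpenSSL files", APR_WITH_OPENSSL_FILES),
                       ("SSLEngine off", ENGINE_OFF)):
        print(label, "->", lint_server_xml(xml))
```

The check is intentionally static: it tells you which implementation will be selected and whether the connector carries the attributes that implementation reads, which is the information the comments above say is hard for APR newcomers to discover. SSL_ENGINE_OFF is the finding to treat as blocking, since the page reports that state as a secure port without encryption rather than a visible startup failure.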

              People

              • Assignee: pleschev Peter Leschev
              • Reporter: bdziedzic Bogdan Dziedzic [Atlassian]
              • Votes: 2
              • Watchers: 2