JRA-24488

Change of Tomcat binary package for Windows breaks HTTPS


      Description

      As of JIRA 4.3.1 we are upgrading Tomcat to 6.0.32. At the same time we seem to have changed Tomcat's binary package for Windows from apache-tomcat-6.0.20.zip to apache-tomcat-6.0.32-windows-x86.zip.

      https://maven.atlassian.com/content/groups/internal/org/apache/tomcat/apache-tomcat/6.0.32/
      http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.32/bin/

      This change introduces a requirement for a new way of configuring HTTPS, as Tomcat uses the Apache Portable Runtime (APR) based native library for Tomcat.

      Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status, etc), and native process handling (shared memory, NT pipes and Unix sockets).

      These features allow making Tomcat a general purpose webserver, will enable much better integration with other native web technologies, and overall make Java much more viable as a full fledged webserver platform rather than simply a backend focused technology.

      If this is an intended change, we should alter our docs to indicate it and warn users. Pages such as the release notes and Running JIRA over SSL or HTTPS are just two possible candidates for the update.

      As of JIRA 4.3.1 the HTTPS connector needs to be configured in a completely different way, with the help of OpenSSL:

      <Connector port="443" maxHttpHeaderSize="8192"
                 maxThreads="150"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 SSLEnabled="true"
                 SSLCertificateFile="${catalina.base}/conf/localhost.crt"
                 SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

      http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS
      http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL

      Moreover, we need to ensure that we are consistent across the board and that JIRA's Linux distribution also uses Apache Tomcat Native.


          Activity

          Bogdan Dziedzic [Atlassian] added a comment -

          If HTTPS is configured according to our doco page, the following is observed:

          • Browser times out while waiting for the HTTPS response.
          • HTTP can be accessed without any problems.
          • Errors are reported in stderr jira<date time>-stderr.<date>.log:
            03/05/2011 11:34:08 AM org.apache.coyote.http11.Http11AprProtocol init
            SEVERE: Error initializing endpoint
            java.lang.Exception: No Certificate file specified or invalid file format
            	at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
            	at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:723)
            	at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
            	at org.apache.catalina.connector.Connector.initialize(Connector.java:1022)
            	at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
            	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
            	at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
            	at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
            	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            	at java.lang.reflect.Method.invoke(Method.java:597)
            	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
            	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
            03/05/2011 11:34:08 AM org.apache.catalina.core.StandardService initialize
            SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
            LifecycleException:  Protocol handler initialization failed: java.lang.Exception: No Certificate file specified or invalid file format
            	at org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
            	at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
            	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
            	at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
            	at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
            	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            	at java.lang.reflect.Method.invoke(Method.java:597)
            	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
            	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
            
          James Winters [Atlassian] added a comment -

          This is the 32 bit APR for Windows, what plans do we have to bundle a 64 bit version? Or do we just update the docs and let the customer download it?

          Tom Lucas added a comment -

          Interestingly I was able to get around this for the moment by commenting out the following line in the server.xml file.

          <!-- <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/> -->

          Doing this appears to bring back the old behavior. APR uses new syntax for OpenSSL.

          Valentijn Scholten added a comment -

          Also ran into this. For APR-newbies it can be time consuming to find out what exactly needs to be changed.

          Bogdan Dziedzic [Atlassian] added a comment - - edited

          Be careful when following Tom's provided workaround. You must be careful to comment out the entire line:

          <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
          

          If instead you set SSLEngine to off, this will silently deactivate the SSL engine on your HTTPS connector. The browser will still exchange the certificates and establish a connection on the secured port, but data won't be encrypted.

          While this problem is being investigated, please follow Tomcat's doco on configuring HTTPS:

          http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

          James Winters [Atlassian] added a comment - - edited

          The easiest workaround is to simply add the protocol argument to the connector configuration, so your Connector will be configured like:

              <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                         maxHttpHeaderSize="8192" SSLEnabled="true"
                         maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                         enableLookups="false" disableUploadTimeout="true"
                         acceptCount="100" scheme="https" secure="true"
                         clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>

          James Winters [Atlassian] added a comment -

          See documentation at http://confluence.atlassian.com/display/JIRA043/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-UsingApachePortableRuntime
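As an added example (not code from this issue, from Atlassian or from the Tomcat project), the following Python script lints a Tomcat 6 server.xml for the three situations the thread describes: the keystore-style configuration from the doco page that the APR connector rejects with "No Certificate file specified", the explicit Http11Protocol (JSSE) workaround, and an AprLifecycleListener with SSLEngine off next to an SSLEnabled connector. The server.xml fragments are constructed samples; native_available is an assumed parameter modelling whether tcnative is on the PATH (it is bundled in the windows-x86 package), and the "unencrypted" message restates the report in the comment above rather than a behaviour verified by the script.

```python
"""Lint a Tomcat 6 server.xml for the HTTPS connector problems discussed in
JRA-24488. Added example; not code from Atlassian or the Tomcat project."""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
# Attributes the APR (OpenSSL) connector needs; the JSSE connector ignores them.
APR_ONLY_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile")
# Attributes the JSSE (keystore) connector uses; the APR connector ignores them.
JSSE_ONLY_ATTRS = ("keystoreFile", "keystorePass", "sslProtocol", "clientAuth")


def _flag(value, default):
    """Tomcat accepts true/on/yes style booleans for these attributes."""
    return (default if value is None else value).strip().lower() in ("true", "on", "yes")


def lint_server_xml(xml_text, native_available=True):
    """Return (port, level, message) findings for every SSLEnabled connector.

    native_available (assumed parameter) models whether tcnative is on the PATH;
    with it loaded and an AprLifecycleListener present, the default protocol
    "HTTP/1.1" auto-selects the APR connector instead of the Java one.
    """
    root = ET.fromstring(xml_text)
    listeners = [l for l in root.iter("Listener") if l.get("className") == APR_LISTENER]
    apr_active = native_available and bool(listeners)
    ssl_engine_on = any(_flag(l.get("SSLEngine"), "on") for l in listeners)
    findings = []

    for conn in root.iter("Connector"):
        if not _flag(conn.get("SSLEnabled"), "false"):
            continue  # plain HTTP connector, nothing to check
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        uses_apr = protocol == APR_PROTOCOL or (protocol == "HTTP/1.1" and apr_active)

        if uses_apr:
            if not listeners:
                findings.append((port, "ERROR", "APR protocol requested but no AprLifecycleListener"))
            elif not ssl_engine_on:
                findings.append((port, "ERROR", "AprLifecycleListener has SSLEngine=off; the issue "
                                 "reports the HTTPS port then serves data unencrypted"))
            missing = [a for a in APR_ONLY_ATTRS if not conn.get(a)]
            if missing:
                findings.append((port, "ERROR", "APR connector lacks %s; startup fails with "
                                 "'No Certificate file specified'" % ", ".join(missing)))
            ignored = [a for a in JSSE_ONLY_ATTRS if a in conn.attrib]
            if ignored:
                findings.append((port, "WARN", "JSSE-only attributes ignored by APR: " + ", ".join(ignored)))
        else:
            if "keystoreFile" not in conn.attrib:
                findings.append((port, "INFO", "JSSE connector without keystoreFile: "
                                 "Tomcat falls back to ${user.home}/.keystore"))
            ignored = [a for a in APR_ONLY_ATTRS if a in conn.attrib]
            if ignored:
                findings.append((port, "WARN", "APR-only attributes ignored by JSSE: " + ", ".join(ignored)))
    return findings


def lint_file(path, native_available=True):
    """Lint a server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return lint_server_xml(fh.read(), native_available)


# Constructed sample fragments (not copied from any real JIRA install).
DOC_STYLE_KEYSTORE = """<Server>
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="conf/jira.jks"/>
  </Service>
</Server>"""

APR_OPENSSL = """<Server>
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="${catalina.base}/conf/localhost.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/localhost.key"/>
  </Service>
</Server>"""

JSSE_EXPLICIT = """<Server>
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

ENGINE_OFF = APR_OPENSSL.replace('SSLEngine="on"', 'SSLEngine="off"')

if __name__ == "__main__":
    for name, sample in (("doc-style keystore", DOC_STYLE_KEYSTORE), ("APR/OpenSSL", APR_OPENSSL),
                         ("explicit JSSE", JSSE_EXPLICIT), ("SSLEngine off", ENGINE_OFF)):
        print(name, lint_server_xml(sample) or "no findings")
```

Run it against a real install with lint_file("path/to/server.xml"); pass native_available=False to see how the same file would behave on the old 6.0.20 zip, which shipped without tcnative.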

            People

            • Assignee: Peter Leschev [Atlassian] - Recovering JIRA Bugmaster
            • Reporter: Bogdan Dziedzic [Atlassian]