how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...


John Palmer
(I'm new to using TC-native, interested in how to accomplish "In security
conscious production environments, it is recommended to use separate shared
dlls for OpenSSL, APR, and libtcnative-1, and update them as needed
according to security bulletins. "

Apparently I need a concrete example (step-by-step, where to get the dlls,
where to put them (and make sure tomcat finds them) etc...   preferably I
wouldn't have to compile anything myself.

thanks...

Re: how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...

Christopher Schultz-2

John,

On 2/11/19 10:46, John Palmer wrote:
> (I'm new to using TC-native, interested in how to accomplish "In
> security conscious production environments, it is recommended to
> use separate shared dlls for OpenSSL, APR, and libtcnative-1, and
> update them as needed according to security bulletins. "

For Windows, you are better off using the all-in-one statically-linked
DLL provided by the Tomcat team. If you really want separate ones,
you'll need to build everything yourself.

I think that quote is easy to misinterpret. The problem is not the
fact that the library is statically-linked and therefore less secure.
The problem is that the native library bundles 3 separate packages:
Apache Portable Runtime (APR), OpenSSL, and Tomcat's native library
(libtcnative). Because they are bundled together, you cannot upgrade
any single one of them independently of the others.

If APR publishes a fix for a vulnerability, you cannot upgrade just
apr-x.y.z.dll to get that fix. Instead, you'd have to wait for the
Tomcat team to publish an updated bundle that includes that new
version. Same with OpenSSL, etc.

In general, the Tomcat team tries to keep on top of the latest news
and releases from both APR and OpenSSL, so you shouldn't have to wait
too long between a newly-published version of APR or OpenSSL and a new
release of tcnative.

If you have the capability of building your own libraries, then you
can always get the latest from the upstream source and stay even more
up-to-date than you would if you waited for the releases from Tomcat.

> Apparently I need a concrete example (step-by-step, where to get
> the dlls, where to put them (and make sure tomcat finds them)
> etc...   preferably I wouldn't have to compile anything myself.

If you don't want to compile yourself, you'll need to trust ...
someone else. The Tomcat team only publishes the all-in-one DLL.

I would question whether or not you really need libtcnative at all.
Are you going to be using a Tomcat installation without any kind of
load-balancer or reverse-proxy in between it and your users?

-chris



Re: how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...

John Palmer
> For Windows, you are better off using the all-in-one statically-linked
> DLL provided by the Tomcat team.
...
> In general, the Tomcat team tries to keep on top of the latest news
> and releases from both APR and OpenSSL, so you shouldn't have to wait
> too long between a newly-published version of APR or OpenSSL and a new
> release of tcnative.

I'm fine with that... this week we've seen the new TC-Native released and
then tomcat 9 updated Friday and 8.5 updated over the weekend (I think).
Pretty darn quick, in any case.

> I would question whether or not you really need libtcnative at all.

Me too. But see below:

> Are you going to be using a Tomcat installation without any kind of
> load-balancer or reverse-proxy in between it and your users?

We're using a load-balancer, but terminating the SSL (TLS) connection at
Tomcat rather than at the load-balancer
(we need the client certificate info for authentication. I understand that
with an SSL connection terminated at a load balancer, the client certificate
info can be forwarded to Tomcat, but I don't want to fight that battle
just now).
I'm investigating using tc-native for:
improved SSL (TLS) processing compared to the JSSE implementation (I hope)
TLS 1.3 support
HTTP/2 support
(possibly the use of more mainstream certs/truststore formats (Windows
environment) than the JKS format
(not that using the JKS format is a big deal, but I have found Key Store
Explorer to be REAL helpful in figuring out problems with keystores or
truststores that weren't real obvious using keytool.exe by itself,
and in adding/removing Issuer or Root certs as new ones come into use or
expire).

Thanks...

On Mon, Feb 11, 2019 at 11:38 AM Christopher Schultz <
[hidden email]> wrote:
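As an added example (not from the thread or the Tomcat project's own configuration), here is a server.xml fragment showing what the setup John describes looks like once tc-native is in use: TLS terminated at Tomcat through the all-in-one libtcnative-1.dll bundle, client certificates required, only TLS 1.2 and 1.3 offered, HTTP/2 enabled, and PEM files used in place of a JKS keystore. The port, maxThreads value and every file path under conf/ are assumed placeholders.

```xml
<!-- Added example (not from the thread): Tomcat 8.5/9 server.xml fragment
     for terminating TLS with tc-native/OpenSSL. Paths under conf/ are
     placeholders. -->

<!-- Loads libtcnative-1.dll (on Windows, the all-in-one bundle discussed
     above) and initialises the OpenSSL it carries. At startup the listener
     logs the tcnative, APR and OpenSSL versions it loaded, which is the
     place to confirm which bundled versions are actually running. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true">

    <!-- HTTP/2 over TLS; ALPN negotiation is handled by the OpenSSL engine -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    <!-- Only TLS 1.2 and 1.3; require a client certificate chaining to the
         CA bundle, at most two intermediates deep, and prefer the server's
         cipher order over the client's. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="required"
                   certificateVerificationDepth="2"
                   caCertificateFile="conf/client-ca-bundle.pem"
                   honorCipherOrder="true">

        <!-- PEM key, leaf certificate and chain instead of a JKS keystore -->
        <Certificate certificateKeyFile="conf/tomcat-key.pem"
                     certificateFile="conf/tomcat-cert.pem"
                     certificateChainFile="conf/tomcat-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Two caveats follow directly from Chris's point about the bundle: TLSv1.3 in this protocols list only takes effect if the OpenSSL compiled into the libtcnative-1.dll you deployed is 1.1.1 or newer, and when an OpenSSL or APR security bulletin lands, the version strings in the AprLifecycleListener startup log are what tell you whether the bundle on disk has actually been replaced.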