tomcat ssl connector error on 4.8.x reporting server

Hi,

Not being a tomcat expert at all, I am baffled by this:

I upgraded idm reporting from 4.7 to 4.8 (and further on to 4.8.3, rpt is 6.6.2.0)
Reporting runs on its own box, along with its own postgresql.

System is SLES12SP5

I do believe that the connector in the server.xml file hasn't been changed (and to me it looks fine)

When connecting I get an error in the browser:
---
Secure Connection Failed

An error occurred during a connection to [server.domain.tld]:8443. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG
---

catalina.out says:
22-Jul-2021 09:31:31.716 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
22-Jul-2021 09:31:32.363 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8443"]
22-Jul-2021 09:31:32.440 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
22-Jul-2021 09:31:32.441 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed

AND

22-Jul-2021 09:32:05.736 INFO [http-nio-8443-exec-2] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
        java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x030x010x100x010x000x010x0c0x030x030xcc[0xc84U0x04Y0xc1H/O0x180x1d0xa30x0f0xd4h0xbb0xd50xa60x10S0xb050x8c0x830xf8C0x7f0xd0G0xf10x000x00d0xc0,0xc0+0xc000x000x9d0xc0.0xc020x000x9f0x000xa30xc0/0x000x9c0xc0-0xc010x000x9e0x000xa20xc0$0xc0(0x00=0xc0&0xc0*0x00k0x00j0xc00x0a0xc00x140x0050xc00x050xc00x0f0x0090x0080xc0#0xc0'0x00<0xc0%0xc0)0x00g0x00@0xc00x090xc00x130x00/0xc00x040xc00x0e0x0030x0020xc00x080xc00x120x000x0a0xc00x030xc00x0d0x000x160x000x130x000xff0x010x000x000x7f0x000x0a0x000x120x000x100x000x170x000x180x000x190x010x000x010x010x010x020x010x030x010x040x000x0b0x000x020x010x000x000x0d0x00(0x00&0x040x030x050x030x060x030x080x040x080x050x080x060x080x090x080x0a0x080x0b0x040x010x050x010x060x010x040x020x030x030x030x010x030x020x020x030x020x010x020x020x0020x00(0x00&0x040x030x050x030x060x030x080x040x080x050x080x060x080x090x080x0a0x080x0b0x040x010x050x010x060x010x040x020x030x030x030x010x030x020x020x030x020x010x020x020x000x170x000x000x00+0x000x030x020x03...]. HTTP method names must be tokens

I tried installing libapr

  • Hi,

    This is the problem: Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]

    There was something about a missing symlink from the openssl (netiq package) to /lib64, but I can't exactly remember what it was about.

  • Hi Casper,

    Thanks.

    So I need to find out which library it is complaining about (which .so file it cannot find), and create a correct symlink, probably with the exact version.

    If I could just somehow find out which library it is looking for.

    I tried comparisons, but that kind of leads to more confusion, for example:

    Working (server with idmapps 4.8.3 installed):

    # l /usr/lib64/ |grep openssl
    lrwxrwxrwx   1 root root       29 May 25  2018 libevent_openssl-2.1.so.6 -> libevent_openssl-2.1.so.6.0.2*
    -rwxr-xr-x   1 root root    27368 May 25  2018 libevent_openssl-2.1.so.6.0.2*

    Not working (server with only reporting from 4.8.3 installed):

    # l /usr/lib64/ |grep openssl
    lrwxrwxrwx 1 root root       29 Jun 12  2020 libevent_openssl-2.0.so.5 -> libevent_openssl-2.0.so.5.1.9*
    -rwxr-xr-x 1 root root    23288 Jan 12  2018 libevent_openssl-2.0.so.5.1.9*
    lrwxrwxrwx 1 root root       28 Jun 12  2020 libxmlsec1-openssl.so -> libxmlsec1-openssl.so.1.2.28*
    lrwxrwxrwx 1 root root       28 Jun 12  2020 libxmlsec1-openssl.so.1 -> libxmlsec1-openssl.so.1.2.28*
    -rwxr-xr-x 1 root root   283496 Mar 23  2020 libxmlsec1-openssl.so.1.2.28*

    Different versions and all.

    A bit peculiar is that the tomcat versions are the same:

    netiq-idmtomcat-9.0.41-1.noarch
    netiq-tomcatconfig-4.8.3-2.noarch

    but the openssl versions are not

    Working:

    # rpm -qa|grep openssl
    libopenssl1_0_0-32bit-1.0.2p-3.36.1.x86_64
    libopenssl1_1-1.1.0i-14.12.1.x86_64
    openssl-1.1.0i-3.3.1.noarch
    openssl-1_1-1.1.0i-14.12.1.x86_64
    netiq-openssl-1.0.2x-56.x86_64
    libopenssl1_1-32bit-1.1.0i-14.12.1.x86_64
    netiq-openssl-32bit-1.0.2x-35.x86_64
    libopenssl1_0_0-1.0.2p-3.34.1.x86_64

    Not working:

    # rpm -qa|grep openssl
    libopenssl1_0_0-1.0.2p-3.36.1.x86_64
    openssl-1_0_0-1.0.2p-3.36.1.x86_64
    netiq-openssl-1.0.2t-22.x86_64
    libxmlsec1-openssl1-1.2.28-2.12.1.x86_64
    libopenssl1_0_0-32bit-1.0.2p-3.36.1.x86_64
    openssl-1.0.2p-1.13.noarch

    Wonder if I can align those?

  • Oh.....!
    The issue was actually TWO connector statements in the server.xml file.

    How silly is that?

  • I tried installing libapr

    Did you also install the Apache Tomcat Native Library?

    Does it work if you use pure Java?

    Here's a connector for a standalone reporting server:

     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" maxHttpHeaderSize="65536"
                SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
                sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
                keystoreFile="conf/server.p12" keystorePass="changeit" />

  • Thanks.
    The issue was TWO connector entries. That did not work.

  • For the same port? That is an unexpected config!  Double the pleasure, double the fun. Double Mint!
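
An added example (not part of the thread, and not NetIQ or Tomcat code): a small Python check for the root cause found above. It flags any port declared by more than one `<Connector>` in server.xml and recognises the catalina.out signature of a TLS ClientHello being parsed as plain HTTP; the sample XML, the sample log line and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two connectors bound to the same port, one plain and one TLS.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/server.p12" keystorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed log line, shortened from the shape seen in catalina.out.
SAMPLE_LOG = ("java.lang.IllegalArgumentException: Invalid character found in "
              "method name [0x160x030x030x010x10...]. HTTP method names must be tokens")

def audit_connectors(xml_text):
    """Return {port: [tls_enabled, ...]} for every port declared more than once."""
    by_port = defaultdict(list)
    for conn in ET.fromstring(xml_text).iter("Connector"):
        tls = conn.get("SSLEnabled", "false").strip().lower() == "true"
        by_port[conn.get("port")].append(tls)
    return {port: flags for port, flags in by_port.items() if len(flags) > 1}

# 0x16 = TLS handshake record type, 0x03 0x0N = record-layer version bytes.
TLS_IN_METHOD = re.compile(r"Invalid character found in method name \[0x160x030x0[0-4]")

def tls_hit_plain_connector(log_line):
    """True when Tomcat's HTTP parser was handed the start of a TLS handshake."""
    return bool(TLS_IN_METHOD.search(log_line))

def describe(xml_text):
    """Human-readable findings, one line per port with duplicate connectors."""
    out = []
    for port, flags in sorted(audit_connectors(xml_text).items()):
        kind = "mixed plain/TLS" if len(set(flags)) > 1 else "same type"
        out.append(f"port {port}: {len(flags)} connectors ({kind})")
    return out

if __name__ == "__main__":
    print(describe(SAMPLE_SERVER_XML))
    print(tls_hit_plain_connector(SAMPLE_LOG))
```

To run it against a real installation, pass the contents of conf/server.xml to `describe()` and feed catalina.out lines to `tls_hit_plain_connector()`.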