Tomcat Native 1.2.5 was released on March 7, 2016.

According to the changelog, configure now checks the OpenSSL version by default.

Let's verify that.

< Version 1.1.33 (bundled with Tomcat 7.0.68) >

checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.1.33
checking for chosen layout... tcnative
checking for APR... yes
  setting CC to "gcc"
  setting CC to "gcc"
  setting CPP to "gcc -E"
checking for JDK location (please wait)... /sw/jdk1.7.0_79
checking Java platform... checking Java platform...
checking for sablevm... NONE
  adding "-I/sw/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking os_type directory...  linux
  adding "-I/sw/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from /usr/lib and /usr/include
checking OpenSSL library version... ok
checking for OpenSSL DSA support... yes
  setting TCNATIVE_LDFLAGS to "-lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /sw/apr-1.5.1/libapr-1.la -lrt -lcrypt  -lpthread"
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands

< Version 1.2.5 (the new release) >

checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking for working mkdir -p... yes
Tomcat Native Version: 1.2.5
checking for chosen layout... tcnative
checking for APR... yes
configure: APR 1.5.1 detected.
  setting CC to "gcc"
  setting CPP to "gcc -E"
checking JAVA_HOME... /sw/jdk1.7.0_79
  adding "-I/sw/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
checking for JDK os include directory...  linux
checking for JDK os include directory...  linux
  adding "-I/sw/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for OpenSSL library... using openssl from /usr/lib and /usr/include
checking OpenSSL library version >= 1.0.2...
 
Found   OPENSSL_VERSION_NUMBER 0x1000105f (OpenSSL 1.0.1e 11 Feb 2013)
Require OPENSSL_VERSION_NUMBER 0x1000200f or greater (1.0.2)
 
not compatible
checking for OpenSSL DSA support... yes
  setting TCNATIVE_LDFLAGS to "-lssl -lcrypto"
  adding "-DHAVE_OPENSSL" to CFLAGS
  setting TCNATIVE_LIBS to ""
  setting TCNATIVE_LIBS to " /sw/apr-1.5.1/libapr-1.la -lrt -lcrypt  -lpthread"
checking for apr_pollset_wakeup in -lapr-1... no
configure: creating ./config.status
config.status: creating tcnative.pc
config.status: creating Makefile
config.status: executing default commands

Note that Tomcat Native 1.2.x requires OpenSSL 1.0.2 or later, which is why the "not compatible" error shown above appears.

The --disable-openssl-version-check option to configure is said to skip the OpenSSL version check. The result is as follows.

checking for OpenSSL library... using openssl from /usr/lib and /usr/include
Skipped OpenSSL version check
checking for OpenSSL DSA support... yes

We can see that the check is skipped.

So what happens if, on an OpenSSL older than the required 1.0.2, we skip the version check with --disable-openssl-version-check, get through configure anyway, and then run make?

/bin/sh /sw/apr-1.5.1/libtool --silent --mode=compile gcc -g -O2 -pthread   -DHAVE_CONFIG_H  -DLINUX -D_REENTRANT -D_GNU_SOURCE   -g -O2 -DHAVE_OPENSSL   -I/sw/apache-tomcat-7.0.68/bin/tomcat-native-1.2.5-src/native/include -I/sw/jdk1.7.0_79/include -I/sw/jdk1.7.0_79/include/linux  -I/sw/apr-1.5.1/include   -o src/sslcontext.lo -c src/sslcontext.c && touch src/sslcontext.lo
src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_setCertificateRaw':
src/sslcontext.c:1079: error: 'eckey' undeclared (first use in this function)
src/sslcontext.c:1079: error: (Each undeclared identifier is reported only once
src/sslcontext.c:1079: error: for each function it appears in.)
make[1]: *** [src/sslcontext.lo] 오류 1
make[1]: Leaving directory `/sw/apache-tomcat-7.0.68/bin/tomcat-native-1.2.5-src/native'
make: *** [all-recursive] 오류 1

 

In addition, when Tomcat reports the OpenSSL version, earlier versions showed the compile-time version, but from 1.2.5 on it shows the version of the runtime environment. This relates to Bug 59024 (https://bz.apache.org/bugzilla/show_bug.cgi?id=59024). Let's compare the ssl.c files of 1.2.4 and 1.2.5.

< 1.2.4 >

    TCN_IMPLEMENT_CALL(jint, SSL, version)(TCN_STDARGS)
    {
        UNREFERENCED_STDARGS;
        return OPENSSL_VERSION_NUMBER;   /* macro from the OpenSSL headers (compile time) */
    }

    TCN_IMPLEMENT_CALL(jstring, SSL, versionString)(TCN_STDARGS)
    {
        UNREFERENCED(o);
        return AJP_TO_JSTRING(OPENSSL_VERSION_TEXT);   /* header macro (compile time) */
    }

    /* ... later in ssl.c ... */
        CRYPTO_malloc_init();

< 1.2.5 >

    TCN_IMPLEMENT_CALL(jint, SSL, version)(TCN_STDARGS)
    {
        UNREFERENCED_STDARGS;
    #if OPENSSL_VERSION_NUMBER < 0x10100000L
        return OPENSSL_VERSION_NUMBER;   /* header macro (compile time) */
    #else
        return OpenSSL_version_num();    /* asks the loaded library (run time) */
    #endif
    }

    TCN_IMPLEMENT_CALL(jstring, SSL, versionString)(TCN_STDARGS)
    {
        UNREFERENCED(o);
    #if OPENSSL_VERSION_NUMBER < 0x10100000L
        return AJP_TO_JSTRING(SSLeay_version(SSLEAY_VERSION));    /* run time, pre-1.1.0 API */
    #else
        return AJP_TO_JSTRING(OpenSSL_version(OPENSSL_VERSION));  /* run time, 1.1.0+ API */
    #endif
    }

    /* ... later in ssl.c ... */
    #if OPENSSL_VERSION_NUMBER < 0x10100000L
        CRYPTO_malloc_init();
    #else
        OPENSSL_malloc_init();
    #endif
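
The two numbers in the configure output above (0x1000105f and 0x1000200f) and the 0x10100000L boundary in ssl.c all use OpenSSL's pre-3.0 MNNFFPPS packing. The following is an added example, not code from Tomcat Native, that decodes such a number and shows which path a given build-time header version takes; the function and macro names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Values taken from the page: configure's minimum and the ssl.c gate. */
#define TCN_MIN_OPENSSL  0x1000200fUL  /* "Require ... 0x1000200f or greater" */
#define OPENSSL_110_GATE 0x10100000UL  /* #if boundary in ssl.c */

/* Hypothetical helper: decode the pre-3.0 MNNFFPPS layout
 * (major, minor, fix, patch letter, status nibble) into text. */
static const char *decode_openssl_version(unsigned long v, char *buf, size_t n)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    unsigned status = v & 0xf;
    char letter[8] = "";
    const char *tag = "";

    if (patch >= 1 && patch <= 26)
        letter[0] = (char)('a' + patch - 1);           /* 5 -> 'e' */
    else if (patch > 26)
        snprintf(letter, sizeof letter, "p%u", patch); /* beyond 'z': raw value */
    if (status == 0)
        tag = "-dev";
    else if (status != 0xf)
        tag = "-beta";                                 /* 0x1..0xe */
    snprintf(buf, n, "%u.%u.%u%s%s", major, minor, fix, letter, tag);
    return buf;
}

/* Hypothetical helper: which path a build-time header version takes.
 * 0 = rejected by configure, 1 = pre-1.1.0 branch of ssl.c
 * (SSLeay_version), 2 = 1.1.0+ branch (OpenSSL_version). */
static int tcn_build_path(unsigned long v)
{
    if (v < TCN_MIN_OPENSSL)
        return 0;
    return v < OPENSSL_110_GATE ? 1 : 2;
}

int main(void)
{
    /* Constructed sample set: both numbers from the configure log plus the gate. */
    unsigned long samples[] = { 0x1000105fUL, TCN_MIN_OPENSSL, OPENSSL_110_GATE };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08lx  %-10s path %d\n", samples[i],
               decode_openssl_version(samples[i], buf, sizeof buf),
               tcn_build_path(samples[i]));
    return 0;
}
```

Because the status nibble is part of the comparison, a 1.0.2 beta header (for example 0x10002001) still compares below the 0x1000200f minimum.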