Tomcat Native 1.2.5 was released on March 7, 2016.
According to the changelog, configure now checks the OpenSSL version by default.
Let's verify whether that is really the case.
< Version 1.1.33 (bundled with Tomcat 7.0.68) >

    checking build system type... x86_64-unknown-linux-gnu
    checking host system type... x86_64-unknown-linux-gnu
    checking target system type... x86_64-unknown-linux-gnu
    checking for a BSD-compatible install... /usr/bin/install -c
    checking for working mkdir -p... yes
    Tomcat Native Version: 1.1.33
    checking for chosen layout... tcnative
    checking for APR... yes
    setting CC to "gcc"
    setting CC to "gcc"
    setting CPP to "gcc -E"
    checking for JDK location (please wait)... /sw/jdk1.7.0_79
    checking Java platform...
    checking Java platform...
    checking for sablevm... NONE
    adding "-I/sw/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
    checking os_type directory... linux
    adding "-I/sw/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
    checking for gcc... gcc
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables...
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    checking for OpenSSL library... using openssl from /usr/lib and /usr/include
    checking OpenSSL library version... ok
    checking for OpenSSL DSA support... yes
    setting TCNATIVE_LDFLAGS to "-lssl -lcrypto"
    adding "-DHAVE_OPENSSL" to CFLAGS
    setting TCNATIVE_LIBS to ""
    setting TCNATIVE_LIBS to " /sw/apr-1.5.1/libapr-1.la -lrt -lcrypt -lpthread"
    configure: creating ./config.status
    config.status: creating tcnative.pc
    config.status: creating Makefile
    config.status: executing default commands

< Version 1.2.5 (the new release) >

    checking build system type... x86_64-unknown-linux-gnu
    checking host system type... x86_64-unknown-linux-gnu
    checking target system type... x86_64-unknown-linux-gnu
    checking for a BSD-compatible install... /usr/bin/install -c
    checking for working mkdir -p... yes
    Tomcat Native Version: 1.2.5
    checking for chosen layout... tcnative
    checking for APR... yes
    configure: APR 1.5.1 detected.
    setting CC to "gcc"
    setting CPP to "gcc -E"
    checking JAVA_HOME... /sw/jdk1.7.0_79
    adding "-I/sw/jdk1.7.0_79/include" to TCNATIVE_PRIV_INCLUDES
    checking for JDK os include directory... linux
    checking for JDK os include directory... linux
    adding "-I/sw/jdk1.7.0_79/include/linux" to TCNATIVE_PRIV_INCLUDES
    checking for gcc... gcc
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables...
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ISO C89... none needed
    checking for OpenSSL library... using openssl from /usr/lib and /usr/include
    checking OpenSSL library version >= 1.0.2...
    Found OPENSSL_VERSION_NUMBER 0x1000105f (OpenSSL 1.0.1e 11 Feb 2013)
    Require OPENSSL_VERSION_NUMBER 0x1000200f or greater (1.0.2)
    not compatible
    checking for OpenSSL DSA support... yes
    setting TCNATIVE_LDFLAGS to "-lssl -lcrypto"
    adding "-DHAVE_OPENSSL" to CFLAGS
    setting TCNATIVE_LIBS to ""
    setting TCNATIVE_LIBS to " /sw/apr-1.5.1/libapr-1.la -lrt -lcrypt -lpthread"
    checking for apr_pollset_wakeup in -lapr-1... no
    configure: creating ./config.status
    config.status: creating tcnative.pc
    config.status: creating Makefile
    config.status: executing default commands

For reference, Tomcat Native 1.2.x requires OpenSSL 1.0.2 or later, which is why the "not compatible" error shown above occurs.
The --disable-openssl-version-check option to configure is supposed to skip the OpenSSL version check. The result with that option is as follows.

    checking for OpenSSL library... using openssl from /usr/lib and /usr/include
    Skipped OpenSSL version check
    checking for OpenSSL DSA support... yes

We can confirm that the check is skipped.
What happens if, on an OpenSSL older than the required 1.0.2, we skip the version check with --disable-openssl-version-check, get through configure anyway, and then run make?

    /bin/sh /sw/apr-1.5.1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -I/sw/apache-tomcat-7.0.68/bin/tomcat-native-1.2.5-src/native/include -I/sw/jdk1.7.0_79/include -I/sw/jdk1.7.0_79/include/linux -I/sw/apr-1.5.1/include -o src/sslcontext.lo -c src/sslcontext.c && touch src/sslcontext.lo
    src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_setCertificateRaw':
    src/sslcontext.c:1079: error: 'eckey' undeclared (first use in this function)
    src/sslcontext.c:1079: error: (Each undeclared identifier is reported only once
    src/sslcontext.c:1079: error: for each function it appears in.)
    make[1]: *** [src/sslcontext.lo] 오류 1
    make[1]: Leaving directory `/sw/apache-tomcat-7.0.68/bin/tomcat-native-1.2.5-src/native'
    make: *** [all-recursive] 오류 1

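In addition, when Tomcat reports the OpenSSL version, releases up to now reported the version from compile time, but starting with 1.2.5 it reports the version of the runtime environment. This relates to Bug 59024 (https://bz.apache.org/bugzilla/show_bug.cgi?id=59024). Let's compare the ssl.c file in 1.2.4 and 1.2.5.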
< 1.2.4 >

    TCN_IMPLEMENT_CALL(jint, SSL, version)(TCN_STDARGS)
    {
        UNREFERENCED_STDARGS;
        return OPENSSL_VERSION_NUMBER;
    }

    TCN_IMPLEMENT_CALL(jstring, SSL, versionString)(TCN_STDARGS)
    {
        UNREFERENCED(o);
        return AJP_TO_JSTRING(OPENSSL_VERSION_TEXT);
    }

    /* ... later in the same file ... */
        CRYPTO_malloc_init();

< 1.2.5 >

    TCN_IMPLEMENT_CALL(jint, SSL, version)(TCN_STDARGS)
    {
        UNREFERENCED_STDARGS;
    #if OPENSSL_VERSION_NUMBER < 0x10100000L
        return OPENSSL_VERSION_NUMBER;
    #else
        return OpenSSL_version_num();
    #endif
    }

    TCN_IMPLEMENT_CALL(jstring, SSL, versionString)(TCN_STDARGS)
    {
        UNREFERENCED(o);
    #if OPENSSL_VERSION_NUMBER < 0x10100000L
        return AJP_TO_JSTRING(SSLeay_version(SSLEAY_VERSION));
    #else
        return AJP_TO_JSTRING(OpenSSL_version(OPENSSL_VERSION));
    #endif
    }

    /* ... later in the same file ... */
    #if OPENSSL_VERSION_NUMBER < 0x10100000L
        CRYPTO_malloc_init();
    #else
        OPENSSL_malloc_init();
    #endif
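
Added example (not from the original post or the Tomcat Native source): a small C decoder for the OPENSSL_VERSION_NUMBER values seen in the configure output above, plus a comparison of a build-time number against a runtime number, which is the distinction Bug 59024 is about. It assumes the pre-3.0 0xMNNFFPPS layout; the function names and the 0x1000207f runtime value are constructed for illustration.

```c
#include <stdio.h>

/* Pre-3.0 OPENSSL_VERSION_NUMBER layout is 0xMNNFFPPS: major, minor, fix,
 * patch letter (1 = 'a') and status (0xf = release). Assumed layout. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r = { (unsigned)(v >> 28) & 0xf, (unsigned)(v >> 20) & 0xff,
                          (unsigned)(v >> 12) & 0xff, (unsigned)(v >> 4) & 0xff,
                          (unsigned)v & 0xf };
    return r;
}

/* Writes e.g. "1.0.1e" into buf and returns buf. Patch values above 26 get no letter. */
static const char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    return buf;
}

/* Numeric comparison of the "Found" value against the "Require" value. */
static int ossl_meets_minimum(unsigned long found, unsigned long required)
{
    return found >= required;
}

/* 0: identical, 1: only patch letter/status differ, 2: major/minor/fix differ. */
static int ossl_build_runtime_drift(unsigned long built, unsigned long runtime)
{
    if (built == runtime) return 0;
    return ((built ^ runtime) & 0xfffff000UL) ? 2 : 1;
}

int main(void)
{
    char a[16], b[16];
    unsigned long found = 0x1000105fUL, required = 0x1000200fUL; /* from the configure output */
    unsigned long runtime = 0x1000207fUL; /* constructed sample: 1.0.2g loaded at run time */
    printf("found %s, required %s, ok=%d\n", ossl_format(found, a, sizeof a),
           ossl_format(required, b, sizeof b), ossl_meets_minimum(found, required));
    printf("built %s, runtime %s, drift=%d\n", b, ossl_format(runtime, a, sizeof a),
           ossl_build_runtime_drift(required, runtime));
    return 0;
}
```

A drift of 1 is the case where a compile-time version string hides which patch level is actually loaded; reporting the runtime value makes it visible.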