Thursday, March 05, 2026
Playing with Tomcat and PQC (using keytool)
As explained in my previous post, the JVM doesn't have TLS support for PQC yet.
But keytool can be used to create the keystore, and Tomcat will use OpenSSL to do the TLS crypto part.
Create the keystore with keytool (I used Java 25):
# key/cert signer for certificates.
keytool -keystore keystore -storepass changeit \
  -genkeypair -alias ec -keyalg EC \
  -dname CN=CA_test -ext bc
# key/cert ML-DSA to use for test.
keytool -keystore keystore -storepass changeit \
  -genkeypair -alias mldsa -keyalg ML-DSA -groupname ML-DSA-65 \
  -dname CN=localhost -signer ec
# traditional key/cert to use for test.
keytool -keystore keystore -storepass changeit \
  -genkeypair -alias mykey -keyalg RSA \
  -dname CN=localhost -signer ec
In the Tomcat connector:
<SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/keystore"
                 certificateKeyAlias="mykey"
                 certificateKeystorePassword="changeit" type="RSA" />
    <Certificate certificateKeystoreFile="conf/keystore"
                 certificateKeyAlias="mldsa"
                 certificateKeystorePassword="changeit" type="MLDSA" />
</SSLHostConfig>
To test, use FFM and curl:
curl -ivk --curves X25519 https://localhost:8443 -o /dev/null
The certificate will be the ML-DSA one:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ml-dsa-65
and later in the trace:
* Certificate level 0: Public key type ML-DSA-65 (15616/192 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
curl -ivk --curves X25519 --sigalgs RSA-PSS+SHA256 https://localhost:8443 -o /dev/null
The certificate will be the other/traditional one:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
and later in the trace:
* Certificate level 0: Public key type RSA (3072/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
Tuesday, March 03, 2026
Playing with Tomcat and PQC
To use PQC in Tomcat you need OpenSSL 3.5 or later, either with the APR connector, with the OpenSSLImplementation, or with FFM: the current versions of the JVM do not support PQC in TLS, so we have to use OpenSSL.
Based on my previous posts, create an RSA key/cert pair and an MLDSA-65 one for PQC.
Configure a connector with 2 key/cert pairs:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateFile="conf/localhost-mldsa.crt"
                     certificateKeyFile="conf/localhost-mldsa.key"
                     type="MLDSA" />
        <Certificate certificateFile="conf/localhost/localhost.crt"
                     certificateKeyFile="conf/localhost/localhost.key"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Make sure to have tc-native or FFM configured.
tc-native:
You need a libtcnative*.so linked with OpenSSL 3.5+ in a directory on LD_LIBRARY_PATH or in the bin directory of your Tomcat installation, and the listener in server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" />
FFM:
You need a "recent" version of the JVM (at least 22), OpenSSL 3.5+ libraries in LD_LIBRARY_PATH and the following in server.xml:
<Listener className="org.apache.catalina.core.OpenSSLLifecycleListener" />
To test:
Start Tomcat and test with curl, for example:
You can also tell a PQC-enabled curl to use X25519 and ask for a classical RSA key/cert:
Thursday, September 11, 2025
Playing with Apache httpd and PQC
At the time of writing, browsers like Firefox and Google Chrome only support PQC for the key exchange; curl, when compiled with OpenSSL 3.5.x, supports both the key exchange and the cert/key.
Based on my previous post, create an RSA key/cert pair for the browsers.
Create an MLDSA-65 for curl tests:
openssl req \
-x509 \
-newkey mldsa65 \
-keyout localhost-mldsa-65.key \
-subj /CN=localhost \
-addext subjectAltName=DNS:localhost \
-days 30 \
-nodes \
-out localhost-mldsa-65.crt
Configure httpd.conf:
Listen 4433
<VirtualHost *:4433>
    SSLEngine on
    SSLCertificateFile localhost.crt
    SSLCertificateKeyFile localhost.key
    # PQC cert/key
    SSLCertificateFile localhost-mldsa-65.crt
    SSLCertificateKeyFile localhost-mldsa-65.key
</VirtualHost>
Start Apache httpd.
Test with Firefox, accept the self-signed certificate and you will get the "It works!" page.
Test with curl:
curl -k -v https://localhost:4433/
you get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65
Use a curl that doesn't support PQC (compiled with a 3.2.x OpenSSL, for example):
curl -k -v https://localhost:4433/
you get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
You can also tell a PQC curl to use x25519 and ask for an RSA key/cert:
curl -k -v --curves X25519 --sigalgs RSA-PSS+SHA256 https://localhost:4433/
Or X25519MLKEM768 and ask for an RSA key/cert:
curl -k -v --curves X25519MLKEM768 --sigalgs RSA-PSS+SHA256 https://localhost:4433/
Playing with openssl 3.5.x and PQC
PQC = Post Quantum Cryptography
PQC can be used in 2 places: the key exchange and the key/cert themselves.
For the moment browsers like Firefox and Google Chrome only support the key exchange part.
Create a PQC key/cert using openssl:
openssl req \
-x509 \
-newkey mldsa65 \
-keyout localhost-mldsa.key \
-subj /CN=localhost \
-addext subjectAltName=DNS:localhost \
-days 30 \
-nodes \
-out localhost-mldsa.crt
Start openssl s_server:
openssl s_server \
-cert localhost-mldsa.crt -key localhost-mldsa.key \
-trace -port 4433
Use curl to test:
curl -k -v https://localhost:4433/
you will get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65
If you try Firefox you will get an error:
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
that is expected as Firefox doesn't support the key/cert openssl is using.
Create a RSA key/cert using openssl:
openssl req \
-x509 \
-keyout localhost.key \
-subj /CN=localhost \
-addext subjectAltName=DNS:localhost \
-days 30 \
-nodes \
-out localhost.crt
Start openssl s_server using the 2 keys and 2 certificates:
openssl s_server \
-cert localhost-mldsa.crt -key localhost-mldsa.key \
-dcert localhost.crt -dkey localhost.key \
-trace -port 4433
Check that curl is working and using the PQC key/cert pair:
curl -k -v https://localhost:4433/
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65
Try Firefox now: the certificate is self-signed, but now Firefox accepts it.
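The curl checks in the Tomcat, httpd and s_server posts above all rely on reading the same two trace lines by eye. As an added example (my own script, not from the posts or any project), here is a small audit tool that runs the probe matrix those posts describe (hybrid vs classical group, default vs RSA-only sigalgs) and parses the trace to confirm the server hands the ML-DSA cert to PQC-capable clients and the RSA cert to classical ones; it assumes a PQC-capable curl on PATH and takes the URL as its argument, and the function names are mine.

```python
import re
import subprocess
import sys

# Trace lines as curl -v prints them (the same lines quoted in these posts).
CONN_RE = re.compile(r"\* SSL connection using (\S+) / (\S+) / (\S+) / (\S+)")
CERT_RE = re.compile(r"\* Certificate level (\d+): Public key type (\S+) "
                     r"\((\d+)/(\d+) Bits/secBits\), signed using (\S+)")

# Probe matrix: client group, client sigalgs (None = curl default) and the expected
# (kex is PQC, auth is PQC) for a server holding both an ML-DSA and an RSA cert.
PROBES = [
    ("X25519MLKEM768", None, True, True),               # hybrid kex, ML-DSA cert
    ("X25519", None, False, True),                      # classical kex, still ML-DSA cert
    ("X25519", "RSA-PSS+SHA256", False, False),         # classical-only client gets RSA cert
    ("X25519MLKEM768", "RSA-PSS+SHA256", True, False),  # hybrid kex, RSA cert
]

def curl_argv(url, group, sigalgs=None):
    """Build the curl command used in the posts; -s keeps progress noise out of stderr."""
    argv = ["curl", "-vks", "--curves", group, "-o", "/dev/null"]
    if sigalgs:
        argv += ["--sigalgs", sigalgs]
    return argv + [url]

def parse_trace(text):
    """Pull the negotiated parameters and the certificate chain out of curl -v output."""
    m = CONN_RE.search(text)
    if not m:
        raise ValueError("no 'SSL connection using' line in trace")
    chain = [{"level": int(c[0]), "key": c[1], "bits": int(c[2]),
              "secbits": int(c[3]), "signed_by": c[4]} for c in CERT_RE.findall(text)]
    return {"tls": m[1], "cipher": m[2], "group": m[3], "sigalg": m[4], "chain": chain}

def is_pqc(summary):
    """Return (kex_is_pqc, auth_is_pqc). OpenSSL 3.5 names every ML-KEM group with
    'MLKEM' and every ML-DSA signature scheme 'id-ml-dsa-NN', so a name check suffices."""
    kex = "MLKEM" in summary["group"].upper()
    auth = summary["sigalg"].lower().startswith("id-ml-dsa")
    return kex, auth

def probe(url, group, sigalgs=None):
    """Run one probe against a live server (needs a PQC-capable curl on PATH)."""
    out = subprocess.run(curl_argv(url, group, sigalgs), capture_output=True, text=True)
    return parse_trace(out.stderr)

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:8443/"
    for group, sigalgs, want_kex, want_auth in PROBES:
        s = probe(url, group, sigalgs)
        verdict = "OK " if is_pqc(s) == (want_kex, want_auth) else "BAD"
        leaf = s["chain"][0]["key"] if s["chain"] else "?"
        print(f"{verdict} {group:15} {sigalgs or '(default)':16} -> {s['group']} / {s['sigalg']}, leaf {leaf}")
```

A "BAD" row for the RSA-only probes usually means the classical cert is missing from the connector or vhost, while a "BAD" first row means the client curl or the server's OpenSSL is not PQC-capable.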
Saturday, December 21, 2019
Using RTL8812AU (AWUS036ACH) on Fedora 31
+++
[root@pc-86 ~]# lsusb
Bus 001 Device 004: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+++
Clone the source (you need make, dkms, git, etc.):
+++
git clone https://github.com/gnab/rtl8812au.git
dkms add ./rtl8812au
+++
+++
[root@pc-86 ~]# dkms add ./rtl8812au
Creating symlink /var/lib/dkms/8812au/4.2.3/source -> /usr/src/8812au-4.2.3
+++
check it:
+++
[root@pc-86 ~]# dkms status
8812au, 4.2.3: added
+++
build it...
+++
ln -s /usr/src/kernels/5.3.16-300.fc31.aarch64/arch/arm64 /usr/src/kernels/5.3.16-300.fc31.aarch64/arch/aarch64
dkms build 8812au/4.2.3
+++
check it:
+++
[root@pc-86 ~]# dkms status
8812au, 4.2.3, 5.3.16-300.fc31.aarch64, aarch64: built
+++
install it...
+++
dkms install 8812au/4.2.3
+++
check it:
+++
[root@pc-86 ~]# dkms status
8812au, 4.2.3, 5.3.16-300.fc31.aarch64, aarch64: installed
+++
and:
+++
[root@pc-86 ~]# lsmod | grep 8812au
8812au 1150976 0
[root@pc-86 ~]# iwconfig
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=31 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
wlan1 unassociated Nickname:"
Mode:Auto Frequency=2.412 GHz Access Point: Not-Associated
Sensitivity:0/0
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
eth0 no wireless extensions.
lo no wireless extensions.
+++
Then:
+++
yum install wpa_supplicant NetworkManager-tui
systemctl start wpa_supplicant
nmtui
+++
DONE!!!
Sunday, November 24, 2019
RPI3 with Fedora31
Get the image and install it:
https://dl.fedoraproject.org/pub/fedora/linux/releases/31/Server/aarch64/images/Fedora-Server-31-1.9.aarch64.raw.xz
Copy to SD card:
arm-image-installer --image=/home/jfclere/Downloads/Fedora-Server-31-1.9.aarch64.raw.xz --target=rpi3 --media=/dev/mmcblk0 --norootpass --addkey=/home/jfclere/.ssh/id_rsa.pub --resizefs --relabel --selinux=ON
Easy, but see https://bugzilla.redhat.com/show_bug.cgi?id=1785109
Boot it and use ssh to connect to it.
DS1307 on RPI3 with Fedora 31:
yum install i2c-tools
Add in /boot/efi/config.txt:
dtoverlay=i2c-rtc,ds1307
Check dmesg:
+++
[root@pc-75 ~]# dmesg | grep rtc
[ 7.407923] hctosys: unable to open rtc device (rtc0)
[ 15.057637] rtc-ds1307 1-0068: registered as rtc0
+++
Adjust /etc/chrony.conf:
+++
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Serve time even if not synchronized to any NTP server.
local stratum 10
+++
Create /etc/systemd/system/hwclock.service to set the date and time from the hardware clock at RPI3 start time:
+++
[Unit]
Description=Setup date and time via hwclock
[Service]
Type=oneshot
ExecStart=/usr/sbin/hwclock --hctosys
[Install]
WantedBy=multi-user.target
+++
Enable it and check it:
+++
[root@pc-75 ~]# systemctl enable hwclock
Created symlink /etc/systemd/system/multi-user.target.wants/hwclock.service → /etc/systemd/system/hwclock.service.
[root@pc-75 ~]# timedatectl set-local-rtc 0
[root@pc-75 ~]# timedatectl status
Local time: Sun 2019-11-24 16:08:08 CET
Universal time: Sun 2019-11-24 15:08:08 UTC
RTC time: Sun 2019-11-24 15:08:07
Time zone: Europe/Zurich (CET, +0100)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
+++
Set the firewall so we can send the date :D
+++
[root@pc-75 ~]# firewall-cmd --get-default-zone
FedoraServer
[root@pc-75 ~]# firewall-cmd --permanent --zone=FedoraServer --add-port=123/udp
success
[root@pc-75 ~]# firewall-cmd --reload
success
+++
Prepare the wifi:
All looked good but not working...
+++
[root@pc-75 ~]# cd /lib/firmware/brcm/
[root@pc-75 brcm]# ls -lt brcmfmac43430-sdio.txt
ls: cannot access 'brcmfmac43430-sdio.txt': No such file or directory
[root@pc-75 brcm]# ls -lt brcmfmac43430-sdio.raspberrypi,3-model-b.txt
-rw-r--r--. 1 root root 872 Sep 24 15:53 brcmfmac43430-sdio.raspberrypi,3-model-b.txt
[root@pc-75 brcm]# cp brcmfmac43430-sdio.raspberrypi,3-model-b.txt brcmfmac43430-sdio.txt
+++
init 0 and wait...
+++
[root@pc-75 ~]# nmcli dev show wlan0
GENERAL.DEVICE: wlan0
GENERAL.TYPE: wifi
GENERAL.HWADDR: E2:65:23:25:88:06
GENERAL.MTU: 1500
GENERAL.STATE: 20 (unavailable)
GENERAL.CONNECTION: --
GENERAL.CON-PATH: --
+++
Weird, looks broken...
Looking with another USB wifi adapter, nmcli dev show wlan1 gives the same:
+++
Nov 24 18:04:13 pc-75.home NetworkManager[832]:
Nov 24 18:04:13 pc-75.home NetworkManager[832]:
Nov 24 18:04:13 pc-75.home NetworkManager[832]:
Nov 24 18:04:14 pc-75.home NetworkManager[832]:
+++
Looking at wpa_supplicant: it is stopped, not even installed!!! Problem fixed :D
+++
[root@pc-75 ~]# journalctl -b -u NetworkManager | grep wpa
Nov 24 17:35:54 localhost.localdomain NetworkManager[832]:
+++
Install it (yum install wpa_supplicant) and start it:
+++
[root@pc-75 ~]# systemctl enable wpa_supplicant
Created symlink /etc/systemd/system/multi-user.target.wants/wpa_supplicant.service → /usr/lib/systemd/system/wpa_supplicant.service.
[root@pc-75 ~]# systemctl start wpa_supplicant
[root@pc-75 ~]# journalctl -b -u NetworkManager | grep wpa
Nov 24 17:35:54 localhost.localdomain NetworkManager[832]:
Nov 24 18:23:53 pc-75.home NetworkManager[832]:
[root@pc-75 ~]# nmtui
+++
Working!!!
Friday, May 11, 2018
RPI3 fedora 27, hyperion relay and fun with the latch of street door
Use the installer:
arm-image-installer --image=Fedora-Server-armhfp-27-1.6-sda.raw.xz --media=/dev/mmcblk0 --target=rpi3 --norootpass --addkey=/home/jfclere/.ssh/id_rsa.pub
Resize the image with the graphic tool:
gparted /dev/mmcblk0
Boot the PI and find its address:
nmap -sn 192.168.1.0/24 (ifconfig to get the laptop address).
Nmap scan report for 192.168.1.39
Host is up (-0.057s latency).
MAC Address: B8:27:EB:D4:2E:85 (Raspberry Pi Foundation)
ssh -l root 192.168.1.39 and you are in!!!
Remove the auto configure:
/bin/systemctl disable initial-setup.service
Setting the timezone:
ls -lt /usr/share/zoneinfo/Europe/Zurich
rm /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Zurich /etc/localtime
Install wifi (PI3):
curl https://fedora.roving-it.com/brcmfmac43430-sdio.txt -o /lib/firmware/brcm/brcmfmac43430-sdio.txt
reboot
Done:
+++
[root@localhost ~]# nmcli device status
DEVICE TYPE STATE CONNECTION
eth0 ethernet connected eth0
lo loopback unmanaged --
wlan0 wifi unmanaged --
+++
nmtui
+++
SSID PI2
Mode
Channel
Security
Addresses 10.0.0.201/24
[X] Never use this network for default route
[X] Require IPv4 addressing for this connection
[X] Automatically connect
+++
Add a DHCP server and configure it.
yum install dhcp-server
Use https://github.com/jfclere/tomcatPI/blob/master/conf/master/dhcpd.conf
enable and start it.
/bin/systemctl enable dhcpd
/bin/systemctl start dhcpd
Add named and configure it.
Use https://github.com/jfclere/tomcatPI/blob/master/conf/master/named.conf
Copy the configuration files in /etc/bind (mkdir /etc/bind).
Enable and start it.
/bin/systemctl enable named
/bin/systemctl start named
Don't forget the firewall on the PI:
firewall-cmd --permanent --zone=FedoraServer --add-port=53/tcp
firewall-cmd --permanent --zone=FedoraServer --add-port=53/udp
firewall-cmd --reload
Look at the previous blog and enable the services:
/bin/systemctl disable initial-setup.service
/bin/systemctl enable named
/bin/systemctl enable dhcpd
Getting the GPIO working...
+++
[root@localhost ~]# yum search gpio
Last metadata expiration check: 2:55:33 ago on Mon 30 Apr 2018 06:50:28 CEST.
=================================================================== Summary & Name Matched: gpio ===================================================================
libgpiod-utils.armv7hl : Utilities for GPIO
sgpio.armv7hl : SGPIO captive backplane tool
libgpiod-devel.armv7hl : Development package for libgpiod
python2-RPi.GPIO.armv7hl : A class to control the GPIO on a Raspberry Pi
python3-RPi.GPIO.armv7hl : A class to control the GPIO on a Raspberry Pi
libgpiod.armv7hl : C library and tools for interacting with linux GPIO char device
+++
install + try:
+++
[root@localhost ~]# python3 jfcgpio.py
Segmentation fault (core dumped)
+++
Oops... broken :-(
Install libgpiod-utils, trying...
+++
[root@localhost ~]# /usr/bin/gpioinfo
gpiochip0 - 54 lines:
line 0: unnamed unused input active-high
line 1: unnamed unused input active-high
...
[root@localhost ~]# /usr/bin/gpiodetect
gpiochip0 [pinctrl-bcm2835] (54 lines)
gpiochip1 [raspberrypi-exp-gpio] (8 lines)
+++
Yes:
gpioset -m time -s 1 gpiochip0 18=1
LED ON!!!
Install httpd and start it.
/bin/systemctl enable httpd
/bin/systemctl start httpd
open firewall for httpd
+++
[root@localhost ~]# firewall-cmd --get-default-zone
FedoraServer
+++
So use FedoraServer ;-)
+++
firewall-cmd --permanent --zone=FedoraServer --add-port=80/tcp
firewall-cmd --reload
+++
Arrange the permissions (SELinux = tricky).
+++
[root@localhost ~]# audit2allow -a
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gpio_device_t:chr_file { ioctl open read write };
allow httpd_sys_script_t initrc_var_run_t:file { lock open read };
allow httpd_sys_script_t pam_var_run_t:dir { add_name write };
allow httpd_sys_script_t pam_var_run_t:file { create getattr lock open read write };
allow httpd_sys_script_t self:capability { audit_write dac_read_search setgid setuid sys_resource };
allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay };
allow httpd_sys_script_t self:process setrlimit;
allow httpd_sys_script_t shadow_t:file { getattr open read };
allow httpd_sys_script_t sudo_db_t:dir getattr;
allow httpd_sys_script_t system_dbusd_t:dbus send_msg;
allow httpd_sys_script_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t httpd_sys_script_t:dbus send_msg;
+++
audit2allow -a -M door
semodule -i door.pp
(Not working... Need more time.)
Disabling SELinux :_(
+++
[root@localhost ~]# sestatus
SELinux status: disabled
+++
Add apache in sudoers: sudoedit /etc/sudoers and add:
apache ALL=NOPASSWD: /usr/bin/gpioset -m time -s 1 gpiochip0 18=1
For the details on httpd configuration, html, cgi look to https://github.com/jfclere/door
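The sudoers line above only works because sudo matches the command and its arguments word for word. As an added illustration (my own code, not the CGI from the linked door repository), here is a minimal Python CGI that drives the latch through that rule: nothing from the HTTP request is ever appended to the command, and the script checks its own argv against the rule so a mismatch fails closed instead of hanging on a password prompt. The function names and the simplified one-line sudoers parsing are my assumptions.

```python
import os
import shlex
import subprocess
import sys

# The exact command the sudoers rule on this page permits. The CGI never builds
# this from request data, so the rule's arguments are the only ones sudo will see.
SUDOERS_RULE = "apache ALL=NOPASSWD: /usr/bin/gpioset -m time -s 1 gpiochip0 18=1"
LATCH_ARGV = ["/usr/bin/gpioset", "-m", "time", "-s", "1", "gpiochip0", "18=1"]

def rule_command(rule):
    """Command words of a one-line 'user HOST=(...)TAG: command args' sudoers rule.
    Simplified parser (assumption): no aliases, no comma-separated command lists."""
    _, _, cmd = rule.partition(":")
    return shlex.split(cmd)

def argv_matches_rule(argv, rule=SUDOERS_RULE):
    """sudo matches a rule with arguments literally; any drift (e.g. 18=0) would
    not match and sudo would ask for a password the CGI cannot give."""
    return list(argv) == rule_command(rule)

def run_latch():
    """Open the latch. sudo -n never prompts, so a non-matching argv fails fast."""
    return subprocess.run(["/usr/bin/sudo", "-n"] + LATCH_ARGV,
                          capture_output=True, text=True, timeout=10).returncode

def handle(environ, runner=run_latch):
    """CGI entry point: only POST triggers the latch; GET gets a 405."""
    if environ.get("REQUEST_METHOD") != "POST":
        return "405 Method Not Allowed", "use POST"
    if not argv_matches_rule(LATCH_ARGV):
        return "500 Internal Server Error", "latch command does not match sudoers rule"
    rc = runner()
    if rc == 0:
        return "200 OK", "door opened"
    return "500 Internal Server Error", f"gpioset exited with {rc}"

if __name__ == "__main__":
    status, body = handle(os.environ)
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}\n")
```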
Sunday, September 10, 2017
Getting DS1307 on RPI3 with fedora 24
dtoverlay=i2c-rtc,ds1307
In dmesg:
+++
[ 5.536541] rtc-ds1307 1-0068: rtc core: registered ds1307 as rtc0
[ 5.540786] rtc-ds1307 1-0068: 56 bytes nvram
+++
The modules are loaded at boot now...
+++
[root@pc-8 ~]# i2cdetect -y 1
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- UU -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
+++
+++
[root@pc-8 ~]# hwclock -r
2017-09-09 17:58:49.868784+1:00
+++
(well, not too bad after 2 months: about +1 minute)
2 - Get chrony to resynchronize my hardware clock (if I have a connection!)
In /etc/chrony.conf:
+++
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Serve time even if not synchronized to any NTP server.
local stratum 10
+++