James,
> On 5/18/23 16:01, James H. H. Lampert wrote:
>> On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>> Which version of tomcat do you use?
>> Is the stack trace truncated in your mail? Is there a "caused by ..."
>> further down the stacktrace?
>> It looks like the error is thrown deeper in SSLUtil when creating the
>> ssl context.
>> Maybe you can post the full stack trace.
>
> It just gets weirder.
>
> FYI, The customer box is on Tomcat 8.5.73, running under IBM Java
> 8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.
>
> I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server
> (7.0.108, running under Java 6), and started plugging in keystores.
> First, I plugged in the initial self-signed keystore. No problem;
> launched just fine. Then I plugged in the signed-and-chained keystore.
> Still no problem; launched just fine. Then I plugged in a copy of the
> signed-and-chained keystore that I'd sent back from the customer box.
> STILL no problem!
>
> I also did a "keytool -list -v -keystore xxxxx.ks" on both the new
> keystore and the one that worked, on my own Mac. No problems at all, and
> they looked very similar. But when I tried doing it on the customer
> AS/400, I got very similar error messages to what's in catalina.out.
>
> I don't ordinarily send attachments to list servers, but the "how to ask
> questions the smart way" said it should be OK, if small and relevant,
> and stacktraces tend to get a bit garbled if sent inline, so I've
> attached a brief catalina.out excerpt.
The Connector failing to initialize is
org.apache.coyote.http11.Http11Protocol-443, so that's the one configured
for port 443. Please double-check the configuration to see where your
keystore is located and verify that you have a small number of
certificates in that keystore.
"Too many" implies that the chain is too long and usually the "too long"
number is something reasonable like 10 or so. A chain of 3 certificates
should definitely be okay.
Can you dump the whole cert (e.g. keytool -list -v -alias 'certname')
for each cert and see if any of the certificates specify a maximum chain
length somewhere? Evidently, it's an extension to the X.509 spec:
https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#getBasicConstraints--
Otherwise, you might want to check the value of the system property
jdk.tls.maxCertificateChainLength. The default is 10[1] but it can
probably be set to something lower. It's possible someone decided that
cert chains in that environment should be very short. You might be able
to override using CATALINA_OPTS or equivalent on OS/400.
-chris
[1] https://www.oracle.com/java/technologies/javase/8u271-relnotes.html
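The two checks Chris suggests above (per-certificate BasicConstraints path length, and the jdk.tls.maxCertificateChainLength property) can be done in one pass over the keystore with the standard java.security API instead of reading keytool output by hand. The following is an added example written for this thread; it is not code from the original messages or from Tomcat. It assumes the keystore file, its password and (optionally) its type are given on the command line, and it runs on the same JVM as the Connector so that the property value it reports is the one the Connector would see.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * Hypothetical helper: lists every key entry's certificate chain and
 * flags two things that can make a chain "too long":
 *   1. a CA certificate whose BasicConstraints pathLenConstraint is
 *      smaller than the number of intermediate CAs issued beneath it;
 *   2. a chain longer than jdk.tls.maxCertificateChainLength, if that
 *      property has been set in this JVM.
 * Usage: java ChainCheck <keystore-file> <password> [keystore-type]
 */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java ChainCheck <keystore-file> <password> [keystore-type]");
            System.exit(2);
        }
        // Assumption: default type (JKS on most 8.x JDKs) unless told otherwise.
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        // Report the property exactly as this JVM sees it; "unset" means the
        // JDK default applies (10 per the 8u271 release notes cited above).
        String limitProp = System.getProperty("jdk.tls.maxCertificateChainLength");
        Integer limit = limitProp == null ? null : Integer.valueOf(limitProp.trim());
        System.out.println("jdk.tls.maxCertificateChainLength = "
                + (limit == null ? "(unset, JDK default applies)" : limit));

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-cert-only entries have no chain to check
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("alias " + alias + ": chain length " + chain.length);
            if (limit != null && chain.length > limit) {
                System.out.println("  !! chain exceeds jdk.tls.maxCertificateChainLength=" + limit);
            }

            // chain[0] is the end-entity certificate; higher indexes are CAs.
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = (X509Certificate) chain[i];
                // -1: not a CA; Integer.MAX_VALUE: CA with no pathLen limit;
                // otherwise the pathLenConstraint value.
                int pathLen = cert.getBasicConstraints();
                String desc = pathLen == -1 ? "end-entity"
                        : pathLen == Integer.MAX_VALUE ? "CA, no pathLen limit"
                        : "CA, pathLen=" + pathLen;
                System.out.println("  [" + i + "] " + cert.getSubjectX500Principal() + " (" + desc + ")");

                // pathLenConstraint counts intermediate CA certs below this
                // one, not the end-entity cert, so index i has i-1 of them.
                int intermediatesBelow = i - 1;
                if (pathLen >= 0 && pathLen != Integer.MAX_VALUE && intermediatesBelow > pathLen) {
                    System.out.println("  !! pathLen " + pathLen + " allows fewer intermediates than the "
                            + intermediatesBelow + " beneath this certificate");
                }
            }
        }
    }
}
```

Running this on the customer box with the Connector's keystore (and, if the property is set there, under the same CATALINA_OPTS) shows in one place whether the rejection comes from a constraint inside the chain or from a JVM-wide limit, which is the distinction Chris's two suggestions are trying to separate.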