On Thu, Feb 21, 2019 at 10:29 AM <ma...@apache.org> wrote: > Author: markt > Date: Thu Feb 21 09:29:29 2019 > New Revision: 1854025 > > URL: http://svn.apache.org/viewvc?rev=1854025&view=rev > Log: > Refactor creation of SSLContext to include configuration >
There's probably an issue with that strategy. I have one of my test configurations which uses a plain (old) dumb pkcs1 certificate file - the private key uses BEGIN RSA PRIVATE KEY - with OpenSSL. Predictably it doesn't work with this addition + sslContext.init(getKeyManagers(), getTrustManagers(), null); as it calls getKeyManagers(). The OpenSSLContext should probably override getKeyManagers() to work around the issue, right ? [like, actually avoid using a real keystore at all in that case] Beyond that point, I'm pretty sure it would work fine. The exception is: org.apache.catalina.LifecycleException: Protocol handler initialization failed at org.apache.catalina.connector.Connector.initInternal(Connector.java:983) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136) at org.apache.catalina.startup.Catalina.load(Catalina.java:585) at org.apache.catalina.startup.Catalina.load(Catalina.java:608) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491) Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:158) at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1116) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557) at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74) at org.apache.catalina.connector.Connector.initInternal(Connector.java:980) ... 13 more Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261) at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56) at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117) at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70) at java.security.KeyStore.setKeyEntry(KeyStore.java:1140) at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313) at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239) at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ... 20 more Rémy > > Modified: > tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java > tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java > tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java > > Modified: > tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java?rev=1854025&r1=1854024&r2=1854025&view=diff > > ============================================================================== > --- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java > (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java > Thu Feb 21 09:29:29 2019 
> @@ -109,7 +109,6 @@ public abstract class AbstractJsseEndpoi > SSLContext sslContext; > try { > sslContext = > sslUtil.createSSLContext(negotiableProtocols); > - sslContext.init(sslUtil.getKeyManagers(), > sslUtil.getTrustManagers(), null); > } catch (Exception e) { > throw new IllegalArgumentException(e.getMessage(), e); > } > > Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1854025&r1=1854024&r2=1854025&view=diff > > ============================================================================== > --- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java > (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Thu Feb > 21 09:29:29 2019 > @@ -203,6 +203,14 @@ public abstract class SSLUtilBase implem > > > @Override > + public final SSLContext createSSLContext(List<String> > negotiableProtocols) throws Exception { > + SSLContext sslContext = > createSSLContextInternal(negotiableProtocols); > + sslContext.init(getKeyManagers(), getTrustManagers(), null); > + return sslContext; > + } > + > + > + @Override > public String[] getEnabledProtocols() { > return enabledProtocols; > } 
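Review bot: The new `public final SSLContext createSSLContext(List<String> negotiableProtocols)` in SSLUtilBase has no Javadoc, although it is now the single place where a context is initialised and it does so through the overridable `getKeyManagers()` and `getTrustManagers()`. I would add a Javadoc stating that it obtains a not-yet-initialised context from `createSSLContextInternal`, initialises it with this util's key and trust managers, and passes `null` so the provider's default `SecureRandom` is used. Making the method `final` also removes the override point that JSSEUtil and OpenSSLUtil used until this commit; any subclass of SSLUtilBase outside this tree that overrode `createSSLContext` will presumably stop compiling, which is worth mentioning in the changelog.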
> @@ -217,4 +225,5 @@ public abstract class SSLUtilBase implem > protected abstract Log getLog(); > protected abstract boolean isTls13Available(); > protected abstract boolean isTls13RenegAuthAvailable(); > + protected abstract SSLContext createSSLContextInternal(List<String> > negotiableProtocols) throws Exception; > } > > Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1854025&r1=1854024&r2=1854025&view=diff > > ============================================================================== > --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java > (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Thu > Feb 21 09:29:29 2019 > @@ -184,7 +184,8 @@ public class JSSEUtil extends SSLUtilBas > > > @Override > - public SSLContext createSSLContext(List<String> negotiableProtocols) > throws NoSuchAlgorithmException { > + public SSLContext createSSLContextInternal(List<String> > negotiableProtocols) > + throws NoSuchAlgorithmException { > return new JSSESSLContext(sslHostConfig.getSslProtocol()); > } > > > Modified: > tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1854025&r1=1854024&r2=1854025&view=diff > > ============================================================================== > --- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java > (original) > +++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java > Thu Feb 21 09:29:29 2019 
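Review bot: The new `protected abstract SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception;` has no Javadoc, so the contract that separates it from `createSSLContext` can only be found by reading the caller. I would document it as `/** Creates the SSLContext for this util without initialising it; createSSLContext initialises the result with the key and trust managers, so implementations must not call init() themselves. */`. The rest of the class, including the other abstract methods listed just above, lies outside this hunk.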
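Review bot: `public SSLContext createSSLContextInternal(List<String> negotiableProtocols)` in JSSEUtil widens the `protected abstract` declaration it overrides to public, so a factory that hands out uninitialised contexts becomes part of JSSEUtil's public API. Unless something outside this tree calls it directly, `protected SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws NoSuchAlgorithmException {` keeps the visibility of the base declaration and leaves `createSSLContext` as the only public way to obtain a context. The narrower `throws NoSuchAlgorithmException` on the override is fine and can stay.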
> @@ -84,10 +84,11 @@ public class OpenSSLUtil extends SSLUtil > > > @Override > - public SSLContext createSSLContext(List<String> negotiableProtocols) > throws Exception { > + public SSLContext createSSLContextInternal(List<String> > negotiableProtocols) throws Exception { > return new OpenSSLContext(certificate, negotiableProtocols); > } > > + > @Override > public KeyManager[] getKeyManagers() throws Exception { > if (jsseUtil != null) {
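Review bot: As in JSSEUtil, OpenSSLUtil's `public SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception` is wider than the `protected abstract` method it overrides; declaring it `protected` here too would keep the uninitialised-context factory out of the public API and make both implementations match the base declaration. The `getKeyManagers()` shown as trailing context continues past the end of the hunk, so what it returns when `jsseUtil` is null is not visible here.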