Rainer,
I recently had some weirdness with TLS connections as well. Please see
my post titled "SSLException after Java upgrade".
"Recently", Java moved certain EC curves to the attic and won't
handshake properly anymore.
Another investigation of my own product running into a network exception
that hadn't been generated before. It looks like a change to the JRE.
https://bugs.openjdk.java.net/browse/JDK-8215102
This was initially reported as an error with MySQL connections but it
appears that the driver's involvement was unnecessary. Please see
Severin Gehwolf's comments from 2019-01-25.
I'm not sure if either of these issues are related to yours, but I
wanted to make suer you were aware of them.
Hope that helps,
-chris
On 10/28/20 08:09, Rainer Jung wrote:
Hi all,
I tested TC 7.0.106 plus a few patches from git with a variety of JVMs
on a few Linux distributions. I observed:
- org.apache.tomcat.util.net.TestClientCertTls13 now fails for Java
1.8.0_272 be it OpenJDK, Adopt or Zulu on all Linux distros I tested.
TLSv1.3 was backported to Java 8 in the recently released Patchlevel 272
and is enabled on the server side by default, but not on the client
side. The test succeeds as soon as I add
"-Djdk.tls.client.protocols=TLSv1.3". I guess correct TLS1.3 detection
during test gets moire and more complicated ...
- Only on RHEL 8 (e.g. not RHEL 6 or 7) and only with Red Hat provided
Java 1.8.0 and 11 (but not for other distributions of Java 1.8.0 or 11),
lots of TLS tests fail. For example TestSsl test testSimpleSsl show the
following when started with -Djavax.net.debug=all und Red Hat Java 11:
[junit] Oct 28, 2020 12:55:26 PM org.apache.coyote.AbstractProtocol
start
[junit] INFO: Starting ProtocolHandler
["http-bio-127.0.0.1-auto-1-43799"]
[junit] javax.net.ssl|DEBUG|03|Finalizer|2020-10-28 12:55:26.265
CET|SSLSocketImpl.java:473|duplex close of SSLSocket
[junit] javax.net.ssl|WARNING|03|Finalizer|2020-10-28 12:55:26.273
CET|SSLSocketImpl.java:494|SSLSocket duplex close failed (
[junit] "throwable" : {
[junit] java.net.SocketException: Socket is not connected
[junit] at
java.base/java.net.Socket.shutdownOutput(Socket.java:1553)
[junit] at
java.base/sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:232)
[junit] at
java.base/sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
[junit] at
java.base/sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
[junit] at
java.base/sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:275)
[junit] at
java.base/java.lang.System$2.invokeFinalize(System.java:2117)
[junit] at
java.base/java.lang.ref.Finalizer.runFinalizer(Finalizer.java:87)
[junit] at
java.base/java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:171)}
[junit]
[junit] )
[junit] javax.net.ssl|ERROR|01|main|2020-10-28 12:55:26.304
CET|TransportContext.java:313|Fatal (HANDSHAKE_FAILURE): Couldn't
kickstart handshaking (
[junit] "throwable" : {
[junit] javax.net.ssl.SSLHandshakeException: No appropriate
protocol (protocol is disabled or cipher suites are inappropriate)
[junit] at
java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
[junit] at
java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:95)
[junit] at
java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:217)
[junit] at
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
[junit] at
java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
[junit] at
java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
[junit] at
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:163)
[junit] at
org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:665)
[junit] at
org.apache.catalina.startup.TomcatBaseTest.methodUrl(TomcatBaseTest.java:639)
[junit] at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:633)
[junit] at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:627)
[junit] at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:612)
[junit] at
org.apache.catalina.startup.TomcatBaseTest.getUrl(TomcatBaseTest.java:606)
[junit] at
org.apache.tomcat.util.net.TestSsl.testSimpleSsl(TestSsl.java:60)
Dont know whether the error in the finalizer really is the root cause
and it might well be a JDK error, but I at least wanted to provide the
info here.
Best regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org