Re: AW: Too many certificates in chain?!? Help!

2023-05-23 Thread James H. H. Lampert

On 5/23/23 10:02 AM, Rob Sargent wrote:
> Does pathLen:0 mean "no limit" or "no go"?


Well given that the "Basic Constraints" are exactly the same, across the 
board, in *both* the keystores that worked fine and the keystore that 
blew up, I don't think that's a factor. And the fact that the keystore 
that blew up changed file length on the outbound FTP trip and changed 
back to the original file length on the inbound binary-mode FTP trip 
(and is the only time I can recall *ever* seeing a keystore change file 
length) probably *is* a factor.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: AW: Too many certificates in chain?!? Help!

2023-05-23 Thread Rob Sargent




On 5/23/23 10:13, James H. H. Lampert wrote:
> On 5/23/23 8:31 AM, Christopher Schultz wrote:
> > Can you dump the whole cert (e.g. keytool -list -v -alias 'certname')
> > for each cert and see if any of the certificates specify a maximum
> > chain length somewhere? Evidently, it's an extension to the X.509 spec:
>
> Comparing one that worked with one that blew up, they have the same
> values for all of the "basic constraints" sections: the site cert shows
>
> BasicConstraints:[
>   CA:false
>   PathLen: undefined
> ]
>
> the intermediate cert shows
>
> BasicConstraints:[
>   CA:true
>   PathLen:0
> ]



Does pathLen:0 mean "no limit" or "no go"?





Re: AW: Too many certificates in chain?!? Help!

2023-05-23 Thread James H. H. Lampert

On 5/23/23 8:31 AM, Christopher Schultz wrote:
> Can you dump the whole cert (e.g. keytool -list -v -alias 'certname')
> for each cert and see if any of the certificates specify a maximum chain
> length somewhere? Evidently, it's an extension to the X.509 spec:


Comparing one that worked with one that blew up, they have the same 
values for all of the "basic constraints" sections: the site cert shows

BasicConstraints:[
  CA:false
  PathLen: undefined
]


the intermediate cert shows

BasicConstraints:[
  CA:true
  PathLen:0
]


and the root cert shows

BasicConstraints:[
  CA:true
  PathLen: no limit
]


As I said last week, given that (1) I could not reproduce the problem in 
four different attempts, and (2) the file size on the "problem" keystore 
changed when the keystore was sent to the customer box, *and then 
changed back* when I sent it back, I'm chalking this up to an extremely 
freaky fluke.


But thanks, Christopher, for taking a look at the problem.

--
JHHL




Re: AW: Too many certificates in chain?!? Help!

2023-05-23 Thread Christopher Schultz

James,

On 5/18/23 16:01, James H. H. Lampert wrote:
> On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Which version of tomcat do you use?
> > Is the stack trace truncated in your mail? Is there a "caused by ..."
> > further down the stacktrace?
> >
> > It looks like the error is thrown deeper in SSLUtil when creating the
> > ssl context.
> >
> > Maybe you can post the full stack trace.
>
> It just gets weirder.
>
> FYI, The customer box is on Tomcat 8.5.73, running under IBM Java
> 8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.
>
> I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server
> (7.0.108, running under Java 6), and started plugging in keystores.
> First, I plugged in the initial self-signed keystore. No problem;
> launched just fine. Then I plugged in the signed-and-chained keystore.
> Still no problem; launched just fine. Then I plugged in a copy of the
> signed-and-chained keystore that I'd sent back from the customer box.
> STILL no problem!
>
> I also did a "keytool -list -v -keystore x.ks" on both the new
> keystore and the one that worked, on my own Mac. No problems at all, and
> they looked very similar. But when I tried doing it on the customer
> AS/400, I got very similar error messages to what's in catalina.out.
>
> I don't ordinarily send attachments to list servers, but the "how to ask
> questions the smart way" said it should be OK, if small and relevant,
> and stacktraces tend to get a bit garbled if sent inline, so I've
> attached a brief catalina.out excerpt.


The Connector failing to initialize is 
org.apache.coyote.http11.Http11Protocol-443, so that's the one configured 
for port 443. Please double-check the configuration to see where your 
keystore is located and verify that you have a small number of 
certificates in that keystore.


"Too many" implies that the chain is too long and usually the "too long" 
number is something reasonable like 10 or so. A chain of 3 certificates 
should definitely be okay.


Can you dump the whole cert (e.g. keytool -list -v -alias 'certname') 
for each cert and see if any of the certificates specify a maximum chain 
length somewhere? Evidently, it's an extension to the X.509 spec:


https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#getBasicConstraints--

Otherwise, you might want to check the value of the system property 
jdk.tls.maxCertificateChainLength. The default is 10[1] but it can 
probably be set to something lower. It's possible someone decided that 
cert chains in that environment should be very short. You might be able 
to override using CATALINA_OPTS or equivalent on OS/400.


-chris

[1] https://www.oracle.com/java/technologies/javase/8u271-relnotes.html

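A check you can run on both boxes, added here as an example and not code from this thread or from Tomcat: it loads the keystore the same way Tomcat's JSSE endpoint does, so a corrupted file fails at the same point the attached stack trace shows (inside the keystore provider's engineLoad, before any TLS chain validation happens); it prints a SHA-256 digest of the file so copies can be compared before and after a transfer (James's file-length change would show up as a different digest); and it walks each key entry's chain against the two limits Christopher mentions, the jdk.tls.maxCertificateChainLength property (default 10, taken from [1]) and each CA certificate's pathLenConstraint. Per RFC 5280, a pathLenConstraint of N allows at most N non-self-issued intermediate CA certificates to follow that CA in the path, so an intermediate with PathLen:0 may only sign end-entity certificates, which is exactly how the chain shown in this thread is built. The class name, the argument layout and the simplification of treating every CA in the chain as non-self-issued are my assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * KeystoreChainCheck (hypothetical helper, not part of Tomcat):
 * loads a JKS/PKCS12 keystore, prints a SHA-256 digest of the file, then for
 * every key entry prints the chain with each certificate's BasicConstraints
 * and checks (1) the chain length against jdk.tls.maxCertificateChainLength
 * and (2) every CA certificate's pathLenConstraint against its position.
 *
 * Usage: java KeystoreChainCheck <keystore-file> <password> [JKS|PKCS12]
 */
public class KeystoreChainCheck {

    // JDK default for jdk.tls.maxCertificateChainLength (assumed from the release notes cited above)
    static final int DEFAULT_MAX_CHAIN = 10;

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreChainCheck <keystore> <password> [type]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        // Same digest on both sides of a copy means the bytes survived the transfer;
        // an ASCII-mode FTP transfer of a binary keystore changes the bytes and the digest.
        System.out.println("SHA-256 of file: " + sha256Hex(args[0]));

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        } catch (IOException e) {
            // Thrown while the file is being parsed (a wrong password also lands here, with
            // an UnrecoverableKeyException as cause). A file that loads on one box and not on
            // another, with a different digest, is a damaged copy rather than a chain problem.
            System.err.println("keystore did not load: " + e);
            System.exit(1);
        }

        int maxChain = Integer.getInteger("jdk.tls.maxCertificateChainLength", DEFAULT_MAX_CHAIN);
        boolean ok = true;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) continue;           // trusted-cert entries carry no chain
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.printf("key entry '%s': chain length %d (limit %d)%n", alias, chain.length, maxChain);
            if (chain.length > maxChain) {
                System.out.println("  PROBLEM: chain longer than jdk.tls.maxCertificateChainLength");
                ok = false;
            }
            ok &= checkPathLen(chain);
        }
        System.exit(ok ? 0 : 1);
    }

    /**
     * Chain is leaf-first, as KeyStore returns it. For the CA at index i there are i-1
     * intermediate CA certificates between it and the leaf, so its pathLen must be >= i-1.
     * Simplification (assumption): every CA in the chain is treated as non-self-issued.
     */
    static boolean checkPathLen(Certificate[] chain) {
        boolean ok = true;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            int bc = c.getBasicConstraints();   // -1: not a CA; Integer.MAX_VALUE: CA with no limit
            String desc = bc < 0 ? "CA:false"
                    : bc == Integer.MAX_VALUE ? "CA:true PathLen: no limit"
                    : "CA:true PathLen:" + bc;
            System.out.printf("  [%d] %s  %s%n", i, c.getSubjectX500Principal(), desc);
            if (i == 0) continue;               // the end-entity (site) certificate
            if (bc < 0) {
                System.out.println("      PROBLEM: a non-CA certificate is used as an issuer");
                ok = false;
                continue;
            }
            int intermediatesBelow = i - 1;
            if (bc < intermediatesBelow) {
                System.out.printf("      PROBLEM: pathLen %d but %d intermediate CA(s) below it%n",
                        bc, intermediatesBelow);
                ok = false;
            }
        }
        return ok;
    }

    static String sha256Hex(String path) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(Paths.get(path)));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

For the three-certificate chain in this thread (site cert CA:false, intermediate CA:true PathLen:0, root CA:true with no limit) the pathLen check passes: the intermediate sits at index 1 with zero intermediates below it. Run it on the Mac and on the customer box with the same file; if the digests differ, the transfer altered the file, and the "Too many certificates in chain" IOException from engineLoad is the keystore parser reading a damaged chain-count field, not a real chain-length limit.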



RE: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread jonmcalexander
Maybe just a bad keystore or binary copy or some type of corruption.


Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: James H. H. Lampert 
> Sent: Thursday, May 18, 2023 3:42 PM
> To: Tomcat Users List 
> Subject: Re: AW: Too many certificates in chain?!? Help!
> 
> Weirder and weirder. (And hopefully, my previous email, with a catalina.out
> excerpt as an attachment, actually got distributed to the
> List.)
> 
> I copied the cert and the unsigned keystore from my new Mac (M2 Mini,
> running Ventura) to my old Mac (2017 iMac, running Catalina), and signed
> and chained it there (again, in KeyStore Explorer).
> 
> I did a diff on the two signed/chained keystores. The file lengths are the
> same, but diff found (but didn't specify) the differences.
> 
> I put the version from the iMac on the customer box, and tried a keytool -list
> -v on it, from the customer box. It choked on the one from yesterday, signed
> and chained on the M2 Mini, but it liked the one from today, signed and
> chained on the 2017 iMac.
> 
> I installed "Hex Fiend," and did a binary comparison of the two signed,
> chained keystores. It showed *A LOT* of red.
> 
> --
> JHHL
> 





Re: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread James H. H. Lampert
Weirder and weirder. (And hopefully, my previous email, with a 
catalina.out excerpt as an attachment, actually got distributed to the 
List.)


I copied the cert and the unsigned keystore from my new Mac (M2 Mini, 
running Ventura) to my old Mac (2017 iMac, running Catalina), and 
signed and chained it there (again, in KeyStore Explorer).


I did a diff on the two signed/chained keystores. The file lengths are 
the same, but diff found (but didn't specify) the differences.


I put the version from the iMac on the customer box, and tried a keytool 
-list -v on it, from the customer box. It choked on the one from 
yesterday, signed and chained on the M2 Mini, but it liked the one from 
today, signed and chained on the 2017 iMac.


I installed "Hex Fiend," and did a binary comparison of the two signed, 
chained keystores. It showed *A LOT* of red.


--
JHHL




RE: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread jonmcalexander
Hi James,

Take a look at this URL:

https://stackoverflow.com/questions/64721644/javax-net-ssl-sslprotocolexception-the-certificate-chain-length-11-exceeds-th

It may help,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His


> -Original Message-
> From: James H. H. Lampert 
> Sent: Thursday, May 18, 2023 3:01 PM
> To: Tomcat Users List 
> Subject: Re: AW: Too many certificates in chain?!? Help!
> 
> On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Which version of tomcat do you use?
> > Is the stack trace truncated in your mail? Is there a "caused by ..."
> > further down the stacktrace?
> >
> > It looks like the error is thrown deeper in SSLUtil when creating the ssl
> > context.
> > Maybe you can post the full stack trace.
> 
> It just gets weirder.
> 
> FYI, The customer box is on Tomcat 8.5.73, running under IBM Java
> 8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.
> 
> I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server
> (7.0.108, running under Java 6), and started plugging in keystores.
> First, I plugged in the initial self-signed keystore. No problem; launched
> just fine. Then I plugged in the signed-and-chained keystore.
> Still no problem; launched just fine. Then I plugged in a copy of the
> signed-and-chained keystore that I'd sent back from the customer box.
> STILL no problem!
> 
> I also did a "keytool -list -v -keystore x.ks" on both the new keystore
> and the one that worked, on my own Mac. No problems at all, and they looked
> very similar. But when I tried doing it on the customer AS/400, I got very
> similar error messages to what's in catalina.out.
> 
> I don't ordinarily send attachments to list servers, but the "how to ask
> questions the smart way" said it should be OK, if small and relevant, and
> stacktraces tend to get a bit garbled if sent inline, so I've attached a brief
> catalina.out excerpt.
> 
> --
> JHHL


Re: AW: Too many certificates in chain?!? Help!

2023-05-18 Thread James H. H. Lampert

On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Which version of tomcat do you use?
> Is the stack trace truncated in your mail? Is there a "caused by ..." further
> down the stacktrace?
>
> It looks like the error is thrown deeper in SSLUtil when creating the ssl
> context.
> Maybe you can post the full stack trace.


It just gets weirder.

FYI, The customer box is on Tomcat 8.5.73, running under IBM Java 
8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.


I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server 
(7.0.108, running under Java 6), and started plugging in keystores. 
First, I plugged in the initial self-signed keystore. No problem; 
launched just fine. Then I plugged in the signed-and-chained keystore. 
Still no problem; launched just fine. Then I plugged in a copy of the 
signed-and-chained keystore that I'd sent back from the customer box. 
STILL no problem!


I also did a "keytool -list -v -keystore x.ks" on both the new 
keystore and the one that worked, on my own Mac. No problems at all, and 
they looked very similar. But when I tried doing it on the customer 
AS/400, I got very similar error messages to what's in catalina.out.


I don't ordinarily send attachments to list servers, but the "how to ask 
questions the smart way" said it should be OK, if small and relevant, 
and stacktraces tend to get a bit garbled if sent inline, so I've 
attached a brief catalina.out excerpt.


--
JHHL

17-May-2023 19:33:28.162 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-443"]
JVMDUMP039I Processing dump event "systhrow", detail "java/lang/OutOfMemoryError" at 2023/05/17 19:33:32 - please wait.
JVMDUMP032I JVM requested System dump using '//core.20230517.193332.26378.0001.dmp' in response to an event
JVMDUMP010I System dump written to //core.20230517.193332.26378.0001.dmp
JVMDUMP032I JVM requested Heap dump using '//heapdump.20230517.193332.26378.0002.phd' in response to an event
JVMDUMP010I Heap dump written to //heapdump.20230517.193332.26378.0002.phd
JVMDUMP032I JVM requested Java dump using '//javacore.20230517.193332.26378.0003.txt' in response to an event
JVMDUMP010I Java dump written to //javacore.20230517.193332.26378.0003.txt
JVMDUMP032I JVM requested Snap dump using '//Snap.20230517.193332.26378.0004.trc' in response to an event
JVMDUMP010I Snap dump written to //Snap.20230517.193332.26378.0004.trc
JVMDUMP013I Processed dump event "systhrow", detail "java/lang/OutOfMemoryError".
17-May-2023 19:34:12.173 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Protocol-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1076)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:843)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Too many certificates in chain
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1161)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
    ... 13 more
Caused by: java.io.IOException: Too many certificates in chain
    at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
    at com.ibm.crypto.provider.bg.engineLoad(Unknown Source)
    at com.ibm.crypto.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source)
    at