Re: AW: Too many certificates in chain?!? Help!
On 5/23/23 10:02 AM, Rob Sargent wrote:
> Does pathLen:0 mean "no limit" or "no go"?

Well, given that the "Basic Constraints" are exactly the same, across the board, in *both* the keystores that worked fine and the keystore that blew up, I don't think that's a factor.

And the fact that the keystore that blew up changed file length on the outbound FTP trip and changed back to the original file length on the inbound binary-mode FTP trip (and is the only time I can recall *ever* seeing a keystore change file length) probably *is* a factor.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: Too many certificates in chain?!? Help!
On 5/23/23 10:13, James H. H. Lampert wrote:
> On 5/23/23 8:31 AM, Christopher Schultz wrote:
>> Can you dump the whole cert (e.g. keytool -list -v -alias 'certname') for each cert and see if any of the certificates specify a maximum chain length somewhere? Evidently, it's an extension to the X.509 spec:
>
> Comparing one that worked with one that blew up, they have the same values for all of the "basic constraints" sections:
>
> the site cert shows
> BasicConstraints:[
>   CA:false
>   PathLen: undefined
> ]
>
> the intermediate cert shows
> BasicConstraints:[
>   CA:true
>   PathLen:0
> ]

Does pathLen:0 mean "no limit" or "no go"?
Re: AW: Too many certificates in chain?!? Help!
On 5/23/23 8:31 AM, Christopher Schultz wrote:
> Can you dump the whole cert (e.g. keytool -list -v -alias 'certname') for each cert and see if any of the certificates specify a maximum chain length somewhere? Evidently, it's an extension to the X.509 spec:

Comparing one that worked with one that blew up, they have the same values for all of the "basic constraints" sections:

the site cert shows
BasicConstraints:[
  CA:false
  PathLen: undefined
]

the intermediate cert shows
BasicConstraints:[
  CA:true
  PathLen:0
]

and the root cert shows
BasicConstraints:[
  CA:true
  PathLen: no limit
]

As I said last week, given that (1) I could not reproduce the problem in four different attempts, and (2) the file size on the "problem" keystore changed when the keystore was sent to the customer box, *and then changed back* when I sent it back, I'm chalking this up to an extremely freaky fluke.

But thanks, Christopher, for taking a look at the problem.

--
JHHL
Re: AW: Too many certificates in chain?!? Help!
James,

On 5/18/23 16:01, James H. H. Lampert wrote:
> On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>> Which version of tomcat do you use?
>> Is the stack trace truncated in your mail? Is there a "caused by ..." further down the stacktrace?
>> It looks like the error is thrown deeper in SSLUtil when creating the ssl context.
>> Maybe you can post the full stack trace.
>
> It just gets weirder.
>
> FYI, the customer box is on Tomcat 8.5.73, running under IBM Java 8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.
>
> I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server (7.0.108, running under Java 6), and started plugging in keystores. First, I plugged in the initial self-signed keystore. No problem; launched just fine. Then I plugged in the signed-and-chained keystore. Still no problem; launched just fine. Then I plugged in a copy of the signed-and-chained keystore that I'd sent back from the customer box. STILL no problem!
>
> I also did a "keytool -list -v -keystore x.ks" on both the new keystore and the one that worked, on my own Mac. No problems at all, and they looked very similar. But when I tried doing it on the customer AS/400, I got very similar error messages to what's in catalina.out.
>
> I don't ordinarily send attachments to list servers, but the "how to ask questions the smart way" said it should be OK, if small and relevant, and stacktraces tend to get a bit garbled if sent inline, so I've attached a brief catalina.out excerpt.

The Connector failing to initialize is org.apache.coyote.http11.Http11Protocol-443, so that's the one configured for port 443. Please double-check the configuration to see where your keystore is located and verify that you have a small number of certificates in that keystore. "Too many" implies that the chain is too long, and usually the "too long" number is something reasonable like 10 or so. A chain of 3 certificates should definitely be okay.

Can you dump the whole cert (e.g. keytool -list -v -alias 'certname') for each cert and see if any of the certificates specify a maximum chain length somewhere? Evidently, it's an extension to the X.509 spec:

https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#getBasicConstraints--

Otherwise, you might want to check the value of the system property jdk.tls.maxCertificateChainLength. The default is 10[1] but it can probably be set to something lower. It's possible someone decided that cert chains in that environment should be very short. You might be able to override using CATALINA_OPTS or equivalent on OS/400.

-chris

[1] https://www.oracle.com/java/technologies/javase/8u271-relnotes.html
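Chris's suggestion to look inside the keystore, and James's observation that the file changed length on the way to the customer box and back, both come down to what the bytes of a JKS file mean, so here is an added Python example (not from the thread, and not Tomcat, keytool or IBM JDK code) that walks the JKS v2 layout, applies a chain-count sanity check of the kind behind a "Too many certificates in chain" error, verifies the keyed SHA-1 trailer, and shows what a text-mode FTP transfer (LF rewritten as CR LF) does to the parse. The function names, the alias 'tomcat', the password 'changeit', the cap of 10 (borrowed from the JDK default Chris cites) and the placeholder certificate bytes are all constructed for the demo.

```python
import hashlib, io, struct

JKS_MAGIC = 0xFEEDFEED
def _utf(s):  # DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def _integrity(password, body):  # JKS trailer: SHA-1(UTF-16BE password + "Mighty Aphrodite" + entries)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(entries, password):  # minimal JKS v2 writer; entries are (alias, key_bytes, [cert_bytes, ...])
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, key, chain in entries:  # tag 1 = PrivateKeyEntry, alias, 8-byte timestamp, key blob, chain
        body += struct.pack(">I", 1) + _utf(alias) + struct.pack(">Q", 0)
        body += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
        for cert in chain:  # each cert: type string, 4-byte length, DER bytes (placeholders in this demo)
            body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _integrity(password, body)

def inspect_jks(data, password=None, max_chain=10):  # walks the layout like a loader; max_chain is an assumed cap
    f = io.BytesIO(data)
    rd = lambda fmt: struct.unpack(fmt, f.read(struct.calcsize(fmt)))[0]  # one big-endian field
    skip_cert = lambda: (f.read(rd(">H")), f.read(rd(">I")))  # type string, then length-prefixed DER
    magic, version, count = struct.unpack(">III", f.read(12))
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS v2 keystore")
    entries = []
    for _ in range(count):
        tag, alias, _created = rd(">I"), f.read(rd(">H")).decode(), rd(">Q")
        if tag == 1:
            _key, nchain = f.read(rd(">I")), rd(">I")  # skip the protected key blob, then the chain count
            if nchain > max_chain:  # an absurd count means the bytes before it are already misaligned
                raise ValueError(f"Too many certificates in chain: {nchain} for alias '{alias}'")
            for _ in range(nchain):
                skip_cert()
        else:  # tag 2 = trustedCertEntry, the only other JKS entry type: exactly one certificate
            nchain = 1
            skip_cert()
        entries.append((alias, nchain))
    end = f.tell()  # the 20-byte keyed digest follows the last entry
    if password is not None and data[end:end + 20] != _integrity(password, data[:end]):
        raise ValueError("keystore integrity check failed (wrong password or corrupted file)")
    return entries

def diagnose(data, password):  # one-line verdict, in the spirit of 'keytool -list -v'
    try:
        return "OK: " + ", ".join(f"{a} (chain {n})" for a, n in inspect_jks(data, password))
    except ValueError as e:
        return "ERROR: " + str(e)

# Constructed sample: one PrivateKeyEntry with a 3-cert chain; the key blob deliberately contains an LF byte.
SAMPLE = build_jks([("tomcat", b"KEY\nBYTES", [b"site", b"intermediate", b"root"])], "changeit")
ASCII_FTP = SAMPLE.replace(b"\n", b"\r\n")  # what a text-mode FTP transfer does: LF -> CR LF, file grows
```

Once a single byte is inserted ahead of a length field, every later field is read from the wrong offset, which is how a perfectly sane 3-cert chain can present itself to a loader as a chain of over a billion certificates; the defensive habit is to transfer keystores in binary mode and compare a hash of the file on both ends before blaming the certificates.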
RE: AW: Too many certificates in chain?!? Help!
Maybe just a bad keystore or binary copy or some type of corruption.

Dream * Excel * Explore * Inspire

Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

> -----Original Message-----
> From: James H. H. Lampert
> Sent: Thursday, May 18, 2023 3:42 PM
> To: Tomcat Users List
> Subject: Re: AW: Too many certificates in chain?!? Help!
>
> Weirder and weirder. (And hopefully, my previous email, with a catalina.out excerpt as an attachment, actually got distributed to the List.)
>
> I copied the cert and the unsigned keystore from my new Mac (M2 Mini, running Ventura) to my old Mac (2017 iMac, running Catalina), and signed and chained it there (again, in KeyStore Explorer).
>
> I did a diff on the two signed/chained keystores. The file lengths are the same, but diff found (but didn't specify) the differences.
>
> I put the version from the iMac on the customer box, and tried a keytool -list -v on it, from the customer box. It choked on the one from yesterday, signed and chained on the M2 Mini, but it liked the one from today, signed and chained on the 2017 iMac.
>
> I installed "Hex Fiend," and did a binary comparison of the two signed, chained keystores. It showed *A LOT* of red.
>
> --
> JHHL
Re: AW: Too many certificates in chain?!? Help!
Weirder and weirder. (And hopefully, my previous email, with a catalina.out excerpt as an attachment, actually got distributed to the List.)

I copied the cert and the unsigned keystore from my new Mac (M2 Mini, running Ventura) to my old Mac (2017 iMac, running Catalina), and signed and chained it there (again, in KeyStore Explorer).

I did a diff on the two signed/chained keystores. The file lengths are the same, but diff found (but didn't specify) the differences.

I put the version from the iMac on the customer box, and tried a keytool -list -v on it, from the customer box. It choked on the one from yesterday, signed and chained on the M2 Mini, but it liked the one from today, signed and chained on the 2017 iMac.

I installed "Hex Fiend," and did a binary comparison of the two signed, chained keystores. It showed *A LOT* of red.

--
JHHL
RE: AW: Too many certificates in chain?!? Help!
Hi James,

Take a look at this URL:

https://stackoverflow.com/questions/64721644/javax-net-ssl-sslprotocolexception-the-certificate-chain-length-11-exceeds-th

It may help,

Jon McAlexander
Senior Infrastructure Engineer

> -----Original Message-----
> From: James H. H. Lampert
> Sent: Thursday, May 18, 2023 3:01 PM
> To: Tomcat Users List
> Subject: Re: AW: Too many certificates in chain?!? Help!
>
> On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>> Which version of tomcat do you use?
>> Is the stack trace truncated in your mail? Is there a "caused by ..." further down the stacktrace?
>>
>> It looks like the error is thrown deeper in SSLUtil when creating the ssl context.
>> Maybe you can post the full stack trace.
>
> It just gets weirder.
>
> FYI, the customer box is on Tomcat 8.5.73, running under IBM Java 8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.
>
> I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server (7.0.108, running under Java 6), and started plugging in keystores. First, I plugged in the initial self-signed keystore. No problem; launched just fine. Then I plugged in the signed-and-chained keystore. Still no problem; launched just fine. Then I plugged in a copy of the signed-and-chained keystore that I'd sent back from the customer box. STILL no problem!
>
> I also did a "keytool -list -v -keystore x.ks" on both the new keystore and the one that worked, on my own Mac. No problems at all, and they looked very similar. But when I tried doing it on the customer AS/400, I got very similar error messages to what's in catalina.out.
>
> I don't ordinarily send attachments to list servers, but the "how to ask questions the smart way" said it should be OK, if small and relevant, and stacktraces tend to get a bit garbled if sent inline, so I've attached a brief catalina.out excerpt.
>
> --
> JHHL
Re: AW: Too many certificates in chain?!? Help!
On 5/18/23 12:18 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Which version of tomcat do you use?
> Is the stack trace truncated in your mail? Is there a "caused by ..." further down the stacktrace?
>
> It looks like the error is thrown deeper in SSLUtil when creating the ssl context.
> Maybe you can post the full stack trace.

It just gets weirder.

FYI, the customer box is on Tomcat 8.5.73, running under IBM Java 8.0.7.20 - pap6480sr7fp20-20221020_01(SR7 FP20), under OS/400 V7R3M0.

I fired up one of our on-site AS/400s (V6R1M0), with a Tomcat server (7.0.108, running under Java 6), and started plugging in keystores. First, I plugged in the initial self-signed keystore. No problem; launched just fine. Then I plugged in the signed-and-chained keystore. Still no problem; launched just fine. Then I plugged in a copy of the signed-and-chained keystore that I'd sent back from the customer box. STILL no problem!

I also did a "keytool -list -v -keystore x.ks" on both the new keystore and the one that worked, on my own Mac. No problems at all, and they looked very similar. But when I tried doing it on the customer AS/400, I got very similar error messages to what's in catalina.out.

I don't ordinarily send attachments to list servers, but the "how to ask questions the smart way" said it should be OK, if small and relevant, and stacktraces tend to get a bit garbled if sent inline, so I've attached a brief catalina.out excerpt.

--
JHHL

[Attachment: catalina.out excerpt]

17-May-2023 19:33:28.162 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-443"]
JVMDUMP039I Processing dump event "systhrow", detail "java/lang/OutOfMemoryError" at 2023/05/17 19:33:32 - please wait.
JVMDUMP032I JVM requested System dump using '//core.20230517.193332.26378.0001.dmp' in response to an event
JVMDUMP010I System dump written to //core.20230517.193332.26378.0001.dmp
JVMDUMP032I JVM requested Heap dump using '//heapdump.20230517.193332.26378.0002.phd' in response to an event
JVMDUMP010I Heap dump written to //heapdump.20230517.193332.26378.0002.phd
JVMDUMP032I JVM requested Java dump using '//javacore.20230517.193332.26378.0003.txt' in response to an event
JVMDUMP010I Java dump written to //javacore.20230517.193332.26378.0003.txt
JVMDUMP032I JVM requested Snap dump using '//Snap.20230517.193332.26378.0004.trc' in response to an event
JVMDUMP010I Snap dump written to //Snap.20230517.193332.26378.0004.trc
JVMDUMP013I Processed dump event "systhrow", detail "java/lang/OutOfMemoryError".
17-May-2023 19:34:12.173 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Protocol-443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1076)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:843)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Too many certificates in chain
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:246)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1161)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
    ... 13 more
Caused by: java.io.IOException: Too many certificates in chain
    at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
    at com.ibm.crypto.provider.bg.engineLoad(Unknown Source)
    at com.ibm.crypto.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source)
    at