RE: Tomcat SSL stops working after an undetermined amount of time
This is nice to know. Thank you for the details.

You may want to check the contents of the "java.security" file to assess if they have configured BC like this:

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Number 10 can be some other number in your environment. If you see BC configured in here, you can comment (or remove) that line. Recycle the JVM and test again.

Thanks,
-Raghu

-----Original Message-----
From: Christopher Schultz
Sent: Tuesday, June 15, 2021 4:10 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ezsra,

On 6/15/21 17:43, Ezsra McDonald wrote:
> Sorry for the delay.
>
> I was finally able to track down the location of the BouncyCastle library. It is located in the individual application libraries and cannot be disabled. There are newer versions of BC available and I have asked the software developers to consider upgrading the applications.
>
> Disabling RSASSA-PSS alone did not work. I had to also disable TLSv1.3. I tried only disabling TLSv1.3 but the instance continued to show the same issues. So, I had to disable both.
>
> The error occurred across all browsers. There was some earlier confusion when I had the HTTPS connector configured incorrectly. Now the connector works for all browsers initially until one of the apps loads the BouncyCastle library. At that point the SSL handshake begins to fail for any browser. Disabling the RSASSA-PSS and TLSv1.3 protocols and ciphers is a temporary workaround. It is my hope that upgrading the BC jar will resolve the conflicts.
>
> I am open to any other suggestions but for now my instances have stabilized and I am in a holding pattern waiting for the software developers to upgrade BC in the individual applications.
>
> Thanks to everyone who assisted me with this issue. I will keep you posted on results of the BC upgrade.

Sounds good. I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the administrator in some way.

-chris
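An added diagnostic, not part of this thread and not Tomcat or BouncyCastle code, for the check Raghu describes above and for Chris's point that Tomcat offers no way to pick the JSSE provider: run it with the same JVM and java.security settings as the Tomcat instance to see which providers are configured statically, which are registered at runtime (an application can add BC itself, as Ezsra found), and which provider would perform the RSASSA-PSS signature that failed in the stack trace. The class name ProviderCheck is assumed; on a JDK that does not offer RSASSA-PSS as a Signature algorithm, providerFor returns null.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Diagnostic (added example, not from the thread or from Tomcat): report which
 * JCA/JSSE providers this JVM has, whether BouncyCastle is among them, how it got
 * there (java.security versus runtime registration by an application), and which
 * provider would actually perform an RSASSA-PSS signature, the code path that threw
 * the NullPointerException in org.bouncycastle.crypto.signers.PSSSigner.
 *
 * Run it with the same JVM and the same -D/java.security settings as the Tomcat
 * instance, for example:  java ProviderCheck
 */
public class ProviderCheck {

    /** Providers listed statically in java.security (security.provider.1, .2, ...). */
    static List<String> staticallyConfiguredProviders() {
        List<String> out = new ArrayList<>();
        for (int i = 1; ; i++) {
            String value = Security.getProperty("security.provider." + i);
            if (value == null) {
                break; // java.security numbering is contiguous; the first gap ends the list
            }
            out.add(i + "=" + value);
        }
        return out;
    }

    /** Providers actually registered right now, in preference order (index, name, class). */
    static List<String> registeredProviders() {
        List<String> out = new ArrayList<>();
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            out.add((i + 1) + " " + providers[i].getName()
                    + " (" + providers[i].getClass().getName() + ")");
        }
        return out;
    }

    /** True if any registered provider is a BouncyCastle class, however it was added. */
    static boolean bouncyCastleRegistered() {
        for (Provider p : Security.getProviders()) {
            if (p.getClass().getName().startsWith("org.bouncycastle.")) {
                return true;
            }
        }
        return false;
    }

    /** Name of the provider that would serve Signature.getInstance(algorithm), or null if none does. */
    static String providerFor(String algorithm) {
        try {
            return Signature.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /** True if the given entry appears in the jdk.tls.disabledAlgorithms security property. */
    static boolean tlsAlgorithmDisabled(String entry) {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (disabled == null) {
            return false;
        }
        for (String item : disabled.split(",")) {
            if (item.trim().equalsIgnoreCase(entry)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("Providers configured in java.security:");
        for (String line : staticallyConfiguredProviders()) {
            System.out.println("  " + line);
        }
        System.out.println("Providers registered in this JVM (preference order):");
        for (String line : registeredProviders()) {
            System.out.println("  " + line);
        }
        // True here with no BouncyCastle entry in the java.security list means an
        // application registered BC at runtime, which is what Ezsra found.
        System.out.println("BouncyCastle registered: " + bouncyCastleRegistered());

        // The stack trace failed inside BC's PSS signer; this shows who would sign RSASSA-PSS here.
        String pss = providerFor("RSASSA-PSS");
        System.out.println("RSASSA-PSS signatures served by: " + (pss == null ? "<no provider>" : pss));

        // Highest-priority TLS provider; Tomcat's JSSE implementation asks for an SSLContext
        // by protocol name, which is resolved through this same provider list.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Default SSLContext provider: " + ctx.getProvider().getName());
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // Ezsra's workaround disabled both of these; report whether they are disabled here.
        System.out.println("RSASSA-PSS in jdk.tls.disabledAlgorithms: " + tlsAlgorithmDisabled("RSASSA-PSS"));
        System.out.println("TLSv1.3 in jdk.tls.disabledAlgorithms: " + tlsAlgorithmDisabled("TLSv1.3"));
    }
}
```

Running it once with plain `java ProviderCheck` and once with the application's jars on the classpath (after the application has registered BC) shows whether the RSASSA-PSS provider changes from SunRsaSign to BC, which is the shift that coincided with the handshake failures in the thread.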
Re: Tomcat SSL stops working after an undetermined amount of time
Ezsra,

On 6/15/21 17:43, Ezsra McDonald wrote:
> Sorry for the delay.
>
> I was finally able to track down the location of the BouncyCastle library. It is located in the individual application libraries and cannot be disabled. There are newer versions of BC available and I have asked the software developers to consider upgrading the applications.
>
> Disabling RSASSA-PSS alone did not work. I had to also disable TLSv1.3. I tried only disabling TLSv1.3 but the instance continued to show the same issues. So, I had to disable both.
>
> The error occurred across all browsers. There was some earlier confusion when I had the HTTPS connector configured incorrectly. Now the connector works for all browsers initially until one of the apps loads the BouncyCastle library. At that point the SSL handshake begins to fail for any browser. Disabling the RSASSA-PSS and TLSv1.3 protocols and ciphers is a temporary workaround. It is my hope that upgrading the BC jar will resolve the conflicts.
>
> I am open to any other suggestions but for now my instances have stabilized and I am in a holding pattern waiting for the software developers to upgrade BC in the individual applications.
>
> Thanks to everyone who assisted me with this issue. I will keep you posted on results of the BC upgrade.

Sounds good. I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the administrator in some way.

-chris
Re: Tomcat SSL stops working after an undetermined amount of time
Sorry for the delay.

I was finally able to track down the location of the BouncyCastle library. It is located in the individual application libraries and cannot be disabled. There are newer versions of BC available and I have asked the software developers to consider upgrading the applications.

Disabling RSASSA-PSS alone did not work. I had to also disable TLSv1.3. I tried only disabling TLSv1.3 but the instance continued to show the same issues. So, I had to disable both.

The error occurred across all browsers. There was some earlier confusion when I had the HTTPS connector configured incorrectly. Now the connector works for all browsers initially until one of the apps loads the BouncyCastle library. At that point the SSL handshake begins to fail for any browser. Disabling the RSASSA-PSS and TLSv1.3 protocols and ciphers is a temporary workaround. It is my hope that upgrading the BC jar will resolve the conflicts.

I am open to any other suggestions but for now my instances have stabilized and I am in a holding pattern waiting for the software developers to upgrade BC in the individual applications.

Thanks to everyone who assisted me with this issue. I will keep you posted on results of the BC upgrade.

-Ez

On Thu, May 27, 2021 at 11:23 AM Mysore, Raghunath wrote:
> Hi Ezsra,
> I concur with suggestions from Chris Schultz.
> Would you clarify the following items?
> The current focus is to understand the prevailing environment configuration, in context of the stack trace you shared earlier.
>
> (1) To go back, did you check for ".jar" files with names like "bouncy"? The point here is to understand where BC is configured (to assess if it can be commented).
> (2) Apart from considering to turn off BC, have you tried disabling the RSASSA-PSS algorithm?
> (3) When you test using a Safari browser, is the application on a happy path (meaning SSL works all fine)? And you have the issue only when testing from a Chrome browser?
>
> Thanks,
> -Raghu
RE: Tomcat SSL stops working after an undetermined amount of time
Hi Ezsra,
I concur with suggestions from Chris Schultz.
Would you clarify the following items?
The current focus is to understand the prevailing environment configuration, in context of the stack trace you shared earlier.

(1) To go back, did you check for ".jar" files with names like "bouncy"? The point here is to understand where BC is configured (to assess if it can be commented).
(2) Apart from considering to turn off BC, have you tried disabling the RSASSA-PSS algorithm?
(3) When you test using a Safari browser, is the application on a happy path (meaning SSL works all fine)? And you have the issue only when testing from a Chrome browser?

Thanks,
-Raghu

-----Original Message-----
From: Ezsra McDonald
Sent: Thursday, May 27, 2021 8:56 AM
To: Tomcat Users List
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Thanks for the responses,

So, I need to understand a little more about BouncyCastle. I inherited the Tomcat environment so I do not know how or why BC came to be installed in the containers. I will do some research on BC so I understand it better. My assumption from the responses is that BC is not a standard part of Tomcat or Java install.

If the BC is part of an application running in the container and comes from a war file, can it be causing this issue? Or is BC most likely loaded when the container starts?

--Ez
Re: Tomcat SSL stops working after an undetermined amount of time
Thanks for the responses,

So, I need to understand a little more about BouncyCastle. I inherited the Tomcat environment so I do not know how or why BC came to be installed in the containers. I will do some research on BC so I understand it better. My assumption from the responses is that BC is not a standard part of Tomcat or Java install.

If the BC is part of an application running in the container and comes from a war file, can it be causing this issue? Or is BC most likely loaded when the container starts?

--Ez

On Thu, May 27, 2021 at 8:37 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Raghunath,
>
> On 5/26/21 19:08, Mysore, Raghunath wrote:
> > To track if BC is configured in your environment, you may want to assess if BC is listed as a "security.provider" in the following "java.security" file
> >
> > File : /jre/lib/security/java.security
> >
> > Check for record (example below) :
> >
> > security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
> >
> > Note the Number 10, above may be something different in your environment's "java.security" file (presuming BC is configured here)
>
> Well, the error being encountered is definite within BC, so I'd venture a guess that BC is indeed being used.
>
> -chris
>
> > -----Original Message-----
> > From: Christopher Schultz
> > Sent: Wednesday, May 26, 2021 4:35 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Tomcat SSL stops working after an undetermined amount of time
> >
> > Ezsra,
> >
> > On 5/26/21 18:11, Ezsra McDonald wrote:
> > > Well, I still have issues. I think it is the same thing hit by these guys:
> > > https://jira.atlassian.com/browse/BAM-21157
> > > https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
> > >
> > > I'll try their fix. My main concern is that I do not want to disable TLSv1.3.
> >
> > If you don't want to disable TLSv1.3, then you want:
> >
> >     protocols="TLSv1.2,TLSv1.3"
> >   />
> >
> > If BC is failing you, I'd want to find out if you really need BC.
> >
> > That first link above seems to suggest that when using Tomcat you MUST disable TLSv1.3. That seems odd. What version of BC are you using? Search for .jar files with names like "bouncy".
> >
> > Do you have the option to downgrade Java?
> >
> > Have you tried disabling the RSASSA-PSS algorithm as per their instructions? It seems ... far-fetched that would fix the problem, but ... okay.
> >
> > Note that at some time in the past, Java 1.8 did not support TLSv1.3 and lots of people who were stuck on Java 1.8 decided to switch to BC which did have TLSv1.3 support. With that version of Java 1.8 (_281), you should have native JDK support for TLSv1.3. Perhaps BC is not necessary at all.
> >
> > -chris
Re: Tomcat SSL stops working after an undetermined amount of time
Raghunath,

On 5/26/21 19:08, Mysore, Raghunath wrote:
> To track if BC is configured in your environment, you may want to assess if BC is listed as a "security.provider" in the following "java.security" file
>
> File : /jre/lib/security/java.security
>
> Check for record (example below) :
>
> security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
>
> Note the Number 10, above may be something different in your environment's "java.security" file (presuming BC is configured here)

Well, the error being encountered is definite within BC, so I'd venture a guess that BC is indeed being used.

-chris
RE: Tomcat SSL stops working after an undetermined amount of time
To track if BC is configured in your environment, you may want to assess if BC is listed as a "security.provider" in the following "java.security" file

File : /jre/lib/security/java.security

Check for record (example below) :

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Note the Number 10, above may be something different in your environment's "java.security" file (presuming BC is configured here)

-----Original Message-----
From: Christopher Schultz
Sent: Wednesday, May 26, 2021 4:35 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ezsra,

On 5/26/21 18:11, Ezsra McDonald wrote:
> Well, I still have issues. I think it is the same thing hit by these guys:
> https://jira.atlassian.com/browse/BAM-21157
> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
>
> I'll try their fix. My main concern is that I do not want to disable TLSv1.3.

If you don't want to disable TLSv1.3, then you want:

    protocols="TLSv1.2,TLSv1.3"
  />

If BC is failing you, I'd want to find out if you really need BC.

That first link above seems to suggest that when using Tomcat you MUST disable TLSv1.3. That seems odd. What version of BC are you using? Search for .jar files with names like "bouncy".

Do you have the option to downgrade Java?

Have you tried disabling the RSASSA-PSS algorithm as per their instructions? It seems ... far-fetched that would fix the problem, but ... okay.

Note that at some time in the past, Java 1.8 did not support TLSv1.3 and lots of people who were stuck on Java 1.8 decided to switch to BC which did have TLSv1.3 support. With that version of Java 1.8 (_281), you should have native JDK support for TLSv1.3. Perhaps BC is not necessary at all.

-chris
Re: Tomcat SSL stops working after an undetermined amount of time
Ezsra,

On 5/26/21 18:11, Ezsra McDonald wrote:
> Well, I still have issues. I think it is the same thing hit by these guys:
> https://jira.atlassian.com/browse/BAM-21157
> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
>
> I'll try their fix. My main concern is that I do not want to disable TLSv1.3.

If you don't want to disable TLSv1.3, then you want:

    protocols="TLSv1.2,TLSv1.3"
  />

If BC is failing you, I'd want to find out if you really need BC.

That first link above seems to suggest that when using Tomcat you MUST disable TLSv1.3. That seems odd. What version of BC are you using? Search for .jar files with names like "bouncy".

Do you have the option to downgrade Java?

Have you tried disabling the RSASSA-PSS algorithm as per their instructions? It seems ... far-fetched that would fix the problem, but ... okay.

Note that at some time in the past, Java 1.8 did not support TLSv1.3 and lots of people who were stuck on Java 1.8 decided to switch to BC which did have TLSv1.3 support. With that version of Java 1.8 (_281), you should have native JDK support for TLSv1.3. Perhaps BC is not necessary at all.

-chris

> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald wrote:
> > Lots of good information was provided.
> >
> > This afternoon I plan to test the "sslProtocol" to "protocols" change in our lower environments. I will reply back with any findings.
> >
> > Thank you everyone for your responses.
> >
> > regards,
> >
> > -- Ez
> >
> > On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath wrote:
> > > Hi Chris,
> > >
> > > -----Original Message-----
> > > From: Christopher Schultz
> > > Sent: Tuesday, May 25, 2021 9:10 AM
> > > To: users@tomcat.apache.org
> > > Subject: Re: Tomcat SSL stops working after an undetermined amount of time
> > >
> > > Ronald,
> > >
> > > On 5/25/21 09:31, Roskens, Ronald wrote:
> > > > -----Original Message-----
> > > > From: Christopher Schultz
> > > > Sent: Monday, May 24, 2021 1:56 PM
> > > > To: users@tomcat.apache.org
> > > > Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
> > > >
> > > > CAUTION: This email originated from outside of the organization. DO NOT CLICK on links or open attachments unless you recognize the sender and know the content is safe.
> > > >
> > > > Ezsra,
> > > >
> > > > On 5/24/21 10:30, Ezsra McDonald wrote:
> > > > > I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
> > > > >
> > > > > 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> > > > > java.lang.NullPointerException
> > > > >     at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
> > > > >     at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
> > > >
> > > > Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
> > >
> > > This isn't a Tomcat issue but an interoperability issue between BouncyCastle & OpenJDK.
> > >
> > > * https://github.com/bcgit/bc-java/issues/633
> > > * https://bugs.openjdk.java.net/browse/JDK-8216039
> >
> > Oh, great. Looks like a BC upgrade will fix the NPE. But possibly something downstream will still fail...
> >
> > Just to add my 2 cents here:
> >
> > Per the problem posed in the very first email, we see the SSL/TLS issue between Oracle JDK 8 and Tomcat 8.5.
> >
> > Environment:
> > OS: CentOS 7
> > Apache: apache-tomcat-8.5.65
> > Java: jdk1.8.0_281
> >
> > Note that the following link talks about issues between OpenJDK 11 and BC: https://bugs.openjdk.java.net/browse/JDK-8216039
> >
> > This morning's suggestion (about changing from "sslProtocol" to "protocols") from Christopher Schultz sounds promising, in that the interaction between the browser clients and the Tomcat 8.5.x server will be limited only to TLS 1.2. Making this change will preclude other old protocols, like TLS 1.0, TLS 1.1 etc., in communication between the clients and the Tomcat server. We will need tests after making the change to the "protocols" attribute in the HTTPS connector block.
> >
> > In context of the above-mentioned change, we may not need any editing of "java.security" file contents (discussed last evening).
> >
> > Thanks,
> > -Raghu
Re: Tomcat SSL stops working after an undetermined amount of time
Well, I still have issues. I think it is the same thing hit by these guys:

https://jira.atlassian.com/browse/BAM-21157
https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat

I'll try their fix. My main concern is that I do not want to disable TLSv1.3.

Any other suggestions?

--Ez

On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald wrote:
> Lots of good information was provided.
>
> This afternoon I plan to test the "sslProtocol" to "protocols" change in our lower environments. I will reply back with any findings.
>
> Thank you everyone for your responses.
>
> regards,
>
> -- Ez
>
> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath wrote:
>> Hi Chris,
>>
>> -----Original Message-----
>> From: Christopher Schultz
>> Sent: Tuesday, May 25, 2021 9:10 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Ronald,
>>
>> On 5/25/21 09:31, Roskens, Ronald wrote:
>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz
>>>> Sent: Monday, May 24, 2021 1:56 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
>>>>
>>>> Ezsra,
>>>>
>>>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>>>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>>>>
>>>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>>>> java.lang.NullPointerException
>>>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>>>
>>>> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
>>>
>>> This isn't a Tomcat issue but an interoperability issue between BouncyCastle & OpenJDK.
>>>
>>> * https://github.com/bcgit/bc-java/issues/633
>>> * https://bugs.openjdk.java.net/browse/JDK-8216039
>>
>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly something downstream will still fail...
>>
>> Just to add my 2 cents here:
>>
>> Per the problem posed in the very first email, we see the SSL/TLS issue between Oracle JDK 8 and Tomcat 8.5.
>>
>> Environment:
>> OS: CentOS 7
>> Apache: apache-tomcat-8.5.65
>> Java: jdk1.8.0_281
>>
>> Note that the following link talks about issues between OpenJDK 11 and BC: https://bugs.openjdk.java.net/browse/JDK-8216039
>>
>> This morning's suggestion (about changing from "sslProtocol" to "protocols") from Christopher Schultz sounds promising, in that the interaction between the browser clients and the Tomcat 8.5.x server will be limited only to TLS 1.2. Making this change will preclude other old protocols, like TLS 1.0, TLS 1.1 etc., in communication between the clients and the Tomcat server. We will need tests after making the change to the "protocols" attribute in the HTTPS connector block. In the context of the above-mentioned change, we may not need any editing of the "java.security" file contents (discussed last evening).
>>
>> Thanks,
>> -Raghu
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat SSL stops working after an undetermined amount of time
Lots of good information was provided.

This afternoon I plan to test the "sslProtocol" to "protocols" change in our lower environments. I will reply back with any findings.

Thank you everyone for your responses.

regards,

-- Ez

On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath wrote:
> Hi Chris,
>
> -----Original Message-----
> From: Christopher Schultz
> Sent: Tuesday, May 25, 2021 9:10 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>
> Ronald,
>
> On 5/25/21 09:31, Roskens, Ronald wrote:
>>
>>> -----Original Message-----
>>> From: Christopher Schultz
>>> Sent: Monday, May 24, 2021 1:56 PM
>>> To: users@tomcat.apache.org
>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
>>>
>>> Ezsra,
>>>
>>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>>>
>>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>>> java.lang.NullPointerException
>>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>>
>>> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
>>
>> This isn't a Tomcat issue but an interoperability issue between BouncyCastle & OpenJDK.
>>
>> * https://github.com/bcgit/bc-java/issues/633
>> * https://bugs.openjdk.java.net/browse/JDK-8216039
>
> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly something downstream will still fail...
>
> Just to add my 2 cents here:
>
> Per the problem posed in the very first email, we see the SSL/TLS issue between Oracle JDK 8 and Tomcat 8.5.
>
> Environment:
> OS: CentOS 7
> Apache: apache-tomcat-8.5.65
> Java: jdk1.8.0_281
>
> Note that the following link talks about issues between OpenJDK 11 and BC: https://bugs.openjdk.java.net/browse/JDK-8216039
>
> This morning's suggestion (about changing from "sslProtocol" to "protocols") from Christopher Schultz sounds promising, in that the interaction between the browser clients and the Tomcat 8.5.x server will be limited only to TLS 1.2. Making this change will preclude other old protocols, like TLS 1.0, TLS 1.1 etc., in communication between the clients and the Tomcat server. We will need tests after making the change to the "protocols" attribute in the HTTPS connector block. In the context of the above-mentioned change, we may not need any editing of the "java.security" file contents (discussed last evening).
>
> Thanks,
> -Raghu
RE: Tomcat SSL stops working after an undetermined amount of time
Hi Chris,

-----Original Message-----
From: Christopher Schultz
Sent: Tuesday, May 25, 2021 9:10 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ronald,

On 5/25/21 09:31, Roskens, Ronald wrote:
>
>> -----Original Message-----
>> From: Christopher Schultz
>> Sent: Monday, May 24, 2021 1:56 PM
>> To: users@tomcat.apache.org
>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Ezsra,
>>
>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>>
>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>> java.lang.NullPointerException
>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>
>> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
>
> This isn't a Tomcat issue but an interoperability issue between BouncyCastle & OpenJDK.
>
> * https://github.com/bcgit/bc-java/issues/633
> * https://bugs.openjdk.java.net/browse/JDK-8216039

Oh, great. Looks like a BC upgrade will fix the NPE. But possibly something downstream will still fail...

Just to add my 2 cents here:

Per the problem posed in the very first email, we see the SSL/TLS issue between Oracle JDK 8 and Tomcat 8.5.

Environment:
OS: CentOS 7
Apache: apache-tomcat-8.5.65
Java: jdk1.8.0_281

Note that the following link talks about issues between OpenJDK 11 and BC: https://bugs.openjdk.java.net/browse/JDK-8216039

This morning's suggestion (about changing from "sslProtocol" to "protocols") from Christopher Schultz sounds promising, in that the interaction between the browser clients and the Tomcat 8.5.x server will be limited only to TLS 1.2. Making this change will preclude other old protocols, like TLS 1.0, TLS 1.1 etc., in communication between the clients and the Tomcat server. We will need tests after making the change to the "protocols" attribute in the HTTPS connector block. In the context of the above-mentioned change, we may not need any editing of the "java.security" file contents (discussed last evening).

Thanks,
-Raghu
Re: Tomcat SSL stops working after an undetermined amount of time
Ronald,

On 5/25/21 09:31, Roskens, Ronald wrote:
>
>> -----Original Message-----
>> From: Christopher Schultz
>> Sent: Monday, May 24, 2021 1:56 PM
>> To: users@tomcat.apache.org
>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Ezsra,
>>
>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>>
>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>> java.lang.NullPointerException
>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>
>> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
>
> This isn't a Tomcat issue but an interoperability issue between BouncyCastle & OpenJDK.
>
> * https://github.com/bcgit/bc-java/issues/633
> * https://bugs.openjdk.java.net/browse/JDK-8216039

Oh, great. Looks like a BC upgrade will fix the NPE. But possibly something downstream will still fail...

-chris
Re: Tomcat SSL stops working after an undetermined amount of time
Ezsra,

On 5/24/21 11:18, Ezsra McDonald wrote:
> I was unable to identify the issue with debug enabled. I started looking closer at the error I was getting in the various browsers. Apparently the SSL is working. The browsers are blocking it because the server is using something other than TLSv1.2 or better. I was able to prove this using Safari. When I enabled the older TLS options I was able to connect.

This is excellent information to have. Tomcat (or BC) should not be throwing NPE under any circumstances, though.

> The odd thing is that I have the connector configured for TLSv1.2. So, that is where I need to concentrate my efforts now. Why is Tomcat not using the TLSv1.2 protocol? As a refresher, I have the following configured for the connector.

Aha. You are using "sslProtocol" which is, unfortunately, a nearly worthless configuration attribute and *always* causes confusion for anyone who has never had to deal with the JSSE TLS API.

The configuration attribute you really want to use is:

protocols="TLSv1.2"

The default is "all" which means "SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3", so all protocols should be enabled by default.

> An SSLscan of the server port shows the following requests were accepted. Some are TLSv1.2.
>
> sslscan target.host.com:8080|grep Accepted
> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
> Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
> Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLS11 256 bits DHE-RSA-AES256-SHA
> Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA
> Accepted TLS11 128 bits DHE-RSA-AES128-SHA
> Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
> Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
> Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
> Accepted TLS12 256 bits DHE-RSA-AES256-SHA256
> Accepted TLS12 256 bits DHE-RSA-AES256-SHA
> Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
> Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256
> Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
> Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
> Accepted TLS12 128 bits DHE-RSA-AES128-SHA256
> Accepted TLS12 128 bits DHE-RSA-AES128-SHA

Most browsers will ignore some subset of the above. The only "safe" cipher suite listed above is ECDHE-RSA-AES128-GCM-SHA256 and everyone should support *at least* that for the time being.

Hmm.

-chris
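The point Chris makes above (sslProtocol selects the SSLContext but does not restrict what gets negotiated; the protocols attribute does, and its default "all" leaves TLSv1 and TLSv1.1 on) is easy to check mechanically. The following is an added example written for this thread, not code from the Tomcat project or from any poster. It audits SSL-enabled Connector elements in a server.xml, rewrites them with the fix Chris recommends, and flags lines in sslscan output that show a pre-TLSv1.2 handshake being accepted. The server.xml and the sslscan excerpt are constructed samples; the expansion of "all" is taken from Chris's message, and the mapping of sslscan's short labels (TLS11, TLS12) onto JSSE protocol names is my assumption about that tool's output format.

```python
"""Audit a Tomcat JSSE HTTPS connector's protocol settings and an sslscan report.

Added example for this thread; not code from the Tomcat project or any poster.
Assumptions: Tomcat 8.5-style server.xml; protocols="all" expands to the five
names Chris lists; sslscan prints "Accepted <proto> <n> bits <suite>" lines as
shown in the thread. The sample XML and sslscan excerpt are constructed.
"""
import re
import xml.etree.ElementTree as ET

# What protocols="all" (the default) enables on a TLSv1.3-capable JDK, per the thread.
ALL_PROTOCOLS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MODERN = {"TLSv1.2", "TLSv1.3"}
# sslscan's short protocol labels mapped onto JSSE protocol names (assumed mapping).
SSLSCAN_LABELS = {"SSLv2": "SSLv2", "SSLv3": "SSLv3", "TLSv1": "TLSv1",
                  "TLS11": "TLSv1.1", "TLS12": "TLSv1.2", "TLS13": "TLSv1.3"}

# Constructed sample: a connector that relies on sslProtocol, the mistake discussed above.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.2" keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
  <Connector port="8081" protocol="HTTP/1.1"/>
</Service></Server>"""

# Constructed excerpt in the format of the sslscan output posted in the thread.
SAMPLE_SSLSCAN = """Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
"""


def effective_protocols(connector):
    """Protocol versions a JSSE connector will offer, derived from its attributes."""
    value = connector.get("protocols", "all").strip()
    if value.lower() == "all":
        return list(ALL_PROTOCOLS)
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_connectors(server_xml):
    """One finding per SSL-enabled connector: port, effective protocols, issues."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues = []
        if "sslProtocol" in conn.attrib:
            # sslProtocol names the SSLContext; it does not restrict what is negotiated.
            issues.append("sslProtocol=%s does not limit negotiated versions; "
                          "use protocols=" % conn.get("sslProtocol"))
        legacy = [p for p in effective_protocols(conn) if p not in MODERN]
        if legacy:
            issues.append("legacy protocols enabled: " + ",".join(legacy))
        findings.append({"port": conn.get("port"),
                         "effective": effective_protocols(conn), "issues": issues})
    return findings


def harden_server_xml(server_xml, protocols="TLSv1.2"):
    """Apply the fix from the thread to every SSL-enabled connector; return new XML."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            conn.attrib.pop("sslProtocol", None)
            conn.set("protocols", protocols)
    return ET.tostring(root, encoding="unicode")


def legacy_accepts(sslscan_output):
    """(protocol, suite) pairs that sslscan reports as accepted below TLSv1.2."""
    line_re = re.compile(r"^Accepted\s+(\S+)\s+\d+\s+bits\s+(\S+)")
    bad = []
    for line in sslscan_output.splitlines():
        m = line_re.match(line.strip())
        if m:
            proto = SSLSCAN_LABELS.get(m.group(1), m.group(1))
            if proto not in MODERN:
                bad.append((proto, m.group(2)))
    return bad


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
    print(audit_connectors(harden_server_xml(SAMPLE_SERVER_XML)))
    print(legacy_accepts(SAMPLE_SSLSCAN))
```

Run against the sample, the audit reports the port-8080 connector as enabling all five protocol versions despite sslProtocol="TLSv1.2", the hardened copy audits clean, and the sslscan check returns the two TLSv1/TLSv1.1 acceptances. On Tomcat 8.5 the same protocols attribute can equally be set on a nested SSLHostConfig element; the script only looks at attributes placed directly on the Connector.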
Re: Tomcat SSL stops working after an undetermined amount of time
> -----Original Message-----
> From: Christopher Schultz
> Sent: Monday, May 24, 2021 1:56 PM
> To: users@tomcat.apache.org
> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
>
> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>
>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>> java.lang.NullPointerException
>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.

This isn't a Tomcat issue but an interoperability issue between BouncyCastle & OpenJDK.

* https://github.com/bcgit/bc-java/issues/633
* https://bugs.openjdk.java.net/browse/JDK-8216039

Ron
RE: Tomcat SSL stops working after an undetermined amount of time
Hi Ezsra,

This is an answer to your query: "Why is Tomcat not using the TLSv1.2 protocol?"

I assume you are using Oracle JDK v8u281.

You may want to review the following line in the file /jre/lib/security/java.security:

jdk.tls.disabledAlgorithms=??

The following old SSL versions are listed here. Examples: SSLv3, TLSv1, TLSv1.1 etc.

This, in my opinion, will ensure Tomcat will honor the TLS 1.2 protocol (by eliminating others).

Also, are you observing that the Safari browser is giving a good response, while Chrome is causing the SSL issue?

Hope this helps,
-Raghu

-----Original Message-----
From: Ed Rouse
Sent: Monday, May 24, 2021 2:26 PM
To: Tomcat Users List
Subject: RE: Tomcat SSL stops working after an undetermined amount of time

This works for me. In server.xml:

From: Ezsra McDonald
Sent: Monday, May 24, 2021 4:10 PM
To: Tomcat Users List
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Chris,

Thanks for your response. These Tomcat servers are something I inherited. I do not know what this bouncycastle.crypto is. If it is making my setup complicated how do I get around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol? What would you recommend I use instead? My end goal is to just enable TLS/SSL on the connectors.

--Ez

On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>
>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>> java.lang.NullPointerException
>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
>
> There will be a presentation at this year's ApacheCon @Home 2021 about configuring Tomcat for FIPS and it will include how to configure Tomcat with BC (including FIPS). Obviously, you don't want to wait around until the conference to get things working, but perhaps the presenter is lurking on the list ... ?
>
> I don't have an email address for the presenter, so I can't give you a reference. :/
>
> -chris
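Raghu's suggestion above is a JVM-wide control rather than a connector one: whatever jdk.tls.disabledAlgorithms lists in java.security is removed from every SSLContext the JDK creates, so it is worth checking that file before deciding whether the connector change alone is enough. The following is an added example written for this thread, not code from any poster or from the JDK. It parses a java.security excerpt in the JDK's properties syntax (JDK 8 wraps the long disabledAlgorithms value across lines with a trailing backslash), reports which of SSLv3, TLSv1 and TLSv1.1 are still enabled, and produces the hardened line. The excerpt is constructed and deliberately leaves TLSv1 and TLSv1.1 enabled; the legacy-version list is taken from Raghu's examples.

```python
"""Check the JVM-wide jdk.tls.disabledAlgorithms setting that Raghu points at.

Added example for this thread, not code from any poster or from the JDK.
Assumptions: standard Java properties syntax with backslash continuation; the
excerpt below is constructed and leaves TLSv1 and TLSv1.1 enabled on purpose.
"""

# The old protocol versions Raghu lists as candidates for disabling.
LEGACY_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1"]

SAMPLE_JAVA_SECURITY = """\
# constructed excerpt in the layout of <JAVA_HOME>/jre/lib/security/java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224
"""


def parse_java_security(text):
    """Parse key=value lines, joining backslash-continued lines like the JDK does."""
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None:
            if not line or line[0] in "#!":
                continue          # blank or comment line
            pending = line
        else:
            pending += line       # continuation of the previous logical line
        if pending.endswith("\\"):
            pending = pending[:-1]
            continue
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
        pending = None
    return props


def disabled_entries(props):
    """Individual entries of jdk.tls.disabledAlgorithms, e.g. 'TLSv1' or 'DH keySize < 1024'."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return [e.strip() for e in value.split(",") if e.strip()]


def legacy_still_enabled(props):
    """Legacy versions the JVM will still negotiate unless the connector excludes them."""
    entries = set(disabled_entries(props))
    return [p for p in LEGACY_PROTOCOLS if p not in entries]


def hardened_line(props):
    """The jdk.tls.disabledAlgorithms line with every legacy version listed first."""
    kept = [e for e in disabled_entries(props) if e not in LEGACY_PROTOCOLS]
    return "jdk.tls.disabledAlgorithms=" + ", ".join(LEGACY_PROTOCOLS + kept)


if __name__ == "__main__":
    props = parse_java_security(SAMPLE_JAVA_SECURITY)
    print("still enabled:", legacy_still_enabled(props))
    print(hardened_line(props))
```

The parser keeps the other entries (key-size limits, RC4, anon, NULL) intact; dropping any of them while editing the file by hand is the usual way this setting gets weakened. A change here needs a JVM restart, as Raghu notes elsewhere in the thread, and it applies to every TLS connection the JVM makes, outbound ones included.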
RE: Tomcat SSL stops working after an undetermined amount of time
This works for me. In server.xml:

From: Ezsra McDonald
Sent: Monday, May 24, 2021 4:10 PM
To: Tomcat Users List
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Chris,

Thanks for your response. These Tomcat servers are something I inherited. I do not know what this bouncycastle.crypto is. If it is making my setup complicated how do I get around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol? What would you recommend I use instead? My end goal is to just enable TLS/SSL on the connectors.

--Ez

On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>
>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>> java.lang.NullPointerException
>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
>
> There will be a presentation at this year's ApacheCon @Home 2021 about configuring Tomcat for FIPS and it will include how to configure Tomcat with BC (including FIPS). Obviously, you don't want to wait around until the conference to get things working, but perhaps the presenter is lurking on the list ... ?
>
> I don't have an email address for the presenter, so I can't give you a reference. :/
>
> -chris
Re: Tomcat SSL stops working after an undetermined amount of time
Chris,

Thanks for your response. These Tomcat servers are something I inherited. I do not know what this bouncycastle.crypto is. If it is making my setup complicated how do I get around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol? What would you recommend I use instead? My end goal is to just enable TLS/SSL on the connectors.

--Ez

On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
>> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>>
>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>> java.lang.NullPointerException
>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.
>
> There will be a presentation at this year's ApacheCon @Home 2021 about configuring Tomcat for FIPS and it will include how to configure Tomcat with BC (including FIPS). Obviously, you don't want to wait around until the conference to get things working, but perhaps the presenter is lurking on the list ... ?
>
> I don't have an email address for the presenter, so I can't give you a reference. :/
>
> -chris
Re: Tomcat SSL stops working after an undetermined amount of time
Ezsra,

On 5/24/21 10:30, Ezsra McDonald wrote:
> I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem. Here it is:
>
> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.NullPointerException
> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)

Oh. You are using BouncyCastle. I've never tried to do that. I'm not sure how well BC will work with Tomcat. We don't officially support that configuration, but that doesn't mean we won't try to help.

There will be a presentation at this year's ApacheCon @Home 2021 about configuring Tomcat for FIPS and it will include how to configure Tomcat with BC (including FIPS). Obviously, you don't want to wait around until the conference to get things working, but perhaps the presenter is lurking on the list ... ?

I don't have an email address for the presenter, so I can't give you a reference. :/

-chris
Re: Tomcat SSL stops working after an undetermined amount of time
I was unable to identify the issue with debug enabled. I started looking closer at the error I was getting in the various browsers. Apparently the SSL is working. The browsers are blocking it because the server is using something other than TLSv1.2 or better. I was able to prove this using Safari. When I enabled the older TLS options I was able to connect.

The odd thing is that I have the connector configured for TLSv1.2. So, that is where I need to concentrate my efforts now. Why is Tomcat not using the TLSv1.2 protocol?

As a refresher, I have the following configured for the connector.

An sslscan of the server port shows the following requests were accepted. Some are TLSv1.2.

sslscan target.host.com:8080 | grep Accepted
Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA

--Ez

On Mon, May 24, 2021 at 9:30 AM Ezsra McDonald wrote:
> I am enabling SSL debugging this morning. I did catch this in the log for
> an instance that started erroring out this morning. Seems like it may be
> too generic to help solve my problem.
>
> Here it is:
>
> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.NullPointerException
>     at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>     at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>     at java.security.Signature$Delegate.engineSign(Signature.java:1382)
>     at java.security.Signature.sign(Signature.java:698)
>     at sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.<init>(CertificateVerify.java:931)
>     at sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.onProduceCertificateVerify(CertificateVerify.java:1105)
>     at sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.produce(CertificateVerify.java:1098)
>     at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:420)
>     at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1096)
>     at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1032)
>     at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
>     at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:683)
>     at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
>     at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
>     at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:432)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:496)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:237)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1611)
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
>
> I will let you know what I find in the debug. It may be a while because
> the instance works fine initially.
>
> -- Ez
>
> On Thu, May 20, 2021 at 10:55 AM wrote:
> > It's "ssl,handshake."
> >
> > > -Original Message-
> > > From: Ezsra McDonald
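The sslscan output above is what a practitioner should expect from that connector, and the reason is a Tomcat configuration detail rather than a JSSE fault: sslProtocol only chooses which SSLContext Tomcat creates ("TLSv1.2" here), while the versions actually offered on each connection come from sslEnabledProtocols, whose default is "all", i.e. every TLS version the JVM implements. To offer only TLS 1.2 the connector needs sslEnabledProtocols="TLSv1.2" (or protocols="TLSv1.2" on an SSLHostConfig element). The program below is an added example, not code from the thread or from Tomcat. Part 1 prints what a "TLSv1.2" context supports and enables on the JVM you run it with and shows the effect of restricting the engine the way sslEnabledProtocols does; on a JDK that implements TLS 1.3 the supported list includes TLSv1.3 even for a context named TLSv1.2, which is consistent with a TLS 1.3 CertificateVerify showing up in the stack trace quoted above. Part 2 is an sslscan-style probe that pins one protocol version per handshake against a host and port you pass on the command line; nothing in it is specific to target.host.com, and the trust-all manager it uses exists only so that version negotiation, not certificate trust, decides the result.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not code from the thread or from Tomcat.
 *
 * Part 1: what a "TLSv1.2" SSLContext (what Tomcat builds from sslProtocol="TLSv1.2")
 *         supports and enables by default on this JVM, and the effect of restricting
 *         the engine the way sslEnabledProtocols="TLSv1.2" does.
 * Part 2: an sslscan-style probe, one handshake per protocol version, against host:port.
 *
 * Usage: java ProtocolCheck             (part 1 only)
 *        java ProtocolCheck host port   (part 1, then probe the server)
 */
public class ProtocolCheck {

    // Versions to try; a JVM that does not implement one rejects the name, which is reported.
    static final String[] VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key/trust managers are fine for inspection

        // "Supported" is every version the provider implements. Tomcat's default
        // sslEnabledProtocols="all" enables all of these TLS versions, not only TLSv1.2.
        System.out.println("supported:      " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);
        System.out.println("server default: " + Arrays.toString(server.getEnabledProtocols()));

        // sslEnabledProtocols="TLSv1.2" restricts the engine; the context stays the same.
        server.setEnabledProtocols(new String[] {"TLSv1.2"});
        System.out.println("restricted:     " + Arrays.toString(server.getEnabledProtocols()));

        if (args.length == 2) {
            probe(args[0], Integer.parseInt(args[1]));
        }
    }

    /** One handshake per protocol version; prints ACCEPTED or the reason the server refused. */
    static void probe(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Probe only: accept any certificate so that version negotiation, not trust,
        // decides the outcome. Never use a trust-all manager in a real client.
        ctx.init(null, new TrustManager[] {new TrustAll()}, null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        for (String version : VERSIONS) {
            String result;
            try (Socket plain = new Socket()) {
                plain.connect(new InetSocketAddress(host, port), 5000);
                try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                    tls.setEnabledProtocols(new String[] {version}); // pin exactly one version
                    tls.setSoTimeout(5000);
                    tls.startHandshake();
                    result = "ACCEPTED " + tls.getSession().getProtocol()
                           + " " + tls.getSession().getCipherSuite();
                }
            } catch (IllegalArgumentException e) {
                result = "not implemented by this JVM";
            } catch (SSLHandshakeException e) {
                result = "rejected: " + e.getMessage();
            } catch (IOException e) {
                result = "error: " + e.getMessage();
            }
            System.out.printf("%-8s %s%n", version, result);
        }
    }

    /** Trust manager that accepts every chain. For this probe only. */
    static final class TrustAll implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }
}
```

Run part 1 with the same JVM Tomcat uses, since the supported and default lists depend on the JDK update level and on jdk.tls.disabledAlgorithms in its java.security. Run the probe against the connector before and after adding sslEnabledProtocols: before, TLSv1 and TLSv1.1 report ACCEPTED just as sslscan showed; after, they should report a protocol_version rejection while TLSv1.2 still succeeds.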
Re: Tomcat SSL stops working after an undetermined amount of time
I am enabling SSL debugging this morning. I did catch this in the log for an instance that started erroring out this morning. Seems like it may be too generic to help solve my problem.

Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.NullPointerException
    at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
    at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
    at java.security.Signature$Delegate.engineSign(Signature.java:1382)
    at java.security.Signature.sign(Signature.java:698)
    at sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.<init>(CertificateVerify.java:931)
    at sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.onProduceCertificateVerify(CertificateVerify.java:1105)
    at sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.produce(CertificateVerify.java:1098)
    at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:420)
    at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1096)
    at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1032)
    at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
    at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:683)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
    at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:432)
    at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:496)
    at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:237)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1611)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

I will let you know what I find in the debug. It may be a while because the instance works fine initially.

-- Ez

On Thu, May 20, 2021 at 10:55 AM wrote:
> It's "ssl,handshake."
>
> > -Original Message-
> > From: Ezsra McDonald
> > Sent: Thursday, May 20, 2021 10:43 AM
> > To: Tomcat Users List
> > Subject: Re: Tomcat SSL stops working after an undetermined amount of time
> >
> > Mark,
> >
> > Thanks for your response.
> >
> > I did not see anything in the logs. This morning I added
> > '-Djava.net.debug=handshake' to my configuration. I did not see any SSL
> > debug information in my logs. Perhaps I did this wrong or need to use a
> > different argument?
> >
> > I expected the debug to be in the access log. Should I be looking elsewhere?
> > I also checked other logs that had timestamps for after the instance was
> > restarted.
> >
> > -- Ez
> >
> > On Thu, May 20, 2021 at 3:05 AM Mark Thomas wrote:
> > > On 19/05/2021 20:42, Ezsra McDonald wrote:
> > > > Environment:
> > > > OS: CentOS 7
> > > > Apache: apache-tomcat-8.5.65
> > > > Java: jdk1.8.0_281
> > > >
> > > > Greetings,
> > > >
> > > > I recently enabled SSL on my Tomcat server HTTP connectors.
> > > > Something odd is happening. After some undetermined amount of time
> > > > the connector stops responding appropriately to requests. My browser
> > > > returns the following message:
> > > >
> > > > "An error occurred during a connection to target.host.com:8080. SSL
> > > > received a malformed Alert record.
> > > >
> > > > Error code: SSL_ERROR_RX_MALFORMED_ALERT"
> > > >
> > > > I do not see anything in the logs to clue me in on what is happening.
> > > >
> > > > I have the following configured for the connector.
> > > >
> > > > <Connector port="${http.port}"
> > > >            protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > >            maxThreads="50" enableLookups="false" acceptCount="100"
> > > >            serv
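The trace above bottoms out in BouncyCastle's PSSSigner while JSSE is producing the TLS 1.3 CertificateVerify message: the JDK asked the JCA for an RSASSA-PSS Signature and the first registered provider that implements it was BouncyCastle's JDKPSSSigner rather than the JDK's own implementation. Which provider wins is decided purely by the position in the JVM-wide provider list, and that list is shared by Tomcat's connector and every webapp running in the JVM, so a provider registered by one application changes what the connector's handshakes use. The program below is an added example, not code from the thread or from Tomcat. It prints the provider list in preference order, where each provider's classes were loaded from, and which provider Signature.getInstance resolves to for the algorithms JSSE needs, so you can see whether a jar inside a webapp has taken over RSASSA-PSS. The optional --insert-bc-first flag reproduces a webapp calling Security.insertProviderAt(new BouncyCastleProvider(), 1); that call is my assumption about how such applications register BC, not something the thread shows, and it needs a BC jar on the classpath. Whether SunRsaSign or BC answers for RSASSA-PSS on a given JDK 8 update is exactly what the tool reports rather than something to assume.

```java
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/**
 * Added example, not code from the thread or from Tomcat.
 *
 * Prints the JVM-wide JCA provider list in preference order, where each
 * provider's classes came from, and which provider answers for the signature
 * algorithms JSSE needs for TLS 1.3 (RSASSA-PSS) and TLS 1.2 handshakes.
 *
 * Usage: java ProviderAudit
 *        java -cp .:bcprov.jar ProviderAudit --insert-bc-first
 *        (second form: assumed webapp behaviour, needs a BouncyCastle jar)
 */
public class ProviderAudit {

    // Standard BC provider class, same package as the JDKPSSSigner in the stack trace.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && "--insert-bc-first".equals(args[0])) {
            // Assumption: the webapp registers BC at the head of the list. The list is
            // JVM-wide, so Tomcat's own connector handshakes are affected as well.
            Provider bc = (Provider) Class.forName(BC_CLASS).getDeclaredConstructor().newInstance();
            Security.insertProviderAt(bc, 1);
        }
        report();
    }

    static void report() {
        System.out.println("provider preference order:");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("  %2d. %-14s %s%n", i + 1, providers[i].getName(), location(providers[i]));
        }
        System.out.println();
        for (String alg : new String[] {"RSASSA-PSS", "SHA256withRSA", "SHA256withECDSA"}) {
            System.out.printf("%-16s -> %s%n", alg, owner(alg));
        }
    }

    /** Provider that Signature.getInstance(alg) resolves to: the first in order that implements alg. */
    static String owner(String alg) {
        try {
            Provider p = Signature.getInstance(alg).getProvider();
            return p.getName() + " (" + location(p) + ")";
        } catch (NoSuchAlgorithmException e) {
            return "no installed provider implements it";
        }
    }

    /** Jar or directory the provider class was loaded from; "JDK" for bootstrap-loaded providers. */
    static String location(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "JDK" : cs.getLocation().toString();
    }
}
```

Run it with the JVM Tomcat uses and, to see the runtime effect, with the application's library directory on the classpath. A provider whose location points into a webapp's WEB-INF/lib was registered by that application at runtime; a location of JDK is a built-in provider. If RSASSA-PSS resolves to BC, the connector's TLS 1.3 CertificateVerify will be signed by BC's code path, which is what the trace shows.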
RE: Tomcat SSL stops working after an undetermined amount of time
It's "ssl,handshake."

> -Original Message-
> From: Ezsra McDonald
> Sent: Thursday, May 20, 2021 10:43 AM
> To: Tomcat Users List
> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>
> Mark,
>
> Thanks for your response.
>
> I did not see anything in the logs. This morning I added
> '-Djava.net.debug=handshake' to my configuration. I did not see any SSL
> debug information in my logs. Perhaps I did this wrong or need to use a
> different argument?
>
> I expected the debug to be in the access log. Should I be looking elsewhere?
> I also checked other logs that had timestamps for after the instance was
> restarted.
>
> -- Ez
>
> On Thu, May 20, 2021 at 3:05 AM Mark Thomas wrote:
> > On 19/05/2021 20:42, Ezsra McDonald wrote:
> > > Environment:
> > > OS: CentOS 7
> > > Apache: apache-tomcat-8.5.65
> > > Java: jdk1.8.0_281
> > >
> > > Greetings,
> > >
> > > I recently enabled SSL on my Tomcat server HTTP connectors.
> > > Something odd is happening. After some undetermined amount of time
> > > the connector stops responding appropriately to requests. My browser
> > > returns the following message:
> > >
> > > "An error occurred during a connection to target.host.com:8080. SSL
> > > received a malformed Alert record.
> > >
> > > Error code: SSL_ERROR_RX_MALFORMED_ALERT"
> > >
> > > I do not see anything in the logs to clue me in on what is happening.
> > >
> > > I have the following configured for the connector.
> > >
> > > <Connector port="${http.port}"
> > >            protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >            maxThreads="50" enableLookups="false" acceptCount="100"
> > >            server="Apache"
> > >            SSLEnabled="true" scheme="https" secure="true"
> > >            clientAuth="false" sslProtocol="TLSv1.2"
> > >            keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
> > >            keyAlias="tomcat"
> > >            keystorePass="**"
> > >            connectionTimeout="2"/>
> > >
> > > When I restart the instance everything works fine for a while. Later, when
> > > I try to look at the tomcat manager, SSL is no longer functioning properly.
> > >
> > > Any assistance would be appreciated.
> >
> > Anything in the access logs?
> >
> > Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot
> > of data but you'll be able to see exactly what is happening.
> >
> > Mark
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat SSL stops working after an undetermined amount of time
On 20/05/2021 16:42, Ezsra McDonald wrote:
> Mark,
>
> Thanks for your response.
>
> I did not see anything in the logs. This morning I added
> '-Djava.net.debug=handshake' to my configuration. I did not see any SSL
> debug information in my logs. Perhaps I did this wrong or need to use a
> different argument?

Try:

-Djavax.net.debug=handshake

Mark

> I expected the debug to be in the access log. Should I be looking elsewhere?
> I also checked other logs that had timestamps for after the instance was
> restarted.
>
> -- Ez
>
> On Thu, May 20, 2021 at 3:05 AM Mark Thomas wrote:
> > On 19/05/2021 20:42, Ezsra McDonald wrote:
> > > Environment:
> > > OS: CentOS 7
> > > Apache: apache-tomcat-8.5.65
> > > Java: jdk1.8.0_281
> > >
> > > Greetings,
> > >
> > > I recently enabled SSL on my Tomcat server HTTP connectors.
> > > Something odd is happening. After some undetermined amount of time
> > > the connector stops responding appropriately to requests. My browser
> > > returns the following message:
> > >
> > > "An error occurred during a connection to target.host.com:8080. SSL
> > > received a malformed Alert record.
> > >
> > > Error code: SSL_ERROR_RX_MALFORMED_ALERT"
> > >
> > > I do not see anything in the logs to clue me in on what is happening.
> > >
> > > I have the following configured for the connector.
> > >
> > > When I restart the instance everything works fine for a while. Later, when
> > > I try to look at the tomcat manager, SSL is no longer functioning properly.
> > >
> > > Any assistance would be appreciated.
> >
> > Anything in the access logs?
> >
> > Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot
> > of data but you'll be able to see exactly what is happening.
> >
> > Mark
Re: Tomcat SSL stops working after an undetermined amount of time
Mark,

Thanks for your response.

I did not see anything in the logs. This morning I added
'-Djava.net.debug=handshake' to my configuration. I did not see any SSL
debug information in my logs. Perhaps I did this wrong or need to use a
different argument?

I expected the debug to be in the access log. Should I be looking elsewhere?
I also checked other logs that had timestamps for after the instance was
restarted.

-- Ez

On Thu, May 20, 2021 at 3:05 AM Mark Thomas wrote:
> On 19/05/2021 20:42, Ezsra McDonald wrote:
> > Environment:
> > OS: CentOS 7
> > Apache: apache-tomcat-8.5.65
> > Java: jdk1.8.0_281
> >
> > Greetings,
> >
> > I recently enabled SSL on my Tomcat server HTTP connectors. Something odd
> > is happening. After some undetermined amount of time the connector stops
> > responding appropriately to requests. My browser returns the following
> > message:
> >
> > "An error occurred during a connection to target.host.com:8080. SSL
> > received a malformed Alert record.
> >
> > Error code: SSL_ERROR_RX_MALFORMED_ALERT"
> >
> > I do not see anything in the logs to clue me in on what is happening.
> >
> > I have the following configured for the connector.
> >
> > <Connector port="${http.port}"
> >            protocol="org.apache.coyote.http11.Http11NioProtocol"
> >            maxThreads="50" enableLookups="false" acceptCount="100"
> >            server="Apache"
> >            SSLEnabled="true" scheme="https" secure="true"
> >            clientAuth="false" sslProtocol="TLSv1.2"
> >            keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
> >            keyAlias="tomcat"
> >            keystorePass="**"
> >            connectionTimeout="2"/>
> >
> > When I restart the instance everything works fine for a while. Later, when
> > I try to look at the tomcat manager, SSL is no longer functioning properly.
> >
> > Any assistance would be appreciated.
>
> Anything in the access logs?
>
> Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot of
> data but you'll be able to see exactly what is happening.
>
> Mark
Re: Tomcat SSL stops working after an undetermined amount of time
On 19/05/2021 20:42, Ezsra McDonald wrote:
> Environment:
> OS: CentOS 7
> Apache: apache-tomcat-8.5.65
> Java: jdk1.8.0_281
>
> Greetings,
>
> I recently enabled SSL on my Tomcat server HTTP connectors. Something odd
> is happening. After some undetermined amount of time the connector stops
> responding appropriately to requests. My browser returns the following
> message:
>
> "An error occurred during a connection to target.host.com:8080. SSL
> received a malformed Alert record.
>
> Error code: SSL_ERROR_RX_MALFORMED_ALERT"
>
> I do not see anything in the logs to clue me in on what is happening.
>
> I have the following configured for the connector.
>
> When I restart the instance everything works fine for a while. Later, when
> I try to look at the tomcat manager, SSL is no longer functioning properly.
>
> Any assistance would be appreciated.

Anything in the access logs?

Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot of
data but you'll be able to see exactly what is happening.

Mark
RE: tomcat ssl not working
The server.xml file needs to be configured with the keystore path and file name.

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           keystoreFile="D:\\Documents and Settings\\kz616d\\My Documents\\temp\\Jill\\w2jzdr9y01.amer.corp.eds.com.keystore"
           keystorePass="dorkdork"
           clientAuth="false" protocol="TLS" />
</Connector>

-Original Message-
From: AJ Jonen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 01, 2006 3:12 PM
To: Tomcat Users List
Subject: tomcat ssl not working

My tomcat server is not responding when I type in https://localhost:8443. Oddly enough, it does work when I type in http://localhost:8443.

I'm having a bit of an issue getting Tomcat to work on the secure port 8443. What happens is I type https://localhost:8443 and the page never loads. I get no errors (page cannot be found, page cannot be displayed, etc.). My browser simply looks like it's loading the page; it eventually says that it's done, but my browser home page is still displayed.

- The unsecure port (port 8090 in my case, because port 8080 was already in use) works fine.
- I generated my keystore file, presumably correctly (I was prompted to enter my name, organization, location, etc.), and it is in the correct location (C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf).
- Kathy O. looked at my server.xml page and says that everything looks correct. Everything looks right to me too.
- I am using Tomcat 5.5 and I am using the correct java version (1.5, not 1.4).

Any ideas on what might be preventing the page from loading correctly on the secure port?

Rebecca

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat ssl not working
You can have a look here and see if you find any useful tips - this explains how I got SSL to work on Tomcat:

http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Cheers
Jack...

On 01/06/06, Mike Sabroff [EMAIL PROTECTED] wrote:
> I am running 5.5.9 and have no problems with it (except that it is expired)
> but it still works if I accept it.
>
> Mike
>
> AJ Jonen wrote:
> > My tomcat server is not responding when I type in https://localhost:8443.
> > Oddly enough, it does work when I type in http://localhost:8443.
> >
> > I'm having a bit of an issue getting Tomcat to work on the secure port
> > 8443. What happens is I type https://localhost:8443 and the page never
> > loads. I get no errors (page cannot be found, page cannot be displayed,
> > etc.). My browser simply looks like it's loading the page; it eventually
> > says that it's done, but my browser home page is still displayed.
> >
> > - The unsecure port (port 8090 in my case, because port 8080 was already
> >   in use) works fine.
> > - I generated my keystore file, presumably correctly (I was prompted to
> >   enter my name, organization, location, etc.), and it is in the correct
> >   location (C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf).
> > - Kathy O. looked at my server.xml page and says that everything looks
> >   correct. Everything looks right to me too.
> > - I am using Tomcat 5.5 and I am using the correct java version (1.5,
> >   not 1.4).
> >
> > Any ideas on what might be preventing the page from loading correctly on
> > the secure port?
> >
> > Rebecca
>
> --
> Mike Sabroff
> Web Services Developer
> [EMAIL PROTECTED]
> 920-568-8379

--
Cheers
Jack...

The claim natural is not synonymous with safe.