Re: Trouble with TLS/SSL and Tomcat 8.5.23
On 23 November 2017 at 17:20, Christopher Schultzwrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Richard, > > On 11/23/17 8:28 AM, Richard Tearle wrote: >> Yes I read through that thread, but we don't really like Java key >> stores, and I don't think the work around would work for us. > > Java keystores are ... awful. > >> Instead, I did what perhaps I should have done a while ago (on >> version 8.0.x), and built Tomcat Native libraries, deployed, and >> changed the certificate references in the connector to use our .PEM >> files (which the PKCS12 files are built from), and fingers crossed, >> its looking OK at the moment. > > So are you using the APR connector, then? > > You do have some other options: > > 1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of > keystores. > > 2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for > everything, simply because they are so easy to work with. > > 3. JSSE+OpenSSL with PEM-encoded DER files. > > Option #3 will get you the performance of OpenSSL's crypto but without > using the APR connector (which isn't quite as efficient as the > pure-Java NIO connector). Java's crypto seems to be hobbled for some > reason... some kind of mistake in the native-optimization that ends up > falling-back to pure-Java crypto which ... simply isn't fast enough > for real-world workloads). > > I think the APR connector is likely to disappear with the next major > release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination > is becoming more mature and offers better performance and scalability. > > - -chris > -BEGIN PGP SIGNATURE- > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloXA2AACgkQHPApP6U8 > pFilzA/9E5R4NjcoB1yE6oQ2sXb7TURJg/WDJls00Y7RjwSN1UmkiiAdwktcuH0T > hL6+2M71yrJ+rnCLbyQGEmPdJdFSAv4rTy+eoHJqDTf9jakUYvLC+XvIdWgz/p6i > tWhIRZAS/sr4JmwFgrIY4I4iKcmJ/pGjrQHLu59H0gEYFdOCoA+WpsNgmIiFLUr6 > IWochlde/ahxP6vNOZJLYxBb8kQ8JUBWXHN+2jGiD5GU7jav3DmwlFKeaoelbclk > DUUbzc+no83pSIcwzsNsIcPjxdh9fSIzP3nAdNDlIJtGF3SDwwu6HyP0cEb+r+rg > l9LjDwUrcIFB7pAas38bUpf8DjSysRLk5Jh013BhxUJIcB5hZflrUqeq6Nb+JonC > EepZoUNSWFiblB36ofNmyJUXaRshBqVfD/x1teJXpoLVJ/HUY8A84T3DlLIzHMAS > lMfJ4CaCYyDqeA5KL9PZMyEpiPivn4aqeMeVEkrz/DHamLvWhJ649mfRb9BNOBE0 > 3uJvLHOYanORuVWAyQc6nmpSFuda3lgUCZVN9/jhRNW6AszBjLi/9xb7vP/EE41I > jXZYnJgra1tdL2wq85cqR3NRIf2HrZrvaVsQOikn+MqHR19Pwm5T3xrlIN9hT4EP > t9LeqizK0vK0cz0/tDBVmqXjASyP5ArJ0dz6uJqijJtGjUWe+gM= > =bf9o > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > Hi I think Option #1 was what I was trying to achieve originally. I'll take a look at option #3 tomorrow. Thanks for the heads up Richard. -- This email is sent on behalf of Northgate Public Services (UK) Limited and its associated companies including Rave Technologies (India) Pvt Limited (together "Northgate Public Services") and is strictly confidential and intended solely for the addressee(s). If you are not the intended recipient of this email you must: (i) not disclose, copy or distribute its contents to any other person nor use its contents in any way or you may be acting unlawfully; (ii) contact Northgate Public Services immediately on +44(0)1442 768445 quoting the name of the sender and the addressee then delete it from your system. Northgate Public Services has taken reasonable precautions to ensure that no viruses are contained in this email, but does not accept any responsibility once this email has been transmitted. You should scan attachments (if any) for viruses. Northgate Public Services (UK) Limited, registered in England and Wales under number 00968498 with a registered address of Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 4NW. Rave Technologies (India) Pvt Limited, registered in India under number 117068 with a registered address of 2nd Floor, Ballard House, Adi Marzban Marg, Ballard Estate, Mumbai, Maharashtra, India, 41. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble with TLS/SSL and Tomcat 8.5.23
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Richard, On 11/23/17 8:28 AM, Richard Tearle wrote: > Yes I read through that thread, but we don't really like Java key > stores, and I don't think the work around would work for us. Java keystores are ... awful. > Instead, I did what perhaps I should have done a while ago (on > version 8.0.x), and built Tomcat Native libraries, deployed, and > changed the certificate references in the connector to use our .PEM > files (which the PKCS12 files are built from), and fingers crossed, > its looking OK at the moment. So are you using the APR connector, then? You do have some other options: 1. JSSE with a PKCS12 keystore. OpenSSL can work with those types of keystores. 2. JSSE with PEM-encoded DER files. I prefer PEM-encoded DER files for everything, simply because they are so easy to work with. 3. JSSE+OpenSSL with PEM-encoded DER files. Option #3 will get you the performance of OpenSSL's crypto but without using the APR connector (which isn't quite as efficient as the pure-Java NIO connector). Java's crypto seems to be hobbled for some reason... some kind of mistake in the native-optimization that ends up falling-back to pure-Java crypto which ... simply isn't fast enough for real-world workloads). I think the APR connector is likely to disappear with the next major release of Tomcat (10.x I would guess) as the NIO+OpenSSL combination is becoming more mature and offers better performance and scalability. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloXA2AACgkQHPApP6U8 pFilzA/9E5R4NjcoB1yE6oQ2sXb7TURJg/WDJls00Y7RjwSN1UmkiiAdwktcuH0T hL6+2M71yrJ+rnCLbyQGEmPdJdFSAv4rTy+eoHJqDTf9jakUYvLC+XvIdWgz/p6i tWhIRZAS/sr4JmwFgrIY4I4iKcmJ/pGjrQHLu59H0gEYFdOCoA+WpsNgmIiFLUr6 IWochlde/ahxP6vNOZJLYxBb8kQ8JUBWXHN+2jGiD5GU7jav3DmwlFKeaoelbclk DUUbzc+no83pSIcwzsNsIcPjxdh9fSIzP3nAdNDlIJtGF3SDwwu6HyP0cEb+r+rg l9LjDwUrcIFB7pAas38bUpf8DjSysRLk5Jh013BhxUJIcB5hZflrUqeq6Nb+JonC EepZoUNSWFiblB36ofNmyJUXaRshBqVfD/x1teJXpoLVJ/HUY8A84T3DlLIzHMAS lMfJ4CaCYyDqeA5KL9PZMyEpiPivn4aqeMeVEkrz/DHamLvWhJ649mfRb9BNOBE0 3uJvLHOYanORuVWAyQc6nmpSFuda3lgUCZVN9/jhRNW6AszBjLi/9xb7vP/EE41I jXZYnJgra1tdL2wq85cqR3NRIf2HrZrvaVsQOikn+MqHR19Pwm5T3xrlIN9hT4EP t9LeqizK0vK0cz0/tDBVmqXjASyP5ArJ0dz6uJqijJtGjUWe+gM= =bf9o -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble with TLS/SSL and Tomcat 8.5.23
On 23 November 2017 at 05:33, Christopher Schultzwrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Richard, > > On 11/22/17 8:40 AM, Richard Tearle wrote: >> Hello >> >> Apache Tomcat 8.5.23 Centos 7.4 (3.10.0-514.16.1.el7.x86_64) Java >> 1.8.0_152 (with jce) Running in Docker Container >> >> I'm upgrading our applications from Apache Tomcat 8.0.47 to >> 8.5.23, but when trying to get TLS/SSL working on a connector I get >> the following error: >> >> 22-Nov-2017 11:52:46.098 SEVERE [main] >> org.apache.coyote.AbstractProtocol.init Failed to initialize end >> point associated with ProtocolHandler ["https-jsse-nio2-18443"] >> java.lang.IllegalArgumentException: >> java.security.InvalidAlgorithmParameterException: the trustAnchors >> parameter must be non-empty at >> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr > actJsseEndpoint.java:115) >> >> > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJs > seEndpoint.java:86) >> at >> org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163) >> >> > at > org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:9 > 82) >> at >> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpo > int.java:245) >> >> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620) >> at >> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Pro > tocol.java:66) >> >> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:9 > 97) >> at >> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> >> > at > org.apache.catalina.core.StandardService.initInternal(StandardService.ja > va:549) >> at >> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> >> > at > org.apache.catalina.core.StandardServer.initInternal(StandardServer.java > :875) >> at >> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> >> > at org.apache.catalina.startup.Catalina.load(Catalina.java:621) >> at org.apache.catalina.startup.Catalina.load(Catalina.java:644) at >> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j > ava:62) >> >> > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor > Impl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) at >> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) at >> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) >> Caused by: java.security.InvalidAlgorithmParameterException: the >> trustAnchors parameter must be non-empty at >> java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java: > 200) >> >> > at java.security.cert.PKIXParameters.(PKIXParameters.java:157) >> at >> java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters. > java:130) >> >> > at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java: > 368) >> at >> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.jav > a:292) >> >> > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstrac > tJsseEndpoint.java:113) >> ... 20 more >> >> I've changed the connector configuration to use >> SSLHostConfig/Certificate, but our certificate generation process >> (self signed certificates) has remained the same. I did a quick >> internet search, and saw that other people had similar, but not >> exact issues, and going back to 8.5.4 "solved" the issue. So I did >> this as a quick test, so at least I could see that our >> configuration changes where correct, and yes the application ran ok >> with Tomcat 8.5.4. The connector configuration is: >> >> > protocol="org.apache.coyote.http11.Http11Nio2Protocol" >> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >> server="Apache" maxPostSize="10"> > certificateVerification="none" sslProtocol="TLSv1.2" >> protocols="TLSv1.2" >> truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12" >> truststoreType="PKCS12" truststorePassword="${truststore.pass}" >> honorCipherOrder="true" >> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AE > S_256_GCM_SHA384, >> >> >> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_S > HA384, >> >> >> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM > _SHA256, >> >> >> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_S > HA256, >> >> >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC > _SHA384, >> >> >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SH > A, >> >> >> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_S > HA384, >> >> >> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, >> >> >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC > _SHA256, >> >> >>
Re: Trouble with TLS/SSL and Tomcat 8.5.23
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Richard, On 11/22/17 8:40 AM, Richard Tearle wrote: > Hello > > Apache Tomcat 8.5.23 Centos 7.4 (3.10.0-514.16.1.el7.x86_64) Java > 1.8.0_152 (with jce) Running in Docker Container > > I'm upgrading our applications from Apache Tomcat 8.0.47 to > 8.5.23, but when trying to get TLS/SSL working on a connector I get > the following error: > > 22-Nov-2017 11:52:46.098 SEVERE [main] > org.apache.coyote.AbstractProtocol.init Failed to initialize end > point associated with ProtocolHandler ["https-jsse-nio2-18443"] > java.lang.IllegalArgumentException: > java.security.InvalidAlgorithmParameterException: the trustAnchors > parameter must be non-empty at > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr actJsseEndpoint.java:115) > > at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJs seEndpoint.java:86) > at > org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163) > > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:9 82) > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpo int.java:245) > > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620) > at > org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Pro tocol.java:66) > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:9 97) > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > > at org.apache.catalina.core.StandardService.initInternal(StandardService.ja va:549) > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java :875) > at > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:621) > at org.apache.catalina.startup.Catalina.load(Catalina.java:644) at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j ava:62) > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor Impl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) at > org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) > Caused by: java.security.InvalidAlgorithmParameterException: the > trustAnchors parameter must be non-empty at > java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java: 200) > > at java.security.cert.PKIXParameters.(PKIXParameters.java:157) > at > java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters. java:130) > > at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java: 368) > at > org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.jav a:292) > > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstrac tJsseEndpoint.java:113) > ... 20 more > > I've changed the connector configuration to use > SSLHostConfig/Certificate, but our certificate generation process > (self signed certificates) has remained the same. I did a quick > internet search, and saw that other people had similar, but not > exact issues, and going back to 8.5.4 "solved" the issue. So I did > this as a quick test, so at least I could see that our > configuration changes where correct, and yes the application ran ok > with Tomcat 8.5.4. The connector configuration is: > > protocol="org.apache.coyote.http11.Http11Nio2Protocol" > maxThreads="150" SSLEnabled="true" scheme="https" secure="true" > server="Apache" maxPostSize="10"> certificateVerification="none" sslProtocol="TLSv1.2" > protocols="TLSv1.2" > truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12" > truststoreType="PKCS12" truststorePassword="${truststore.pass}" > honorCipherOrder="true" > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AE S_256_GCM_SHA384, > > > TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_S HA384, > > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM _SHA256, > > > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_S HA256, > > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC _SHA384, > > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SH A, > > > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_S HA384, > > > TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, > > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC _SHA256, > > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SH A, > > > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_S HA256, > > > TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" > > > certificateKeyAlias="tomcat-ssl"
Re: Trouble with TLS/SSL and Tomcat 8.5.23
Peter On 22 November 2017 at 15:08, Peter Kreuser <l...@kreuser.name> wrote: > > > > > Richard, > > > > > >> Gesendet: Mittwoch, 22. November 2017 um 14:40 Uhr >> Von: "Richard Tearle" >> <richard.tea...@northgateps.com[mailto:richard.tea...@northgateps.com]> >> An: users@tomcat.apache.org[mailto:users@tomcat.apache.org] >> Betreff: Trouble with TLS/SSL and Tomcat 8.5.23 >> Hello >> >> Apache Tomcat 8.5.23 >> Centos 7.4 (3.10.0-514.16.1.el7.x86_64) >> Java 1.8.0_152 (with jce) >> Running in Docker Container >> >> I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23, >> but when trying to get TLS/SSL working on a connector I get the >> following error: >> >> 22-Nov-2017 11:52:46.098 SEVERE [main] >> org.apache.coyote.AbstractProtocol.init Failed to initialize end point >> associated with ProtocolHandler ["https-jsse-nio2-18443"] >> java.lang.IllegalArgumentException: >> java.security.InvalidAlgorithmParameterException: the trustAnchors >> parameter must be non-empty >> at >> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115) >> at >> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86) >> at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163) >> at >> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982) >> at >> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245) >> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620) >> at >> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66) >> at org.apache.catalina.connector.Connector.initInternal(Connector.java:997) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> at >> org.apache.catalina.core.StandardService.initInternal(StandardService.java:549) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> at >> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> at org.apache.catalina.startup.Catalina.load(Catalina.java:621) >> at org.apache.catalina.startup.Catalina.load(Catalina.java:644) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) >> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) >> Caused by: java.security.InvalidAlgorithmParameterException: the >> trustAnchors parameter must be non-empty >> at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) >> at java.security.cert.PKIXParameters.(PKIXParameters.java:157) >> at >> java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:130) >> at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368) >> at >> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292) >> at >> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113) >> ... 20 more >> >> I've changed the connector configuration to use >> SSLHostConfig/Certificate, but our certificate generation process >> (self signed certificates) has remained the same. I did a quick >> internet search, and saw that other people had similar, but not exact >> issues, and going back to 8.5.4 "solved" the issue. So I did this as a >> quick test, so at least I could see that our configuration changes >> where correct, and yes the application ran ok with Tomcat 8.5.4. The >> connector configuration is: >> >> > protocol="org.apache.coyote.http11.Http11Nio2Protocol" >> maxThreads="150" SSLEnabled="true" scheme="https" >> secure="true" server="Apache" maxPostSize="10"> >> > sslProtocol="TLSv1.2" protocols="TLSv1.2" >> truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12" >> truststoreType="PKCS12" >> truststorePassword="${truststore.pass}" honorCipherOrder="true" > > The error message says that either the file simply is not there or the cert
Aw: Trouble with TLS/SSL and Tomcat 8.5.23
Richard, > Gesendet: Mittwoch, 22. November 2017 um 14:40 Uhr > Von: "Richard Tearle" > <richard.tea...@northgateps.com[mailto:richard.tea...@northgateps.com]> > An: users@tomcat.apache.org[mailto:users@tomcat.apache.org] > Betreff: Trouble with TLS/SSL and Tomcat 8.5.23 > Hello > > Apache Tomcat 8.5.23 > Centos 7.4 (3.10.0-514.16.1.el7.x86_64) > Java 1.8.0_152 (with jce) > Running in Docker Container > > I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23, > but when trying to get TLS/SSL working on a connector I get the > following error: > > 22-Nov-2017 11:52:46.098 SEVERE [main] > org.apache.coyote.AbstractProtocol.init Failed to initialize end point > associated with ProtocolHandler ["https-jsse-nio2-18443"] > java.lang.IllegalArgumentException: > java.security.InvalidAlgorithmParameterException: the trustAnchors > parameter must be non-empty > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115) > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86) > at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163) > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982) > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245) > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620) > at > org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66) > at org.apache.catalina.connector.Connector.initInternal(Connector.java:997) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > at > org.apache.catalina.core.StandardService.initInternal(StandardService.java:549) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > at > org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875) > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) > at org.apache.catalina.startup.Catalina.load(Catalina.java:621) > at org.apache.catalina.startup.Catalina.load(Catalina.java:644) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) > Caused by: java.security.InvalidAlgorithmParameterException: the > trustAnchors parameter must be non-empty > at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) > at java.security.cert.PKIXParameters.(PKIXParameters.java:157) > at > java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:130) > at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368) > at > org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292) > at > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113) > ... 20 more > > I've changed the connector configuration to use > SSLHostConfig/Certificate, but our certificate generation process > (self signed certificates) has remained the same. I did a quick > internet search, and saw that other people had similar, but not exact > issues, and going back to 8.5.4 "solved" the issue. So I did this as a > quick test, so at least I could see that our configuration changes > where correct, and yes the application ran ok with Tomcat 8.5.4. The > connector configuration is: > > protocol="org.apache.coyote.http11.Http11Nio2Protocol" > maxThreads="150" SSLEnabled="true" scheme="https" > secure="true" server="Apache" maxPostSize="10"> > sslProtocol="TLSv1.2" protocols="TLSv1.2" > truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12" > truststoreType="PKCS12" > truststorePassword="${truststore.pass}" honorCipherOrder="true" The error message says that either the file simply is not there or the cert that you expect is not in the keystore, maybe even empty... Peter > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > > TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Trouble with TLS/SSL and Tomcat 8.5.23
Hello Apache Tomcat 8.5.23 Centos 7.4 (3.10.0-514.16.1.el7.x86_64) Java 1.8.0_152 (with jce) Running in Docker Container I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23, but when trying to get TLS/SSL working on a connector I get the following error: 22-Nov-2017 11:52:46.098 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio2-18443"] java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115) at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86) at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982) at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620) at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66) at org.apache.catalina.connector.Connector.initInternal(Connector.java:997) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) at org.apache.catalina.startup.Catalina.load(Catalina.java:621) at org.apache.catalina.startup.Catalina.load(Catalina.java:644) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.(PKIXParameters.java:157) at java.security.cert.PKIXBuilderParameters.(PKIXBuilderParameters.java:130) at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368) at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292) at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113) ... 20 more I've changed the connector configuration to use SSLHostConfig/Certificate, but our certificate generation process (self signed certificates) has remained the same. I did a quick internet search, and saw that other people had similar, but not exact issues, and going back to 8.5.4 "solved" the issue. So I did this as a quick test, so at least I could see that our configuration changes where correct, and yes the application ran ok with Tomcat 8.5.4. The connector configuration is: Setting javax.net.debug=all in CATALINA_OPTS and viewing the resultant logging, seems to indicate that the certificate is being loaded, but not the trust store, with the only truststore loaded coming from: /opt/jre1.8.0_152/lib/security/cacerts Best Regards Richard -- This email is sent on behalf of Northgate Public Services (UK) Limited and its associated companies including Rave Technologies (India) Pvt Limited (together "Northgate Public Services") and is strictly confidential and intended solely for the addressee(s). If you are not the intended recipient of this email you must: (i) not disclose, copy or distribute its contents to any other person nor use its contents in any way or you may be acting unlawfully; (ii) contact Northgate Public Services immediately on +44(0)1442 768445 quoting the name of the sender and the addressee then delete it from your system. Northgate Public Services has taken reasonable precautions to ensure that no viruses are contained in this email, but does not accept any responsibility once this email has been transmitted. You should scan attachments (if any) for viruses. Northgate Public Services (UK) Limited, registered in England and Wales under number 00968498 with a registered address of Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 4NW. Rave Technologies (India) Pvt Limited, registered in India under number 117068 with a registered