Simon,

On 11/25/15 12:55 PM, Simon Callan wrote:
> The different versions of tomcat all show the same issue. We have this issue 
> on two systems, and only two systems. We have not been able to reproduce this 
> on any other system we have access to.
> 
> Having investigated further, I appear to have provoked tomcat into producing 
> a pair of exception backtraces in the log files:
> 
> 25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-7] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>  java.lang.RuntimeException: Could not generate DH keypair
>     at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>     at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: java.lang.RuntimeException: Could not generate DH keypair
>     at sun.security.ssl.ECDHCrypt.<init>(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>     at sun.security.ssl.Handshaker$1.run(Unknown Source)
>     at sun.security.ssl.Handshaker$1.run(Unknown Source)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>     at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:301)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:359)
>     ... 7 more
> Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
>     at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
>     ... 20 more
> 
> 25-Nov-2015 17:28:21.642 SEVERE [http-nio-8443-exec-1] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>  java.lang.RuntimeException: Could not generate DH keypair
>     at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>     at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>     at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:351)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:208)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1476)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: java.lang.RuntimeException: Could not generate DH keypair
>     at sun.security.ssl.ECDHCrypt.<init>(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
>     at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
>     at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>     at sun.security.ssl.Handshaker$1.run(Unknown Source)
>     at sun.security.ssl.Handshaker$1.run(Unknown Source)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>     at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:301)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:359)
>     ... 7 more
> Caused by: java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
>     at org.bouncycastle.jce.provider.JDKKeyPairGenerator$EC.initialize(Unknown Source)
>     ... 20 more
> 
> Trying to extract the relevant information gives me:
> 
> java.lang.RuntimeException: Could not generate DH keypair
> caused by java.lang.RuntimeException: Could not generate DH keypair
> caused by java.security.InvalidAlgorithmParameterException: unknown curve name: 1.2.840.10045.3.1.7
> 
> This suggests that we are using an (elliptical?) curve that tomcat does not 
> recognise.

It's BouncyCastle that isn't recognizing that curve, not Tomcat. Tomcat
doesn't perform any of its own crypto; instead, it delegates to the JVM.
Here, you appear to have configured BC for crypto instead of using the
built-in JSSE provider.

> Is this likely to be an issue with the security certificate that we are using?

Probably not, but it's possible there is some incompatibility between
your certificate and the algorithms you are trying to use. For instance,
you can't use DSA cipher suites with an RSA key...

> I have checked, and we have the "Unlimited Strength Java 
> Cryptography Extension Policy Files" installed, so that should not be
> an issue.

Since you are using BouncyCastle, that "unlimited strength Java
Cryptography Extension Policy Files" is probably irrelevant.

-chris
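A small diagnostic for the situation described in this thread, added here as an example and not code from the thread, from Tomcat or from BouncyCastle. It lists the installed JCA providers in their preference order, shows which provider actually answers a request for "EC" key-pair generation (the path JSSE takes in `setupEphemeralECDHKeys`), and then asks that provider to initialise with the curve both by OID and by name. The OID from the trace, 1.2.840.10045.3.1.7, is the standard identifier for secp256r1 (NIST P-256); JSSE passes curves to the generator in that OID form, which is why a provider that only knows the textual name fails exactly as in the log. The provider name "SunEC" is assumed to be the JDK's built-in EC provider on the machine where this runs; everything else is the standard `java.security` API.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

/** Reports which provider serves EC key generation and whether it accepts the curve from the log. */
public class EcProviderCheck {

    // Curve identifiers to probe. The first is the OID quoted in the stack trace above
    // (secp256r1 / P-256 in OID form, which is how JSSE names the curve); the rest are
    // the textual names most providers accept.
    private static final String[] CURVES = {
        "1.2.840.10045.3.1.7", "secp256r1", "secp384r1"
    };

    // Assumed name of the JDK's built-in EC provider; adjust if your runtime differs.
    private static final String BUILTIN_EC_PROVIDER = "SunEC";

    public static void main(String[] args) {
        System.out.println("Installed providers, in preference order:");
        int position = 1;
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %d. %s (%s)%n", position++, p.getName(), p.getInfo());
        }

        // Whatever provider wins here is the one JSSE will use for ephemeral ECDH keys.
        KeyPairGenerator preferred;
        try {
            preferred = KeyPairGenerator.getInstance("EC");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("No installed provider offers EC key generation: " + e.getMessage());
            return;
        }
        System.out.println("Default EC key generation is served by: " + preferred.getProvider().getName());
        probeCurves(preferred);

        // Compare against the built-in provider explicitly, to show whether the
        // failure is provider-specific rather than a platform-wide limitation.
        try {
            KeyPairGenerator builtin = KeyPairGenerator.getInstance("EC", BUILTIN_EC_PROVIDER);
            System.out.println("Built-in provider " + builtin.getProvider().getName() + ":");
            probeCurves(builtin);
        } catch (NoSuchProviderException | NoSuchAlgorithmException e) {
            System.out.println("Built-in provider " + BUILTIN_EC_PROVIDER + " not available: " + e.getMessage());
        }
    }

    /** Tries each curve identifier against the generator and reports accept/reject. */
    static void probeCurves(KeyPairGenerator kpg) {
        for (String curve : CURVES) {
            try {
                kpg.initialize(new ECGenParameterSpec(curve));
                kpg.generateKeyPair();
                System.out.printf("  %-22s accepted%n", curve);
            } catch (InvalidAlgorithmParameterException e) {
                // This is the exception wrapped as "Could not generate DH keypair" in the log.
                System.out.printf("  %-22s rejected: %s%n", curve, e.getMessage());
            }
        }
    }
}
```

Compile and run it with the same JVM and the same `java.security` configuration (or the same `Security.insertProviderAt` calls, if the application registers BouncyCastle programmatically) that Tomcat uses; run as-is on a stock JDK it should show the built-in provider accepting all three identifiers. If the default "EC" generator turns out to be BouncyCastle and it rejects the OID form while accepting `secp256r1`, that reproduces the handshake failure outside Tomcat and points at the provider ordering, which is the configuration Chris is asking about, rather than at the certificate or the policy files.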

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
