Environments:
* Mac OS X 10.10.5; Tomcat 7.0.67, 8.0.30; Java 1.8.0_60
* RHEL 6 (kernel 2.6.32); Tomcat 7.0.67; Java 1.8.0_60
Problem: Making an outgoing HTTPS connection from Axis2 client code living inside the war, I get a failure during the TLSv1.2 handshake saying "Could not generate DH keypair". Unlike most examples I found online, there was no additional information about the key size. The same client code, when run from a unit test using plain Java, works just fine.

Below are snippets of one difference I noticed with the "Server key" in the logs.

Running from within Tomcat:

    *** ECDH ServerKeyExchange
    Signature Algorithm SHA1withRSA
    Server key: Sun EC public key, 256 bits
      public x coord: 112918107330736490567973848952126837545983212398065462286267971433368342872647
      public y coord: 30155777565237297899065179509488316850099974838272315813007505317208002177712
      parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
    http-bio-8080-exec-6, handling exception: java.lang.RuntimeException: Could not generate DH keypair
    %% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
    http-bio-8080-exec-6, SEND TLSv1.2 ALERT:  fatal, description = internal_error

Running from plain Java (within IntelliJ as a JUnit test, in case that matters):

    *** ECDH ServerKeyExchange
    Signature Algorithm SHA1withRSA
    Server key: EC Public Key
                X: 726ad077a87d97604c4507989bb1d6c4715ee23399e42543e19dc39048abe3cb
                Y: 904cde963f872bd32691e86565e6f0ab09ebf833ee93edd0200a9d81299410e2
    *** ServerHelloDone
    *** ECDHClientKeyExchange
    ECDH Public value:  { 4, 19, 187, 197, 193, 165, 157, 121, 79, 161, 160, 25, 239, 100, 105, 199, 101, 160, 54, 96, 128, 159, 61, 83, 144, 237, 233, 235, 118, 100, 47, 50, 85, 98, 192, 79, 174, 211, 10, 218, 35, 207, 203, 3, 88, 41, 100, 126, 223, 10, 139, 18, 101, 59, 243, 152, 125, 4, 241, 201, 153, 232, 172, 74, 0 }
    main, WRITE: TLSv1.2 Handshake, length = 70

Note the difference in the "Server key". Is Tomcat somehow intercepting the outgoing connection and handling it itself? If so, where would I configure the security settings for that type of connection?
Everything I've been able to find relates to configuring Tomcat as the server, not as the client, for SSL/TLS-related things. Please let me know if there is more information that would help!

Thank you,
Dan Hrivnak
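An added diagnostic for comparing the two environments in the post above (this is not code from the poster or from Tomcat or Axis2; the class name EcdhProviderCheck and the idea of calling it from a scratch JSP are assumptions). The two "Server key" excerpts print in different formats, which means different public-key classes, and therefore possibly different JCE providers, were in use in the two runs. The report below lists the installed providers in precedence order together with the jar each was loaded from, then asks which provider answers for EC key generation, ECDH key agreement and the TLSv1.2 SSLContext, and finally repeats the client-side step that failed in the handshake log (generating an ephemeral key pair on secp256r1). Run it once from the JUnit test and once from inside the war and diff the two outputs.

```java
import java.security.CodeSource;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

/**
 * Reports which JCE/JSSE providers a JVM would use for an ECDHE handshake.
 * Returns a string rather than printing, so it can be shown from a scratch
 * JSP (<%= EcdhProviderCheck.report() %>, assumed) or asserted on in a test.
 */
public class EcdhProviderCheck {

    /** Where a provider class was loaded from; "<bootstrap>" for JRE-internal ones. */
    private static String location(Provider p) {
        try {
            CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
            return cs == null ? "<bootstrap>" : String.valueOf(cs.getLocation());
        } catch (SecurityException e) {
            // A container running with a SecurityManager may refuse this lookup.
            return "<denied: " + e.getMessage() + ">";
        }
    }

    public static String report() {
        StringBuilder sb = new StringBuilder();
        sb.append("java.version=").append(System.getProperty("java.version")).append('\n');
        sb.append("java.home=").append(System.getProperty("java.home")).append('\n');

        // Provider precedence: the first provider offering an algorithm wins.
        // A provider registered by a jar bundled in the war changes this order
        // for the whole JVM, not only for the web application.
        sb.append("Installed providers, in precedence order:\n");
        for (Provider p : Security.getProviders()) {
            sb.append("  ").append(p.getName()).append(' ').append(p.getVersion())
              .append("  class=").append(p.getClass().getName())
              .append("  from=").append(location(p)).append('\n');
        }

        // Reproduce the step that failed in the handshake log: the client
        // generates an ephemeral key pair on the curve the server chose.
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            sb.append("KeyPairGenerator.EC -> ").append(kpg.getProvider().getName()).append('\n');
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            String keyClass = kpg.generateKeyPair().getPublic().getClass().getName();
            sb.append("  secp256r1 key pair: OK, public key class=").append(keyClass).append('\n');
        } catch (Exception e) {
            sb.append("  secp256r1 key pair: FAILED: ").append(e).append('\n');
        }

        try {
            KeyAgreement ka = KeyAgreement.getInstance("ECDH");
            sb.append("KeyAgreement.ECDH -> ").append(ka.getProvider().getName()).append('\n');
        } catch (Exception e) {
            sb.append("KeyAgreement.ECDH: FAILED: ").append(e).append('\n');
        }

        try {
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            sb.append("SSLContext.TLSv1.2 -> ").append(ctx.getProvider().getName()).append('\n');
        } catch (Exception e) {
            sb.append("SSLContext.TLSv1.2: FAILED: ").append(e).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(report());
    }
}
```

The "from=" column is the part worth reading first: if a provider listed ahead of SunEC was loaded from a jar under the war's WEB-INF/lib, or if the public key class differs between the two runs, the difference between the container and the unit test is in provider registration rather than in anything Tomcat does to outgoing connections.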