Environments:
* Mac OS X 10.10.5; Tomcat 7.0.67, 8.0.30; Java 1.8.0_60
* RHEL 6 (Kernel 2.6.32); Tomcat 7.0.67; Java 1.8.0_60
Problem:
Making an outgoing HTTPS connection from Axis2 client code living inside the
war, I get a failure during the TLSv1.2 handshake saying “Could not generate DH
keypair”. Unlike most examples I found online, there was no additional
information about the key size. The same client code when run from a unit test
using plain Java works just fine. Below are snippets of one difference I
noticed with the Server key in the logs:
Running from within Tomcat:
*** ECDH ServerKeyExchange
Signature Algorithm SHA1withRSA
Server key: Sun EC public key, 256 bits
public x coord: 112918107330736490567973848952126837545983212398065462286267971433368342872647
public y coord: 30155777565237297899065179509488316850099974838272315813007505317208002177712
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
http-bio-8080-exec-6, handling exception: java.lang.RuntimeException: Could not generate DH keypair
%% Invalidated: [Session-4, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-bio-8080-exec-6, SEND TLSv1.2 ALERT: fatal, description = internal_error
Running from plain Java (within IntelliJ as a JUnit test in case that matters):
*** ECDH ServerKeyExchange
Signature Algorithm SHA1withRSA
Server key: EC Public Key
X: 726ad077a87d97604c4507989bb1d6c4715ee23399e42543e19dc39048abe3cb
Y: 904cde963f872bd32691e86565e6f0ab09ebf833ee93edd0200a9d81299410e2
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 19, 187, 197, 193, 165, 157, 121, 79, 161, 160, 25,
239, 100, 105, 199, 101, 160, 54, 96, 128, 159, 61, 83, 144, 237, 233, 235,
118, 100, 47, 50, 85, 98, 192, 79, 174, 211, 10, 218, 35, 207, 203, 3, 88, 41,
100, 126, 223, 10, 139, 18, 101, 59, 243, 152, 125, 4, 241, 201, 153, 232, 172,
74, 0 }
main, WRITE: TLSv1.2 Handshake, length = 70
Note the difference in the "Server key". Is Tomcat somehow intercepting the
outgoing connection and handling it itself? If so, where would I configure the
security settings for that type of connection? Everything I've been able to
find relates to configuring Tomcat as the server not as the client for
SSL/TLS-related things. Please let me know if there is more information that
would help!
Thank you,
Dan Hrivnak