Hi All,
We have a web app deployed on 3 different servers, all running Tomcat 7.0.39 and Java 8 (update 101/102). Here is the operating system on each server: - Production: CentOS 6.4 - Staging 1: CentOS 6.5 - Staging 2: CentOS 6.7 When we accessed the web app on Production server, we were able to connect and connected over TLS 1.2 (as expected). However, when we accessed the web app on both Staging servers we were able to connect, but it was connected over TLS 1.1 not TLS 1.2 as TLS 1.2 handshake failed and server sent an Alert (Level: Fatal, Description: Internal Error) response. We enabled SSL debugging on Tomcat and we saw Tomcat threw InvalidAlgorithmParameterException exception in catalina.out as shown below: http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70 *** ECDHClientKeyExchange ECDH Public value: { 4, 245, 39, 156, 56, 88, 62, 108, 141, 237, 93, 240, 210, 228, 91, 60, 14, 109, 138, 121, 126, 100, 36, 194, 93, 101, 131, 119, 120, 57, 120, 222, 73, 123, 122, 218, 253, 91, 170, 240, 251, 73, 214, 29, 192, 234, 109, 189, 40, 249, 161, 176, 172, 179, 36, 162, 229, 69, 160, 221, 242, 53, 100, 34, 215 } SESSION KEYGEN: PreMaster Secret: (key bytes not available) RSA master secret generation error: java.security.InvalidAlgorithmParameterException: Key format must be RAW at com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:67) at javax.crypto.KeyGenerator.init(KeyGenerator.java:454) at javax.crypto.KeyGenerator.init(KeyGenerator.java:430) at sun.security.ssl.Handshaker.calculateMasterSecret(Unknown Source) at sun.security.ssl.Handshaker.calculateKeys(Unknown Source) at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:215) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) http-bio-8443-exec-1, handling exception: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] http-bio-8443-exec-1, SEND TLSv1.2 ALERT: fatal, description = internal_error http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2 [Raw write]: length = 7 0000: 15 03 03 00 02 02 50 ......P http-bio-8443-exec-1, called closeSocket() http-bio-8443-exec-1, IOException in getSession(): javax.net.ssl.SSLException: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW http-bio-8443-exec-1, called close() http-bio-8443-exec-1, called closeInternal(true) Below is the server.xml configuration we have on all servers: <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" useBodyEncodingForURI="true" keystoreType="pkcs12" keystoreFile="/path/to/keystore/.filename.p12" keystorePass="<snip>" /> Any idea why Tomcat not able to do TLS 1.2 handshake and throwing "Key format must be RAW" exception? Did we miss anything here? Thanks for your help, Don