-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Dono,
On 9/19/16 12:45 PM, Dono Harjanto wrote: > Hi All, > > > We have a web app deployed on 3 different servers, all running > Tomcat 7.0.39 and Java 8 (update 101/102). Here is the operating > system on each server: > > - Production: CentOS 6.4 > > - Staging 1: CentOS 6.5 > > - Staging 2: CentOS 6.7 > > > When we accessed the web app on Production server, we were able to > connect and connected over TLS 1.2 (as expected). However, when we > accessed the web app on both Staging servers we were able to > connect, but it was connected over TLS 1.1 not TLS 1.2 as TLS 1.2 > handshake failed and server sent an Alert (Level: Fatal, > Description: Internal Error) response. > > > We enabled SSL debugging on Tomcat and we saw Tomcat threw > InvalidAlgorithmParameterException exception in catalina.out as > shown below: > > > http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70 *** > ECDHClientKeyExchange ECDH Public value: { 4, 245, 39, 156, 56, > 88, 62, 108, 141, 237, 93, 240, 210, 228, 91, 60, 14, 109, 138, > 121, 126, 100, 36, 194, 93, 101, 131, 119, 120, 57, 120, 222, 73, > 123, 122, 218, 253, 91, 170, 240, 251, 73, 214, 29, 192, 234, 109, > 189, 40, 249, 161, 176, 172, 179, 36, 162, 229, 69, 160, 221, 242, > 53, 100, 34, 215 } SESSION KEYGEN: > > PreMaster Secret: (key bytes not available) RSA master secret > generation error: java.security.InvalidAlgorithmParameterException: > Key format must be RAW at > com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterS ecretGenerator.java:67) > > at javax.crypto.KeyGenerator.init(KeyGenerator.java:454) > at javax.crypto.KeyGenerator.init(KeyGenerator.java:430) at > sun.security.ssl.Handshaker.calculateMasterSecret(Unknown Source) > at sun.security.ssl.Handshaker.calculateKeys(Unknown Source) at > sun.security.ssl.ServerHandshaker.processMessage(Unknown Source) at > sun.security.ssl.Handshaker.processLoop(Unknown Source) at > sun.security.ssl.Handshaker.process_record(Unknown Source) at > sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown > Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown > Source) at sun.security.ssl.SSLSocketImpl.getSession(Unknown > Source) at > org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocket Factory.java:215) > > at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.j ava:298) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > Source) at > java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) http-bio-8443-exec-1, > handling exception: java.security.ProviderException: > java.security.InvalidAlgorithmParameterException: Key format must > be RAW %% Invalidated: [Session-1, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] http-bio-8443-exec-1, SEND > TLSv1.2 ALERT: fatal, description = internal_error > http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2 [Raw write]: > length = 7 0000: 15 03 03 00 02 02 50 > ......P http-bio-8443-exec-1, called closeSocket() > http-bio-8443-exec-1, IOException in getSession(): > javax.net.ssl.SSLException: java.security.ProviderException: > java.security.InvalidAlgorithmParameterException: Key format must > be RAW http-bio-8443-exec-1, called close() http-bio-8443-exec-1, > called closeInternal(true) > > > > Below is the server.xml configuration we have on all servers: > > > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11Protocol" > > SSLEnabled="true" scheme="https" secure="true" clientAuth="false" > sslProtocol="TLS" > > maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" > enableLookups="false" disableUploadTimeout="true" > acceptCount="100" useBodyEncodingForURI="true" > > keystoreType="pkcs12" > keystoreFile="/path/to/keystore/.filename.p12" > keystorePass="<snip>" /> > > > > Any idea why Tomcat not able to do TLS 1.2 handshake and throwing > "Key format must be RAW" exception? Did we miss anything here? I've never seen anything like that before. What is the client? - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJX4ElgAAoJEBzwKT+lPKRY8aIP/j7QKuhxbxAvJdFXT3/0yMvt 5dr1s3Y5Lq8YaeVUjgrcXhWCiC8ncsh5K9PmVW+RWiD1XNMYGLxqo16T+Z6ib9gA zhrcvlhO8ClRXXzmsLQztzdncyfAmq3nijQAekJ82pBLN7zgzY+COoNnPox5Ax7w ZtpNyTFspKCktuEv3hfh9zfhUPaI9c6pW9QSQYshsxmm74TwEyQHg84iXfIKSlAV iB1G2xPTB6Dsdr4ErSWg7qyeAcm9eQsp7Sv3gJ8jRV788L9L45HqyeIZLvyY7UMq VtsABiFLpc5EeP+uDjarkNYU1lYPnxrsHpwM1atlqqAtHcGaUV3e0Kxi8dSI3GNm ffQjFHwjHYitsRiNRp1yMjoMngM+8y+g7dBIIKJHrju7REnq/ztdvYLLyb/pHq5B 0J1MREbp+UDBB+wMmrjOhRajjihFsKyXyH7xM/+B0xpWbIG5jOK3JtxJiySXo8Cn L+3EdINS5ziLjT982jCqOzprXFJEvUhaXo4pdhKszgUqeC0lvclDzox0IYejZ4A2 khRd9tA+jPypGpMaiM15jVyEmOosX2hXSpBSFqeVDDZNJct3H6Yq6gT+nPssORKC /fsRx3BB3WjDKPaXnfgwSmTveoWjZIJsZARPmJBFFxv0FhlsCvDM/IRGGkxsnlWt S8iD1ZjrJhK7NQtvUMSM =OfA9 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org