Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal Error: Key format must be RAW

Mon, 19 Sep 2016 13:25:04 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dono,

On 9/19/16 12:45 PM, Dono Harjanto wrote:
> Hi All,
> 
> 
> We have a web app deployed on 3 different servers, all running
> Tomcat 7.0.39 and Java 8 (update 101/102). Here is the operating
> system on each server:
> 
> - Production: CentOS 6.4
> 
> - Staging 1: CentOS 6.5
> 
> - Staging 2: CentOS 6.7
> 
> 
> When we accessed the web app on Production server, we were able to
> connect and connected over TLS 1.2 (as expected). However, when we
> accessed the web app on both Staging servers we were able to
> connect, but it was connected over TLS 1.1 not TLS 1.2 as TLS 1.2
> handshake failed and server sent an Alert (Level: Fatal,
> Description: Internal Error) response.
> 
> 
> We enabled SSL debugging on Tomcat and we saw Tomcat threw
> InvalidAlgorithmParameterException exception in catalina.out as
> shown below:
> 
> 
> http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70 ***
> ECDHClientKeyExchange ECDH Public value:  { 4, 245, 39, 156, 56,
> 88, 62, 108, 141, 237, 93, 240, 210, 228, 91, 60, 14, 109, 138,
> 121, 126, 100, 36, 194, 93, 101, 131, 119, 120, 57, 120, 222, 73,
> 123, 122, 218, 253, 91, 170, 240, 251, 73, 214, 29, 192, 234, 109,
> 189, 40, 249, 161, 176, 172, 179, 36, 162, 229, 69, 160, 221, 242,
> 53, 100, 34, 215 } SESSION KEYGEN:
> 
> PreMaster Secret: (key bytes not available) RSA master secret
> generation error: java.security.InvalidAlgorithmParameterException:
> Key format must be RAW at
> com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterS
ecretGenerator.java:67)
>
> 
at javax.crypto.KeyGenerator.init(KeyGenerator.java:454)
> at javax.crypto.KeyGenerator.init(KeyGenerator.java:430) at
> sun.security.ssl.Handshaker.calculateMasterSecret(Unknown Source) 
> at sun.security.ssl.Handshaker.calculateKeys(Unknown Source) at
> sun.security.ssl.ServerHandshaker.processMessage(Unknown Source) at
> sun.security.ssl.Handshaker.processLoop(Unknown Source) at
> sun.security.ssl.Handshaker.process_record(Unknown Source) at
> sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown
> Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown
> Source) at sun.security.ssl.SSLSocketImpl.getSession(Unknown
> Source) at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocket
Factory.java:215)
>
> 
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.j
ava:298)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
> Source) at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) 
> at java.lang.Thread.run(Unknown Source) http-bio-8443-exec-1,
> handling exception: java.security.ProviderException:
> java.security.InvalidAlgorithmParameterException: Key format must
> be RAW %% Invalidated:  [Session-1,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] http-bio-8443-exec-1, SEND
> TLSv1.2 ALERT:  fatal, description = internal_error 
> http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2 [Raw write]:
> length = 7 0000: 15 03 03 00 02 02 50
> ......P http-bio-8443-exec-1, called closeSocket() 
> http-bio-8443-exec-1, IOException in getSession():
> javax.net.ssl.SSLException: java.security.ProviderException:
> java.security.InvalidAlgorithmParameterException: Key format must
> be RAW http-bio-8443-exec-1, called close() http-bio-8443-exec-1,
> called closeInternal(true)
> 
> 
> 
> Below is the server.xml configuration we have on all servers:
> 
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol"
> 
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false" 
> sslProtocol="TLS"
> 
> maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" 
> enableLookups="false" disableUploadTimeout="true" 
> acceptCount="100" useBodyEncodingForURI="true"
> 
> keystoreType="pkcs12" 
> keystoreFile="/path/to/keystore/.filename.p12" 
> keystorePass="<snip>" />
> 
> 
> 
> Any idea why Tomcat not able to do TLS 1.2 handshake and throwing
> "Key format must be RAW" exception? Did we miss anything here?


I've never seen anything like that before.

What is the client?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX4ElgAAoJEBzwKT+lPKRY8aIP/j7QKuhxbxAvJdFXT3/0yMvt
5dr1s3Y5Lq8YaeVUjgrcXhWCiC8ncsh5K9PmVW+RWiD1XNMYGLxqo16T+Z6ib9gA
zhrcvlhO8ClRXXzmsLQztzdncyfAmq3nijQAekJ82pBLN7zgzY+COoNnPox5Ax7w
ZtpNyTFspKCktuEv3hfh9zfhUPaI9c6pW9QSQYshsxmm74TwEyQHg84iXfIKSlAV
iB1G2xPTB6Dsdr4ErSWg7qyeAcm9eQsp7Sv3gJ8jRV788L9L45HqyeIZLvyY7UMq
VtsABiFLpc5EeP+uDjarkNYU1lYPnxrsHpwM1atlqqAtHcGaUV3e0Kxi8dSI3GNm
ffQjFHwjHYitsRiNRp1yMjoMngM+8y+g7dBIIKJHrju7REnq/ztdvYLLyb/pHq5B
0J1MREbp+UDBB+wMmrjOhRajjihFsKyXyH7xM/+B0xpWbIG5jOK3JtxJiySXo8Cn
L+3EdINS5ziLjT982jCqOzprXFJEvUhaXo4pdhKszgUqeC0lvclDzox0IYejZ4A2
khRd9tA+jPypGpMaiM15jVyEmOosX2hXSpBSFqeVDDZNJct3H6Yq6gT+nPssORKC
/fsRx3BB3WjDKPaXnfgwSmTveoWjZIJsZARPmJBFFxv0FhlsCvDM/IRGGkxsnlWt
S8iD1ZjrJhK7NQtvUMSM
=OfA9
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to