Hi Chris, > -----Original Message----- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: Monday, September 19, 2016 1:24 PM > To: Tomcat Users List <users@tomcat.apache.org> > Subject: Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal Error: Key > format must be RAW > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Dono, > > On 9/19/16 12:45 PM, Dono Harjanto wrote: > > Hi All, > > > > > > We have a web app deployed on 3 different servers, all running Tomcat > > 7.0.39 and Java 8 (update 101/102). Here is the operating system on > > each server: > > > > - Production: CentOS 6.4 > > > > - Staging 1: CentOS 6.5 > > > > - Staging 2: CentOS 6.7 > > > > > > When we accessed the web app on Production server, we were able to > > connect and connected over TLS 1.2 (as expected). However, when we > > accessed the web app on both Staging servers we were able to connect, > > but it was connected over TLS 1.1 not TLS 1.2 as TLS 1.2 handshake > > failed and server sent an Alert (Level: Fatal, > > Description: Internal Error) response. > > > > > > We enabled SSL debugging on Tomcat and we saw Tomcat threw > > InvalidAlgorithmParameterException exception in catalina.out as shown > > below: > > > > > > http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70 *** > > ECDHClientKeyExchange ECDH Public value: { 4, 245, 39, 156, 56, 88, > > 62, 108, 141, 237, 93, 240, 210, 228, 91, 60, 14, 109, 138, 121, 126, > > 100, 36, 194, 93, 101, 131, 119, 120, 57, 120, 222, 73, 123, 122, 218, > > 253, 91, 170, 240, 251, 73, 214, 29, 192, 234, 109, 189, 40, 249, 161, > > 176, 172, 179, 36, 162, 229, 69, 160, 221, 242, 53, 100, 34, 215 } > > SESSION KEYGEN: > > > > PreMaster Secret: (key bytes not available) RSA master secret > > generation error: java.security.InvalidAlgorithmParameterException: > > Key format must be RAW at > > com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterS > ecretGenerator.java:67) > > > > > at javax.crypto.KeyGenerator.init(KeyGenerator.java:454) > > at javax.crypto.KeyGenerator.init(KeyGenerator.java:430) at > > sun.security.ssl.Handshaker.calculateMasterSecret(Unknown Source) at > > sun.security.ssl.Handshaker.calculateKeys(Unknown Source) at > > sun.security.ssl.ServerHandshaker.processMessage(Unknown Source) at > > sun.security.ssl.Handshaker.processLoop(Unknown Source) at > > sun.security.ssl.Handshaker.process_record(Unknown Source) at > > sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at > > sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown > > Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown > > Source) at sun.security.ssl.SSLSocketImpl.getSession(Unknown > > Source) at > > org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocket > Factory.java:215) > > > > > at > org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.j > ava:298) > > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > > Source) at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at > > java.lang.Thread.run(Unknown Source) http-bio-8443-exec-1, handling > > exception: java.security.ProviderException: > > java.security.InvalidAlgorithmParameterException: Key format must be > > RAW %% Invalidated: [Session-1, > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] http-bio-8443-exec-1, > SEND > > TLSv1.2 ALERT: fatal, description = internal_error > > http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2 [Raw write]: > > length = 7 0000: 15 03 03 00 02 02 50 > > ......P http-bio-8443-exec-1, called closeSocket() > > http-bio-8443-exec-1, IOException in getSession(): > > javax.net.ssl.SSLException: java.security.ProviderException: > > java.security.InvalidAlgorithmParameterException: Key format must be > > RAW http-bio-8443-exec-1, called close() http-bio-8443-exec-1, called > > closeInternal(true) > > > > > > > > Below is the server.xml configuration we have on all servers: > > > > > > <Connector port="8443" > > protocol="org.apache.coyote.http11.Http11Protocol" > > > > SSLEnabled="true" scheme="https" secure="true" clientAuth="false" > > sslProtocol="TLS" > > > > maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" > > enableLookups="false" disableUploadTimeout="true" > > acceptCount="100" useBodyEncodingForURI="true" > > > > keystoreType="pkcs12" > > keystoreFile="/path/to/keystore/.filename.p12" > > keystorePass="<snip>" /> > > > > > > > > Any idea why Tomcat not able to do TLS 1.2 handshake and throwing "Key > > format must be RAW" exception? Did we miss anything here? > > > I've never seen anything like that before. > > What is the client?
The client is Chrome/FireFox browser, which connected just fine to the web application hosted on Production server (on public internet) and the connection was using TLS 1.2. Only on staging servers Chrome/FireFox was unable to connect using TLS 1.2, but successfully connected using TLS 1.1. > > - -chris > -----BEGIN PGP SIGNATURE----- > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCAAGBQJX4ElgAAoJEBzwKT+lPKRY8aIP/j7QKuhxbxAvJdFXT3/0yMvt > 5dr1s3Y5Lq8YaeVUjgrcXhWCiC8ncsh5K9PmVW+RWiD1XNMYGLxqo16T+Z6ib > 9gA > zhrcvlhO8ClRXXzmsLQztzdncyfAmq3nijQAekJ82pBLN7zgzY+COoNnPox5Ax7 > w > ZtpNyTFspKCktuEv3hfh9zfhUPaI9c6pW9QSQYshsxmm74TwEyQHg84iXfIKSlA > V > iB1G2xPTB6Dsdr4ErSWg7qyeAcm9eQsp7Sv3gJ8jRV788L9L45HqyeIZLvyY7UM > q > VtsABiFLpc5EeP+uDjarkNYU1lYPnxrsHpwM1atlqqAtHcGaUV3e0Kxi8dSI3GN > m > ffQjFHwjHYitsRiNRp1yMjoMngM+8y+g7dBIIKJHrju7REnq/ztdvYLLyb/pHq5B > 0J1MREbp+UDBB+wMmrjOhRajjihFsKyXyH7xM/+B0xpWbIG5jOK3JtxJiySXo8 > Cn > L+3EdINS5ziLjT982jCqOzprXFJEvUhaXo4pdhKszgUqeC0lvclDzox0IYejZ4A2 > khRd9tA+jPypGpMaiM15jVyEmOosX2hXSpBSFqeVDDZNJct3H6Yq6gT+nPssO > RKC > /fsRx3BB3WjDKPaXnfgwSmTveoWjZIJsZARPmJBFFxv0FhlsCvDM/IRGGkxsnl > Wt > S8iD1ZjrJhK7NQtvUMSM > =OfA9 > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org