Hi André,

> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Tuesday, September 20, 2016 12:13 AM
> To: users@tomcat.apache.org
> Subject: Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal Error: Key format must be RAW
> 
> On 20.09.2016 09:06, André Warnier (tomcat) wrote:
> > On 19.09.2016 18:45, Dono Harjanto wrote:
> >> Hi All,
> >>
> >>
> >> We have a web app deployed on 3 different servers, all running Tomcat
> >> 7.0.39 and Java 8 (update 101/102). Here is the operating system on each server:
> >>
> >> - Production: CentOS 6.4
> >>
> >> - Staging 1: CentOS 6.5
> >>
> >> - Staging 2: CentOS 6.7
> >>
> >>
> >
> > Java versions ?
> 
> Sorry for the noise, did not read the above carefully enough.
> Are you sure they are really using the same Java version, though ?
> (/etc/alternatives and all that)
> 

Result from running the "ps -ef | grep tomcat" command (truncated) on all instances:
Production:
502      29119     1  2 Sep14 ?        03:08:08 /usr/java/latest/bin/java 
-Djava.util.logging.config.file=/var/www/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m 
-Xmx20

Staging:
502      25138     1  3 Sep15 ?        03:30:29 /usr/java/latest/bin/java 
-Djava.util.logging.config.file=/var/www/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m 
-Xmx2048m -XX:MaxPermS

The content of the /usr/java/ folder, which shows that latest is pointing to jre1.8.0_102
instead of jre1.7.0_21:

Production:
lrwxrwxrwx. 1 root root   16 Apr 26  2013 default -> /usr/java/latest
drwxr-xr-x. 6 root root 4096 Apr 26  2013 jre1.7.0_21
drwxr-xr-x. 7 root root 4096 Aug  1 20:43 jre1.8.0_102
lrwxrwxrwx. 1 root root   22 Sep 17 00:22 latest -> /usr/java/jre1.8.0_102

Staging:
lrwxrwxrwx. 1 root root   16 Aug 14  2014 default -> /usr/java/latest
drwxr-xr-x. 9 root root 4096 Sep  7 18:53 jdk1.8.0_60
drwxr-xr-x. 6 root root 4096 Aug 14  2014 jre1.7.0_60
drwxr-xr-x. 7 root root 4096 Sep 14 21:25 jre1.8.0_102
drwxr-xr-x. 7 root root 4096 Sep  7 18:51 jre1.8.0_60
lrwxrwxrwx. 1 root root   22 Sep 14 21:55 latest -> /usr/java/jre1.8.0_102

So it's definitely using Java 8 instead of Java 7.

> >
> >
> >> When we accessed the web app on the Production server, we were able to
> >> connect, and the connection used TLS 1.2 (as expected). However, when we
> >> accessed the web app on both Staging servers we were able to connect,
> >> but the connection used TLS 1.1, not TLS 1.2, because the TLS 1.2
> >> handshake failed and the server sent an Alert (Level: Fatal,
> >> Description: Internal Error) response.
> >>
> >>
> >> We enabled SSL debugging on Tomcat and saw that Tomcat threw an
> >> InvalidAlgorithmParameterException in catalina.out, as shown below:
> >>
> >>
> >> http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70
> >> *** ECDHClientKeyExchange
> >> ECDH Public value:  { 4, 245, 39, 156, 56, 88, 62, 108, 141, 237, 93,
> >> 240, 210, 228, 91, 60, 14, 109, 138, 121, 126, 100, 36, 194, 93, 101,
> >> 131, 119, 120, 57, 120, 222, 73, 123, 122, 218, 253, 91, 170, 240,
> >> 251, 73, 214, 29, 192, 234, 109, 189, 40, 249, 161, 176, 172, 179,
> >> 36, 162, 229, 69, 160, 221, 242, 53, 100, 34, 215 }
> >> SESSION KEYGEN:
> >> PreMaster Secret:
> >> (key bytes not available)
> >> RSA master secret generation error:
> >> java.security.InvalidAlgorithmParameterException: Key format must be RAW
> >>          at com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:67)
> >>          at javax.crypto.KeyGenerator.init(KeyGenerator.java:454)
> >>          at javax.crypto.KeyGenerator.init(KeyGenerator.java:430)
> >>          at sun.security.ssl.Handshaker.calculateMasterSecret(Unknown Source)
> >>          at sun.security.ssl.Handshaker.calculateKeys(Unknown Source)
> >>          at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
> >>          at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> >>          at sun.security.ssl.Handshaker.process_record(Unknown Source)
> >>          at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> >>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> >>          at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> >>          at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
> >>          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:215)
> >>          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298)
> >>          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
> >>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> >>          at java.lang.Thread.run(Unknown Source)
> >> http-bio-8443-exec-1, handling exception: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW
> >> %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> >> http-bio-8443-exec-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
> >> http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2
> >> [Raw write]: length = 7
> >> 0000: 15 03 03 00 02 02 50                               ......P
> >> http-bio-8443-exec-1, called closeSocket()
> >> http-bio-8443-exec-1, IOException in getSession():  javax.net.ssl.SSLException: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW
> >> http-bio-8443-exec-1, called close()
> >> http-bio-8443-exec-1, called closeInternal(true)
> >>
> >>
> >>
> >> Below is the server.xml configuration we have on all servers:
> >>
> >>
> >>      <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> >>
> >>          SSLEnabled="true"
> >>          scheme="https"
> >>          secure="true"
> >>          clientAuth="false"
> >>          sslProtocol="TLS"
> >>
> >>          maxHttpHeaderSize="8192"
> >>          maxThreads="150"
> >>          minSpareThreads="25"
> >>          enableLookups="false"
> >>          disableUploadTimeout="true"
> >>          acceptCount="100"
> >>          useBodyEncodingForURI="true"
> >>
> >>          keystoreType="pkcs12"
> >>          keystoreFile="/path/to/keystore/.filename.p12"
> >>          keystorePass="<snip>" />
> >>
> >>
> >>
> >> Any idea why Tomcat is not able to do a TLS 1.2 handshake and is throwing
> >> the "Key format must be RAW" exception? Did we miss anything here?
> >>
> >>
> >>
> >> Thanks for your help,
> >>
> >> Don
> >>
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> 
> 


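The alert record Tomcat wrote in the quoted excerpt, `15 03 03 00 02 02 50`, can be read by hand: content type 0x15 (alert), record version 3.3 (TLS 1.2), body length 2, then level 2 (fatal) and description 80 (internal_error), which agrees with the "SEND TLSv1.2 ALERT" line. The Python below is an added example, not code from the thread or from Tomcat: it decodes such a record and pulls the exception, the invalidated cipher suite and the alert out of a JSSE debug log, then cross-checks the logged alert against the decoded bytes. The embedded SAMPLE_LOG is constructed from the quoted catalina.out lines, and the alert code table is the one in RFC 5246 section 7.2.

```python
"""Decode a TLS alert record and summarize a JSSE handshake failure from debug output.

Added example, not code from the thread. SAMPLE_LOG is constructed from the
catalina.out excerpt quoted above; alert codes follow RFC 5246 section 7.2.
"""
import re

# Record-layer content types and versions (RFC 5246 section 6.2.1)
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 5246 section 7.2 AlertDescription
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}


def decode_alert_record(raw: bytes) -> dict:
    """Parse one TLS record carrying a single Alert (5-byte header + 2-byte body)."""
    if len(raw) < 5:
        raise ValueError("record header needs 5 bytes")
    ctype, major, minor = raw[0], raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    body = raw[5:5 + length]
    if CONTENT_TYPES.get(ctype) != "alert":
        raise ValueError(f"not an alert record: content type 0x{ctype:02x}")
    if length != 2 or len(body) != 2:
        raise ValueError(f"alert body must be 2 bytes, declared {length}, got {len(body)}")
    level, description = body
    return {
        "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    }


# One JSSE hex-dump line: 4-digit offset, up to 16 hex byte pairs, then an ASCII column we skip.
_DUMP_LINE = re.compile(r"^[0-9A-Fa-f]{4}:((?:\s[0-9A-Fa-f]{2}){1,16})")


def bytes_from_jsse_dump(lines) -> bytes:
    """Rebuild the raw record from the hex-dump lines that follow '[Raw write]'."""
    out = bytearray()
    for line in lines:
        m = _DUMP_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex ignores the separating spaces
    return bytes(out)


_INVALIDATED = re.compile(r"%% Invalidated:\s*\[([^,\]]+),\s*([^\]]+)\]")
_SEND_ALERT = re.compile(r"SEND (TLSv[\d.]+) ALERT:\s*(\w+), description = (\w+)")


def summarize_handshake_failure(log: str) -> dict:
    """Extract the exception, invalidated cipher suite, logged alert and decoded raw alert."""
    info = {"exception": None, "cipher_suite": None, "alert_sent": None, "alert_decoded": None}
    dump, in_dump = [], False
    for line in log.splitlines():
        if in_dump:
            if _DUMP_LINE.match(line.strip()):
                dump.append(line)
                continue
            in_dump = False  # first non-dump line ends the hex dump
        if "handling exception:" in line:
            info["exception"] = line.split("handling exception:", 1)[1].strip()
        elif (m := _INVALIDATED.search(line)):
            info["cipher_suite"] = m.group(2).strip()
        elif (m := _SEND_ALERT.search(line)):
            info["alert_sent"] = {"version": m.group(1), "level": m.group(2),
                                  "description": m.group(3)}
        elif line.startswith("[Raw write]"):
            in_dump = True
    if dump:
        info["alert_decoded"] = decode_alert_record(bytes_from_jsse_dump(dump))
    return info


# Constructed from the catalina.out excerpt quoted in the thread; not a full capture.
SAMPLE_LOG = """\
http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70
*** ECDHClientKeyExchange
RSA master secret generation error:
java.security.InvalidAlgorithmParameterException: Key format must be RAW
http-bio-8443-exec-1, handling exception: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-bio-8443-exec-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 50                               ......P
http-bio-8443-exec-1, called closeSocket()
"""

if __name__ == "__main__":
    for key, value in summarize_handshake_failure(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real catalina.out (with -Djavax.net.debug=ssl enabled as in the thread) instead of SAMPLE_LOG to confirm that the alert on the wire is the one the log claims; a mismatch between "alert_sent" and "alert_decoded" would point at a different record than the one the handshake failure produced.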