On 20.09.2016 19:21, Dono Harjanto wrote:
Hi André,-----Original Message----- From: André Warnier (tomcat) [mailto:a...@ice-sa.com] Sent: Tuesday, September 20, 2016 12:13 AM To: users@tomcat.apache.org Subject: Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal Error: Key format must be RAW On 20.09.2016 09:06, André Warnier (tomcat) wrote:On 19.09.2016 18:45, Dono Harjanto wrote:Hi All, We have a web app deployed on 3 different servers, all running Tomcat 7.0.39 and Java 8 (update 101/102). Here is the operating system on eachserver:- Production: CentOS 6.4 - Staging 1: CentOS 6.5 - Staging 2: CentOS 6.7Java versions ?Sorry for the noise, did not read the above carefully enough. Are you sure they are really using the same Java version, though ? (/etc/alternatives and all that)Result from running "ps -ef | grep tomcat" command (truncated) on all instances: Production: 502 29119 1 2 Sep14 ? 03:08:08 /usr/java/latest/bin/java -Djava.util.logging.config.file=/var/www/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m -Xmx20 Staging: 502 25138 1 3 Sep15 ? 03:30:29 /usr/java/latest/bin/java -Djava.util.logging.config.file=/var/www/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m -Xmx2048m -XX:MaxPermS The content of /usr/java/ folder which shows latest is pointing to jre1.8.0_102 instead of jre1.7.0_21. Production: lrwxrwxrwx. 1 root root 16 Apr 26 2013 default -> /usr/java/latest drwxr-xr-x. 6 root root 4096 Apr 26 2013 jre1.7.0_21 drwxr-xr-x. 7 root root 4096 Aug 1 20:43 jre1.8.0_102 lrwxrwxrwx. 1 root root 22 Sep 17 00:22 latest -> /usr/java/jre1.8.0_102 Staging: lrwxrwxrwx. 1 root root 16 Aug 14 2014 default -> /usr/java/latest drwxr-xr-x. 9 root root 4096 Sep 7 18:53 jdk1.8.0_60 drwxr-xr-x. 6 root root 4096 Aug 14 2014 jre1.7.0_60 drwxr-xr-x. 7 root root 4096 Sep 14 21:25 jre1.8.0_102 drwxr-xr-x. 7 root root 4096 Sep 7 18:51 jre1.8.0_60 lrwxrwxrwx. 1 root root 22 Sep 14 21:55 latest -> /usr/java/jre1.8.0_102 So it's definitely using Java 8 instead of Java 7.
The purpose of my question was :- according to your Connector configuration, you are using the Java BIO Connector, hence the Java SSL implementation. - so I wanted to ascertain that a possible hidden difference between the Java version used on the various systems, could not be linked to your issue.
According to the above, that does not seem to be the case (or at least not since Sept 17). On the problem itself unfortunately, I am not qualified to help. Searching Google provides some apparently related links however : http://lmgtfy.com/?q=java.security.InvalidAlgorithmParameterException%3A+Key+format+must+be+RAWNow just a question related to one of these links : are your staging servers and your production server located in the same country ?
When we accessed the web app on Production server, we were able to connect and connected over TLS 1.2 (as expected). However, when we accessed the web app on both Staging servers we were able to connect, but it was connected over TLS 1.1 not TLS 1.2 as TLS 1.2 handshake failed and server sent an Alert (Level: Fatal, Description: Internal Error) response. We enabled SSL debugging on Tomcat and we saw Tomcat threw InvalidAlgorithmParameterException exception in catalina.out as shownbelow:http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70 *** ECDHClientKeyExchange ECDH Public value: { 4, 245, 39, 156, 56, 88, 62, 108, 141, 237, 93, 240, 210, 228, 91, 60, 14, 109, 138, 121, 126, 100, 36, 194, 93, 101, 131, 119, 120, 57, 120, 222, 73, 123, 122, 218, 253, 91, 170, 240, 251, 73, 214, 29, 192, 234, 109, 189, 40, 249, 161, 176, 172, 179, 36, 162, 229, 69, 160, 221, 242, 53, 100, 34, 215 } SESSION KEYGEN: PreMaster Secret: (key bytes not available) RSA master secret generation error: java.security.InvalidAlgorithmParameterException: Key format must beRAWat com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMaster SecretGenerator.java:67) at javax.crypto.KeyGenerator.init(KeyGenerator.java:454) at javax.crypto.KeyGenerator.init(KeyGenerator.java:430) at sun.security.ssl.Handshaker.calculateMasterSecret(UnknownSource)at sun.security.ssl.Handshaker.calculateKeys(Unknown Source) at sun.security.ssl.ServerHandshaker.processMessage(UnknownSource)at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(UnknownSource)at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source) atorg.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFac tory.java:215)atorg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.ja va:298)at java.util.concurrent.ThreadPoolExecutor.runWorker(UnknownSource)at java.util.concurrent.ThreadPoolExecutor$Worker.run(UnknownSource)at java.lang.Thread.run(Unknown Source) http-bio-8443-exec-1, handling exception:java.security.ProviderException:java.security.InvalidAlgorithmParameterException: Key format must be RAW %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] http-bio-8443-exec-1, SEND TLSv1.2 ALERT: fatal, description = internal_error http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2 [Raw write]: length = 7 0000: 15 03 03 00 02 02 50 ......P http-bio-8443-exec-1, called closeSocket() http-bio-8443-exec-1, IOException in getSession(): javax.net.ssl.SSLException: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW http-bio-8443-exec-1, called close() http-bio-8443-exec-1, called closeInternal(true) Below is the server.xml configuration we have on all servers: <Connector port="8443"protocol="org.apache.coyote.http11.Http11Protocol"SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" useBodyEncodingForURI="true" keystoreType="pkcs12" keystoreFile="/path/to/keystore/.filename.p12" keystorePass="<snip>" /> Any idea why Tomcat not able to do TLS 1.2 handshake and throwing "Key format must be RAW" exception? Did we miss anything here? Thanks for your help, Don--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org