On 20.09.2016 19:21, Dono Harjanto wrote:
Hi André,

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Tuesday, September 20, 2016 12:13 AM
To: users@tomcat.apache.org
Subject: Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal Error: Key format must be RAW

On 20.09.2016 09:06, André Warnier (tomcat) wrote:
On 19.09.2016 18:45, Dono Harjanto wrote:
Hi All,


We have a web app deployed on 3 different servers, all running Tomcat
7.0.39 and Java 8 (update 101/102). Here is the operating system on each
server:

- Production: CentOS 6.4

- Staging 1: CentOS 6.5

- Staging 2: CentOS 6.7



Java versions?

Sorry for the noise, did not read the above carefully enough.
Are you sure they are really using the same Java version, though?
(/etc/alternatives and all that)


Result from running "ps -ef | grep tomcat" command (truncated) on all instances:
Production:
502      29119     1  2 Sep14 ?        03:08:08 /usr/java/latest/bin/java 
-Djava.util.logging.config.file=/var/www/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m 
-Xmx20

Staging:
502      25138     1  3 Sep15 ?        03:30:29 /usr/java/latest/bin/java 
-Djava.util.logging.config.file=/var/www/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m 
-Xmx2048m -XX:MaxPermS

The content of the /usr/java/ folder, which shows that latest is pointing to jre1.8.0_102
instead of jre1.7.0_21:

Production:
lrwxrwxrwx. 1 root root   16 Apr 26  2013 default -> /usr/java/latest
drwxr-xr-x. 6 root root 4096 Apr 26  2013 jre1.7.0_21
drwxr-xr-x. 7 root root 4096 Aug  1 20:43 jre1.8.0_102
lrwxrwxrwx. 1 root root   22 Sep 17 00:22 latest -> /usr/java/jre1.8.0_102

Staging:
lrwxrwxrwx. 1 root root   16 Aug 14  2014 default -> /usr/java/latest
drwxr-xr-x. 9 root root 4096 Sep  7 18:53 jdk1.8.0_60
drwxr-xr-x. 6 root root 4096 Aug 14  2014 jre1.7.0_60
drwxr-xr-x. 7 root root 4096 Sep 14 21:25 jre1.8.0_102
drwxr-xr-x. 7 root root 4096 Sep  7 18:51 jre1.8.0_60
lrwxrwxrwx. 1 root root   22 Sep 14 21:55 latest -> /usr/java/jre1.8.0_102

So it's definitely using Java 8 instead of Java 7.

The purpose of my question was:
- according to your Connector configuration, you are using the Java BIO Connector, hence the Java SSL implementation.
- so I wanted to ascertain that a possible hidden difference between the Java version used on the various systems could not be linked to your issue.
According to the above, that does not seem to be the case (or at least not 
since Sept 17).

On the problem itself unfortunately, I am not qualified to help.

Searching Google provides some apparently related links, however:
http://lmgtfy.com/?q=java.security.InvalidAlgorithmParameterException%3A+Key+format+must+be+RAW

Now just a question related to one of these links: are your staging servers and your production server located in the same country?




When we accessed the web app on the Production server, we were able to
connect, and connected over TLS 1.2 (as expected). However, when we
accessed the web app on both Staging servers we were able to connect,
but it was connected over TLS 1.1, not TLS 1.2, as the TLS 1.2 handshake
failed and the server sent an Alert (Level: Fatal, Description: Internal
Error) response.


We enabled SSL debugging on Tomcat and saw Tomcat throw an
InvalidAlgorithmParameterException in catalina.out, as shown below:


http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 245, 39, 156, 56, 88, 62, 108, 141, 237, 93,
240, 210, 228, 91, 60, 14, 109, 138, 121, 126, 100, 36, 194, 93, 101,
131, 119, 120, 57, 120, 222, 73, 123, 122, 218, 253, 91, 170, 240,
251, 73, 214, 29, 192, 234, 109, 189, 40, 249, 161, 176, 172, 179,
36, 162, 229, 69, 160, 221, 242, 53, 100, 34, 215 }
SESSION KEYGEN:

PreMaster Secret:
(key bytes not available)
RSA master secret generation error:
java.security.InvalidAlgorithmParameterException: Key format must be RAW
          at com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:67)
          at javax.crypto.KeyGenerator.init(KeyGenerator.java:454)
          at javax.crypto.KeyGenerator.init(KeyGenerator.java:430)
          at sun.security.ssl.Handshaker.calculateMasterSecret(Unknown Source)
          at sun.security.ssl.Handshaker.calculateKeys(Unknown Source)
          at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
          at sun.security.ssl.Handshaker.processLoop(Unknown Source)
          at sun.security.ssl.Handshaker.process_record(Unknown Source)
          at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
          at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
          at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:215)
          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)
http-bio-8443-exec-1, handling exception: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-bio-8443-exec-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 50                               ......P
http-bio-8443-exec-1, called closeSocket()
http-bio-8443-exec-1, IOException in getSession():  javax.net.ssl.SSLException: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key format must be RAW
http-bio-8443-exec-1, called close()
http-bio-8443-exec-1, called closeInternal(true)



Below is the server.xml configuration we have on all servers:


      <Connector port="8443"
          protocol="org.apache.coyote.http11.Http11Protocol"
          SSLEnabled="true"
          scheme="https"
          secure="true"
          clientAuth="false"
          sslProtocol="TLS"

          maxHttpHeaderSize="8192"
          maxThreads="150"
          minSpareThreads="25"
          enableLookups="false"
          disableUploadTimeout="true"
          acceptCount="100"
          useBodyEncodingForURI="true"

          keystoreType="pkcs12"
          keystoreFile="/path/to/keystore/.filename.p12"
          keystorePass="<snip>" />



Any idea why Tomcat is not able to do a TLS 1.2 handshake and throws a
"Key format must be RAW" exception? Did we miss anything here?



Thanks for your help,

Don




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
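The stack trace above fails inside SunJCE's TlsMasterSecretGenerator, which derives the TLS master secret from the premaster secret that the ECDH KeyAgreement produced one step earlier; the message "Key format must be RAW" says that premaster key did not have the RAW encoding SunJCE expects. Which provider serves each of those steps depends on the JCE provider order of the JRE that Tomcat actually runs with, so the comparison worth making across the three servers is of that order, not only of the Java version. The following diagnostic is an added example written for this thread, not code from the thread, from Tomcat or from the JDK; it assumes the service names that the Oracle/OpenJDK 8 SunJCE and SunEC providers register (SunTlsRsaPremasterSecret, SunTlsMasterSecret, SunTls12Prf, SunTlsKeyMaterial, ECDH) and reproduces the premaster step locally with freshly generated P-256 key pairs, which are constructed test material rather than real handshake keys.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;

/**
 * Added diagnostic (not from the mailing-list thread): prints the JCE provider
 * order, the provider that will be selected for each step JSSE uses while
 * deriving the TLS master secret, and the format of the ECDH premaster secret
 * the selected provider returns. A premaster secret whose getFormat() is not
 * "RAW" is what TlsMasterSecretGenerator.engineInit rejects with
 * "Key format must be RAW". Run it on every server with the same JRE that runs
 * Tomcat (here /usr/java/latest/bin/java) and diff the outputs.
 */
public class TlsProviderCheck {

    // Service filters in the "<service>.<algorithm>" form that
    // Security.getProviders(String) accepts. The names are those registered by
    // the Oracle/OpenJDK 8 SunJCE and SunEC providers (assumption, not taken
    // from the thread).
    private static final String[] SERVICES = {
        "KeyAgreement.ECDH",
        "KeyGenerator.SunTlsRsaPremasterSecret",
        "KeyGenerator.SunTlsMasterSecret",
        "KeyGenerator.SunTls12Prf",
        "KeyGenerator.SunTlsKeyMaterial",
    };

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // 1. Provider order. A provider registered ahead of SunJCE/SunEC, whether
        //    through $JAVA_HOME/lib/security/java.security or through a
        //    Security.addProvider()/insertProviderAt() call in a web app, wins
        //    every lookup below on the server where it is present.
        System.out.println("Registered providers, in preference order:");
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            System.out.printf("  %d. %s %s%n", i + 1, all[i].getName(), all[i].getVersion());
        }

        // 2. For each TLS-related service, getProviders(filter) returns the
        //    providers offering it in preference order; the first one is the one
        //    a plain getInstance(algorithm) call, and therefore JSSE, will use.
        System.out.println("Provider selected per service:");
        for (String service : SERVICES) {
            Provider[] offering = Security.getProviders(service);
            String chosen = (offering == null) ? "NONE" : offering[0].getName();
            System.out.printf("  %-40s -> %s%n", service, chosen);
        }

        // 3. Reproduce the server-side premaster step: an ECDH agreement on
        //    P-256 between two freshly generated key pairs (constructed here,
        //    not real handshake material), asking for a TlsPremasterSecret key
        //    exactly as the JSSE server handshaker does for ECDHE suites.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair server = kpg.generateKeyPair();
        KeyPair client = kpg.generateKeyPair();

        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(server.getPrivate());
        ka.doPhase(client.getPublic(), true);
        SecretKey premaster = ka.generateSecret("TlsPremasterSecret");

        System.out.println("ECDH premaster secret:");
        System.out.println("  provider  = " + ka.getProvider().getName());
        System.out.println("  algorithm = " + premaster.getAlgorithm());
        System.out.println("  format    = " + premaster.getFormat());
        if (!"RAW".equals(premaster.getFormat())) {
            System.out.println("  !! format is not RAW: SunJCE's TlsMasterSecretGenerator"
                    + " would reject this key with \"Key format must be RAW\"");
        }
    }
}
```

Compile and run it with the Tomcat JRE (`/usr/java/latest/bin/javac TlsProviderCheck.java && /usr/java/latest/bin/java TlsProviderCheck`) on the production box and on each staging box, then diff the three outputs. A difference in section 1 or 2 between the server that negotiates TLS 1.2 and the ones that fall back to TLS 1.1 points at the provider configuration rather than at server.xml, which the thread shows is identical on all three; a non-RAW format in section 3 reproduces the failing condition outside Tomcat, where it is much easier to investigate.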