2016-09-21 19:16 GMT+02:00 André Warnier (tomcat) <a...@ice-sa.com>:
> On 21.09.2016 18:49, Christopher Schultz wrote:
>>
>> Ron,
>>
>> On 9/21/16 11:58 AM, Roskens, Ronald wrote:
>>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>>> Sent: Wednesday, September 21, 2016 9:40 AM
>>>> To: Tomcat Users List
>>>> Subject: Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal
>>>> Error: Key format must be RAW
>>>>
>>>
>>> <snipped>
>>>
>>>> This may be the most promising page on the Internet, but of
>>>> course Red Hat wants you to pay to read it:
>>>>
>>>> https://access.redhat.com/solutions/1309153
>>>>
>>>> I can't see the "verified solution", or I'd reprint it here
>>>> without permission :)
>>>
>>>
>>> The resolution says to either disable TLS 1.2 or FIPS mode.
>>>
>>> The root cause is the PKCS#11 implementation included in Java 7 and
>>> 8 does not support TLS 1.2 when in FIPS mode as documented in
>>> OpenJDK bug JDK-8029661
>>> (https://bugs.openjdk.java.net/browse/JDK-8029661)
>>>
>>> See also:
>>> https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
>>
>> Thanks for posting this.
>>
>> Good old FIPS: hobbling real security since 1994.
>>
>
> Thanks also, but does this explain fully the symptoms seen by the OP? As I
> recall, he had 3 apparently similar servers, configured similarly, but where
> 2 were seeing the problem and the third one not.
> Or was there another difference which he did not tell us about, and where?
>
I'd try to run cat /proc/sys/crypto/fips_enabled

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
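An added example, not part of the original messages: a script that prints the kernel FIPS flag suggested above together with the JSSE FIPS setting from `java.security`, one line per host, so that similarly configured servers can be compared. The `java.security` path is passed in by the caller, the provider-line form follows the Oracle JSSE FIPS guide linked in the thread, and the server names and sample file contents are constructed.

```shell
#!/bin/sh
# Added example. Prints one line per host so similar servers can be diffed.

# Kernel FIPS switch: the file holds 1 (on) or 0 (off); absent on non-Linux.
kernel_fips() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# JSSE FIPS switch: an uncommented java.security provider entry that binds
# the SunJSSE provider to a PKCS#11 token (form taken from Oracle's guide).
jsse_fips() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -Eq '^[[:space:]]*security\.provider\.[0-9]+[[:space:]]*=[[:space:]]*com\.sun\.net\.ssl\.internal\.ssl\.Provider[[:space:]]+SunPKCS11' "$1"
    then echo enabled
    else echo disabled
    fi
}

# One comparable line per host. Arguments: java.security path, then
# (optionally) an alternate kernel flag file, used here for the samples.
fips_report() {
    echo "kernel_fips=$(kernel_fips "$2") jsse_fips=$(jsse_fips "$1")"
}

# Constructed sample files standing in for two of the servers.
demo() {
    d=$(mktemp -d) || return 1
    printf '1\n' > "$d/fips_a"; printf '0\n' > "$d/fips_b"
    printf '%s\n' 'security.provider.1=sun.security.pkcs11.SunPKCS11 /etc/nss.cfg' \
        'security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS' > "$d/sec_a"
    printf '%s\n' '#security.provider.2=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS' \
        'security.provider.2=com.sun.net.ssl.internal.ssl.Provider' > "$d/sec_b"
    echo "server-a $(fips_report "$d/sec_a" "$d/fips_a")"
    echo "server-b $(fips_report "$d/sec_b" "$d/fips_b")"
    rm -rf "$d"
}
demo
```

On a real host, call `fips_report` with the `java.security` file of the JRE that Tomcat actually runs under; the two settings are independent, so a host can report one enabled and the other disabled.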