Hello
Apache Tomcat 8.5.23
Centos 7.4 (3.10.0-514.16.1.el7.x86_64)
Java 1.8.0_152 (with jce)
Running in Docker Container
I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23,
but when trying to get TLS/SSL working on a connector I get the
following error:
22-Nov-2017 11:52:46.098 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio2-18443"]
 java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    ... 20 more
I've changed the connector configuration to use
SSLHostConfig/Certificate, but our certificate generation process
(self-signed certificates) has remained the same. I did a quick
internet search and saw that other people had similar, but not exact,
issues, and that going back to 8.5.4 "solved" the issue. So I did this as a
quick test, so at least I could see that our configuration changes
were correct, and yes, the application ran OK with Tomcat 8.5.4. The
connector configuration is:
<Connector port="${servers.port}"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true" server="Apache" maxPostSize="100000">
    <SSLHostConfig certificateVerification="none"
                   sslProtocol="TLSv1.2" protocols="TLSv1.2"
                   truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12"
                   truststoreType="PKCS12"
                   truststorePassword="${truststore.pass}" honorCipherOrder="true"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
        <Certificate certificateKeystoreFile="/usr/local/tomcat/ssl/server-keystore.p12"
                     certificateKeyAlias="tomcat-ssl"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="${keystore.pass}">
        </Certificate>
    </SSLHostConfig>
</Connector>
Setting javax.net.debug=all in CATALINA_OPTS and viewing the resultant
logging seems to indicate that the certificate is being loaded, but
not the trust store, with the only trust store loaded coming from:
/opt/jre1.8.0_152/lib/security/cacerts
Best Regards
Richard
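The stack trace above fails inside PKIXBuilderParameters, which Tomcat's JSSEUtil builds from the configured trust store; that constructor only counts entries the KeyStore reports as trusted certificate entries, so a store can contain certificates and still yield zero trust anchors. The following stand-alone check reproduces that step outside Tomcat. It is an added example, not code from the post or from the Tomcat project; the class name TrustStoreCheck, its command-line arguments and the helper trustAnchorAliases are my own, and the file path and password shown in the usage comment are placeholders for the values the connector uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Loads a trust store with the same KeyStore API Tomcat 8.5 uses and reports
 * whether the JVM sees any trust anchors (trusted certificate entries) in it.
 *
 * Usage (hypothetical class name and arguments):
 *   java TrustStoreCheck /usr/local/tomcat/ssl/ca-truststore.p12 PKCS12 'changeit'
 */
public class TrustStoreCheck {

    /** Aliases that java.security.cert.PKIXParameters will accept as trust anchors. */
    static List<String> trustAnchorAliases(KeyStore ks) throws Exception {
        List<String> anchors = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            // Only trustedCertEntry entries count. A PrivateKeyEntry whose chain
            // happens to contain the CA does not make that CA a trust anchor.
            if (ks.isCertificateEntry(alias)) {
                anchors.add(alias);
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <file> <storeType> <password>");
            System.exit(2);
        }
        String file = args[0];
        String type = args[1];            // e.g. PKCS12 or JKS, as in truststoreType
        char[] password = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }

        // Show every entry the JVM parsed and how it classifies it.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            String kind = ks.isCertificateEntry(alias) ? "trustedCertEntry"
                        : ks.isKeyEntry(alias)         ? "PrivateKeyEntry"
                        : "other";
            System.out.println(alias + " : " + kind);
        }

        List<String> anchors = trustAnchorAliases(ks);
        System.out.println(anchors.size() + " trust anchor(s): " + anchors);

        // Same constructor Tomcat's JSSEUtil.getParameters calls for the PKIX
        // trust manager; with no trustedCertEntry entries it throws
        // InvalidAlgorithmParameterException("the trustAnchors parameter must be non-empty").
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("PKIXBuilderParameters built: Tomcat would accept this trust store");
        } catch (InvalidAlgorithmParameterException ex) {
            System.out.println("PKIXBuilderParameters failed: " + ex.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with exactly the truststoreFile, truststoreType and truststorePassword from the SSLHostConfig, using the same JRE Tomcat runs under. The listing shows what that JVM's KeyStore implementation sees rather than what the tool that wrote the file intended, and the final step reproduces the exception from the trace without starting Tomcat, which separates a trust-store-format problem from a connector-configuration problem.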