I was unable to identify the issue with debug enabled. I started looking
closer at the error I was getting in the various browsers. Apparently SSL
is working. The browsers are blocking it because the server is using
something other than TLSv1.2 or better. I was able to prove this using
Safari. When I enabled the older TLS options, I was able to connect. The odd
thing is that I have the connector configured for TLSv1.2. So that is
where I need to concentrate my efforts now. Why is Tomcat not using the
TLSv1.2 protocol?

As a refresher, I have the following configured for the connector.
<Connector executor="tomcatThreadPool"
       port="${http.port}"
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       maxThreads="50" enableLookups="false" acceptCount="100"
       server="Apache"
       SSLEnabled="true" scheme="https" secure="true"
       clientAuth="false" sslProtocol="TLSv1.2"
       keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
       keyAlias="tomcat"
       keystorePass="**************"
       connectionTimeout="20000"/>

An sslscan of the server port shows that the following were accepted.
Some are TLSv1.2.

sslscan target.host.com:8080|grep Accepted
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA

--Ez

On Mon, May 24, 2021 at 9:30 AM Ezsra McDonald <ezsra.mcdon...@gmail.com>
wrote:

> I am enabling SSL debugging this morning. I did catch this in the log for
> an instance that started erroring out this morning. Seems like it may be
> too generic to help solve my problem. Here it is:
>
> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.NullPointerException
> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> Source)
> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
> at java.security.Signature$Delegate.engineSign(Signature.java:1382)
> at java.security.Signature.sign(Signature.java:698)
> at
> sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.<init>(CertificateVerify.java:931)
> at
> sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.onProduceCertificateVerify(CertificateVerify.java:1105)
> at
> sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.produce(CertificateVerify.java:1098)
> at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:420)
> at
> sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1096)
> at
> sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1032)
> at
> sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
> at
> sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:683)
> at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
> at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
> at
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
> at
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
> at
> org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:432)
> at
> org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:496)
> at
> org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:237)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1611)
> at
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
>
>
> I will let you know what I find in the debug. It may be a while because
> the instance works fine initially.
>
> -- Ez
>
>
> On Thu, May 20, 2021 at 10:55 AM <john.e.gr...@wellsfargo.com.invalid>
> wrote:
>
>> It's "ssl,handshake."
>>
>>
>> > -----Original Message-----
>> > From: Ezsra McDonald <ezsra.mcdon...@gmail.com>
>> > Sent: Thursday, May 20, 2021 10:43 AM
>> > To: Tomcat Users List <users@tomcat.apache.org>
>> > Subject: Re: Tomcat SSL stops working after an undetermined amount of
>> > time
>> >
>> > Mark,
>> >
>> > Thanks for your response.
>> >
>> > I did not see anything in the logs. This morning I added '
>> > -Djava.net.debug=handshake' to my configuration. I did not see any SSL
>> > debug information in my logs. Perhaps I did this wrong or need to use a
>> > different argument?
>> >
>> > I expected the debug to be in the access log. Should I be looking elsewhere?
>> > I also checked other logs that had timestamps for after the instance was
>> > restarted.
>> >
>> > -- Ez
>> >
>> > On Thu, May 20, 2021 at 3:05 AM Mark Thomas <ma...@apache.org> wrote:
>> >
>> > > On 19/05/2021 20:42, Ezsra McDonald wrote:
>> > > > Environment:
>> > > > OS: CentOS 7
>> > > > Apache: apache-tomcat-8.5.65
>> > > > Java: jdk1.8.0_281
>> > > >
>> > > > Greetings,
>> > > >
>> > > > I recently enabled SSL on my Tomcat server HTTP connectors.
>> > > > Something odd is happening. After some undetermined amount of time
>> > > > the connector stops responding appropriately to requests. My browser
>> > > > returns the following
>> > > > message:
>> > > >
>> > > > "An error occurred during a connection to target.host.com:8080. SSL
>> > > > received a malformed Alert record.
>> > > >
>> > > > Error code: SSL_ERROR_RX_MALFORMED_ALERT "
>> > > > I do not see anything in the logs to clue me in on what is happening.
>> > > >
>> > > > I have the following configured for the connector.
>> > > > <Connector executor="tomcatThreadPool"
>> > > >         port="${http.port}"
>> > > >         protocol="org.apache.coyote.http11.Http11NioProtocol"
>> > > >         maxThreads="50" enableLookups="false" acceptCount="100"
>> > > >         server="Apache"
>> > > >         SSLEnabled="true" scheme="https" secure="true"
>> > > >         clientAuth="false" sslProtocol="TLSv1.2"
>> > > >         keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
>> > > >         keyAlias="tomcat"
>> > > >         keystorePass="**************"
>> > > >         connectionTimeout="20000"/>
>> > > >
>> > > > When I restart the instance everything works fine for a while. Later,
>> > > > when I try to look at the Tomcat manager, SSL is no longer functioning
>> > > > properly.
>> > > >
>> > > > Any assistance would be appreciated.
>> > >
>> > > Anything in the access logs?
>> > >
>> > > Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot
>> > > of data but you'll be able to see exactly what is happening.
>> > >
>> > > Mark
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> > > For additional commands, e-mail: users-h...@tomcat.apache.org
>> > >
>> > >
>>
>

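Added example, not part of the thread and not Tomcat's own code. On a Tomcat 8.5 JSSE connector the `sslProtocol` attribute only names the `SSLContext` algorithm; the set of protocol versions the socket will actually negotiate is controlled by `sslEnabledProtocols` on the `<Connector>` (or `protocols` on an `<SSLHostConfig>` element), which defaults to all versions the JVM supports, so an sslscan that still shows TLSv1 and TLS11 accepted is consistent with the configuration quoted above. The `T13CertificateVerify` frames in the quoted stack trace are the JDK's TLS 1.3 code path, so the version list to check includes 1.3 as well. The script below is one way to verify a fix from the outside: it pins one TLS version per handshake so the server cannot fall back, and it grades an sslscan transcript against a minimum-version policy. `SAMPLE_SSLSCAN` is constructed in sslscan's output format, and the host/port arguments are whatever you point it at.

```python
"""Check which TLS versions a server really negotiates, and grade an
sslscan transcript against a minimum-version policy.

Usage:  python tlscheck.py target.host.com 8080            # live probe
        sslscan target.host.com:8080 | python tlscheck.py  # grade output
"""
import re
import socket
import ssl
import sys

# Constructed sample in sslscan's "Accepted" line format; not captured from
# a real host. It mirrors the mix seen in the thread: TLSv1/TLS11 still
# accepted next to TLS12.
SAMPLE_SSLSCAN = """\
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
"""

# sslscan protocol labels -> comparable (major, minor) record versions.
PROTO_ORDER = {"SSLv2": (2, 0), "SSLv3": (3, 0), "TLSv1": (3, 1),
               "TLS11": (3, 2), "TLS12": (3, 3), "TLS13": (3, 4)}

ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


def parse_sslscan(text):
    """Map each protocol label to the cipher suites sslscan got accepted."""
    accepted = {}
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.setdefault(m.group(1), []).append(m.group(3))
    return accepted


def policy_violations(accepted, minimum="TLS12"):
    """Return (protocol, cipher, reason) for every accepted suite that is
    below the minimum version or, at/above it, is not an AEAD suite."""
    floor = PROTO_ORDER[minimum]
    bad = []
    for proto, ciphers in accepted.items():
        for cipher in ciphers:
            if PROTO_ORDER.get(proto, (0, 0)) < floor:
                bad.append((proto, cipher, "below minimum version"))
            elif "GCM" not in cipher and "CHACHA20" not in cipher:
                bad.append((proto, cipher, "non-AEAD (CBC/HMAC) suite"))
    return bad


def probe_versions(host, port, timeout=5.0):
    """Attempt one handshake per TLS version with min == max pinned, so the
    server cannot negotiate anything else. Returns {name: negotiated version
    or None}. Certificate validation is off on purpose: only version
    negotiation is under test here, not the chain."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security
            # level; lower it so the client will offer them at all.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as s:
                with ctx.wrap_socket(s, server_hostname=host) as tls:
                    results[ver.name] = tls.version()
        except (ssl.SSLError, OSError, ValueError):
            results[ver.name] = None
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        for name, got in probe_versions(sys.argv[1], int(sys.argv[2])).items():
            print(f"{name:8s} {'accepted' if got else 'rejected'}")
    else:
        text = SAMPLE_SSLSCAN if sys.stdin.isatty() else sys.stdin.read()
        for proto, cipher, reason in policy_violations(parse_sslscan(text)):
            print(f"{proto:6s} {cipher:32s} {reason}")
```

After setting `sslEnabledProtocols="TLSv1.2"` (or `protocols="TLSv1.2"` on `<SSLHostConfig>`) and restarting, the live probe should report only TLSv1_2 as accepted; the policy grader run over a fresh sslscan should then list only the non-AEAD suites, which `ciphers`/`sslEnabledCiphers` can trim separately.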