I was unable to identify the issue with debug enabled. I started looking closer at the error I was getting in the various browsers. Apparently the SSL is working. The browsers are blocking it because the server is using something other than TLSv1.2 or better. I was able to prove this using Safari. When I enabled the older TLS options I was able to connect. The odd thing is that I have the connector configured for TLSv1.2. So, that is where I need to concentrate my efforts now. Why is tomcat not using the TLSv1.2 protocol?
As a refresher, I have the following configured for the connector.

    <Connector executor="tomcatThreadPool"
               port="${http.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="50" enableLookups="false" acceptCount="100"
               server="Apache"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2"
               keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
               keyAlias="tomcat"
               keystorePass="**************"
               connectionTimeout="20000"/>

An SSLscan of the server port shows the following requests were accepted. Some are TLSv1.2.

    sslscan target.host.com:8080|grep Accepted
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
    Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA

-- Ez

On Mon, May 24, 2021 at 9:30 AM Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> I am enabling SSL debugging this morning. I did catch this in the log for
> an instance that started erroring out this morning. Seems like it may be
> too generic to help solve my problem.
> Here it is:
>
> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.NullPointerException
>     at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>     at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>     at java.security.Signature$Delegate.engineSign(Signature.java:1382)
>     at java.security.Signature.sign(Signature.java:698)
>     at sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.<init>(CertificateVerify.java:931)
>     at sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.onProduceCertificateVerify(CertificateVerify.java:1105)
>     at sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.produce(CertificateVerify.java:1098)
>     at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:420)
>     at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1096)
>     at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1032)
>     at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
>     at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:683)
>     at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
>     at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
>     at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:432)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:496)
>     at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:237)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1611)
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
>
> I will let you know what I find in the debug. It may be a while because
> the instance works fine initially.
>
> -- Ez
>
> On Thu, May 20, 2021 at 10:55 AM <john.e.gr...@wellsfargo.com.invalid> wrote:
>
>> It's "ssl,handshake."
>>
>> > -----Original Message-----
>> > From: Ezsra McDonald <ezsra.mcdon...@gmail.com>
>> > Sent: Thursday, May 20, 2021 10:43 AM
>> > To: Tomcat Users List <users@tomcat.apache.org>
>> > Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>> >
>> > Mark,
>> >
>> > Thanks for your response.
>> >
>> > I did not see anything in the logs. This morning I added
>> > '-Djava.net.debug=handshake' to my configuration. I did not see any SSL
>> > debug information in my logs. Perhaps I did this wrong or need to use a
>> > different argument?
>> >
>> > I expected the debug to be in the access log. Should I be looking elsewhere?
>> > I also checked other logs that had timestamps for after the instance was
>> > restarted.
>> >
>> > -- Ez
>> >
>> > On Thu, May 20, 2021 at 3:05 AM Mark Thomas <ma...@apache.org> wrote:
>> >
>> > > On 19/05/2021 20:42, Ezsra McDonald wrote:
>> > > > Environment:
>> > > > OS: CentOS 7
>> > > > Apache: apache-tomcat-8.5.65
>> > > > Java: jdk1.8.0_281
>> > > >
>> > > > Greetings,
>> > > >
>> > > > I recently enabled SSL on my Tomcat server HTTP connectors.
>> > > > Something odd is happening. After some undetermined amount of time
>> > > > the connector stops responding appropriately to requests. My browser
>> > > > returns the following message:
>> > > >
>> > > > "An error occurred during a connection to target.host.com:8080. SSL
>> > > > received a malformed Alert record.
>> > > >
>> > > > Error code: SSL_ERROR_RX_MALFORMED_ALERT"
>> > > >
>> > > > I do not see anything in the logs to clue me in on what is happening.
>> > > >
>> > > > I have the following configured for the connector.
>> > > >
>> > > >     <Connector executor="tomcatThreadPool"
>> > > >                port="${http.port}"
>> > > >                protocol="org.apache.coyote.http11.Http11NioProtocol"
>> > > >                maxThreads="50" enableLookups="false" acceptCount="100"
>> > > >                server="Apache"
>> > > >                SSLEnabled="true" scheme="https" secure="true"
>> > > >                clientAuth="false" sslProtocol="TLSv1.2"
>> > > >                keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
>> > > >                keyAlias="tomcat"
>> > > >                keystorePass="**************"
>> > > >                connectionTimeout="20000"/>
>> > > >
>> > > > When I restart the instance everything works fine for a while.
>> > > > Later, when I try to look at the tomcat manager, SSL is no longer
>> > > > functioning properly.
>> > > >
>> > > > Any assistance would be appreciated.
>> > >
>> > > Anything in the access logs?
>> > >
>> > > Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot
>> > > of data but you'll be able to see exactly what is happening.
>> > >
>> > > Mark
>> > >
>> > > ---------------------------------------------------------------------
>> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> > > For additional commands, e-mail: users-h...@tomcat.apache.org
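An added example, not part of the thread and not Tomcat's own code: a small Python audit of the configuration point the sslscan result turns on. In Tomcat the Connector attribute sslProtocol only names the SSLContext that gets created (SSLContext.getInstance("TLSv1.2")); it does not limit which versions a client may negotiate. That is controlled by sslEnabledProtocols on the Connector, or by protocols="..." on a nested <SSLHostConfig>. The connector quoted above sets neither, so the JVM default applies, and on JDK 8 that default includes TLSv1 and TLSv1.1, which is exactly what the scan shows. The script parses a server.xml, flags SSLEnabled connectors that leave the negotiable versions unrestricted or include legacy ones, and parses sslscan "Accepted" lines so the scan can be compared with the configured policy. The weak server.xml fragment is constructed from the thread's connector (placeholder password kept); the hardened variant with sslEnabledProtocols="TLSv1.2", the expansion of "all" to the JDK 8 default set, and the sslscan name mapping are this example's assumptions.

```python
"""Audit Tomcat connectors for the sslProtocol / sslEnabledProtocols mix-up.

sslProtocol only names the SSLContext Tomcat creates; it does not limit the
versions a client may negotiate.  That is done by the Connector attribute
sslEnabledProtocols or by protocols="..." on a nested <SSLHostConfig>.
With neither set, the JVM default applies.
"""
import xml.etree.ElementTree as ET

# Versions that should no longer be negotiable.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# What the default / "all" setting offers on a JDK 8 server: an assumption,
# consistent with the sslscan output quoted in the thread.
JDK8_DEFAULT = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed from the connector quoted in the thread (password placeholder kept).
WEAK_SERVER_XML = """<Service name="Catalina">
  <Connector executor="tomcatThreadPool" port="${http.port}"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="50" enableLookups="false" acceptCount="100"
             server="Apache" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLSv1.2"
             keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks" keyAlias="tomcat"
             keystorePass="**************" connectionTimeout="20000"/>
</Service>"""

# Same connector with the negotiable versions actually pinned (added here).
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'sslProtocol="TLSv1.2"', 'sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"')

# A few of the sslscan lines quoted in the thread, for the cross-check.
SAMPLE_SSLSCAN = """Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256"""

# sslscan has printed version names in several styles; normalise to JSSE names.
SSLSCAN_NAMES = {"TLSv1.0": "TLSv1", "TLS11": "TLSv1.1", "TLS12": "TLSv1.2", "TLS13": "TLSv1.3"}


def parse_protocol_list(value):
    """Expand a Tomcat protocols value ("TLSv1.2", "TLSv1.2+TLSv1.3",
    "all,-TLSv1") into a set, following the documented +/- token rules."""
    enabled = set()
    for token in value.replace("+", ",").split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("-"):
            enabled.discard(token[1:])
        elif token == "all":
            enabled |= JDK8_DEFAULT
        else:
            enabled.add(token)
    return enabled


def connector_protocols(conn):
    """Return (source, versions) for an explicit restriction, else (None, None)."""
    value = conn.get("sslEnabledProtocols")
    if value:
        return "sslEnabledProtocols", parse_protocol_list(value)
    for host in conn.findall("SSLHostConfig"):
        if host.get("protocols"):
            return "SSLHostConfig/protocols", parse_protocol_list(host.get("protocols"))
    return None, None


def audit(server_xml):
    """Return (port, finding) pairs for every SSLEnabled connector that can
    still negotiate a legacy version."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        source, enabled = connector_protocols(conn)
        if enabled is None:
            findings.append((port, "sslProtocol=%s but no sslEnabledProtocols/protocols; "
                                   "JVM default versions apply" % conn.get("sslProtocol", "TLS")))
        elif enabled & LEGACY:
            findings.append((port, "%s still enables %s" % (source, sorted(enabled & LEGACY))))
    return findings


def scanned_protocols(sslscan_output):
    """Collect version names from sslscan 'Accepted <version> <bits> bits <cipher>' lines."""
    found = set()
    for line in sslscan_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "Accepted":
            found.add(SSLSCAN_NAMES.get(parts[1], parts[1]))
    return found


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit(xml_text) or "no findings")
    offered = scanned_protocols(SAMPLE_SSLSCAN)
    print("scan offers", sorted(offered), "legacy:", sorted(offered & LEGACY))
```

Run it against a real server.xml by passing the file contents to audit(); a connector that only sets sslProtocol produces a finding, while one that pins sslEnabledProtocols (or SSLHostConfig protocols) to TLSv1.2 and newer does not. After changing the configuration, the sslscan from the thread is the confirmation step: scanned_protocols() of its output should no longer intersect LEGACY.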