Well, I still have issues. I think it is the same thing hit by these guys:
https://jira.atlassian.com/browse/BAM-21157
https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat

I'll try their fix. My main concern is that I do not want to disable
TLSv1.3.

Any other suggestions?

--Ez

On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald <ezsra.mcdon...@gmail.com>
wrote:

> Lots of good information was provided.
>
> This afternoon I plan to test the "sslProtocol"  to "protocols" change in
> our lower environments. I will reply back with any findings.
>
> Thank you everyone for your responses.
>
> regards,
>
> -- Ez
>
> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
> <rmys...@visa.com.invalid> wrote:
>
>> Hi Chris,
>>
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Tuesday, May 25, 2021 9:10 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Ronald,
>>
>> On 5/25/21 09:31, Roskens, Ronald wrote:
>> >
>> >> -----Original Message-----
>> >> From: Christopher Schultz <ch...@christopherschultz.net>
>> >> Sent: Monday, May 24, 2021 1:56 PM
>> >> To: users@tomcat.apache.org
>> >> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
>> >> undetermined amount of time
>> >>
>> >> Ezsra,
>> >>
>> >> On 5/24/21 10:30, Ezsra McDonald wrote:
>> >>> I am enabling SSL debugging this morning. I did catch this in the
>> >>> log for an instance that started erroring out this morning. Seems
>> >>> like it may be too generic to help solve my problem. Here it is:
>> >>>
>> >>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
>> >>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>> >>> java.lang.NullPointerException
>> >>> at
>> >>> org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
>> >>> Source)
>> >>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
>> >>> Source)
>> >>
>> >> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
>> >> sure how well BC will work with Tomcat. We don't officially support
>> >> that configuration, but that doesn't mean we won't try to help.
>> >
>> > This isn't a Tomcat issue but an interoperability issue between BouncyCastle & OpenJDK.
>> >
>> > * https://github.com/bcgit/bc-java/issues/633
>> > * https://bugs.openjdk.java.net/browse/JDK-8216039
>>
>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
>> something downstream will still fail...
>>
>> Just to add my 2 cents here:
>>
>> Per the problem posed in the very first email, we see the SSL/TLS issue
>> between Oracle JDK 8 and Tomcat 8.5.
>> Environment:
>> OS: CentOS 7
>> Apache: apache-tomcat-8.5.65
>> Java: jdk1.8.0_281
>>
>> Note that the following link talks about issues between OpenJDK 11 and
>> BC.
>> https://bugs.openjdk.java.net/browse/JDK-8216039
>>
>> This morning's suggestion (about changing from "sslProtocol" to
>> "protocols") from Christopher Schultz sounds promising, in that the
>> interaction between the browser clients and the Tomcat 8.5.x server will be
>> limited only to TLS 1.2.
>> Making this change will preclude other old protocols, like TLS 1.0 and TLS
>> 1.1, in communication between the clients and the Tomcat server.
>> We will need tests after making the change to the "protocols" attribute in
>> the HTTPS connector block.
>> In the context of the above-mentioned change, we may not need any editing of
>> the "java.security" file contents (discussed last evening).
>>
>> Thanks,
>>  -Raghu
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
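As an added example (not from the thread and not text from the Tomcat documentation), a Tomcat 8.5 HTTPS connector that sets the `protocols` attribute on `SSLHostConfig` so that only TLSv1.2 and TLSv1.3 are offered, instead of relying on the connector-level `sslProtocol` attribute; the keystore path and password are placeholders.

```xml
<!-- server.xml, inside <Service> -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <!-- Allow only TLSv1.2 and TLSv1.3; TLSv1 and TLSv1.1 are no longer negotiated.
         (Tomcat's default value "all" also enables the older protocol versions.) -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <!-- placeholder keystore; replace with the real path and credential source -->
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.jks"
                     certificateKeystorePassword="PLACEHOLDER"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting, confirm the negotiated versions from a client (for example `openssl s_client -connect host:8443 -tls1_3` succeeds while `-tls1_1` is refused) before promoting the change beyond the lower environments.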
