We are in the process of upgrading Tomcat 5.5 to Tomcat 7.0.  These Tomcat 
deployments use a custom FIPS 140-2 certified JSSE implementation for their SSL 
Connectors.

In Tomcat 5.5, the Connectors are configured like this:

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
  <Connector port="41443" minProcessors="5" maxProcessors="75"
             enableLookups="true" disableUploadTimeout="true" redirectPort="41443"
             acceptCount="100" debug="0" scheme="https" secure="true" connectionTimeout="60000"
             useURIValidationHack="false" clientAuth="false" sslProtocol="SSLv2Hello,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
             SSLImplementation="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
  />

which works fine (a listener appears on 41443 and one can do HTTPS to it).

In Tomcat 7.0.23 we are trying to use

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
  <Connector port="41443" enableLookups="true" disableUploadTimeout="true"
             redirectPort="41443" acceptCount="100" scheme="https" secure="true"
             connectionTimeout="60000" clientAuth="false" sslProtocol="SSLv2Hello,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
             sslImplementationName="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
             SSLEnabled="true"/>

but this does not work (no listener appears on 41443) and catalina.out has this:

Jan 6, 2012 8:09:14 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-41443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-41443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.io.IOException: SSLv2Hello,TLSv1 SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
        ... 13 more
Caused by: java.security.NoSuchAlgorithmException: SSLv2Hello,TLSv1 SSLContext not available
        at sun.security.jca.GetInstance.getInstance(Unknown Source)
        at javax.net.ssl.SSLContext.getInstance(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:488)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:448)
        ... 19 more

It seems that Tomcat is trying the default JSSE implementation despite the 
sslImplementationName attribute being set.  Are there internal precedence 
controls, or does the classloader hierarchy matter, or what?
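The innermost cause in the trace above is javax.net.ssl.SSLContext.getInstance being handed the whole comma-joined sslProtocol value as one algorithm name. The following standalone Java program (an added illustration, not code from the original post or from Tomcat) reproduces that lookup against the JVM's own JSSE provider and shows that restricting negotiable protocol versions is a separate, per-engine setting rather than part of the context name.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class SslProtocolNameCheck {

    /** True if the JSSE provider registers an SSLContext under exactly this name. */
    static boolean contextAvailable(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The literal value from the failing Tomcat 7 connector. getInstance()
        // expects a single algorithm name, so the comma-joined string is rejected
        // with the same "SSLContext not available" NoSuchAlgorithmException seen
        // in catalina.out.
        System.out.println("\"SSLv2Hello,TLSv1\" -> " + contextAvailable("SSLv2Hello,TLSv1"));

        // A single context name resolves. "TLS" is the generic SunJSSE context name.
        System.out.println("\"TLS\" -> " + contextAvailable("TLS"));

        // Which versions a connection may actually negotiate is configured on the
        // engine/socket, not encoded in the context name. TLSv1.2 is used here
        // (a demo choice) because TLSv1 is disabled by default on current JVMs.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers are enough for this check
        SSLEngine engine = ctx.createSSLEngine();
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        System.out.println("enabled:   " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Compile and run with `javac SslProtocolNameCheck.java && java SslProtocolNameCheck`; the first line prints false and the second true on any JDK with SunJSSE.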
