We are in the process of upgrading Tomcat 5.5 to Tomcat 7.0. These Tomcat
deployments use a custom FIPS 140-2 certified JSSE implementation for their SSL
Connectors.
In Tomcat 5.5, the Connectors are configured like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the
installer (default 41443) -->
<Connector port="41443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
redirectPort="41443"
acceptCount="100" debug="0" scheme="https" secure="true"
connectionTimeout="60000"
useURIValidationHack="false" clientAuth="false"
sslProtocol="SSLv2Hello,TLSv1"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
SSLImplementation="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
/>
which works fine. ( a listener appears on 41443 and one can do HTTPS to it)
In Tomcat 7.0.23 we are trying to use
<!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the
installer (default 41443) -->
<Connector port="41443" enableLookups="true" disableUploadTimeout="true"
redirectPort="41443" acceptCount="100" scheme="https" secure="true"
connectionTimeout="60000" clientAuth="false" sslProtocol="SSLv2Hello,TLSv1"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
sslImplementationName="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
SSLEnabled="true"/>
but this does not work (no listener appears on 41443) and catalina.out has this:
Jan 6, 2012 8:09:14 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector
[Connector[HTTP/1.1-41443]]org.apache.catalina.LifecycleException: Failed to
initialize component [Connector[HTTP/1.1-41443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService
.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.j
ava:781)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initializati
on failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:9
39)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.io.IOException: SSLv2Hello,TLSv1 SSLContext not available
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:9
37)
... 13 more
Caused by: java.security.NoSuchAlgorithmException: SSLv2Hello,TLSv1 SSLContext n
ot available
at sun.security.jca.GetInstance.getInstance(Unknown Source)
at javax.net.ssl.SSLContext.getInstance(Unknown Source)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JS
SESocketFactory.java:488) at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:448)
... 19 more
It seems that tomcat is trying the default JSSE implementation despite the
sslImplementationName attribute being set. Are there internal precedence
controls or does the classloader hierarchy matter or what?
