tomcat-users mailing list archives

From Mark Lim <mark_...@symantec.com>
Subject migrating Tomcat 5.5 SSL Connector to 7.0
Date Sat, 07 Jan 2012 00:05:09 GMT
We are in the process of upgrading Tomcat 5.5 to Tomcat 7.0. These Tomcat deployments use a custom FIPS 140-2 certified JSSE implementation for their SSL Connectors.

In Tomcat 5.5, the Connectors are configured like this:

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
  <Connector port="41443" minProcessors="5" maxProcessors="75"
             enableLookups="true" disableUploadTimeout="true" redirectPort="41443"
             acceptCount="100" debug="0" scheme="https" secure="true" connectionTimeout="60000"
             useURIValidationHack="false" clientAuth="false" sslProtocol="SSLv2Hello,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
             SSLImplementation="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation" />

which works fine (a listener appears on 41443 and one can do HTTPS to it).

In Tomcat 7.0.23 we are trying to use

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
  <Connector port="41443" enableLookups="true" disableUploadTimeout="true" redirectPort="41443"
             acceptCount="100" scheme="https" secure="true" connectionTimeout="60000"
             clientAuth="false" sslProtocol="SSLv2Hello,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
             keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
             sslImplementationName="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
             SSLEnabled="true"/>

but this does not work (no listener appears on 41443) and catalina.out has this:

Jan 6, 2012 8:09:14 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-41443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-41443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.io.IOException: SSLv2Hello,TLSv1 SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
        ... 13 more
Caused by: java.security.NoSuchAlgorithmException: SSLv2Hello,TLSv1 SSLContext not available
        at sun.security.jca.GetInstance.getInstance(Unknown Source)
        at javax.net.ssl.SSLContext.getInstance(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:488)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:448)
        ... 19 more

It seems that Tomcat is trying the default JSSE implementation despite the sslImplementationName attribute being set. Are there internal precedence controls or does the classloader hierarchy matter or what?
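The innermost "Caused by" in the trace above shows the connector's sslProtocol value reaching javax.net.ssl.SSLContext.getInstance, which takes a single SSLContext algorithm name (such as TLS), not a comma-separated protocol list; in Tomcat 7 the list of protocols to enable is a separate connector attribute, sslEnabledProtocols. The following Java program is an added illustration, not code from Mark's message, from Tomcat or from the custom SSLImplementation named in it: it reproduces the failing lookup outside Tomcat, then shows the separate step (restricting the enabled protocols on an SSLEngine) that a list like SSLv2Hello,TLSv1 corresponds to. The class and method names are mine, and which protocol names a given JDK supports varies, so the second step drops names the runtime does not know instead of letting setEnabledProtocols throw. Note that the misread setting fails closed: no listener is started rather than one with an unintended protocol set, which is the behaviour the message reports.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration (not Tomcat code, hypothetical class name): reproduces the
// SSLContext lookup that fails in the stack trace, then shows where a protocol
// list really belongs.
public class SslProtocolNameCheck {

    // Step 1: the algorithm-name lookup. The trace shows Tomcat 7's
    // JSSESocketFactory handing the sslProtocol attribute to
    // SSLContext.getInstance, so a comma-separated list is treated as one
    // (non-existent) algorithm name and getInstance throws.
    static String probeContextName(String algorithmName) {
        try {
            SSLContext ctx = SSLContext.getInstance(algorithmName);
            ctx.init(null, null, null);   // default key/trust managers and RNG
            return "OK: \"" + algorithmName + "\" -> supports "
                    + Arrays.toString(ctx.createSSLEngine().getSupportedProtocols());
        } catch (NoSuchAlgorithmException e) {
            return "NoSuchAlgorithmException: " + e.getMessage();
        } catch (KeyManagementException e) {
            return "KeyManagementException: " + e.getMessage();
        }
    }

    // Step 2: enabling a protocol list. This is a separate call on the engine
    // (or socket). setEnabledProtocols throws IllegalArgumentException for a
    // name the runtime does not support, so unknown names are dropped and
    // reported rather than taking the whole listener down.
    static String[] enableProtocols(SSLContext ctx, String commaSeparatedList) {
        SSLEngine engine = ctx.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabled = new ArrayList<String>();
        for (String name : commaSeparatedList.split(",")) {
            name = name.trim();
            if (supported.contains(name)) {
                enabled.add(name);
            } else {
                System.err.println("skipping protocol not supported by this JDK: " + name);
            }
        }
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // The value used in the Tomcat 7 connector from the message.
        System.out.println(probeContextName("SSLv2Hello,TLSv1"));
        // A real SSLContext algorithm name.
        System.out.println(probeContextName("TLS"));

        // The same list applied where a protocol list belongs.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        System.out.println("enabled: "
                + Arrays.toString(enableProtocols(ctx, "SSLv2Hello,TLSv1")));
    }
}
```

Compile and run with javac/java; the first line printed is the same NoSuchAlgorithmException message that appears in catalina.out, the second shows the protocols a real context name offers, and the third shows which names from the list the running JDK actually enabled.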

