tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLSv1.2 handshake failure on outgoing connections
Date Fri, 29 Jan 2016 22:34:31 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan,

On 1/29/16 3:55 PM, Hrivnak, Dan wrote:
> In case anyone was following this or seeing similar issues, I was 
> able to track it down. When debugging into the Axis library code 
> itself I was able to see one more frame of the stack trace 
> (java.security.InvalidAlgorithmParameterException: parameter
> object not a ECParameterSpec) before it got swallowed up, which led
> me to this article: 
> http://iwang.github.io/support/2014/03/14/cxf-cause-https-error.html
> 
> Basically, my classpath had a version of the bouncycastle library 
> meant for JDK 1.4, causing the issue with the ECDH key exchange 
> during the TLS handshake. Removing it solved the problem!

Oh, man. That'll definitely do it.

> Now, in case you are still reading, I can explain why the problem 
> only appeared in the context of running inside Tomcat. Looking at
> the maven dependency tree to see where bouncycastle for JDK 1.4
> came from, I learned that jfreechart listed it as a dependency.

Nice! I'm always careful to make sure that all my charts are
encrypted, so it's great that jFreeChart pulls BC as a dependency. (WTF?)

> Axis, on the other hand, listed bouncycastle for JDK 1.5+ in its 
> transitive dependencies. Since my unit test was inside a module
> that wasn’t concerned with jfreechart, its classpath only had the
> newer bouncycastle library. But Tomcat, since its classpath
> contained everything my entire application cared about, had both
> versions of bouncycastle. And apparently the classloader decided to
> pick up the old one at runtime.

Heisenbugs all the way down.

> The moral of the story is that Byteman will be a great tool to
> keep handy for times when a stack trace is dropped on the floor by
> code you don’t control.

Looks like a handy tool, especially being able to predictably stall
programs for multi-threaded testing. Force the JVM to behave like
those theoretical "thread A does this then thread B does this"
interleave diagrams that show the potential for deadlock/whatever? Sweet.

I'm glad you got to the bottom of this.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlar6PcACgkQ9CaO5/Lv0PBd9wCgrN/jOVqqiTazXN5YSKvUn2hh
l1sAnjcD9/pwcZyAcz2yb6Bw7wSJGHG+
=cNHp
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
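The failure Dan describes is a classic jar-shadowing problem: two Bouncy Castle builds in WEB-INF/lib, both providing the same class names, and the web application classloader picking whichever it found first. The script below is an added example for this thread (it is not code from Dan, Chris, Tomcat or Bouncy Castle) showing the check a practitioner would run against a lib directory to find classes supplied by more than one jar before a deployment ever reaches a TLS handshake. The jars it builds are constructed stand-ins with empty entries, and the artifact names (bcprov-jdk14-138, bcprov-jdk15on-1.54, jfreechart-1.0.19) and class names are assumptions chosen to mirror the mail, not an inventory of Dan's real classpath.

```python
"""Report classes that appear in more than one jar of a lib directory.

Added example, not from the mailing-list thread. It builds a constructed
WEB-INF/lib look-alike with two Bouncy Castle jars that both ship the same
classes (the situation in the mail) and then indexes every .class entry to
show which jars would shadow each other at runtime. Jar and class names are
assumptions; the entries are empty placeholders, not real bytecode.
"""
import os
import tempfile
import zipfile
from collections import defaultdict


def build_sample_lib_dir() -> str:
    """Create a temporary lib directory of constructed jars mimicking the conflict."""
    libdir = tempfile.mkdtemp(prefix="weblib-")
    jars = {
        # Assumed old JDK 1.4 build of Bouncy Castle (the one that broke ECDH).
        "bcprov-jdk14-138.jar": [
            "org/bouncycastle/jce/provider/BouncyCastleProvider.class",
            "org/bouncycastle/jce/spec/ECParameterSpec.class",
        ],
        # Assumed JDK 1.5+ build pulled in by Axis.
        "bcprov-jdk15on-1.54.jar": [
            "org/bouncycastle/jce/provider/BouncyCastleProvider.class",
            "org/bouncycastle/jce/spec/ECParameterSpec.class",
            "org/bouncycastle/jcajce/provider/asymmetric/ec/KeyAgreementSpi.class",
        ],
        # Unrelated jar with no overlap, to show it is not reported.
        "jfreechart-1.0.19.jar": ["org/jfree/chart/JFreeChart.class"],
    }
    for name, entries in jars.items():
        with zipfile.ZipFile(os.path.join(libdir, name), "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # empty placeholder entry
    return libdir


def class_index(libdir: str) -> dict:
    """Map every .class entry to the (sorted) list of jars containing it."""
    index = defaultdict(list)
    for jar in sorted(os.listdir(libdir)):
        if not jar.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(libdir, jar)) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    index[entry].append(jar)
    return dict(index)


def duplicate_classes(libdir: str) -> dict:
    """Return only the classes supplied by more than one jar (the shadowing set)."""
    return {cls: jars for cls, jars in class_index(libdir).items() if len(jars) > 1}


def conflicting_jars(libdir: str) -> set:
    """Jars that share at least one class name with another jar in the directory."""
    jars = set()
    for owners in duplicate_classes(libdir).values():
        jars.update(owners)
    return jars


def jars_for_package(libdir: str, package_prefix: str) -> set:
    """Jars that contain any class under a package prefix such as 'org/bouncycastle/'."""
    return {
        jar
        for cls, owners in class_index(libdir).items()
        if cls.startswith(package_prefix)
        for jar in owners
    }


if __name__ == "__main__":
    lib = build_sample_lib_dir()
    print("Bouncy Castle is supplied by:", sorted(jars_for_package(lib, "org/bouncycastle/")))
    for cls, owners in sorted(duplicate_classes(lib).items()):
        print(f"SHADOWED {cls}: {', '.join(owners)}")
    print("Jars to reconcile:", sorted(conflicting_jars(lib)))
```

Pointing `class_index` at a real WEB-INF/lib (or at `$CATALINA_HOME/lib` plus the webapp's lib) turns this into a pre-deployment gate: any non-empty `duplicate_classes` result means the outcome of a class lookup depends on jar ordering, which is exactly the "works in the unit test, fails in Tomcat" behaviour in the thread. Which jar wins is decided by the classloader, so the fix is to remove or exclude the unwanted artifact (a Maven `<exclusion>` on the transitive dependency) rather than to rely on ordering.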

