tomcat-users mailing list archives

From Christopher Schultz
Subject Re: TLSv1.2 handshake failure on outgoing connections
Date Fri, 29 Jan 2016 22:34:31 GMT

On 1/29/16 3:55 PM, Hrivnak, Dan wrote:
> In case anyone was following this or seeing similar issues, I was 
> able to track it down. When debugging into the Axis library code 
> itself I was able to see one more frame of the stack trace 
> ( parameter
> object not a ECParameterSpec) before it got swallowed up, which led
> me to this article: 
> Basically, my classpath had a version of the bouncycastle library 
> meant for JDK 1.4, causing the issue with the ECDH key exchange 
> during the TLS handshake. Removing it solved the problem!

Oh, man. That'll definitely do it.

> Now, in case you are still reading, I can explain why the problem 
> only appeared in the context of running inside Tomcat. Looking at
> the maven dependency tree to see where bouncycastle for JDK 1.4
> came from, I learned that jfreechart listed it as a dependency.

Nice! I'm always careful to make sure that all my charts are
encrypted, so it's great that jFreeChart pulls BC as a dependency. (WTF?)

> Axis, on the other hand, listed bouncycastle for JDK 1.5+ in its 
> transitive dependencies. Since my unit test was inside a module
> that wasn’t concerned with jfreechart, its classpath only had the
> newer bouncycastle library. But Tomcat, since its classpath
> contained everything my entire application cared about, had both
> versions of bouncycastle. And apparently the classloader decided to
> pick up the old one at runtime.

Heisenbugs all the way down.

> The moral of the story is that Byteman will be a great tool to
> keep handy for times when a stack trace is dropped on the floor by
> code you don’t control.

Looks like a handy tool, especially being able to predictably stall
programs for multi-threaded testing. Force the JVM to behave like
those theoretical "thread A does this then thread B does this"
interleave diagrams that show the potential for deadlock/whatever? Sweet

I'm glad you got to the bottom of this.

-chris
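
A check for the situation described in this thread, added here as an example; it is not part of the original messages or of Tomcat, Axis or BouncyCastle. It lists every classpath location that supplies a given class and reports which copy the classloader actually picked. The class name DuplicateClassCheck and the default class being checked are assumptions made for the example.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical helper class, written for this example.
public class DuplicateClassCheck {

    /** Every location visible to the loader that offers a copy of the named class. */
    static List<URL> copiesOf(String className, ClassLoader loader) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        return new ArrayList<>(Collections.list(loader.getResources(resource)));
    }

    /** Location the class was really loaded from; null if unknown or not loadable. */
    static URL loadedFrom(String className, ClassLoader loader) {
        try {
            // initialize=false: locate the class without running its static initializers
            Class<?> c = Class.forName(className, false, loader);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return src == null ? null : src.getLocation();
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed default: the BouncyCastle JCE provider; pass another class name to check it.
        String name = args.length > 0 ? args[0]
                : "org.bouncycastle.jce.provider.BouncyCastleProvider";
        // Inside a webapp the context loader is the per-application loader,
        // which sees everything the application bundles.
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) loader = DuplicateClassCheck.class.getClassLoader();

        List<URL> copies = copiesOf(name, loader);
        System.out.println(name + ": " + copies.size() + " copies visible");
        for (URL u : copies) System.out.println("  " + u);
        System.out.println("loaded from: " + loadedFrom(name, loader));
        if (copies.size() > 1) {
            System.out.println("WARNING: several jars supply this class; "
                    + "the copy that wins depends on classloader search order");
        }
    }
}
```

Run from a unit-test classpath it sees only that module's jars; the same two methods called from code inside the deployed webapp show what the application's own classloader sees.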