tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: TLS 1.2 Handshake on Tomcat 7.0.39 Getting Internal Error: Key format must be RAW
Date Tue, 20 Sep 2016 07:12:52 GMT
On 20.09.2016 09:06, André Warnier (tomcat) wrote:
> On 19.09.2016 18:45, Dono Harjanto wrote:
>> Hi All,
>>
>>
>> We have a web app deployed on 3 different servers, all running Tomcat 7.0.39 and Java 8
>> (update 101/102). Here is the operating system on each server:
>>
>> - Production: CentOS 6.4
>>
>> - Staging 1: CentOS 6.5
>>
>> - Staging 2: CentOS 6.7
>>
>>
>
> Java versions ?

Sorry for the noise, did not read the above carefully enough.
Are you sure they are really using the same Java version, though? (/etc/alternatives and
all that)

>
>
>> When we accessed the web app on Production server, we were able to connect and connected
>> over TLS 1.2 (as expected). However, when we accessed the web app on both Staging
>> servers we were able to connect, but it was connected over TLS 1.1 not TLS 1.2 as TLS
>> 1.2 handshake failed and server sent an Alert (Level: Fatal, Description: Internal
>> Error) response.
>>
>>
>> We enabled SSL debugging on Tomcat and we saw Tomcat threw
>> InvalidAlgorithmParameterException exception in catalina.out as shown below:
>>
>>
>> http-bio-8443-exec-1, READ: TLSv1.2 Handshake, length = 70
>> *** ECDHClientKeyExchange
>> ECDH Public value:  { 4, 245, 39, 156, 56, 88, 62, 108, 141, 237, 93, 240, 210, 228, 91,
>> 60, 14, 109, 138, 121, 126, 100, 36, 194, 93, 101, 131, 119, 120, 57, 120, 222, 73, 123,
>> 122, 218, 253, 91, 170, 240, 251, 73, 214, 29, 192, 234, 109, 189, 40, 249, 161, 176,
>> 172, 179, 36, 162, 229, 69, 160, 221, 242, 53, 100, 34, 215 }
>> SESSION KEYGEN:
>>
>> PreMaster Secret:
>> (key bytes not available)
>> RSA master secret generation error:
>> java.security.InvalidAlgorithmParameterException: Key format must be RAW
>>          at com.sun.crypto.provider.TlsMasterSecretGenerator.engineInit(TlsMasterSecretGenerator.java:67)
>>          at javax.crypto.KeyGenerator.init(KeyGenerator.java:454)
>>          at javax.crypto.KeyGenerator.init(KeyGenerator.java:430)
>>          at sun.security.ssl.Handshaker.calculateMasterSecret(Unknown Source)
>>          at sun.security.ssl.Handshaker.calculateKeys(Unknown Source)
>>          at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
>>          at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>>          at sun.security.ssl.Handshaker.process_record(Unknown Source)
>>          at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
>>          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>>          at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>>          at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
>>          at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:215)
>>          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:298)
>>          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>>          at java.lang.Thread.run(Unknown Source)
>> http-bio-8443-exec-1, handling exception: java.security.ProviderException:
>> java.security.InvalidAlgorithmParameterException: Key format must be RAW
>> %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
>> http-bio-8443-exec-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
>> http-bio-8443-exec-1, WRITE: TLSv1.2 Alert, length = 2
>> [Raw write]: length = 7
>> 0000: 15 03 03 00 02 02 50                               ......P
>> http-bio-8443-exec-1, called closeSocket()
>> http-bio-8443-exec-1, IOException in getSession():  javax.net.ssl.SSLException:
>> java.security.ProviderException: java.security.InvalidAlgorithmParameterException: Key
>> format must be RAW
>> http-bio-8443-exec-1, called close()
>> http-bio-8443-exec-1, called closeInternal(true)
>>
>>
>>
>> Below is the server.xml configuration we have on all servers:
>>
>>
>>      <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>>
>>          SSLEnabled="true"
>>          scheme="https"
>>          secure="true"
>>          clientAuth="false"
>>          sslProtocol="TLS"
>>
>>          maxHttpHeaderSize="8192"
>>          maxThreads="150"
>>          minSpareThreads="25"
>>          enableLookups="false"
>>          disableUploadTimeout="true"
>>          acceptCount="100"
>>          useBodyEncodingForURI="true"
>>
>>          keystoreType="pkcs12"
>>          keystoreFile="/path/to/keystore/.filename.p12"
>>          keystorePass="<snip>" />
>>
>>
>>
>> Any idea why Tomcat is not able to do the TLS 1.2 handshake and is throwing the "Key format must be
>> RAW" exception? Did we miss anything here?
>>
>>
>>
>> Thanks for your help,
>>
>> Don
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
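The reply above asks whether the three servers really run the same Java, since `/etc/alternatives` symlink chains can make `java -version` on the shell differ from the JVM Tomcat actually started. The POSIX shell script below is an added diagnostic written for this thread, not code from either poster: it follows a symlink chain by hand (portable, unlike GNU `readlink -f`), derives the JDK home from the resolved binary, and on Linux reads `/proc/<pid>/exe` of the running Tomcat to show which `java` it really executes. The `pgrep` pattern for the Tomcat bootstrap class and the `/proc` lookup are assumptions about a typical Linux install.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): find the java binary a Tomcat JVM
# actually runs, following /etc/alternatives-style symlink chains.

# resolve_link PATH: follow symlinks one hop at a time until a real file.
# Relative link targets are resolved against the link's own directory.
resolve_link() {
  p="$1"
  n=0
  while [ -L "$p" ]; do
    t=$(readlink "$p") || return 1
    case "$t" in
      /*) p="$t" ;;
      *)  p="$(dirname "$p")/$t" ;;
    esac
    n=$((n + 1))
    [ "$n" -lt 40 ] || return 1   # guard against symlink loops
  done
  printf '%s\n' "$p"
}

# java_home_of JAVA_BIN: JDK root of a (possibly symlinked) .../bin/java
java_home_of() {
  real=$(resolve_link "$1") || return 1
  dirname "$(dirname "$real")"
}

# tomcat_java PID: binary the running JVM was exec'd from (Linux /proc only)
tomcat_java() {
  readlink "/proc/$1/exe"
}

# report: what each layer points at, and what the live Tomcat JVM reports.
# Run this on every server and compare the output line by line.
report() {
  for j in /usr/bin/java /etc/alternatives/java; do
    [ -e "$j" ] && printf '%-24s -> %s\n' "$j" "$(resolve_link "$j")"
  done
  # assumption: Tomcat was started via the standard Bootstrap class
  pid=$(pgrep -f 'org.apache.catalina.startup.Bootstrap' | head -n 1)
  if [ -n "$pid" ]; then
    exe=$(tomcat_java "$pid")
    printf 'tomcat pid %s runs %s (JAVA_HOME %s)\n' "$pid" "$exe" "$(java_home_of "$exe")"
    "$exe" -version 2>&1 | head -n 1
  else
    echo 'no running Tomcat Bootstrap process found'
  fi
}
```

Run `report` as the same user Tomcat runs as; if the `tomcat pid ... runs` line names a different JDK than `/etc/alternatives/java` resolves to, the shell's `java -version` is not describing the JVM that produced the "Key format must be RAW" trace.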
