tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: 8.5.4 to 8.5.5 SSL Issue
Date Fri, 21 Oct 2016 21:05:01 GMT

William,

On 10/21/16 4:37 PM, William Boyd wrote:
> Hello,
> 
> I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was
> working great until I enabled SSL with a self-signed certificate. I
> am able to recreate the issue on 8.5.5. I finally had to
> downgrade to 8.5.4 to get SSL working with identical configuration and
> cert.
> 
> I want to be sure that this is not a known issue and that I'm not
> doing something wrong before I create a bug report.
> 
> Server version: Apache Tomcat/8.5.5 64-bit
> OS Name:        Windows 7
> JVM Version:    1.8.0_102-b14
> 
> The cert was generated with this command: keytool -genkeypair
> -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk"
> -storepass changeit -validity 360 -keysize 2048 -dname
> CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> 
> Configuration includes adding 
> -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS

I think this might be the problem. Tomcat doesn't use
javax.net.ssl.trustStore except as a backup in case you haven't
specified a trust store in your <Connector>. You have pointed that
system property at a keystore, not a trust store. Technically, they
are the same format, but they are used for different things.

If you need that for making your own outgoing TLS connections then
leave it in there and we'll try to get it to work, otherwise it's just
confusing and might cause Tomcat to do weird things.

> and using this connector config
> 
> <Connector port="8002" protocol="HTTP/1.1" 
> connectionTimeout="60000" maxThreads="200" minSpareThreads="4" 
> enableLookups="false" compression="on" server="Apache" 
> scheme="https" secure="true" SSLEnabled="true" 
> keystoreFile="c:/keys/keystore.jsk" keystorePass="changeit" 
> keyAlias="tomcat" clientAuth="false" sslProtocol="TLS"/>

Looks good so far.

> Here is the exception I get at startup
> 
> 13-Oct-2016 15:05:17.309 SEVERE [main]
> org.apache.coyote.AbstractProtocol.init Failed to initialize end
> point associated with ProtocolHandler ["https-openssl-nio-8001"]
> java.lang.IllegalArgumentException:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.security.InvalidAlgorithmParameterException: the
> trustAnchors parameter must be non-empty
> at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> ... 20 more

Tomcat is choking when trying to load the trust managers, which is
synonymous with loading the data from the "trust store". You don't
need a "trust store", otherwise you'd have specified it in the
<Connector>.

Try just removing that system property and see what happens.

-chris
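An added diagnostic for the failure Chris describes, not code from the thread or from Tomcat: it loads the file that `-Djavax.net.ssl.trustStore` points at, counts key entries against trusted-certificate entries, and then calls the same `PKIXBuilderParameters(KeyStore, CertSelector)` constructor that `JSSEUtil.getParameters` reaches in the quoted stack trace. The default path and password are the ones from William's `keytool` command; the class name is an assumption.

```java
import java.io.FileInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Enumeration;

/*
 * Added diagnostic (not Tomcat code). Only trusted-certificate entries become
 * PKIX trust anchors; a file holding nothing but the PrivateKeyEntry that
 * "keytool -genkeypair" created yields zero anchors, which is exactly the
 * "trustAnchors parameter must be non-empty" failure seen at startup.
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        // Defaults are the path and password from the keytool command in the thread.
        String path = args.length > 0 ? args[0] : "C:/keys/keystore.jsk";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // keytool in JDK 8 writes JKS by default; a PKCS12 file would need "PKCS12" here.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        int keyEntries = 0, trustedEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                System.out.println("PrivateKeyEntry  : " + alias + " (server identity, not a trust anchor)");
            } else if (ks.isCertificateEntry(alias)) {
                trustedEntries++;
                System.out.println("trustedCertEntry : " + alias + " (trust anchor)");
            }
        }
        System.out.println(keyEntries + " key entries, " + trustedEntries + " trusted entries");

        // PKIXBuilderParameters(KeyStore, CertSelector) builds its anchor set from
        // the trusted-certificate entries only and throws when that set is empty.
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println(path + " is usable as a trust store");
        } catch (InvalidAlgorithmParameterException ex) {
            System.out.println(path + " is NOT usable as a trust store: " + ex.getMessage());
        }
    }
}
```

Run it against the file named in the system property; a result of one PrivateKeyEntry and zero trusted entries confirms the file is a key store, not a trust store, which is what the startup exception is reporting.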
