From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: 8.5.4 to 8.5.5 SSL Issue
Date Sun, 23 Oct 2016 22:15:45 GMT

William,

On 10/21/16 6:08 PM, William Boyd wrote:
> On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> 
> William,
> 
> On 10/21/16 4:37 PM, William Boyd wrote:
>>>> Hello,
>>>> 
>>>> I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything
>>>> was working great until I enabled SSL with a self-signed
>>>> certificate. I am able to recreate the issue on 8.5.5. I
>>>> finally had to downgrade to 8.5.4 to get SSL working with
>>>> identical configuration and cert.
>>>> 
>>>> I want to be sure that this is not a known issue and that I'm
>>>> not doing something wrong before I create a bug report.
>>>> 
>>>> Server version: Apache Tomcat/8.5.5 64-bit
>>>> OS Name:        Windows 7
>>>> JVM Version:    1.8.0_102-b14
>>>> 
>>>> The cert was generated with this command:
>>>> 
>>>> keytool -genkeypair -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
>>>> 
>>>> Configuration includes adding 
>>>> -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> 
> I think this might be the problem. Tomcat doesn't use 
> javax.net.ssl.trustStore except as a backup in case you haven't 
> specified a trust store in your <Connector>. You have pointed that 
> system property at a keystore, not a trust store. Technically,
> they are the same format, but they are used for different things.
> 
> If you need that for making your own outgoing TLS connections then 
> leave it in there and we'll try to get it to work, otherwise it's
> just confusing and might cause Tomcat to do weird things.
> 
>>>> and using this connector config
>>>> 
>>>> <Connector port="8002" protocol="HTTP/1.1"
>>>>            connectionTimeout="60000" maxThreads="200"
>>>>            minSpareThreads="4" enableLookups="false" compression="on"
>>>>            server="Apache" scheme="https" secure="true"
>>>>            SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk"
>>>>            keystorePass="changeit" keyAlias="tomcat" clientAuth="false"
>>>>            sslProtocol="TLS"/>
> 
> Looks good so far.
> 
>>>> Here is the exception I get at startup
>>>> 
>>>> 13-Oct-2016 15:05:17.309 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
>>>>  java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
>>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
>>>>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
>>>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
>>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
>>>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
>>>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
>>>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
>>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
>>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
>>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>>>> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>>>>     at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
>>>>     at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
>>>>     at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
>>>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
>>>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
>>>>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
>>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
>>>>     ... 20 more
> 
> Tomcat is choking when trying to load the trust managers, which is 
> synonymous with loading the data from the "trust store". You don't 
> need a "trust store", otherwise you'd have specified it in the 
> <Connector>.
> 
> Try just removing that system property and see what happens.
> 
> -chris
> 
> Hi Christopher,
> 
> Thanks for the quick response.
> 
> I tried your suggestion but when I connect to the site via https,
> tomcat returns a blank page with the SSLHandshakeException in it.
> I’m not entirely sure but this may be a result of our use of AXIS
> for communication between WARs in the deployed application.
> 
> Caught Exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target): ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> 
> The catalina log contains this stacktrace
> 
> 2016-10-21 14:48:43,517 [ERROR] [mblinkLoginSoapInterface.java:207] - org.apache.axis.AxisFault: ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) ~[axis-1.4.jar:na]
>     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) ~[axis-1.4.jar:na]
>     : :
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_102]
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_102]
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_102]
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_102]
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_102]
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_102]
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_102]
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_102]
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_102]
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_102]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_102]
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_102]
>     at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) ~[axis-1.4.jar:na]
>     at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) ~[axis-1.4.jar:na]
>     at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) ~[axis-1.4.jar:na]
>     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) ~[axis-1.4.jar:na]
>     ... 38 common frames omitted
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_102]
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_102]
>     at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_102]
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_102]
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_102]
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_102]
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_102]
>     ... 49 common frames omitted
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_102]
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_102]
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_102]
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_102]
>     ... 55 common frames omitted


If you need to make outgoing TLS connections to servers with
certificates not trusted by Java's stock trust store, you'll have to
supply your own. Do you have anything in the trust store other than
the server's key and certificate? Are you making loopback connections?

I'm surprised that this either worked in the past or is failing now.
I'm not sure which makes more sense. There's no particular reason why
a "keystore" couldn't be used as a "truststore"... the only difference
is that "keystores" usually contain keys and certs, while
"truststores" usually only contain certificates.

I wonder if it has something to do with the aliases used or something.

If in fact using the keystore as a trust store is tripping-up Tomcat,
I'd say that's a bug that needs to be fixed.

Try this: whatever certificate you need to TRUST needs to be in your
trust store. Try creating a new keystore that contains nothing but the
certificate you expect to trust, then configure *that* as your trust
store (system property), leaving the keystore as-is -- configured as
Tomcat's keystore.

-chris
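The procedure in the last paragraph of the reply above (export the certificate you need to trust, put it alone into a new store, point the javax.net.ssl.trustStore property at that store, leave Tomcat's keystore untouched), worked through as a shell script. This is an added example, not part of the thread or of Tomcat; it also illustrates the keystore-versus-trust-store distinction made earlier in the thread, since the finished keystore holds a PrivateKeyEntry and the trust store a trustedCertEntry only. That distinction is exactly what the first stack trace turns on: the Javadoc for java.security.cert.PKIXParameters(KeyStore), the constructor shown there, says it populates the trust anchors only from trusted-certificate entries, so a store that holds nothing but a private-key entry yields "the trustAnchors parameter must be non-empty". The script assumes a POSIX shell and a JDK keytool on PATH; the file names, alias and password follow the thread but are illustrative, and the paths are Unix-style rather than the Windows paths in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): split a Tomcat keystore into
#   - the keystore itself (private key + cert, used by the <Connector>)
#   - a separate trust store holding only the certificate to be trusted
#     (used via -Djavax.net.ssl.trustStore for outgoing connections)
# Assumes a POSIX shell and a JDK keytool on PATH. File names, alias and
# password follow the thread but are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYSTORE="$WORK/keystore.jks"      # Tomcat's keystore: PrivateKeyEntry
TRUSTSTORE="$WORK/truststore.jks"  # trust store: trustedCertEntry only
CERT="$WORK/tomcat.pem"
STOREPASS=changeit
ALIAS=tomcat

# Step 0: the self-signed server keystore, generated as in the thread.
make_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
        -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA"
}

# Step 1: export only the public certificate (PEM); the key stays put.
export_cert() {
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$CERT"
}

# Step 2: import that certificate into a fresh store. keytool creates the
# file; the entry is a trustedCertEntry, the kind that
# java.security.cert.PKIXParameters(KeyStore) accepts as a trust anchor.
make_truststore() {
    keytool -importcert -noprompt -alias "$ALIAS" -file "$CERT" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Check: how many entries of the given type ("PrivateKeyEntry" or
# "trustedCertEntry") `keytool -list` reports for a store.
count_entries() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" | grep -c "$2" || true
}

# Stand-alone usage: sh make-truststore.sh --run
if [ "${1:-}" = "--run" ]; then
    make_keystore
    export_cert
    make_truststore
    echo "keystore   PrivateKeyEntry:  $(count_entries "$KEYSTORE" PrivateKeyEntry)"
    echo "truststore trustedCertEntry: $(count_entries "$TRUSTSTORE" trustedCertEntry)"
    echo "Add to JAVA_OPTS (keep the <Connector> keystoreFile as it is):"
    echo "  -Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$STOREPASS"
fi
```

Two caveats when applying this. Setting javax.net.ssl.trustStore replaces the JDK's default cacerts for that JVM rather than adding to it, so any public CA the outgoing Axis calls also depend on has to be imported into the new store with the same `keytool -importcert` step. And a trust store containing a self-signed leaf certificate trusts that one certificate only; when the certificate is regenerated, the trust store has to be rebuilt as well.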

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

