Subject: Re: Trouble with TLS/SSL and Tomcat 8.5.23
To: users@tomcat.apache.org
From: Christopher Schultz
Date: Thu, 23 Nov 2017 00:33:36 -0500

Richard,

On 11/22/17 8:40 AM, Richard Tearle wrote:
> Hello
>
> Apache Tomcat 8.5.23
> Centos 7.4 (3.10.0-514.16.1.el7.x86_64)
> Java 1.8.0_152 (with jce)
> Running in Docker Container
>
> I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23, but
> when trying to get TLS/SSL working on a connector I get the following
> error:
>
> 22-Nov-2017 11:52:46.098 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio2-18443"]
>  java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
>         at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>         at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
>         at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
>         at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368)
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>         ... 20 more
>
> I've changed the connector configuration to use SSLHostConfig/Certificate,
> but our certificate generation process (self signed certificates) has
> remained the same. I did a quick internet search, and saw that other
> people had similar, but not exact issues, and going back to 8.5.4
> "solved" the issue. So I did this as a quick test, so at least I could
> see that our configuration changes were correct, and yes the application
> ran ok with Tomcat 8.5.4.
>
> The connector configuration is:
>
> <Connector <!-- the first line of this element was not preserved in the archived message -->
>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>            server="Apache" maxPostSize="100000">
>   <SSLHostConfig <!-- the first line of this element was not preserved in the archived message -->
>                  certificateVerification="none" sslProtocol="TLSv1.2"
>                  protocols="TLSv1.2"
>                  truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12"
>                  truststoreType="PKCS12" truststorePassword="${truststore.pass}"
>                  honorCipherOrder="true"
>                  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>                           TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
>                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>                           TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
>                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>                           TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>                           TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
>                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>                           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
>                           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
>     <Certificate <!-- the first line of this element was not preserved in the archived message -->
>                  certificateKeyAlias="tomcat-ssl" certificateKeystoreType="PKCS12"
>                  certificateKeystorePassword="${keystore.pass}"/>
>   </SSLHostConfig>
> </Connector>
>
> Setting javax.net.debug=all in CATALINA_OPTS and viewing the resultant
> logging, seems to indicate that the certificate is being loaded, but not
> the trust store, with the only truststore loaded coming from:
> /opt/jre1.8.0_152/lib/security/cacerts
>
> Best Regards

Anything in this thread applicable?
https://lists.apache.org/thread.html/79e5c6010e261ad4f843584287b7c3c0c47d1c1365cca63c6a1c60ca@%3Cusers.tomcat.apache.org%3E

Looks like we never really came up with any solutions.

-chris
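A check for the empty-trust-anchor condition in the trace above, added here as example code (it is not from the thread or from Tomcat): it loads the truststore with the JDK KeyStore API, reports which entries would become trust anchors, and then calls the same PKIXBuilderParameters constructor the trace shows JSSEUtil.getParameters() using. The class name and the password argument are assumptions; the file path and store type are the ones from Richard's connector.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Shows what JSSE would accept as trust anchors from a truststore file.
 * Usage (hypothetical class, password passed as an argument for the example):
 *   java TruststoreCheck /usr/local/tomcat/ssl/ca-truststore.p12 PKCS12 'password'
 */
public class TruststoreCheck {

    /** Counts the entries that PKIXBuilderParameters(KeyStore, ...) turns into TrustAnchors. */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted entry: " + alias + " -> " + c.getSubjectX500Principal());
                anchors++;
            } else {
                // A private-key entry carries a chain but is never a trust anchor. Note also that
                // the JDK's PKCS12 reader only exposes certificate-only bags as trusted entries
                // when they carry Oracle's "trusted key usage" attribute (keytool sets it), so a
                // CA bundle built by other tools can load with no visible aliases at all.
                System.out.println("key entry:     " + alias + " (ignored for trust anchors)");
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args[1]);            // e.g. PKCS12
        try (InputStream in = new FileInputStream(args[0])) {   // e.g. ca-truststore.p12
            ks.load(in, args[2].toCharArray());
        }
        int anchors = countTrustAnchors(ks);
        System.out.println(anchors + " trust anchor(s) visible in " + args[0]);
        // Same constructor as in the trace; with zero anchors it throws the exact message seen.
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("PKIXBuilderParameters built OK; this truststore would not fail startup");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("Tomcat would fail at startup: " + e.getMessage());
        }
    }
}
```

Running it against the truststore with the password the connector resolves from ${truststore.pass} tells you whether the file itself, rather than the connector configuration, is what yields no trust anchors.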