Peter

On 22 November 2017 at 15:08, Peter Kreuser <l...@kreuser.name> wrote:
>
> Richard,
>
>> Sent: Wednesday, 22 November 2017 at 14:40
>> From: "Richard Tearle" <richard.tea...@northgateps.com>
>> To: users@tomcat.apache.org
>> Subject: Trouble with TLS/SSL and Tomcat 8.5.23
>>
>> Hello
>>
>> Apache Tomcat 8.5.23
>> Centos 7.4 (3.10.0-514.16.1.el7.x86_64)
>> Java 1.8.0_152 (with jce)
>> Running in Docker Container
>>
>> I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23,
>> but when trying to get TLS/SSL working on a connector I get the
>> following error:
>>
>> 22-Nov-2017 11:52:46.098 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio2-18443"]
>> java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
>>     at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245)
>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>>     at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
>>     at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
>>     at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368)
>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292)
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>>     ... 20 more
>>
>> I've changed the connector configuration to use
>> SSLHostConfig/Certificate, but our certificate generation process
>> (self signed certificates) has remained the same. I did a quick
>> internet search, and saw that other people had similar, but not exact
>> issues, and going back to 8.5.4 "solved" the issue. So I did this as a
>> quick test, so at least I could see that our configuration changes
>> were correct, and yes the application ran ok with Tomcat 8.5.4. The
>> connector configuration is:
>>
>> <Connector port="${servers.port}"
>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>            maxThreads="150" SSLEnabled="true" scheme="https"
>>            secure="true" server="Apache" maxPostSize="100000">
>>   <SSLHostConfig certificateVerification="none"
>>                  sslProtocol="TLSv1.2" protocols="TLSv1.2"
>>                  truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12"
>>                  truststoreType="PKCS12"
>>                  truststorePassword="${truststore.pass}" honorCipherOrder="true"
>
> The error message says that either the file simply is not there or the cert
> that you expect is not in the keystore, maybe even empty...
>
> Peter
>
>>                  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>>                           TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
>>                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>>                           TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
>>                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>>                           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>>                           TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>>                           TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
>>                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>>                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>>                           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
>>                           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
>>     <Certificate certificateKeystoreFile="/usr/local/tomcat/ssl/server-keystore.p12"
>>                  certificateKeyAlias="tomcat-ssl"
>>                  certificateKeystoreType="PKCS12"
>>                  certificateKeystorePassword="${keystore.pass}">
>>     </Certificate>
>>   </SSLHostConfig>
>> </Connector>
>>
>> Setting javax.net.debug=all in CATALINA_OPTS and viewing the resultant
>> logging seems to indicate that the certificate is being loaded, but
>> not the trust store, with the only truststore loaded coming from:
>> /opt/jre1.8.0_152/lib/security/cacerts
>>
>> Best Regards
>>
>> Richard
>>
>> --
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
Exact same settings, with Apache Tomcat 8.5.4 works, and I've verified that the truststore is present with the password specified.

Regards
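The stack trace above ends in PKIXParameters.setTrustAnchors, reached from JSSEUtil.getTrustManagers during endpoint init, so the question is not whether the truststore file opens with the given password but whether Java finds at least one trusted-certificate entry inside it once opened; a PKCS12 bundle can load cleanly and still contribute zero anchors (for example when it holds only key entries or certificates Java does not classify as trusted). The program below is an added diagnostic, not code from the thread, Tomcat or its contributors: it loads a store, lists each alias by entry type, and then builds PKIXBuilderParameters over it the way Tomcat's JSSEUtil.getParameters does, which reproduces the exact exception when no anchors exist. The class name TruststoreCheck and the argument layout are my own; with no arguments it inspects a constructed, empty in-memory PKCS12 store so the failure mode can be seen without any file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added diagnostic (not part of the mailing-list thread or of Tomcat).
 *
 * Usage: java TruststoreCheck <file> <password> [PKCS12|JKS]
 * With no arguments it examines a constructed, empty in-memory PKCS12 store,
 * which reproduces "the trustAnchors parameter must be non-empty".
 */
public class TruststoreCheck {

    /** Load a keystore from disk, or build an empty in-memory one when path is null. */
    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (path == null) {
            ks.load(null, null);               // constructed: empty store, no entries at all
            return ks;
        }
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);             // a wrong password or missing file fails HERE,
        }                                      // not with the trustAnchors message
        return ks;
    }

    /** Print every alias with its entry type; return how many are trusted-certificate entries. */
    static int listEntries(KeyStore ks) throws Exception {
        int trusted = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                // Only entries of this kind become PKIX trust anchors.
                trusted++;
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName()
                        : c.getType();
                System.out.println("trustedCertEntry  " + alias + "  " + subject);
            } else if (ks.isKeyEntry(alias)) {
                // A private key with its chain: right for certificateKeystoreFile,
                // but it contributes no anchors to a truststore.
                System.out.println("PrivateKeyEntry   " + alias);
            } else {
                System.out.println("other             " + alias);
            }
        }
        return trusted;
    }

    /**
     * Mirror what Tomcat does when building its TrustManager: construct
     * PKIXBuilderParameters from the keystore. Returns false when the JDK
     * derives no trust anchors from it, i.e. the failure seen in the trace.
     */
    static boolean pkixParametersBuild(KeyStore ks) throws Exception {
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            return true;
        } catch (InvalidAlgorithmParameterException ex) {
            System.out.println("PKIX parameters failed: " + ex.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : null;
        char[] password = args.length > 1 ? args[1].toCharArray() : new char[0];
        String type = args.length > 2 ? args[2] : "PKCS12";

        KeyStore ks = load(path, password, type);
        System.out.println("Store type " + ks.getType() + ", " + ks.size() + " entries");
        int trusted = listEntries(ks);
        System.out.println("trusted certificate entries: " + trusted);

        boolean ok = pkixParametersBuild(ks);
        System.out.println(ok ? "A JSSE TrustManager would find trust anchors here."
                              : "Tomcat startup would fail as in the stack trace.");
    }
}
```

Run it against the file named in truststoreFile with the same password Tomcat is given; if every alias prints as PrivateKeyEntry or the store is empty, the file is present and the password is right but it is not a truststore from Java's point of view, which matches what Peter describes. The same entry-type information is visible with `keytool -list -v -keystore <file> -storetype PKCS12`, where anchors appear as "trustedCertEntry". Note also that the trace shows getTrustManagers being called during init even though the connector sets certificateVerification="none", so the truststore's contents matter at startup regardless of whether client certificates are ever checked.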