On 30/10/2019 07:47, Mathias S wrote:
> Hi all,
> 
> I installed Tomcat 9.0.27 on my Windows 7 machine and am using the following 
> Java runtime to get support for TLSv1.3:
> 
> Server built:          Oct 7 2019 09:57:22 UTC
> Server version number: 9.0.27.0
> Architecture:          amd64
> JVM Version:           13.0.1+9
> JVM Vendor:            Oracle Corporation
> 
> 
> My TLS connector is configured with client auth.
>       <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                  maxThreads="150" SSLEnabled="true"
>                  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>                  keystoreFile="conf/keys/server.jks" keystoreType="JKS"
>                  keystorePass="" keyAlias="server"
>                  clientAuth="true" truststoreFile="conf/keys/clients.jks"
>                  truststorePass="" sslProtocol="TLS">
>       </Connector>
> 
> If I connect with a browser I can choose my client key but get an error 
> afterwards.
> 
> The following error happens in SecureNioChannel:
> 28-Oct-2019 10:04:27.939 FINE [https-jsse-nio-8443-exec-4] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun Error during SSL handshake
>       java.io.IOException: NOT_HANDSHAKING during handshake
>               at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
>               at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
>               at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>               at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>               at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>               at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>               at java.base/java.lang.Thread.run(Thread.java:830)
> 
> With Java runtime 8 everything works fine but I do not have TLSv1.3 there, so 
> only a TLSv1.2 handshake is done.
> 
> Is there anything wrong with my configuration for TLSv1.3 or is it a bug?

That looks like a bug. Please open a Bugzilla issue.

JSSE doesn't implement post-handshake authentication for TLSv1.3 but as
the Connector is configured with clientAuth="true" authentication should
be happening during the initial handshake and, therefore, should work.

Mark

