Hi, I have some weird problem or bug with the HTTPS Connector. In our product, which ships with Tomcat, we want to achieve the following: there is one keystore where the customer puts its server certificate for HTTPS as well as (if intended) zero or one certificate for client authentication. The certificate for client authentication can be self-signed, and the customer can set up its own certificate authority for this. For this I put the following code for configuring the connector in the server.xml:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               bindOnInit="false" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/diagdata/keystore.jks" keystorePass="custo1234" keyAlias="main"
               truststoreFile="/diagdata/keystore.jks" truststorePassword="custo1234" />

(The real clientAuth is done in the deployed application because it is more complicated; I just need the feature to be enabled.)

This gives me the following error:

    org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
    Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227)
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
        ... 12 more
    Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
        at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494)
        at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
        ... 18 more

The error goes away when I remove truststoreFile and truststorePassword.

Now comes the interesting part: the same configuration works under Windows (with other paths, of course), using the Windows store as truststore for HTTPS connections to other servers. The same configuration worked with Tomcat 8.5.4, and the error only popped up from version 8.5.5. The error also does not seem to depend on the Java version; I tried it with Java 8 and Java 14. Under Windows we use Java 9...

Is this a Linux-specific bug? What is a trust anchor anyway?

Thanks in advance,
David
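As an added illustration (not code from the mail or from Tomcat): a trust anchor is a trustedCertEntry in the truststore, and java.security.cert.PKIXParameters, when built from a KeyStore, collects only those entries, so a store that holds nothing but the server's PrivateKeyEntry under alias "main" has zero anchors and raises exactly the exception in the trace. The Python below lists a JKS file's entry types, which JKS stores unencrypted, so no password is needed, and counts the anchors; the two keystores are constructed inside the script with placeholder DER bytes, not real certificates, and the trailing JKS integrity digest is omitted because the parser does not verify it.

```python
import struct

JKS_MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2

def _utf(s):  # Java writeUTF: 2-byte big-endian length, then the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_jks(entries):
    """Constructed JKS v2 body; entries are (tag, alias, key_bytes, [cert_der, ...])."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for tag, alias, key, certs in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # tag, alias, date
        if tag == PRIVATE_KEY:  # encrypted key blob, then the chain length
            body += struct.pack(">I", len(key)) + key + struct.pack(">I", len(certs))
        for der in certs:  # a key entry's chain, or the single cert of a trusted entry
            body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body  # a real file ends with a SHA-1 integrity digest, not checked here

def jks_entries(data):
    """List (alias, entry type) from raw JKS bytes; JKS leaves entry headers unencrypted."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS store (a PKCS12 store cannot be listed without the password)")
    pos, out = 12, []
    def take(fmt):  # read a big-endian length field, then return and skip that many bytes
        nonlocal pos
        n, = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt) + n
        return data[pos - n:pos]
    for _ in range(count):
        tag, = struct.unpack_from(">I", data, pos); pos += 4
        alias = take(">H").decode(); pos += 8      # alias, then creation timestamp (ms)
        ncerts = 1                                  # a trusted entry holds exactly one cert
        if tag == PRIVATE_KEY:
            take(">I")                              # password-encrypted PKCS#8 key, untouched
            ncerts, = struct.unpack_from(">I", data, pos); pos += 4
        elif tag != TRUSTED_CERT:
            raise ValueError(f"unknown JKS entry tag {tag}")
        for _ in range(ncerts):
            if version == 2:
                take(">H")                          # certificate type string, normally "X.509"
            take(">I")                              # DER-encoded certificate
        out.append((alias, "PrivateKeyEntry" if tag == PRIVATE_KEY else "trustedCertEntry"))
    return out

def trust_anchor_count(data):  # only trustedCertEntry items become PKIX trust anchors
    return sum(kind == "trustedCertEntry" for _, kind in jks_entries(data))

# Constructed sample stores with placeholder DER bytes (not real certificates):
FAKE_DER = b"\x30\x03\x02\x01\x01"
SERVER_ONLY = build_jks([(PRIVATE_KEY, "main", b"\x00" * 16, [FAKE_DER])])
WITH_CA = build_jks([(PRIVATE_KEY, "main", b"\x00" * 16, [FAKE_DER]),
                     (TRUSTED_CERT, "customer-ca", b"", [FAKE_DER])])
```

Run `trust_anchor_count(open("/diagdata/keystore.jks", "rb").read())` against the real file: a result of 0 is the case that fails at startup, and importing the customer CA with `keytool -importcert` adds the missing anchor.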