Hi,
I have a weird problem or bug with the HTTPS Connector. In our product, which 
ships with Tomcat, we want to achieve the following:
There is one keystore where the customer puts their server certificate for HTTPS 
as well as (if intended) zero or one certificate for client authentication. The 
certificate for client authentication can be self-signed, and the customer can 
set up their own certificate authority for this.
For this I put the following code for configuring the connector in the 
server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           bindOnInit="false"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/diagdata/keystore.jks" keystorePass="custo1234" keyAlias="main"
           truststoreFile="/diagdata/keystore.jks" truststorePassword="custo1234" />

(The real clientAuth is done in the deployed application because it is more 
complicated; I just need the feature to be enabled.)
This gives me the following error:
org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:564)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227)
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
    ... 12 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
    at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494)
    at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
    ... 18 more

The error goes away when I remove truststoreFile and truststorePassword.
Now comes the interesting part: the same configuration works under Windows 
(with other paths, of course), using the Windows store as truststore for HTTPS 
connections to other servers. The same configuration worked with Tomcat 8.5.4, 
and the error just popped up from version 8.5.5. The error also seems not to be 
based on the Java version; I tried it with Java 8 and Java 14. Under Windows we 
use Java 9...

Is this a Linux-specific bug? What is a trust anchor anyway?

Thanks in advance,
David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
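To make "what is a trust anchor" concrete, here is a small keystore diagnostic. It is an added example, not part of David's mail and not Tomcat code; it assumes a JDK 11 or later so that it can be launched directly from the source file, and it uses the poster's path and password only as placeholder arguments. The innermost frame of the trace is the PKIXParameters(KeyStore) constructor (reached through PKIXBuilderParameters), whose documented contract is that the trust anchor set is populated from the keystore's trusted certificate entries only, with key entries (a private key plus its certificate chain) ignored, and that it throws InvalidAlgorithmParameterException when the keystore holds no such entry. The tool therefore lists each alias by entry type, then runs that same constructor against the keystore and, for comparison, the JDK's default TrustManagerFactory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the mailing-list post or from Tomcat).
 * Usage, assuming JDK 11+ single-file launch:
 *   java TrustAnchorCheck.java /diagdata/keystore.jks custo1234 [JKS|PKCS12]
 * The path and password are placeholders taken from the post.
 */
public class TrustAnchorCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustAnchorCheck.java <keystore> <password> [JKS|PKCS12]");
            System.exit(2);
        }
        String file = args[0];
        char[] password = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }

        int keyEntries = 0;
        int trustedCertEntries = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                // Key entry: private key plus chain, e.g. the server certificate under keyAlias="main".
                // Not a trust anchor as far as PKIXParameters(KeyStore) is concerned.
                keyEntries++;
                Certificate[] chain = ks.getCertificateChain(alias);
                Certificate leaf = (chain == null || chain.length == 0) ? null : chain[0];
                System.out.println("key entry      " + alias + "  " + subject(leaf));
            } else if (ks.isCertificateEntry(alias)) {
                // Trusted certificate entry (keytool calls it trustedCertEntry): this is a trust anchor.
                trustedCertEntries++;
                System.out.println("trusted cert   " + alias + "  " + subject(ks.getCertificate(alias)));
            }
        }
        System.out.println(keyEntries + " key entries, " + trustedCertEntries + " trusted certificate entries");

        // Same constructor the Tomcat trace ends in: accepts the keystore only if it
        // contains at least one trusted certificate entry.
        try {
            PKIXParameters params = new PKIXParameters(ks);
            System.out.println("PKIXParameters built " + params.getTrustAnchors().size() + " trust anchor(s):");
            for (TrustAnchor anchor : params.getTrustAnchors()) {
                System.out.println("  " + subject(anchor.getTrustedCert()));
            }
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIXParameters rejected the keystore: " + e.getMessage());
        }

        // For comparison: what the JDK's default TrustManagerFactory derives from the same
        // keystore. It does not throw on a keystore without trusted certificate entries,
        // so the count here may differ from the PKIXParameters result above.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                System.out.println("TrustManagerFactory accepted issuers: " + issuers.length);
            }
        }
    }

    private static String subject(Certificate cert) {
        if (cert instanceof X509Certificate) {
            return ((X509Certificate) cert).getSubjectX500Principal().getName();
        }
        return "(no X.509 certificate)";
    }
}
```

The same split can be read off `keytool -list -v -keystore /diagdata/keystore.jks`, which prints "Entry type: PrivateKeyEntry" or "Entry type: trustedCertEntry" per alias; a CA certificate added with `keytool -importcert -alias <name> -file <ca.pem> -keystore <store>` becomes a trustedCertEntry. When checking a store that is shared between keystoreFile and truststoreFile, keep in mind that every trusted certificate entry in it becomes a CA that the connector will accept client certificates from.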
