Hi,
I have some weird problem or bug with the HTTPS Connector. In our product, that
ships with tomcat we want to achieve the following:
There is one keystore where the customer puts its server certificate for HTTPs
as well as (if intended) zero or one certificate for client authentication. The
certificate for client authentication can be self-signed and the customer can
setup its own certificate authority for this.
For this I put the following code for configuring the connector in the
server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
bindOnInit="false"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/diagdata/keystore.jks" keystorePass="custo1234" keyAlias="main"
truststoreFile="/diagdata/keystore.jks" truststorePassword="custo1234" />
(The real clientAuth is done in the deployed application because it is more
complicated, I just need the feature to be enabled).
This gives me the following error:
org.apache.catalina.LifecycleException: Protocol handler start failed
<2> at
org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
<2> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
<2> at
org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
<2> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
<2> at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
<2> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
<2> at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
<2> at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
<2> at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
<2> at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
<2> at java.base/java.lang.reflect.Method.invoke(Method.java:564)
<2> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
<2> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
<2>Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter
must be non-empty
<2> at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
<2> at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
<2> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
<2> at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
<2> at
org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227)
<2> at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592)
<2> at
org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
<2> ... 12 more
<2>Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
<2> at
java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
<2> at
java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
<2> at
java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
<2> at
org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494)
<2> at
org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425)
<2> at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
<2> at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
<2> ... 18 more
The error goes away when I remove truststoreFile and truststorePassword.
Now comes the interesting part: The same configuration works under Windows
(with other paths of course) using the Windows-Store as truststore for HTTPS
connections to other servers. The same configuration worked with Tomcat 8.5.4
and the error just popped up from version 8.5.5. The error also seems not to be
based on the java version, I tried it with Java 8 and Java 14. Under Windows we
use Java 9...
Is this a Linux specific bug? What is a trust anchor anyway?
Thanks in advance,
David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
