Raghunath,

On 5/26/21 19:08, Mysore, Raghunath wrote:
To track if BC is configured in your environment, you may want to
assess if BC is listed as a "security.provider" in the following
"java.security" file.

File: ..../jre/lib/security/java.security

Check for record (example below):

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Note the number 10 above may be something different in your
environment's "java.security" file (presuming BC is configured here).

Well, the error being encountered is definite within BC, so I'd venture
a guess that BC is indeed being used.

-chris
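As an added example (not part of the thread, and not Tomcat or BouncyCastle project code), the following POSIX sh script automates the three checks discussed in this thread: whether BouncyCastle is registered as a provider in java.security, whether BC jars are present on disk ("search for .jar files with names like bouncy"), and whether the HTTPS Connector in server.xml carries the "protocols" attribute rather than only "sslProtocol". The function names, the sample java.security, the sample server.xml and the jar names in demo() are all constructed for this example; grep -o and find -iname are assumed to be available (GNU and BSD tools both have them).

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat/JRE install for
# BouncyCastle registration and for the Connector "protocols" attribute.
# All paths and file contents in demo() are constructed for this example.

# Print every security.provider.N=class line from a java.security file,
# leading whitespace stripped.  $1 = path to java.security
list_providers() {
    grep -E '^[[:space:]]*security\.provider\.[0-9]+=' "$1" | sed -E 's/^[[:space:]]*//'
}

# Print the BouncyCastle provider entry and succeed; fail if BC is not listed.
bc_provider_entry() {
    list_providers "$1" | grep -i 'bouncycastle'
}

# List jars under $1 whose names match the usual BC artifact names.
# BC can also be registered at runtime via Security.addProvider(), so a jar
# on the classpath matters even when java.security does not mention it.
find_bc_jars() {
    find "$1" -type f \( -iname '*bouncy*.jar' -o -iname 'bcprov*.jar' \
        -o -iname 'bcpkix*.jar' -o -iname 'bctls*.jar' \) 2>/dev/null | sort
}

# Print the value of protocols="..." on the first Connector in $1 that has
# one; print nothing and fail if no Connector sets it (for example when only
# sslProtocol="TLS" is present).  Plain text scan, fine for a small server.xml.
connector_protocols() {
    tr '\n' ' ' < "$1" \
        | grep -o '<Connector[^>]*>' \
        | sed -n 's/.*protocols="\([^"]*\)".*/\1/p' \
        | head -n 1 \
        | grep .
}

# Build a throwaway install layout (constructed data) and run the three checks.
demo() {
    d=$(mktemp -d)
    cat > "$d/java.security" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
EOF
    mkdir -p "$d/lib"
    : > "$d/lib/bcprov-jdk15on-1.64.jar"
    : > "$d/lib/tomcat-coyote.jar"
    cat > "$d/server.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" protocols="TLSv1.2,TLSv1.3"
               keystoreFile="conf/keystore.jks" />
  </Service>
</Server>
EOF
    printf 'BC provider entry: %s\n' "$(bc_provider_entry "$d/java.security" || echo none)"
    printf 'BC jars:\n%s\n' "$(find_bc_jars "$d/lib")"
    printf 'Connector protocols: %s\n' "$(connector_protocols "$d/server.xml" || echo '(not set)')"
    rm -rf "$d"
}

demo
```

On a real JDK 8 install point the first check at $JAVA_HOME/jre/lib/security/java.security; on JDK 9 and later the file lives at $JAVA_HOME/conf/security/java.security. A "none" result from the provider check does not by itself prove BC is unused, which is why the jar search is run as well.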

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, May 26, 2021 4:35 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time



Ezsra,

On 5/26/21 18:11, Ezsra McDonald wrote:

Well, I still have issues. I think it is the same thing hit by
these guys:

https://jira.atlassian.com/browse/BAM-21157

https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat



I'll try their fix. My main concern is that I do not want to
disable TLSv1.3.



If you don't want to disable TLSv1.3, then you want:

<Connector ....
    protocols="TLSv1.2,TLSv1.3"
/>



If BC is failing you, I'd want to find out if you really need BC.



That first link above seems to suggest that when using Tomcat you
MUST disable TLSv1.3. That seems odd. What version of BC are you
using?

Search for .jar files with names like "bouncy".



Do you have the option to downgrade Java?



Have you tried disabling the RSASSA-PSS algorithm as per their
instructions? It seems ... far-fetched that would fix the problem,
but ... okay.



Note that at some time in the past, Java 1.8 did not support TLSv1.3
and lots of people who were stuck on Java 1.8 decided to switch to BC
which did have TLSv1.3 support. With that version of Java 1.8 (_281),
you should have native JDK support for TLSv1.3. Perhaps BC is not
necessary at all.



-chris



On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald
<ezsra.mcdon...@gmail.com> wrote:



Lots of good information was provided.

This afternoon I plan to test the "sslProtocol" to "protocols"
change in our lower environments. I will reply back with any
findings.

Thank you everyone for your responses.

regards,

-- Ez



On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
<rmys...@visa.com.invalid> wrote:

Hi Chris,



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, May 25, 2021 9:10 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ronald,



On 5/25/21 09:31, Roskens, Ronald wrote:



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, May 24, 2021 1:56 PM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time






Ezsra,



On 5/24/21 10:30, Ezsra McDonald wrote:

I am enabling SSL debugging this morning. I did catch this in the
log for an instance that started erroring out this morning. Seems
like it may be too generic to help solve my problem. Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
 java.lang.NullPointerException
        at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
        at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)



Oh. You are using BouncyCastle. I've never tried to do that. I'm
not sure how well BC will work with Tomcat. We don't officially
support that configuration, but that doesn't mean we won't try to help.

This isn't a Tomcat issue but an interoperability issue between
BouncyCastle & OpenJDK.



* https://github.com/bcgit/bc-java/issues/633
* https://bugs.openjdk.java.net/browse/JDK-8216039



Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
something downstream will still fail...



Just to add my 2 cents here:

Per the problem posed in the very first email, we see the SSL/TLS
issue between Oracle JDK 8 and Tomcat 8.5.

Environment:
OS: CentOS 7
Apache: apache-tomcat-8.5.65
Java: jdk1.8.0_281



Note that the following link talks about issues between OpenJDK 11
and BC.

https://bugs.openjdk.java.net/browse/JDK-8216039




This morning's suggestion (about changing from "sslProtocol" to
"protocols") from Christopher Schultz sounds promising, in that
the interaction between the browser clients and the Tomcat 8.5.x
server will be limited only to TLS 1.2. Making this change will
preclude other old protocols, like TLS 1.0, TLS 1.1 etc., in
communication between the clients and the Tomcat server.

We will need tests after making the change to the "protocols"
attribute in the HTTPS connector block.

In the context of the above mentioned change, we may not need any
editing of "java.security" file contents (discussed last evening).

Thanks,

-Raghu





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org









