This is nice to know. Thank you for the details. You may want to check the contents of the "java.security" file, to assess if they have configured BC like this:

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Number 10 can be some other number in your environment. If you see BC configured in here, you can comment out (or remove) that line. Recycle the JVM and test again.

Thanks,
-Raghu

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, June 15, 2021 4:10 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ezsra,

On 6/15/21 17:43, Ezsra McDonald wrote:
> Sorry for the delay.
>
> I was finally able to track down the location of the BouncyCastle library.
> It is located in the individual application libraries and cannot be
> disabled. There are newer versions of BC available and I have asked
> the software developers to consider upgrading the applications.
>
> Disabling RSASSA-PSS alone did not work. I had to also disable
> TLSv1.3. I tried only disabling TLSv1.3 but the instance continued to
> show the same issues. So, I had to disable both.
>
> The error occurred across all browsers. There was some earlier
> confusion when I had the HTTPS connector configured incorrectly. Now
> the connector works for all browsers initially until one of the apps
> loads the BouncyCastle library. At that point the SSL handshake begins
> to fail for any browser. Disabling the RSASSA-PSS and TLSv1.3
> protocols and ciphers is a temporary workaround. It is my hope that
> upgrading the BC jar will resolve the conflicts.
>
> I am open to any other suggestions but for now my instances have
> stabilized and I am in a holding pattern waiting for the software
> developers to upgrade BC in the individual applications.
>
> Thanks to everyone who assisted me with this issue. I will keep you
> posted on the results of the BC upgrade.

Sounds good. I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the administrator in some way.

-chris

> On Thu, May 27, 2021 at 11:23 AM Mysore, Raghunath
> <rmys...@visa.com.invalid> wrote:
>
>> Hi Ezsra,
>> I concur with the suggestions from Chris Schultz.
>> Would you clarify the following items?
>> The current focus is to understand the prevailing environment
>> configuration, in the context of the stack trace you shared earlier.
>>
>> (1) To go back, did you check for ".jar" files with names like "bouncy"?
>> The point here is to understand where BC is configured (to assess
>> if it can be commented out).
>> (2) Apart from considering turning off BC, have you tried disabling
>> the RSASSA-PSS algorithm?
>> (3) When you test using a Safari browser, is the application on a
>> happy path (meaning SSL works all fine)?
>> And you have the issue only when testing from a Chrome browser?
>>
>> Thanks,
>> -Raghu
>>
>> -----Original Message-----
>> From: Ezsra McDonald <ezsra.mcdon...@gmail.com>
>> Sent: Thursday, May 27, 2021 8:56 AM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Thanks for the responses,
>>
>> So, I need to understand a little more about BouncyCastle. I
>> inherited the Tomcat environment so I do not know how or why BC came
>> to be installed in the containers. I will do some research on BC so I
>> understand it better. My assumption from the responses is that BC is
>> not a standard part of a Tomcat or Java install.
>>
>> If BC is part of an application running in the container and
>> comes from a war file, can it be causing this issue? Or is BC most
>> likely loaded when the container starts?
>>
>> --Ez
>>
>> On Thu, May 27, 2021 at 8:37 AM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Raghunath,
>>>
>>> On 5/26/21 19:08, Mysore, Raghunath wrote:
>>>> To track if BC is configured in your environment, you may want to
>>>> assess if BC is listed as a "security.provider" in the following
>>>> "java.security" file
>>>>
>>>> File: ..../jre/lib/security/java.security
>>>>
>>>> Check for a record like the example below:
>>>>
>>>> security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
>>>>
>>>> Note the number 10 above may be something different in your
>>>> environment's "java.security" file (presuming BC is configured
>>>> here).
>>>
>>> Well, the error being encountered is definitely within BC, so I'd
>>> venture a guess that BC is indeed being used.
>>>
>>> -chris
>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Wednesday, May 26, 2021 4:35 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>>>
>>>> Ezsra,
>>>>
>>>> On 5/26/21 18:11, Ezsra McDonald wrote:
>>>>> Well, I still have issues. I think it is the same thing hit by
>>>>> these guys:
>>>>> https://jira.atlassian.com/browse/BAM-21157
>>>>> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
>>>>>
>>>>> I'll try their fix. My main concern is that I do not want to
>>>>> disable TLSv1.3.
>>>>
>>>> If you don't want to disable TLSv1.3, then you want:
>>>>
>>>> <Connector ....
>>>>   protocols="TLSv1.2,TLSv1.3"
>>>> />
>>>>
>>>> If BC is failing you, I'd want to find out if you really need BC.
>>>>
>>>> That first link above seems to suggest that when using Tomcat you
>>>> MUST disable TLSv1.3. That seems odd. What version of BC are you
>>>> using?
>>>>
>>>> Search for .jar files with names like "bouncy".
>>>>
>>>> Do you have the option to downgrade Java?
>>>>
>>>> Have you tried disabling the RSASSA-PSS algorithm as per their
>>>> instructions? It seems ... far-fetched that would fix the problem,
>>>> but ... okay.
>>>>
>>>> Note that at some time in the past, Java 1.8 did not support
>>>> TLSv1.3 and lots of people who were stuck on Java 1.8 decided to
>>>> switch to BC, which did have TLSv1.3 support. With that version of
>>>> Java 1.8 (_281), you should have native JDK support for TLSv1.3.
>>>> Perhaps BC is not necessary at all.
>>>>
>>>> -chris
>>>>
>>>>> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald
>>>>> <ezsra.mcdon...@gmail.com> wrote:
>>>>>
>>>>>> Lots of good information was provided.
>>>>>>
>>>>>> This afternoon I plan to test the "sslProtocol" to "protocols"
>>>>>> change in our lower environments. I will reply back with any
>>>>>> findings.
>>>>>>
>>>>>> Thank you everyone for your responses.
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> -- Ez
>>>>>>
>>>>>> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
>>>>>> <rmys...@visa.com.invalid> wrote:
>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>> Sent: Tuesday, May 25, 2021 9:10 AM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>>>>>>
>>>>>>> Ronald,
>>>>>>>
>>>>>>> On 5/25/21 09:31, Roskens, Ronald wrote:
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>>>>>> Sent: Monday, May 24, 2021 1:56 PM
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
>>>>>>>>> undetermined amount of time
>>>>>>>>>
>>>>>>>>> Ezsra,
>>>>>>>>>
>>>>>>>>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>>>>>>>>> I am enabling SSL debugging this morning. I did catch this in the
>>>>>>>>>> log for an instance that started erroring out this morning. Seems
>>>>>>>>>> like it may be too generic to help solve my problem. Here it is:
>>>>>>>>>>
>>>>>>>>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
>>>>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>>>>>>>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>>>>>>>>
>>>>>>>>> Oh. You are using BouncyCastle. I've never tried to do that. I'm
>>>>>>>>> not sure how well BC will work with Tomcat. We don't officially
>>>>>>>>> support that configuration, but that doesn't mean we won't try
>>>>>>>>> to help.
>>>>>>>>
>>>>>>>> This isn't a Tomcat issue but an interoperability issue between
>>>>>>>> BouncyCastle & OpenJDK.
>>>>>>>>
>>>>>>>> * https://github.com/bcgit/bc-java/issues/633
>>>>>>>> * https://bugs.openjdk.java.net/browse/JDK-8216039
>>>>>>>
>>>>>>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
>>>>>>> something downstream will still fail...
>>>>>>>
>>>>>>> Just to add my 2 cents here:
>>>>>>>
>>>>>>> Per the problem posed in the very first email, we see the SSL/TLS
>>>>>>> issue between Oracle JDK 8 and Tomcat 8.5.
>>>>>>> Environment:
>>>>>>> OS: CentOS 7
>>>>>>> Apache: apache-tomcat-8.5.65
>>>>>>> Java: jdk1.8.0_281
>>>>>>>
>>>>>>> Note that the following link talks about issues between OpenJDK 11
>>>>>>> and BC.
>>>>>>> https://bugs.openjdk.java.net/browse/JDK-8216039
>>>>>>>
>>>>>>> This morning's suggestion (about changing from "sslProtocol" to
>>>>>>> "protocols") from Christopher Schultz sounds promising, in that
>>>>>>> the interaction between the browser clients and the Tomcat 8.5.x
>>>>>>> server will be limited to TLS 1.2 only. Making this change will
>>>>>>> preclude other old protocols - like TLS 1.0, TLS 1.1 etc. - in
>>>>>>> communication between the clients and the Tomcat server.
>>>>>>> We will need tests after making the change to the "protocols"
>>>>>>> attribute in the HTTPS connector block.
>>>>>>> In the context of the above-mentioned change, we may not need any
>>>>>>> editing of the "java.security" file contents (discussed last evening).
>>>>>>>
>>>>>>> Thanks,
>>>>>>> -Raghu
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
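The thread's diagnosis hinges on two facts that are easy to check directly in the JVM rather than by reading java.security: which provider is actually registered ahead of the JDK's SunRsaSign for RSASSA-PSS, and whether the JDK itself already offers TLSv1.3. The class below is an added diagnostic written for this page, not code from the mailing list, from Tomcat or from BouncyCastle; the class name ProviderCheck and its method names are my own. It uses only standard java.security and javax.net.ssl APIs. Because the thread established that the BC jar lives inside individual webapps (and is therefore registered at runtime, not via java.security), running it from the command line shows the static configuration only; to see the state after an app has loaded BC, call ProviderCheck.report() from inside the running webapp (for example from a small JSP) using the same JVM.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

/**
 * ProviderCheck (hypothetical name, added example): reports the JCA provider
 * order of the current JVM, flags BouncyCastle, shows which provider will
 * serve RSASSA-PSS signatures (the signature scheme TLS 1.3 requires for RSA
 * certificates), and lists the TLS versions the default JSSE context supports.
 */
public class ProviderCheck {

    /** True if any registered provider class comes from the org.bouncycastle package. */
    public static boolean bouncyCastleRegistered() {
        for (Provider p : Security.getProviders()) {
            if (p.getClass().getName().startsWith("org.bouncycastle.")) {
                return true;
            }
        }
        return false;
    }

    /** Name of the provider that Signature.getInstance("RSASSA-PSS") resolves to, or null if none. */
    public static String rsassaPssProvider() {
        try {
            return Signature.getInstance("RSASSA-PSS").getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    /** True if the default SSLContext advertises TLSv1.3 among its supported protocols. */
    public static boolean jdkSupportsTls13() throws NoSuchAlgorithmException {
        String[] protocols = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(protocols).contains("TLSv1.3");
    }

    /** Human-readable summary; safe to print from a JSP or a main(). */
    public static String report() throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        sb.append("Registered security providers (preference order):\n");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            String cls = p.getClass().getName();
            sb.append(String.format("  %2d. %-12s %s%s%n", i + 1, p.getName(), cls,
                    cls.startsWith("org.bouncycastle.") ? "   <-- BouncyCastle" : ""));
        }
        sb.append("RSASSA-PSS is served by: ").append(rsassaPssProvider()).append('\n');
        if (bouncyCastleRegistered() && "BC".equals(rsassaPssProvider())) {
            sb.append("  BC is ahead of SunRsaSign for RSASSA-PSS; JSSE will call into BC for PSS signatures.\n");
        }
        sb.append("jdk.tls.disabledAlgorithms: ")
          .append(Security.getProperty("jdk.tls.disabledAlgorithms")).append('\n');
        sb.append("Default SSLContext supports TLSv1.3: ").append(jdkSupportsTls13()).append('\n');
        sb.append("Supported protocols: ")
          .append(Arrays.toString(SSLContext.getDefault().getSupportedSSLParameters().getProtocols()))
          .append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.print(report());
    }
}
```

If rsassaPssProvider() returns "BC" while jdkSupportsTls13() is true, the JVM already has what the thread says BC was originally added for, and the webapp's BC registration is what puts the old PSSSigner on the TLS path; that is the condition under which the java.security comment-out (or the BC upgrade Ezsra is waiting on) is the real fix, and narrowing the Connector's protocols attribute is only the stopgap the thread describes.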