Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
Can you confirm that the patches to apply to solve this issue are the following ones: r1138550 and r1138555?

Martin

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
On 23/06/2011 16:30, Martin Dubuc wrote:
> Can you confirm that the patches to apply to solve this issue are the following ones: r1138550 and r1138555?

r1138550 is purely cosmetic. r1138555 is the patch that should fix this.

Mark
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
I can confirm that the patch works. We were able to get Tomcat up and running with the crlFile and the SunX509 algorithm configuration and were able to test that the CRL functionality was working as expected in a patched 7.0.16 version.

Thanks,

Martin
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
Tomcat 6.0.x looks to be OK. There is a copy/paste problem in 7.0.x that I'll fix shortly.

If you are willing to build Tomcat 7.0.x from source (not hard) then it will be easy for you to test the patch.

Mark
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
Mark,

Thanks for looking into this and working to get the patch in for future versions. It will allow us to use later versions of Tomcat and not be stuck on 7.0.10.

If you would like me to test the patch, I can rebuild from patched source and test locally.

Martin
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
On 22/06/2011 20:03, Martin Dubuc wrote:
> Mark,
>
> Thanks for looking into this and working to get the patch in for future versions. It will allow us to use later versions of Tomcat and not be stuck on 7.0.10.
>
> If you would like me to test the patch, I can rebuild from patched source and test locally.

Please. It would be good to get confirmation that it is now working as intended.

Mark
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
I have done some more analysis of the problem and the exception started to be thrown in version 7.0.11. Something changed between 7.0.10 and 7.0.11 that affected handling of CRL for SunX509 algorithm.

In version 7.0.10, although the code in JSSESocketFactory.java to throw the exception is the same as the 7.0.11 version, the exception is not thrown. I imagine that in 7.0.10, the application never calls JSSESocketFactory's getParameter or that somehow the algo that is passed to this method is replaced with PKIX.

Would someone know what changed between version 7.0.10 and version 7.0.11?

Martin
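Background for the algorithm names discussed in this thread, as an added example that is not part of any message and is not Tomcat's code: in JSSE, CRLs reach a trust manager as CertPath parameters passed to TrustManagerFactory.init, and the program below shows which factory algorithm accepts them. The class name CrlTrustManagerDemo is hypothetical; it assumes the Sun/OpenJDK JSSE provider and a non-empty default JRE trust store, and uses an empty CRL list as constructed input.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical class name; added illustration, not Tomcat source.
public class CrlTrustManagerDemo {

    // Wrap trust anchors and a CRL collection in CertPath parameters
    // with revocation checking switched on.
    static ManagerFactoryParameters crlParameters(Set<TrustAnchor> anchors,
                                                  Collection<? extends CRL> crls) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(anchors, new X509CertSelector());
        pkix.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));
        pkix.setRevocationEnabled(true);
        return new CertPathTrustManagerParameters(pkix);
    }

    // Initialise a TrustManagerFactory of the named algorithm with those
    // parameters and report whether the factory accepted them.
    static String tryInit(String algorithm, ManagerFactoryParameters params) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        try {
            tmf.init(params);
            return algorithm + ": accepted, " + tmf.getTrustManagers().length + " trust manager(s)";
        } catch (InvalidAlgorithmParameterException e) {
            return algorithm + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: anchors taken from the JRE default trust store.
        TrustManagerFactory def =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        def.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (TrustManager tm : def.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        // Constructed input: an empty CRL list stands in for the parsed crlFile.
        ManagerFactoryParameters params = crlParameters(anchors, new ArrayList<CRL>());
        System.out.println(tryInit("PKIX", params));
        System.out.println(tryInit("SunX509", params));
    }
}
```

The program prints one line per algorithm, so the difference between the PKIX and SunX509 trust manager factories is visible without a Tomcat installation.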
crlFile and SunX509 algorithm in Tomcat 7.0.16
Up to Tomcat 7.0.10, I used the crlFile configuration along with the SunX509 algorithm in SSL HTTP connector configuration in server.xml. However, when I start Tomcat 7.0.16, I get the following error:

Jun 16, 2011 12:22:22 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]
java.io.IOException: CRLs not supported for type: SunX509
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:476)

I am using JDK 6 update 26.

Has CRL support been recently removed?

Martin
RE: crlFile and SunX509 algorithm in Tomcat 7.0.16
> From: Martin Dubuc [mailto:martind1...@gmail.com]
> Subject: crlFile and SunX509 algorithm in Tomcat 7.0.16

> Up to Tomcat 7.0.10, I used the crlFile configuration along with the SunX509 algorithm in SSL HTTP connector configuration

> java.io.IOException: CRLs not supported for type: SunX509

> I am using JDK 6 update 26.

Haven't looked at the JRE code yet, but I wonder if the new owners in their zeal might have changed the internal class to OracleX509? (Just speculation, and hopefully not correct.)

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
I have tried to change the algorithm to Oracle509 to no avail. This value is not recognized.

Martin
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
I would be surprised if it were JRE related since the crlFile configuration works with Tomcat 7.0.10 and the same JDK. Must be something that changed in the Tomcat code.

Martin
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
2011/6/16 Martin Dubuc martind1...@gmail.com:
> Up to Tomcat 7.0.10, I used the crlFile configuration along with the SunX509 algorithm in SSL HTTP connector configuration in server.xml. However, when I start Tomcat 7.0.16, I get the following error:
>
> Jun 16, 2011 12:22:22 PM org.apache.coyote.AbstractProtocol init
> SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]
> java.io.IOException: CRLs not supported for type: SunX509
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:476)
>
> I am using JDK 6 update 26.
>
> Has CRL support been recently removed?

No, but there were changes in implementation of JSSESocketFactory to support additional configuration options. It was reviewed when backporting the change to 6.0, but it is possible that something was missed.

JSSESocketFactory.java:476 wraps an underlying exception with an IOException. Can you see what the underlying exception is?

Maybe you can run with a debugger?
http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
http://wiki.apache.org/tomcat/HowTo#How_do_I_debug_a_Tomcat_application.3F

Best regards,
Konstantin Kolinko
Re: crlFile and SunX509 algorithm in Tomcat 7.0.16
Here is the full stack trace:

SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]
java.io.IOException: CRLs not supported for type: SunX509
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:476)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:378)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:490)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:364)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:290)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.commons.daemon.support.DaemonLoader.load(DaemonLoader.java:188)
Caused by: java.security.cert.CRLException: CRLs not supported for type: SunX509
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getParameters(JSSESocketFactory.java:665)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:620)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:522)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:450)
    ... 23 more
Jun 16, 2011 2:03:10 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:912)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:290)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.commons.daemon.support.DaemonLoader.load(DaemonLoader.java:188)
Caused by: java.io.IOException: CRLs not supported for type: SunX509
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:476)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:378)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:490)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:364)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at