Ah ok, that's a little clearer then. Here's the full stack trace:
2013-05-16 12:31:18,334 [main] ERROR org.apache.catalina.connector.Connector -
Protocol handler instantiation failed
java.lang.ClassNotFoundException: Http11NioProtocol
at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:186)
at org.apache.catalina.connector.Connector.<init>(Connector.java:72)
at
org.apache.catalina.startup.ConnectorCreateRule.begin(ConnectorCreateRule.java:62)
at
org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown
Source)
at
org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown
Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1537)
at org.apache.catalina.startup.Catalina.load(Catalina.java:610)
at org.apache.catalina.startup.Catalina.load(Catalina.java:658)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
2013-05-16 12:31:18,349 [main] ERROR org.apache.tomcat.util.digester.Digester -
Begin event threw exception
java.lang.NullPointerException
at
org.apache.catalina.startup.ConnectorCreateRule._setExecutor(ConnectorCreateRule.java:69)
at
org.apache.catalina.startup.ConnectorCreateRule.begin(ConnectorCreateRule.java:63)
at
org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown
Source)
at
org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown
Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1537)
at org.apache.catalina.startup.Catalina.load(Catalina.java:610)
at org.apache.catalina.startup.Catalina.load(Catalina.java:658)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
2013-05-16 12:31:18,349 [main] WARN org.apache.catalina.startup.Catalina -
Catalina.start using conf/server.xml: Error at (37, 37) : null
2013-05-16 12:31:18,349 [main] ERROR org.apache.catalina.connector.Connector -
Protocol handler instantiation failed
java.lang.ClassNotFoundException: Http11NioProtocol
at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:186)
at org.apache.catalina.connector.Connector.<init>(Connector.java:72)
at
org.apache.catalina.startup.ConnectorCreateRule.begin(ConnectorCreateRule.java:62)
at
org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown
Source)
at
org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown
Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1537)
at org.apache.catalina.startup.Catalina.load(Catalina.java:610)
at org.apache.catalina.startup.Catalina.start(Catalina.java:672)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:451)
2013-05-16 12:31:18,349 [main] ERROR org.apache.tomcat.util.digester.Digester -
Begin event threw exception
java.lang.NullPointerException
at
org.apache.catalina.startup.ConnectorCreateRule._setExecutor(ConnectorCreateRule.java:69)
at
org.apache.catalina.startup.ConnectorCreateRule.begin(ConnectorCreateRule.java:63)
at
org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown
Source)
at
org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown
Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1537)
at org.apache.catalina.startup.Catalina.load(Catalina.java:610)
at org.apache.catalina.startup.Catalina.start(Catalina.java:672)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:451)
2013-05-16 12:31:18,349 [main] WARN org.apache.catalina.startup.Catalina -
Catalina.start using conf/server.xml: Error at (37, 37) : null
2013-05-16 12:31:18,349 [main] FATAL org.apache.catalina.startup.Catalina -
Cannot start server. Server instance is not configured.

Our auditors actually raised the issue with us, claiming it is a vulnerability
of ours. We then used the method here to check the port, which shows
Renegotiation is supplied.

http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html

SSL handshake has read 5985 bytes and written 511 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384

Many Thanks,
Mike

-----Original Message-----
From: Mark Thomas [mailto:[email protected]]
Sent: 16 May 2013 14:35
To: Tomcat Users List
Subject: Re: Switching from APR to NIO connection on Tomcat 7.0.32
On 16/05/2013 14:23, Michael Martin wrote:
> Hello,
>
> We're looking at a known issue with Tomcat 7.0.32's APR connector
> (which uses OpenSSL), as documented here -
> http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
> (TLS SSL Man in Middle).
Are you sure there is a vulnerability here you need to avoid? What version of
APR/native are you using? What version of OpenSSL is it built with? I'd expect
just using the latest version would protect against this.
> A solution this offers is switching to the NIO connector. From what
> I've read, this should be as simple as amending the server.xml. This
> is what we now changed for the SSL:
>
> <Connector executor="tomcatThreadPool" port="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> SSLEnabled="true"
>
> However, upon restarting our Tomcat with these settings, we get the
> following in our error log:
>
> 2013-05-16 12:31:18,334 [main] INFO
> org.apache.catalina.core.AprLifecycleListener - Loaded APR based
> Apache Tomcat Native library 1.1.24 using APR version 1.4.6.
OK. You are definitely protected against client initiated renegotiations.
A later version of Tomcat would tell you the OpenSSL version as well.
> 2013-05-16 12:31:18,334 [main] INFO
> org.apache.catalina.core.AprLifecycleListener - APR capabilities:
> IPv6 [true], sendfile [true], accept filters [false], random [true].
> 2013-05-16 12:31:18,334 [main] ERROR
> org.apache.catalina.connector.Connector - Protocol handler
> instantiation failed java.lang.ClassNotFoundException:
> Http11NioProtocol at
> java.net.URLClassLoader$1.run(URLClassLoader.java:366) at
> java.net.URLClassLoader$1.run(URLClassLoader.java:355) at
> java.security.AccessController.doPrivileged(Native Method) at
> java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>
> So looks like it can't be found, and still says it's loading "APR
> based" Tomcat...anyone have any ideas on how to fix this, or what I've
> missed?
Loading the APR library does not mean that it will be used for a connector. The
logs will tell you which connector is being used once you get past the CNFE
problem.
Is there some more to that stack trace? It looks like the protocol attribute in
server.xml isn't the one you quoted but there might be something else going on
- that is why the full stack trace would be helpful.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
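
Added example (not part of the original thread and not Tomcat's own code): the trace above fails in Connector.<init> at Class.forName with the bare name Http11NioProtocol, and Mark's reply suspects that the protocol attribute in server.xml is not the one quoted. The sketch below audits every <Connector> for that condition; the sample server.xml, the function names and the verdict labels are assumptions made for illustration.

```python
import xml.sax

# Constructed sample; the thread never shows the poster's real conf/server.xml.
SAMPLE_SERVER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" maxThreads="150"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector executor="tomcatThreadPool" port="443"
               protocol="Http11NioProtocol" SSLEnabled="true"/>
    <Connector executor="tomcatThreadPool" port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  </Service>
</Server>
"""


def classify_protocol(value):
    """Label a Connector protocol attribute (labels are this example's own)."""
    if value in ("HTTP/1.1", "AJP/1.3"):  # aliases Tomcat resolves itself
        return "alias"
    if "." in value and all(p.isidentifier() for p in value.split(".")):
        return "qualified-class"
    # A name with no package is what the trace above shows failing to load.
    return "bare-class-name"


class ConnectorAudit(xml.sax.ContentHandler):
    def __init__(self):
        super().__init__()
        self.findings = []

    def startElement(self, name, attrs):
        if name == "Connector":
            protocol = attrs.get("protocol", "HTTP/1.1")  # Tomcat's default
            line = self._locator.getLineNumber() if self._locator else None
            self.findings.append(
                (line, attrs.get("port"), protocol, classify_protocol(protocol)))


def audit_connectors(xml_bytes):
    """Return (line, port, protocol, verdict) for every <Connector>."""
    handler = ConnectorAudit()
    xml.sax.parseString(xml_bytes, handler)
    return handler.findings


if __name__ == "__main__":
    print(*audit_connectors(SAMPLE_SERVER_XML), sep="\n")
```

Any connector reported as bare-class-name is the one to compare against the line and column given in the "Catalina.start using conf/server.xml: Error at (...)" warning.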