Mark,

>On 27/04/2016 10:01, Kreuser, Peter wrote:
>> Mark,
>>
>> I read that you ported all the new SSL functionality to 8.5, so my first
>> guess was, that if that problem was new, you might want to know what's wrong
>> ;-).
>>
>>> On 25/04/2016 17:10, Kreuser, Peter wrote:
>>>> Hi there,
>>>>
>>>> I have setup Tomcat 8.5 with the all new SSL Config and HTTP/2.
>>>>
>>>> To test the setup I use testssl.sh (https://testssl.sh). The scan is
>>>> successful, also stating HTTP/2 is working. So far so good.
>>>>
>>>> However I see the following exception in the Logs:
>>>>
>>>> 25-Apr-2016 17:36:16.697 SEVERE [https-nio2-8443-exec-6]
>>>> org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading
>>>> request, ignored
>>>> java.lang.IllegalStateException: Failed to create Processor for negotiated
>>>> protocol [""]
>
><snip/>
>
>>> This is on my radar but I'd love to see someone else (I'm looking at you
>>> Peter) take a look. My suggestion is to find out:
>>> a) what protocols Tomcat is advertising
>>> b) what protocols the client is requesting
>>> c) how Tomcat combines a) and b) to get "".
>>>
>>> a) and b) should be easy to log from the existing code.
>>>
>>> Mark
>>>
>>
>> I will try to look into that and maybe I can trace some of the request that
>> cause the problem.
>> Any hints on how to get more debug output without compiling the code myself?
>
>I took a quick look at the relevant code and there does not appear to be
>any useful debug logging for this. It looks like you'll have to add some
>additional debug logging and build Tomcat locally.
>
>Mark
>
I have recompiled 8.5.1 and using testssl.sh I see two problems:

Debugging to the exception I see

a) org.apache.tomcat.util.net.openssl.OpenSSLEngine is used even though I
intend to use JSSE. JSSE is supposed to be the default, but unless you set
sslImplementationName="...JSSE", openssl is used once the
AprLifecycleListener is activated. The exception is gone once the
AprLifecycleListener is not used or sslImplementationName is explicitly set
to JSSE.

b) I found the testcase to this problem: after solving a) connect to an
OpenSSL connector with

> openssl s_client -host localhost -port 8843 -nextprotoneg '""'

OpenSSL will carry the nextprotoneg with "" (empty String) down to
AbstractProtocol.java:725. There it falls through all ifs -> Boom.
This is not the case with JSSE, where negotiatedProtocol is null!

BTW: I have no clue what the "" should do. But it's there.

Hope you find this information useful.

Best regards

Peter
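
The fall-through described in b), as an added example that is not part of the original message and is not Tomcat's code: a simplified model of choosing a processor from the negotiated protocol. It follows the message's description of the value as an empty string; the class, method and processor names are hypothetical, the inputs are constructed, and Java 9+ is assumed for Map.of.

```java
import java.util.Map;
import java.util.function.Function;

/** Simplified model of post-handshake protocol dispatch (hypothetical names). */
public class NegotiatedProtocolDispatch {

    // Hypothetical stand-in for the connector's configured upgrade protocols.
    static final Map<String, String> UPGRADE_PROCESSORS = Map.of("h2", "Http2Processor");
    static final String DEFAULT_PROCESSOR = "Http11Processor";

    /** Only null counts as "nothing negotiated", so "" falls through every branch. */
    static String selectStrict(String negotiated) {
        if (negotiated == null) {
            return DEFAULT_PROCESSOR;
        }
        String processor = UPGRADE_PROCESSORS.get(negotiated);
        if (processor != null) {
            return processor;
        }
        if (negotiated.equals("http/1.1")) {
            return DEFAULT_PROCESSOR; // default protocol negotiated explicitly
        }
        throw new IllegalStateException("no processor for [" + negotiated + "]");
    }

    /** Treats null and "" alike, so both TLS implementations behave the same. */
    static String selectNormalised(String negotiated) {
        if (negotiated == null || negotiated.isEmpty()) {
            return DEFAULT_PROCESSOR;
        }
        return selectStrict(negotiated); // unknown protocols are still rejected
    }

    static String run(Function<String, String> selector, String negotiated) {
        try {
            return selector.apply(negotiated);
        } catch (IllegalStateException e) {
            return "IllegalStateException";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the JSSE case (null), the OpenSSL case (""), and others.
        String[] inputs = {null, "", "h2", "http/1.1", "spdy/3"};
        for (String in : inputs) {
            String shown = (in == null) ? "null" : "\"" + in + "\"";
            System.out.printf("%-11s strict=%-22s normalised=%s%n", shown,
                    run(NegotiatedProtocolDispatch::selectStrict, in),
                    run(NegotiatedProtocolDispatch::selectNormalised, in));
        }
    }
}
```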