On 28/04/2016 09:51, Kreuser, Peter wrote:
> Mark,
> 
>>
>> On 27/04/2016 10:01, Kreuser, Peter wrote:
>>> Mark,
>>>
>>> I read that you ported all the new SSL functionality to 8.5, so my first 
>>> guess was that if that problem was new, you might want to know what's 
>>> wrong ;-).
>>>
>>>> On 25/04/2016 17:10, Kreuser, Peter wrote:
>>>>> Hi there,
>>>>>
>>>>> I have setup Tomcat 8.5 with the all new SSL Config and HTTP/2.
>>>>>
>>>>> To test the setup I use testssl.sh (https://testssl.sh). The scan is 
>>>>> successful, also stating HTTP/2 is working. So far so good.
>>>>>
>>>>> However I see the following exception in the Logs:
>>>>>
>>>>> 25-Apr-2016 17:36:16.697 SEVERE [https-nio2-8443-exec-6] 
>>>>> org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error 
>>>>> reading request, ignored
>>>>> java.lang.IllegalStateException: Failed to create Processor for 
>>>>> negotiated protocol [""]
>>
>> <snip/>
>>
>>>> This is on my radar but I'd love to see someone else (I'm looking at you
>>>> Peter) take a look. My suggestion is to find out:
>>>> a) what protocols Tomcat is advertising
>>>> b) what protocols the client is requesting
>>>> c) how Tomcat combines a) and b) to get "".
>>>>
>>>> a) and b) should be easy to log from the existing code.
>>>>
>>>> Mark
>>>>
>>>
>>> I will try to look into that and maybe I can trace some of the requests that 
>>> cause the problem.
>>> Any hints on how to get more debug output without compiling the code myself?
>>
>> I took a quick look at the relevant code and there does not appear to be
>> any useful debug logging for this. It looks like you'll have to add some
>> additional debug logging and build Tomcat locally.
>>
>> Mark
>>
> 
> I have recompiled 8.5.1 and, using testssl.sh, I see two problems:
> 
> Debugging to the exception I see
> a) org.apache.tomcat.util.net.openssl.OpenSSLEngine is used even though I 
> intend to use JSSE. JSSE is supposed to be the default, but unless you set 
> sslImplementationName="...JSSE", openssl is used once the 
> AprLifecycleListener is activated. The exception is gone once the 
> AprLifecycleListener is not used or sslImplementationName is explicitly set 
> to JSSE.

That is as expected for 8.5.x and is documented in the configuration docs.

> b) I found the testcase to this problem: after solving a) connect to an 
> OpenSSL connector with
>       > openssl s_client -host localhost -port 8843 -nextprotoneg '""'
> OpenSSL will carry the nextprotoneg with "" (empty String) down to 
> AbstractProtocol.java:725. There it falls through all ifs -> Boom.
> This is not the case with JSSE, where negotiatedProtocol is null! BTW: I have 
> no clue what the "" should do. But it's there.
> 
> Hope you find this information useful.

That is very useful, thank you. Narrowing down exactly what triggers the
problem should speed up the process of fixing it.

We need to check what the specs say should happen in this case. My guess
is either it is an error condition or that the server's default should
be used.

Fancy digging into the TLS ALPN spec to see what it says?

Mark

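The failure mode Peter traced above is a dispatch that only knows two states, null (nothing negotiated, so HTTP/1.1) and an advertised name, and throws on anything else, so an empty negotiated name from the OpenSSL engine lands in the exception. The following is an added illustration written for this thread, not Tomcat's code; the class, method and table names are assumptions, and the advertised protocol list is a constructed example. It shows the unguarded dispatch beside a guarded one that treats "" like "not negotiated" and falls back to the server default, plus the a)/b)/c) logging Mark suggested, computed the way ALPN selection works (server preference order over the client's offers; RFC 7301 also states that empty protocol names must not be included in the list, so "" is an invalid offer rather than a real protocol).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

/** Hypothetical stand-in for a connector's processor selection (assumed names; not Tomcat's code). */
public final class NegotiatedProtocolDispatch {

    public enum ProcessorKind { HTTP_11, HTTP_2 }

    /** Assumed server default when nothing usable was negotiated. */
    static final ProcessorKind DEFAULT_PROCESSOR = ProcessorKind.HTTP_11;

    /** Constructed table of the protocols this connector advertises, in server preference order. */
    static final Map<String, ProcessorKind> ADVERTISED = Map.of(
            "h2", ProcessorKind.HTTP_2,
            "http/1.1", ProcessorKind.HTTP_11);

    /**
     * Shape of the dispatch described in the thread: null means "nothing negotiated",
     * anything else must match an advertised protocol, so "" falls through and throws.
     */
    public static ProcessorKind selectUnguarded(String negotiatedProtocol) {
        if (negotiatedProtocol == null) {
            return DEFAULT_PROCESSOR;
        }
        ProcessorKind kind = ADVERTISED.get(negotiatedProtocol);
        if (kind == null) {
            throw new IllegalStateException(
                    "Failed to create Processor for negotiated protocol [" + negotiatedProtocol + "]");
        }
        return kind;
    }

    /**
     * Guarded variant: an empty name is normalised to "not negotiated" and an unknown
     * name falls back to the default instead of dropping the request, so one odd
     * ClientHello cannot fill the log with SEVERE entries.
     */
    public static ProcessorKind selectGuarded(String negotiatedProtocol) {
        if (negotiatedProtocol == null || negotiatedProtocol.isEmpty()) {
            return DEFAULT_PROCESSOR;
        }
        ProcessorKind kind = ADVERTISED.get(negotiatedProtocol);
        return kind != null ? kind : DEFAULT_PROCESSOR;
    }

    /**
     * The a)/b)/c) trace Mark asked for: log what the server advertises, what the
     * client offered, and the ALPN-style result (first server-preferred name the
     * client also offered, or null). Empty offers are reported and ignored.
     */
    public static String traceNegotiation(List<String> advertised, List<String> offered) {
        List<String> validOffers = new ArrayList<>();
        for (String p : offered) {
            if (p.isEmpty()) {
                System.out.println("b) client offered an empty protocol name (not allowed by RFC 7301); ignoring");
            } else {
                validOffers.add(p);
            }
        }
        System.out.println("a) server advertises: " + advertised);
        System.out.println("b) client offers:     " + validOffers);
        String selected = null;
        for (String p : advertised) {
            if (validOffers.contains(p)) {
                selected = p;
                break;
            }
        }
        System.out.println("c) negotiated:        " + (selected == null ? "<none>" : selected));
        return selected;
    }

    public static void main(String[] args) {
        // Constructed reproduction of the thread's case: the client offers only "".
        String fromEngine = traceNegotiation(Arrays.asList("h2", "http/1.1"), Arrays.asList(""));
        System.out.println("guarded dispatch on null: " + selectGuarded(fromEngine));
        System.out.println("guarded dispatch on \"\": " + selectGuarded(""));
        try {
            selectUnguarded("");
        } catch (IllegalStateException e) {
            System.out.println("unguarded dispatch on \"\": " + e.getMessage());
        }
    }
}
```

Running main prints the three trace lines, then shows the guarded path returning HTTP_11 for both null and "", while the unguarded path reproduces the "Failed to create Processor for negotiated protocol [""]" message from the log. Whether "" should map to the default or be rejected as a handshake error is the spec question Mark raises; the guarded variant here only takes the "use the server's default" branch of that choice.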

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org