On 28 April 2016 10:04:49 BST, Mark Thomas <ma...@apache.org> wrote:
>On 28/04/2016 09:51, Kreuser, Peter wrote:
>> Mark,
>>
>>>
>>> On 27/04/2016 10:01, Kreuser, Peter wrote:
>>>> Mark,
>>>>
>>>> I read that you ported all the new SSL functionality to 8.5, so my first guess was that if that problem was new, you might want to know what's wrong ;-).
>>>>
>>>>> On 25/04/2016 17:10, Kreuser, Peter wrote:
>>>>>> Hi there,
>>>>>>
>>>>>> I have set up Tomcat 8.5 with the all-new SSL config and HTTP/2.
>>>>>>
>>>>>> To test the setup I use testssl.sh (https://testssl.sh). The scan is successful, also stating HTTP/2 is working. So far so good.
>>>>>>
>>>>>> However I see the following exception in the logs:
>>>>>>
>>>>>> 25-Apr-2016 17:36:16.697 SEVERE [https-nio2-8443-exec-6] org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading request, ignored
>>>>>> java.lang.IllegalStateException: Failed to create Processor for negotiated protocol [""]
>>>
>>> <snip/>
>>>
>>>>> This is on my radar but I'd love to see someone else (I'm looking at you Peter) take a look. My suggestion is to find out:
>>>>> a) what protocols Tomcat is advertising
>>>>> b) what protocols the client is requesting
>>>>> c) how Tomcat combines a) and b) to get "".
>>>>>
>>>>> a) and b) should be easy to log from the existing code.
>>>>>
>>>>> Mark
>>>>>
>>>>
>>>> I will try to look into that and maybe I can trace some of the requests that cause the problem.
>>>> Any hints on how to get more debug output without compiling the code myself?
>>>
>>> I took a quick look at the relevant code and there does not appear to be any useful debug logging for this. It looks like you'll have to add some additional debug logging and build Tomcat locally.
>>>
>>> Mark
>>>
>>
>> I have recompiled 8.5.1 and using testssl.sh I see two problems:
>>
>> Debugging to the exception I see
>> a) org.apache.tomcat.util.net.openssl.OpenSSLEngine is used even though I intend to use JSSE. JSSE is supposed to be the default, but unless you set sslImplementationName="...JSSE", openssl is used once the AprLifecycleListener is activated. The exception is gone once the AprLifecycleListener is not used or sslImplementationName is explicitly set to JSSE.
>
>That is as expected for 8.5.x and is documented in the configuration docs.
>
>> b) I found the testcase for this problem: after solving a) connect to an OpenSSL connector with
>>      > openssl s_client -host localhost -port 8843 -nextprotoneg '""'
>> OpenSSL will carry the nextprotoneg with "" (empty String) down to AbstractProtocol.java:725. There it falls through all ifs -> Boom.
>> This is not the case with JSSE, where negotiatedProtocol is null! BTW: I have no clue what the "" should do. But it's there.
>>
>> Hope you find this information useful.
>
>That is very useful, thank you. Narrowing down exactly what triggers the problem should speed up the process of fixing it.
>
>We need to check what the specs say should happen in this case. My guess is either it is an error condition or that the server's default should be used.
>
>Fancy digging into the TLS ALPN spec to see what it says?

I've done some investigation. It looks like something is going wrong in the native connector. It should be failing the connection on the basis that there is no matching ALPN protocol. For some reason, the protocol specified by the client is returned.

I've been through the code and it appears to be ok. I need to add some debugging to figure out what is going on.

Mark
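Added example (not Tomcat code, not from anyone on this thread): a small Python model of what the thread is circling around. `select_alpn` implements server-side ALPN selection as RFC 7301 specifies it (the server picks from its own preference list; no overlap is a fatal no_application_protocol alert; a zero-length protocol name is malformed, since ProtocolName is defined as 1..255 bytes), `negotiation_report` returns the three items Mark suggests logging (advertised, requested, combined result), and the two `dispatch_*` functions contrast the reported fall-through with a dispatch that treats null and "" alike as "nothing negotiated" and rejects a name the connector never advertised with a typed error. Two caveats for anyone reproducing this: `s_client -nextprotoneg` exercises NPN, not ALPN (that is `-alpn`), and in NPN it is the client that makes the final choice and announces it, which is consistent with "the protocol specified by the client is returned"; and the shell argument `'""'` is the two-character string consisting of two double-quote characters, not an empty string, so both values are exercised below. Processor names, the connector's default, and the sample offers are constructed for the example.

```python
"""Model of ALPN selection (RFC 7301) and of protocol-to-processor dispatch,
exercised with the empty / unexpected protocol-name cases from the thread.

Added example, not Tomcat code: processor names, the connector "default
processor" and the sample offers are all constructed.
"""
from typing import Dict, Optional, Sequence


class NoApplicationProtocol(Exception):
    """RFC 7301 section 3.2: no common protocol -> fatal no_application_protocol alert."""


class UnsupportedProtocol(RuntimeError):
    """A negotiated name the connector has no processor for (only reachable via
    NPN, where the client may announce a protocol the server never advertised)."""


def validate_offer(offer: Sequence[str]) -> None:
    """RFC 7301 section 3.1: ProtocolName is opaque <1..2^8-1>, so a zero-length
    name is malformed on the wire and must not reach selection."""
    for name in offer:
        if not 1 <= len(name.encode("utf-8")) <= 255:
            raise ValueError(f"malformed protocol name {name!r}")


def select_alpn(server_prefs: Sequence[str], client_offer: Sequence[str]) -> str:
    """Server-side ALPN selection: first of the *server's* preferences that the
    client also offered; nothing in common is fatal, never a silent fallback."""
    validate_offer(client_offer)
    for proto in server_prefs:
        if proto in client_offer:
            return proto
    raise NoApplicationProtocol(
        f"server {list(server_prefs)} and client {list(client_offer)} share nothing")


def negotiation_report(server_prefs: Sequence[str],
                       client_offer: Sequence[str]) -> Dict[str, object]:
    """The three things worth logging: a) advertised, b) requested,
    c) the combined result, or the reason there is none."""
    try:
        negotiated: Optional[str] = select_alpn(server_prefs, client_offer)
        error = None
    except (NoApplicationProtocol, ValueError) as exc:
        negotiated, error = None, type(exc).__name__
    return {"advertised": list(server_prefs), "requested": list(client_offer),
            "negotiated": negotiated, "error": error}


# Constructed mapping of negotiated protocol -> processor; the HTTP/1.1
# processor plays the role of the connector's default.
PROCESSORS = {"h2": "Http2Processor", "http/1.1": "Http11Processor"}
DEFAULT_PROCESSOR = "Http11Processor"


def dispatch_as_reported(negotiated: Optional[str]) -> str:
    """Mirrors the failure mode in the thread: only None means "nothing
    negotiated"; any other value is looked up as a real protocol name, and
    an unknown one (including "" or '""') falls through to a generic error."""
    if negotiated is None:
        return DEFAULT_PROCESSOR
    if negotiated in PROCESSORS:
        return PROCESSORS[negotiated]
    raise RuntimeError(
        f"Failed to create Processor for negotiated protocol [{negotiated}]")


def dispatch_hardened(negotiated: Optional[str]) -> str:
    """Defensive dispatch: None *and* "" both mean "nothing negotiated" (the
    JSSE and OpenSSL engines differ on which they report), and a name the
    connector never advertised becomes a typed, loggable rejection that the
    caller can turn into a closed connection instead of an ignored exception."""
    if not negotiated:
        return DEFAULT_PROCESSOR
    try:
        return PROCESSORS[negotiated]
    except KeyError:
        raise UnsupportedProtocol(
            f"client selected {negotiated!r}; connector supports {sorted(PROCESSORS)}"
        ) from None


if __name__ == "__main__":
    # Constructed offers: a normal h2 client, a client with no overlap, and
    # the two readings of what s_client -nextprotoneg '""' sends.
    for offer in (["http/1.1", "h2"], ["spdy/3"], [""], ['""']):
        print(negotiation_report(["h2", "http/1.1"], offer))
    for value in (None, "", '""', "h2"):
        try:
            print(repr(value), "->", dispatch_hardened(value))
        except UnsupportedProtocol as exc:
            print(repr(value), "-> rejected:", exc)
```

Running the block prints one report per constructed offer and then the hardened dispatch decision for each of the four negotiated values; the interesting comparison is `""` (falls back to the default processor) against `'""'` (rejected with a clear message naming what the connector does support).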


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org