Hi Ezsra,
This is an answer to your query: "Why is Tomcat not using the TLSv1.2 protocol?"
I assume you are using Oracle JDK v8u281.
You may want to review the following line in the file ..../jre/lib/security/java.security:
jdk.tls.disabledAlgorithms=??
The old SSL versions are listed here, for example SSLv3, TLSv1, TLSv1.1, etc.
This, in my opinion, will ensure Tomcat honors the TLSv1.2 protocol (by eliminating the others).
Also, are you observing that the Safari browser is giving a good response, while Chrome is causing the SSL issue?
Hope this helps,
-Raghu
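As an added example (not code from this thread, from Tomcat or from any JDK), a small POSIX shell script that reads a java.security file and reports which protocol versions its jdk.tls.disabledAlgorithms entry actually disables, the check Raghu's note asks for. The sample java.security fragment it writes is constructed here and is not a copy of any JDK update's shipped defaults.

```shell
#!/bin/sh
# Added example, not from the thread: list what a java.security file's
# jdk.tls.disabledAlgorithms entry disables. Assumes POSIX sh with sed, grep
# and tr; the sample file below is constructed, not a real JDK default.

# Print one disabled-algorithm entry per line from the LAST active
# jdk.tls.disabledAlgorithms assignment (Java properties: last one wins),
# joining backslash-continued lines and skipping commented-out copies.
disabled_entries() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" \
      | grep -E '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' \
      | tail -n 1 \
      | sed -e 's/^[^=]*=//' \
      | tr ',' '\n' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v '^$'
}

# Exit 0 if protocol $2 (e.g. TLSv1.1) is disabled in file $1, 1 otherwise.
protocol_disabled() {
    disabled_entries "$1" | grep -qx "$2"
}

# Number of entries in the effective jdk.tls.disabledAlgorithms value.
disabled_count() {
    disabled_entries "$1" | grep -c .
}

# Write a constructed java.security fragment to $1: a commented-out
# assignment that must be ignored, then a real one spanning two lines.
make_sample() {
    cat > "$1" <<'EOF'
# commented out, must not count: jdk.tls.disabledAlgorithms=TLSv1.2
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}

# Stand-alone run: classify each protocol version against the sample.
sample="${TMPDIR:-/tmp}/java.security.sample.$$"
make_sample "$sample"
for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
    if protocol_disabled "$sample" "$p"; then
        echo "$p: disabled by jdk.tls.disabledAlgorithms"
    else
        echo "$p: not disabled (may be negotiated if the JDK supports it)"
    fi
done
```

Point it at the real file with `disabled_entries /path/to/jre/lib/security/java.security` to see the effective list, since an entry like TLSv1.2 appearing there would explain the symptom in the subject line.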
-----Original Message-----
From: Ed Rouse <[email protected]>
Sent: Monday, May 24, 2021 2:26 PM
To: Tomcat Users List <[email protected]>
Subject: RE: Tomcat SSL stops working after an undetermined amount of time
This works for me. In server.xml:
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="C:\Program Files\Java\openjdk_1.8.0.242\jre\lib\security\cacerts"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>
From: Ezsra McDonald <[email protected]>
Sent: Monday, May 24, 2021 4:10 PM
To: Tomcat Users List <[email protected]>
Subject: Re: Tomcat SSL stops working after an undetermined amount of time
Chris,
Thanks for your response.
These Tomcat servers are something I inherited. I do not know what this
bouncycastle.crypto is. If it is making my setup complicated how do I get
around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol?
What would you recommend I use instead? My end goal is to just enable TLS/SSL
on the connectors.
--Ez
On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <[email protected]> wrote:
> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
> > I am enabling SSL debugging this morning. I did catch this in the
> > log for an instance that started erroring out this morning. Seems
> > like it may be too generic to help solve my problem. Here it is:
> >
> > 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> > java.lang.NullPointerException
> > at
> > org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> > Source)
> > at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
> > Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
> sure how well BC will work with Tomcat. We don't officially support
> that configuration, but that doesn't mean we won't try to help.
>
> There will be a presentation at this year's ApacheCon @Home 2021 about
> configuring Tomcat for FIPS and it will include how to configure
> Tomcat with BC (including FIPS). Obviously, you don't want to wait
> around until the conference to get things working, but perhaps the
> presenter is lurking on the list ... ?
>
> I don't have an email address for the presenter, so I can't give you a
> reference. :/
>
> -chris
>