Hi Chris,

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, May 25, 2021 9:10 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ronald,

On 5/25/21 09:31, Roskens, Ronald wrote:
>
>> -----Original Message-----
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: Monday, May 24, 2021 1:56 PM
>> To: users@tomcat.apache.org
>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Ezsra,
>>
>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>> I am enabling SSL debugging this morning. I did catch this in the
>>> log for an instance that started erroring out this morning. Seems
>>> like it may be too generic to help solve my problem. Here it is:
>>>
>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>> java.lang.NullPointerException
>>>     at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>>     at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>
>> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
>> sure how well BC will work with Tomcat. We don't officially support
>> that configuration, but that doesn't mean we won't try to help.
>
> This isn't a Tomcat issue but an interoperability issue between BouncyCastle
> & OpenJDK.
>
> * https://github.com/bcgit/bc-java/issues/633
> * https://bugs.openjdk.java.net/browse/JDK-8216039

Oh, great. Looks like a BC upgrade will fix the NPE. But possibly something
downstream will still fail...


Just to add my 2 cents here:

Per the problem posed in the very first email, we see the SSL/TLS issue
between Oracle JDK 8 and Tomcat 8.5.

Environment:
  OS:     CentOS 7
  Apache: apache-tomcat-8.5.65
  Java:   jdk1.8.0_281

Note that the following link talks about issues between OpenJDK 11 and BC:
https://bugs.openjdk.java.net/browse/JDK-8216039

This morning's suggestion from Christopher Schultz (about changing from
"sslProtocol" to "protocols") sounds promising, in that the interaction
between the browser clients and the Tomcat 8.5.x server will be limited only
to TLS 1.2. Making this change will preclude other old protocols, like
TLS 1.0, TLS 1.1 etc., in communication between the clients and the Tomcat
server. We will need tests after making the change to the "protocols"
attribute in the HTTPS connector block. In the context of the above-mentioned
change, we may not need any editing of the "java.security" file contents
(discussed last evening).

Thanks,
-Raghu

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
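As an added illustration of the connector change discussed in this thread (not a configuration posted by anyone on the list), here is a Tomcat 8.5 `server.xml` fragment showing the legacy `sslProtocol` form beside the `SSLHostConfig` form whose `protocols` attribute limits the connector to TLS 1.2. The port, keystore path, password and key type are assumed placeholders.

```xml
<!-- Added example, not from the thread. Port 8443, conf/keystore.jks,
     the password and the RSA key type are placeholders. -->

<!-- Before: legacy connector attributes. sslProtocol only names the
     SSLContext algorithm ("TLS"); it does not restrict which TLS
     versions a client may negotiate, so TLS 1.0 and 1.1 stay enabled
     unless the JVM or java.security disables them. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/keystore.jks"
           keystorePass="changeit" />

<!-- After: Tomcat 8.5 SSLHostConfig form. protocols="TLSv1.2" makes the
     connector itself refuse TLS 1.0 and TLS 1.1 handshakes, so no
     java.security edit is needed for that purpose. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, the test Raghu mentions can be done with `openssl s_client -connect <host>:8443 -tls1_1`, which should now fail to handshake, while the same command with `-tls1_2` should succeed.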