Lots of good information was provided. This afternoon I plan to test the "sslProtocol" to "protocols" change in our lower environments. I will reply back with any findings.
Thank you everyone for your responses.

regards,
-- Ez

On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath <rmys...@visa.com.invalid> wrote:

> Hi Chris,
>
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, May 25, 2021 9:10 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>
> Ronald,
>
> On 5/25/21 09:31, Roskens, Ronald wrote:
> >
> >> -----Original Message-----
> >> From: Christopher Schultz <ch...@christopherschultz.net>
> >> Sent: Monday, May 24, 2021 1:56 PM
> >> To: users@tomcat.apache.org
> >> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
> >>
> >> Ezsra,
> >>
> >> On 5/24/21 10:30, Ezsra McDonald wrote:
> >>> I am enabling SSL debugging this morning. I did catch this in the
> >>> log for an instance that started erroring out this morning. Seems
> >>> like it may be too generic to help solve my problem. Here it is:
> >>>
> >>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> >>> java.lang.NullPointerException
> >>>     at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
> >>>     at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
> >>
> >> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
> >> sure how well BC will work with Tomcat. We don't officially support
> >> that configuration, but that doesn't mean we won't try to help.
> >
> > This isn't a Tomcat issue but an interoperability issue between
> > BouncyCastle & OpenJDK.
> >
> > * https://github.com/bcgit/bc-java/issues/633
> > * https://bugs.openjdk.java.net/browse/JDK-8216039
>
> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
> something downstream will still fail...
>
> Just to add my 2 cents here:
>
> Per the problem posed in the very first email, we see the SSL/TLS issue
> between Oracle JDK 8 and Tomcat 8.5.
> Environment:
> OS: CentOS 7
> Apache: apache-tomcat-8.5.65
> Java: jdk1.8.0_281
>
> Note that the following link talks about issues between OpenJDK 11 and
> BC:
> https://bugs.openjdk.java.net/browse/JDK-8216039
>
> This morning's suggestion (about changing from "sslProtocol" to
> "protocols") from Christopher Schultz sounds promising, in that the
> interaction between the browser clients and the Tomcat 8.5.x server will be
> limited only to TLS 1.2.
> Making this change will preclude other old protocols, like TLS 1.0, TLS 1.1,
> etc., in communication between the clients and the Tomcat server.
> We will need tests after making the change to the "protocols" attribute in the
> HTTPS connector block.
> In the context of the above-mentioned change, we may not need any editing of
> the "java.security" file contents (discussed last evening).
>
> Thanks,
> -Raghu
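For reference, this is what the "sslProtocol" to "protocols" change discussed in the thread looks like in a Tomcat 8.5 server.xml. It is an added example written for this page, not configuration posted by anyone in the thread; the port, keystore path and password are placeholders.

```xml
<!-- Before: sslProtocol="TLS" only names the JSSE SSLContext algorithm.
     It does not restrict which TLS versions the JVM will negotiate, so
     TLS 1.0 and TLS 1.1 remain offered wherever the JVM still enables them. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/localhost-rsa.jks" keystorePass="changeit" />

<!-- After (Tomcat 8.5 SSLHostConfig style): the protocols attribute is the
     list of versions a client may negotiate, so only TLS 1.2 is offered.
     Keystore path and password below are placeholder values. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, `openssl s_client -connect host:8443 -tls1_1` should fail the handshake while `-tls1_2` succeeds, which confirms the older versions are no longer negotiable.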