To track if BC is configured in your environment, you may want to assess if BC
is listed as a "security.provider" in the following "java.security" file

File: ..../jre/lib/security/java.security

Check for record (example below):

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Note that the number 10 above may be something different in your environment's
"java.security" file (presuming BC is configured here)
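A runtime check that goes one step beyond grepping java.security, added here as an illustration and not code from anyone in the thread: it lists the registered providers in their security.provider.N order, shows which provider services RSASSA-PSS (the algorithm in the stack trace), and reports whether the JDK's default SSLContext already offers TLSv1.3. The class name BcTlsCheck is my own; run it with the same JRE and classpath Tomcat uses.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added diagnostic (not from the thread). Run it with the JRE and classpath
// Tomcat uses so that the same java.security file and provider jars apply.
public class BcTlsCheck {

    public static void main(String[] args) throws Exception {
        Provider[] providers = Security.getProviders();
        int bcSlot = 0;
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            // Positions are 1-based, matching security.provider.N in java.security.
            // getVersion() is the Java 8 API (deprecated, but still present, in 9+).
            System.out.printf("security.provider.%d=%s (%s %.2f)%n",
                    i + 1, p.getClass().getName(), p.getName(), p.getVersion());
            // Matches both the BC JCE provider and BCJSSE, if either is installed.
            if (bcSlot == 0 && p.getClass().getName().startsWith("org.bouncycastle.")) {
                bcSlot = i + 1;
            }
        }
        System.out.println(bcSlot == 0
                ? "BouncyCastle is NOT registered (neither via java.security nor Security.addProvider)"
                : "BouncyCastle is registered at slot " + bcSlot);

        // Whichever provider services RSASSA-PSS is the one whose PSS code runs in the
        // TLS 1.3 handshake; in the thread's NPE that was BC's JDKPSSSigner.
        try {
            Signature pss = Signature.getInstance("RSASSA-PSS");
            System.out.println("RSASSA-PSS is served by: " + pss.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("RSASSA-PSS is not available from any registered provider");
        }

        // Does the default JSSE already offer TLSv1.3 without BC?
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        boolean tls13 = Arrays.asList(supported).contains("TLSv1.3");
        System.out.println("Default SSLContext provider: " + ctx.getProvider().getName());
        System.out.println("Supported protocols: " + String.join(",", supported));
        System.out.println(tls13
                ? "TLSv1.3 is supported natively; BC may not be needed for it"
                : "TLSv1.3 is NOT offered by the default SSLContext");
    }
}
```

A java.security entry whose class is not on the classpath is skipped silently at startup, so this runtime view can differ from what the file says.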



-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, May 26, 2021 4:35 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ezsra,

On 5/26/21 18:11, Ezsra McDonald wrote:

> Well, I still have issues. I think it is the same thing hit by these guys:
> https://jira.atlassian.com/browse/BAM-21157
> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
>
> I'll try their fix. My main concern is that I do not want to disable
> TLSv1.3.



If you don't want to disable TLSv1.3, then you want:

<Connector ....
   protocols="TLSv1.2,TLSv1.3"
/>

If BC is failing you, I'd want to find out if you really need BC.

That first link above seems to suggest that when using Tomcat you MUST disable
TLSv1.3. That seems odd. What version of BC are you using?

Search for .jar files with names like "bouncy".

Do you have the option to downgrade Java?

Have you tried disabling the RSASSA-PSS algorithm as per their instructions? It
seems ... far-fetched that would fix the problem, but ... okay.

Note that at some time in the past, Java 1.8 did not support TLSv1.3 and lots
of people who were stuck on Java 1.8 decided to switch to BC which did have
TLSv1.3 support. With that version of Java 1.8 (_281), you should have native
JDK support for TLSv1.3. Perhaps BC is not necessary at all.

-chris



> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald
> <ezsra.mcdon...@gmail.com> wrote:
>
>> Lots of good information was provided.
>>
>> This afternoon I plan to test the "sslProtocol" to "protocols"
>> change in our lower environments. I will reply back with any findings.
>>
>> Thank you everyone for your responses.
>>
>> regards,
>>
>> -- Ez
>>
>> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
>> <rmys...@visa.com.invalid> wrote:
>>
>>> Hi Chris,
>>>
>>> -----Original Message-----
>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>> Sent: Tuesday, May 25, 2021 9:10 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: Tomcat SSL stops working after an undetermined amount
>>> of time
>>>
>>> Ronald,
>>>
>>> On 5/25/21 09:31, Roskens, Ronald wrote:
>>>>
>>>>> -----Original Message-----
>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>>> Sent: Monday, May 24, 2021 1:56 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
>>>>> undetermined amount of time
>>>>>
>>>>> Ezsra,
>>>>>
>>>>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>>>>> I am enabling SSL debugging this morning. I did catch this in the
>>>>>> log for an instance that started erroring out this morning. Seems
>>>>>> like it may be too generic to help solve my problem. Here it is:
>>>>>>
>>>>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>>>>> java.lang.NullPointerException
>>>>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>>>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>>>>
>>>>> Oh. You are using BouncyCastle. I've never tried to do that. I'm
>>>>> not sure how well BC will work with Tomcat. We don't officially
>>>>> support that configuration, but that doesn't mean we won't try to help.
>>>>
>>>> This isn't a Tomcat issue but an interoperability issue between
>>>> BouncyCastle & OpenJDK.
>>>>
>>>> * https://github.com/bcgit/bc-java/issues/633
>>>> * https://bugs.openjdk.java.net/browse/JDK-8216039
>>>
>>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
>>> something downstream will still fail...
>>>
>>> Just to add my 2 cents here:
>>>
>>> Per the problem posed in the very first email, we see the SSL/TLS
>>> issue between Oracle JDK 8 and Tomcat 8.5
>>> Environment:
>>> OS: CentOS 7
>>> Apache: apache-tomcat-8.5.65
>>> Java: jdk1.8.0_281
>>>
>>> Note that the following link talks about issues between OpenJDK 11
>>> and BC.
>>> https://bugs.openjdk.java.net/browse/JDK-8216039
>>>
>>> This morning's suggestion (about changing from "sslProtocol" to
>>> "protocols") from Christopher Schultz sounds promising, in that
>>> the interaction between the Browser-clients and Tomcat 8.5.x server
>>> will be limited only to TLS 1.2. Making this change will preclude
>>> other old protocols, like TLS 1.0, TLS 1.1 etc., in communication
>>> between the clients and the Tomcat server.
>>> We will need tests after making the change to the "protocols" attribute
>>> in the HTTPS connector block.
>>> In the context of the above mentioned change, we may not need any
>>> editing of "java.security" file contents (discussed last evening).
>>>
>>> Thanks,
>>>   -Raghu
>>>




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

