Thanks for the responses. So, I need to understand a little more about BouncyCastle. I inherited the tomcat environment so I do not know how or why BC came to be installed in the containers. I will do some research on BC so I understand it better. My assumption from the responses is that BC is not a standard part of Tomcat or Java install.
If the BC is part of an application running in the container and comes from a war file, can it be causing this issue? Or is BC most likely loaded when the container starts?

--Ez

On Thu, May 27, 2021 at 8:37 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Raghunath,
>
> On 5/26/21 19:08, Mysore, Raghunath wrote:
> > To track if BC is configured in your environment, you may want to
> > assess if BC is listed as a "security.provider" in the following
> > "java.security" file
> >
> > File : ..../jre/lib/security/java.security
> >
> > Check for record (example below) :
> >
> > security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
> >
> > Note the Number 10, above may be something different in your
> > environment's "java.security" file (presuming BC is configured here)
>
> Well, the error being encountered is definitely within BC, so I'd venture
> a guess that BC is indeed being used.
>
> -chris
>
> > -----Original Message-----
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: Wednesday, May 26, 2021 4:35 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Tomcat SSL stops working after an undetermined amount of time
> >
> > Ezsra,
> >
> > On 5/26/21 18:11, Ezsra McDonald wrote:
> >> Well, I still have issues. I think it is the same thing hit by
> >> these guys:
> >>
> >> https://jira.atlassian.com/browse/BAM-21157
> >> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
> >>
> >> I'll try their fix. My main concern is that I do not want to disable
> >> TLSv1.3.
> >
> > If you don't want to disable TLSv1.3, then you want:
> >
> > <Connector ....
> >   protocols="TLSv1.2,TLSv1.3"
> > />
> >
> > If BC is failing you, I'd want to find out if you really need BC.
> >
> > That first link above seems to suggest that when using Tomcat you
> > MUST disable TLSv1.3. That seems odd. What version of BC are you
> > using?
> >
> > Search for .jar files with names like "bouncy".
> >
> > Do you have the option to downgrade Java?
> >
> > Have you tried disabling the RSASSA-PSS algorithm as per their
> > instructions? It seems ... far-fetched that would fix the problem,
> > but ... okay.
> >
> > Note that at some time in the past, Java 1.8 did not support TLSv1.3
> > and lots of people who were stuck on Java 1.8 decided to switch to BC
> > which did have TLSv1.3 support. With that version of Java 1.8 (_281),
> > you should have native JDK support for TLSv1.3. Perhaps BC is not
> > necessary at all.
> >
> > -chris
> >
> >> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:
> >>
> >>> Lots of good information was provided.
> >>>
> >>> This afternoon I plan to test the "sslProtocol" to "protocols"
> >>> change in our lower environments. I will reply back with any
> >>> findings.
> >>>
> >>> Thank you everyone for your responses.
> >>>
> >>> regards,
> >>>
> >>> -- Ez
> >>>
> >>> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath <rmys...@visa.com.invalid> wrote:
> >>>
> >>>> Hi Chris,
> >>>>
> >>>> -----Original Message-----
> >>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>> Sent: Tuesday, May 25, 2021 9:10 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
> >>>>
> >>>> Ronald,
> >>>>
> >>>> On 5/25/21 09:31, Roskens, Ronald wrote:
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Christopher Schultz <ch...@christopherschultz.net>
> >>>>>> Sent: Monday, May 24, 2021 1:56 PM
> >>>>>> To: users@tomcat.apache.org
> >>>>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined amount of time
> >>>>>>
> >>>>>> Ezsra,
> >>>>>>
> >>>>>> On 5/24/21 10:30, Ezsra McDonald wrote:
> >>>>>>> I am enabling SSL debugging this morning. I did catch this in the
> >>>>>>> log for an instance that started erroring out this morning. Seems
> >>>>>>> like it may be too generic to help solve my problem. Here it is:
> >>>>>>>
> >>>>>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun java.lang.NullPointerException
> >>>>>>>     at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
> >>>>>>>     at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
> >>>>>>
> >>>>>> Oh. You are using BouncyCastle. I've never tried to do that. I'm
> >>>>>> not sure how well BC will work with Tomcat. We don't officially
> >>>>>> support that configuration, but that doesn't mean we won't try to help.
> >>>>>
> >>>>> This isn't a Tomcat issue but an interoperability issue between
> >>>>> BouncyCastle & OpenJDK.
> >>>>>
> >>>>> * https://github.com/bcgit/bc-java/issues/633
> >>>>> * https://bugs.openjdk.java.net/browse/JDK-8216039
> >>>>
> >>>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
> >>>> something downstream will still fail...
> >>>>
> >>>> Just to add my 2 cents here :
> >>>>
> >>>> Per the problem posed in the very first email, we see the SSL/TLS
> >>>> issue between Oracle JDK 8 and Tomcat 8.5
> >>>> Environment:
> >>>> OS: CentOS 7
> >>>> Apache: apache-tomcat-8.5.65
> >>>> Java: jdk1.8.0_281
> >>>>
> >>>> Note that the following link talks about issues between OpenJDK 11
> >>>> and BC.
> >>>> https://bugs.openjdk.java.net/browse/JDK-8216039
> >>>>
> >>>> This morning's suggestion (about changing from "sslProtocol" to
> >>>> "protocols") from Christopher Schultz sounds promising, in that
> >>>> the interaction between the browser clients and the Tomcat 8.5.x server
> >>>> will be limited only to TLS 1.2. Making this change will preclude
> >>>> other old protocols, like TLS 1 and TLS 1.1, in communication between
> >>>> the clients and the Tomcat server.
> >>>> We will need tests after making the change to the "protocols" attribute
> >>>> in the HTTPS connector block.
> >>>> In the context of the above mentioned change, we may not need any
> >>>> editing of "java.security" file contents (discussed last evening).
> >>>>
> >>>> Thanks,
> >>>> -Raghu
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
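As an added example (my own script, not code from the thread, from Tomcat or from BouncyCastle), here is a POSIX shell script that performs the two checks suggested in the thread, Chris's search for .jar files with names like "bouncy" and Raghu's check for a security.provider entry in java.security, and then classifies whether BC is visible container-wide or only bundled inside a webapp, which is what Ez's last question turns on. The stock Tomcat layout (CATALINA_BASE/lib and webapps/*/WEB-INF/lib, plus packed .war files), the jar-name patterns bcprov/bcpkix/bctls, and the function names are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the Tomcat users thread. Assumptions (mine):
# the Tomcat base dir has the stock lib/ and webapps/ layout, and the
# java.security path passed in is the one the container's JRE reads.

# Jars under lib/ are loaded by Tomcat's common classloader at startup and
# are visible to the connector and every webapp; jars under a webapp's
# WEB-INF/lib are loaded by that webapp's classloader only.
find_bc_jars() {
    base="$1"
    find "$base" -type f \( -iname '*bouncy*.jar' -o -iname 'bcprov*.jar' \
        -o -iname 'bcpkix*.jar' -o -iname 'bctls*.jar' \) 2>/dev/null | sort
}

# Same search inside packed .war files (which find cannot look into).
# Skipped silently when unzip is not installed; prints "war:entry" lines.
find_bc_in_wars() {
    base="$1"
    command -v unzip >/dev/null 2>&1 || return 0
    find "$base" -type f -iname '*.war' 2>/dev/null | while read -r war; do
        unzip -Z1 "$war" 2>/dev/null \
            | grep -iE 'WEB-INF/lib/(bc(prov|pkix|tls)|.*bouncy).*\.jar$' \
            | sed "s|^|$war:|"
    done
}

# Raghu's check: print the security.provider.N line(s) that register a
# BouncyCastle provider statically in java.security. Exit status 0 only
# when at least one such line exists.
bc_provider_lines() {
    sec_file="$1"
    [ -r "$sec_file" ] || return 1
    grep -E '^[[:space:]]*security\.provider\.[0-9]+=org\.bouncycastle\.' "$sec_file"
}

# Classify where BC comes from:
#   global - registered in java.security or present in Tomcat's lib/
#   webapp - only found inside an application (exploded or packed)
#   none   - not found on disk at all
bc_scope() {
    base="$1"; sec_file="$2"
    if bc_provider_lines "$sec_file" >/dev/null 2>&1 || \
       find_bc_jars "$base/lib" | grep -q .; then
        echo global
    elif find_bc_jars "$base/webapps" | grep -q . || \
         find_bc_in_wars "$base/webapps" | grep -q .; then
        echo webapp
    else
        echo none
    fi
}

# Human-readable summary, e.g.:
#   report /opt/tomcat /usr/java/jdk1.8.0_281/jre/lib/security/java.security
report() {
    echo "BC provider lines in $2:"; bc_provider_lines "$2" || echo "  (none)"
    echo "BC jars under $1:";       find_bc_jars "$1"
    echo "BC jars inside .war files under $1/webapps:"; find_bc_in_wars "$1/webapps"
    echo "scope: $(bc_scope "$1" "$2")"
}
```

Two caveats on reading the result. First, "webapp" scope does not mean the container is unaffected: application code that calls `java.security.Security.addProvider()` registers BC in the JVM-wide provider list, so a BC shipped only in WEB-INF/lib can still end up handling signature operations for the JSSE stack. Second, this script inspects the disk, not the running JVM; on Java 8 also look at `$JAVA_HOME/jre/lib/ext`, and the authoritative answer is the provider list the live process reports.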