We are in the process of upgrading Tomcat 5.5 to Tomcat 7.0. These Tomcat deployments use a custom FIPS 140-2 certified JSSE implementation for their SSL Connectors.
In Tomcat 5.5, the Connectors are configured like this:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
    <Connector port="41443" minProcessors="5" maxProcessors="75"
               enableLookups="true" disableUploadTimeout="true"
               redirectPort="41443" acceptCount="100" debug="0"
               scheme="https" secure="true" connectionTimeout="60000"
               useURIValidationHack="false" clientAuth="false"
               sslProtocol="SSLv2Hello,TLSv1"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
               keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
               SSLImplementation="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation" />

which works fine (a listener appears on 41443 and one can do HTTPS to it).

In Tomcat 7.0.23 we are trying to use:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port specified by the installer (default 41443) -->
    <Connector port="41443"
               enableLookups="true" disableUploadTimeout="true"
               redirectPort="41443" acceptCount="100"
               scheme="https" secure="true" connectionTimeout="60000"
               clientAuth="false"
               sslProtocol="SSLv2Hello,TLSv1"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
               keystorePass="symantec" keystoreFile="/data/bcc/conf/keystore"
               sslImplementationName="com.symantec.smg.controlcenter.internal.security.ssl.BrightmailSSLImplementation"
               SSLEnabled="true" />

but this does not work (no listener appears on 41443) and catalina.out has this:

    Jan 6, 2012 8:09:14 AM org.apache.catalina.core.StandardService initInternal
    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-41443]]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-41443]]
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
            at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
            at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
            at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
            at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
            at java.lang.reflect.Method.invoke(Unknown Source)
            at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
            at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
            at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
            at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
            ... 12 more
    Caused by: java.io.IOException: SSLv2Hello,TLSv1 SSLContext not available
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475)
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
            at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
            at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
            at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
            at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
            at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
            ... 13 more
    Caused by: java.security.NoSuchAlgorithmException: SSLv2Hello,TLSv1 SSLContext not available
            at sun.security.jca.GetInstance.getInstance(Unknown Source)
            at javax.net.ssl.SSLContext.getInstance(Unknown Source)
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:488)
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:448)
            ... 19 more

It seems that Tomcat is trying the default JSSE implementation despite the sslImplementationName attribute being set. Are there internal precedence controls, or does the classloader hierarchy matter, or what?
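An added illustration of what the trace above shows, not part of the original post and not Tomcat's or Symantec's code. The bottom of the trace has JSSESocketFactory.createSSLContext handing the whole sslProtocol value to SSLContext.getInstance(), which accepts a single algorithm name (such as "TLS"), not a comma-separated list; the list of protocol versions to enable is a separate setting that is applied to the socket afterwards (in the Tomcat 7 connector this is the sslEnabledProtocols attribute). The stand-alone program below reproduces both calls against the JDK's default provider; the class and method names are assumptions made for the example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/*
 * Added example (hypothetical class, not Tomcat or Symantec code).
 * Reproduces the distinction behind "SSLv2Hello,TLSv1 SSLContext not
 * available": SSLContext.getInstance() takes ONE algorithm name, while the
 * protocol versions to enable are a separate list checked against what the
 * provider supports.
 */
public class SslProtocolCheck {

    /** Step 1 as seen in the trace: SSLContext.getInstance(sslProtocol). */
    static SSLContext contextFor(String sslProtocol) throws NoSuchAlgorithmException {
        return SSLContext.getInstance(sslProtocol);
    }

    /**
     * Step 2: reduce a comma-separated list such as "SSLv2Hello,TLSv1" to the
     * names the context's provider actually supports, keeping the order given
     * and reporting anything unknown (a FIPS provider may lack some of them).
     */
    static List<String> enabledProtocols(SSLContext ctx, String sslEnabledProtocols) {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> enabled = new ArrayList<>();
        for (String name : sslEnabledProtocols.split(",")) {
            String p = name.trim();
            if (supported.contains(p)) {
                enabled.add(p);
            } else {
                System.err.println("unsupported protocol, skipped: " + p);
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        // The value from the failing Tomcat 7 connector, used as an algorithm name.
        try {
            contextFor("SSLv2Hello,TLSv1");
        } catch (NoSuchAlgorithmException e) {
            // This is the innermost exception in the catalina.out trace.
            System.out.println("rejected as algorithm name: " + e.getMessage());
        }

        // A single algorithm name is what getInstance() expects.
        SSLContext ctx = contextFor("TLS");
        ctx.init(null, null, null); // no key material is needed just to query parameters

        System.out.println("supported: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("default:   " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("enabled:   " + enabledProtocols(ctx, "SSLv2Hello,TLSv1"));
    }
}
```

Compile and run it with `javac SslProtocolCheck.java && java SslProtocolCheck`. Two caveats when applying this to a deployment like the one in the post: the algorithm names getInstance() accepts and the protocols reported as supported are whatever the provider in use registers, so run the check with the FIPS provider on the classpath and ahead of the JDK's in the provider order; and on current JDKs TLSv1 (like SSLv3) is listed in jdk.tls.disabledAlgorithms, so it appears under "supported" but not under "default" and will not be negotiated even if a connector asks for it.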