Posted to users@tomcat.apache.org by Rick Trudeau <ri...@gmail.com> on 2018/03/05 02:02:05 UTC

SSL and IPv6 when using address to set a specific IP

Hi,
I'm having some problems using SSL on my connector when binding it to
a specific IPv6 address.
I'm trying this on Tomcat v 8.5.28, Ubuntu 14.04, JVM v1.8.0_161-b12.

My connector config looks like this:
<Connector port="8443"
   maxThreads="150"
   scheme="https"
   secure="true"
   SSLEnabled="true"
   keystoreFile="/opt/keystore/keystore"
   keystorePass="secret"
   clientAuth="false"
   keyAlias="myAlias"
   sslProtocol="TLS"
   address="fe80::a00:27ff:fe13:ca0d"/>

catalina.out shows this exception immediately after startup.  I think
it indicates there are some parsing errors when parsing the IPv6
address.

05-Mar-2018 01:11:11.141 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["https-jsse-nio-fe80:0:0:0:a00:27ff:fe13:ca0d-8443"]
05-Mar-2018 01:11:11.709 INFO
[main]org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector
Using a shared selector for servlet write/read
05-Mar-2018 01:11:11.724 WARNING [main]
org.apache.tomcat.util.net.AbstractEndpoint.registerJmx Unable to
generate a valid JMX object name for the SSLHostConfig associated
withhost [_default_]
 javax.management.MalformedObjectNameException: Invalid character ':'
in value part of property
        at javax.management.ObjectName.construct(ObjectName.java:618)
        at javax.management.ObjectName.<init>(ObjectName.java:1382)
        at org.apache.tomcat.util.net.AbstractEndpoint.registerJmx(AbstractEndpoint.java:1105)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1095)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)

If I remove the address attribute to allow binding on all interfaces,
things are good.  But my use case, however, requires binding to a
specific IPv6 address.
Since these SSL attributes are deprecated from what I've read, I've
also tried moving the SSL configs to the newer SSLHostConfig block,
but the same error remains.

Has anyone had any success binding to a specific IPv6 literal address
when using SSL?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL and IPv6 when using address to set a specific IP

Posted by Rick Trudeau <ri...@gmail.com>.
On Mon, Mar 5, 2018 at 10:35 AM, Mark Thomas <ma...@apache.org> wrote:
> On 05/03/18 15:00, Mark Thomas wrote:
>> On 05/03/18 02:02, Rick Trudeau wrote:
>>> Hi,
>>> I'm having some problems using SSL on my connector when binding it to
>>> a specific IPv6 address.
>>> I'm trying this on Tomcat v 8.5.28, Ubuntu 14.04, JVM v1.8.0_161-b12.
>
> <snip/>
>
>>> 05-Mar-2018 01:11:11.724 WARNING [main]
>>> org.apache.tomcat.util.net.AbstractEndpoint.registerJmx Unable to
>>> generate a valid JMX object name for the SSLHostConfig associated
>>> withhost [_default_]
>>>  javax.management.MalformedObjectNameException: Invalid character ':'
>>> in value part of property
>
> <snip/>
>
>>> Has anyone had any success binding to a specific IPv6 literal address
>>> when using SSL?
>>
>> Ah. That looks like a bug generating the MBean name from the address
>> attribute. Let me take a look.
>
> The good news is that that error shouldn't stop the TLS connector
> working although it won't be exposed via JMX.
>
> I've fixed this but unfortunately the next set of releases were tagged
> this morning so the fix won't be available until 9.0.7 / 8.5.30 which -
> unless the current releases fail for some reason - most likely won't be
> available until early next month.
>
> Mark
>


Well that's certainly a quick turnaround!
Thanks for your help with this Mark, we'll keep our eyes open for 8.5.30.



Re: SSL and IPv6 when using address to set a specific IP

Posted by Mark Thomas <ma...@apache.org>.
On 05/03/18 15:00, Mark Thomas wrote:
> On 05/03/18 02:02, Rick Trudeau wrote:
>> Hi,
>> I'm having some problems using SSL on my connector when binding it to
>> a specific IPv6 address.
>> I'm trying this on Tomcat v 8.5.28, Ubuntu 14.04, JVM v1.8.0_161-b12.

<snip/>

>> 05-Mar-2018 01:11:11.724 WARNING [main]
>> org.apache.tomcat.util.net.AbstractEndpoint.registerJmx Unable to
>> generate a valid JMX object name for the SSLHostConfig associated
>> withhost [_default_]
>>  javax.management.MalformedObjectNameException: Invalid character ':'
>> in value part of property

<snip/>

>> Has anyone had any success binding to a specific IPv6 literal address
>> when using SSL?
> 
> Ah. That looks like a bug generating the MBean name from the address
> attribute. Let me take a look.

The good news is that that error shouldn't stop the TLS connector
working although it won't be exposed via JMX.

I've fixed this but unfortunately the next set of releases were tagged
this morning so the fix won't be available until 9.0.7 / 8.5.30 which -
unless the current releases fail for some reason - most likely won't be
available until early next month.

Mark



Re: SSL and IPv6 when using address to set a specific IP

Posted by Mark Thomas <ma...@apache.org>.
On 05/03/18 02:02, Rick Trudeau wrote:
> Hi,
> I'm having some problems using SSL on my connector when binding it to
> a specific IPv6 address.
> I'm trying this on Tomcat v 8.5.28, Ubuntu 14.04, JVM v1.8.0_161-b12.
> 
> My connector config looks like this:
> <Connector port="8443"
>    maxThreads="150"
>    scheme="https"
>    secure="true"
>    SSLEnabled="true"
>    keystoreFile="/opt/keystore/keystore"
>    keystorePass="secret"
>    clientAuth="false"
>    keyAlias="myAlias"
>    sslProtocol="TLS"
>    address="fe80::a00:27ff:fe13:ca0d"/>
> 
> catalina.out shows this exception immediately after startup.  I think
> it indicates there are some parsing errors when parsing the IPv6
> address.
> 
> 05-Mar-2018 01:11:11.141 INFO [main]
> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> ["https-jsse-nio-fe80:0:0:0:a00:27ff:fe13:ca0d-8443"]
> 05-Mar-2018 01:11:11.709 INFO
> [main]org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector
> Using a shared selector for servlet write/read
> 05-Mar-2018 01:11:11.724 WARNING [main]
> org.apache.tomcat.util.net.AbstractEndpoint.registerJmx Unable to
> generate a valid JMX object name for the SSLHostConfig associated
> withhost [_default_]
>  javax.management.MalformedObjectNameException: Invalid character ':'
> in value part of property
>         at javax.management.ObjectName.construct(ObjectName.java:618)
>         at javax.management.ObjectName.<init>(ObjectName.java:1382)
>         at org.apache.tomcat.util.net.AbstractEndpoint.registerJmx(AbstractEndpoint.java:1105)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1095)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> 
> If I remove address attribute to allow binding on all interfaces,
> things are good.  But my use case, however, requires binding to a
> specific IPv6 address.
> Since these SSL attributes are deprecated from what I've read, I've
> also tried moving the SSL configs to the newer SSLHostConfig block,
> but the same error remains.
> 
> Has anyone had any success binding to a specific IPv6 literal address
> when using SSL?

Ah. That looks like a bug generating the MBean name from the address
attribute. Let me take a look.

Mark
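
Added illustration, not part of the thread and not Tomcat's code or its fix: the JMX rule behind the warning above is that an unquoted ObjectName property value may not contain ':', so a value built from an IPv6 literal has to be quoted with ObjectName.quote(). The class name, the "Example" domain and the key names are hypothetical; the address is the one from the connector config in the thread.

```java
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

public class Ipv6ObjectNameDemo {

    // Address as it appears in the ProtocolHandler name logged in the thread.
    static final String ADDRESS = "fe80:0:0:0:a00:27ff:fe13:ca0d";

    // Hypothetical name layout (assumption), not Tomcat's actual MBean naming.
    static String buildName(String endpointValue) {
        return "Example:type=SSLHostConfig,endpoint=" + endpointValue
                + ",host=_default_";
    }

    // Returns true if the string parses as a JMX ObjectName.
    static boolean isValid(String name) {
        try {
            new ObjectName(name);
            return true;
        } catch (MalformedObjectNameException e) {
            System.out.println("rejected: " + name);
            System.out.println("  reason: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String raw = "https-jsse-nio-" + ADDRESS + "-8443";

        // Unquoted values may not contain ',', '=', ':' or '"', so the
        // colons of the IPv6 literal make the constructor throw.
        System.out.println("unquoted valid? " + isValid(buildName(raw)));

        // ObjectName.quote() wraps the value in double quotes and escapes
        // the characters that are special inside a quoted value.
        String quoted = ObjectName.quote(raw);
        ObjectName name = new ObjectName(buildName(quoted));
        System.out.println("quoted name:    " + name);

        // getKeyProperty() returns the quoted form; unquote() restores
        // the original string for display or comparison.
        String stored = name.getKeyProperty("endpoint");
        System.out.println("round trip ok?  "
                + raw.equals(ObjectName.unquote(stored)));
    }
}
```

Until a connector's MBeans register cleanly, JMX-based monitoring will not see that TLS endpoint even though it is serving traffic, so a WARNING like the one in catalina.out is worth alerting on.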
