Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2021/05/25 14:54:25 UTC

Re: [OT] Tomcat SSL stops working after an undetermined amount of time

Ed,

On 5/24/21 16:25, Ed Rouse wrote:
> This works for me. In server.xml:
> 
>      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                 maxThreads="150" SSLEnabled="true">
>          <SSLHostConfig>
>              <Certificate certificateKeystoreFile="C:\Program Files\Java\openjdk_1.8.0.242\jre\lib\security\cacerts"
>                           type="RSA" />
>          </SSLHostConfig>
>      </Connector>

If you really put your server's key into C:\Program
Files\Java\openjdk_1.8.0.242\jre\lib\security\cacerts you are making a
mistake IMHO. That file is supposed to contain the JVM's trust store.
You shouldn't be modifying it at all, let alone to put a private key
into it.

-chris
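To make the point above checkable, here is an added audit utility (not part of the thread, not Tomcat's own code) that loads a keystore and reports any key entries it contains. A trust store such as the JVM's cacerts should hold only trusted-certificate entries; the keystore path and the well-known default cacerts password "changeit" are assumptions the caller can override on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Audit a JKS/PKCS12 keystore and report key entries.
 * The JVM's cacerts is a trust store: every alias should be a
 * trusted-certificate entry, never a PrivateKeyEntry.
 */
public class TrustStoreAudit {

    /** Returns the aliases of key entries (private or secret keys) in the keystore. */
    public static List<String> keyEntryAliases(KeyStore ks) throws KeyStoreException {
        List<String> found = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {   // true for PrivateKeyEntry and SecretKeyEntry
                found.add(alias);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java TrustStoreAudit [keystore-path] [password]
        // java.home already ends in "jre" on JDK 8, so this path works on JDK 8 and later.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        int certs = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) certs++;
        }
        List<String> keys = keyEntryAliases(ks);
        System.out.println(path + ": " + certs + " trusted-certificate entries, "
                + keys.size() + " key entries");
        for (String alias : keys) {
            System.out.println("  WARNING: key entry '" + alias + "' does not belong in a trust store");
        }
        if (!keys.isEmpty()) System.exit(1);   // non-zero exit lets a deploy check fail fast
    }
}
```

The server's private key belongs in a separate keystore referenced by certificateKeystoreFile, leaving cacerts untouched so JVM upgrades do not silently replace it.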

> From: Ezsra McDonald <ez...@gmail.com>
> Sent: Monday, May 24, 2021 4:10 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
> 
> Chris,
> 
> Thanks for your response.
> 
> These Tomcat servers are something I inherited. I do not know what this
> bouncycastle.crypto is. If it is making my setup complicated how do I get
> around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol?
> What would you recommend I use instead? My end goal is to just enable
> TLS/SSL on the connectors.
> 
> --Ez
> 
> 
> On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <
> chris@christopherschultz.net> wrote:
> 
>> Ezsra,
>>
>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>> I am enabling SSL debugging this morning. I did catch this in the log for
>>> an instance that started erroring out this morning. Seems like it may be
>>> too generic to help solve my problem. Here it is:
>>>
>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>> java.lang.NullPointerException
>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
>>> Source)
>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>
>> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
>> sure how well BC will work with Tomcat. We don't officially support that
>> configuration, but that doesn't mean we won't try to help.
>>
>> There will be a presentation at this year's ApacheCon @Home 2021 about
>> configuring Tomcat for FIPS and it will include how to configure Tomcat
>> with BC (including FIPS). Obviously, you don't want to wait around until
>> the conference to get things working, but perhaps the presenter is
>> lurking on the list ... ?
>>
>> I don't have an email address for the presenter, so I can't give you a
>> reference. :/
>>
>> -chris
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org