Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/06/21 11:12:30 UTC

[Bug 62479] New: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"

https://bz.apache.org/bugzilla/show_bug.cgi?id=62479

            Bug ID: 62479
           Summary: Using pkcs12 format truststore on connector yields
                    exception "the trustAnchors parameter must be
                    non-empty"
           Product: Tomcat 9
           Version: 9.0.1
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: nicolas.therrien@motorolasolutions.com
  Target Milestone: -----

Created attachment 35977
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35977&action=edit
Generate-Certificates.ps1

I have set up a Tomcat 9 server with TLS client authentication
(certificateRequired) and noticed that if we try to use a pkcs12 truststore we
get a fatal exception that says "the trustAnchors parameter must be non-empty".

This exception does not occur when using jks instead of pkcs12 as the container
type.

Same certificates, same generation methods, just a different keystore type.

I am attaching:

server.xml
server_truststore.p12
server_truststore.jks
Generate-Certificates.ps1 script

And here are the command lines used to generate those files:

&$jdkpath\bin\keytool.exe -importcert -file
$certificates_dir/simulators_server.crt -alias simulators_server -trustcacerts
-noprompt -keystore $certificates_dir/server_truststore.jks -storepass
$storepassword

&$jdkpath\bin\keytool.exe -importcert -file
$certificates_dir/simulators_server.crt -alias simulators_server -trustcacerts
-noprompt -keystore $certificates_dir/server_truststore.p12 -storetype pkcs12
-storepass $storepassword



Password for the stores is P@33word!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #9 from Mark Thomas <ma...@apache.org> ---
The problem is easily reproducible on Linux.

The steps to reproduce are over complex. The .p12 truststore (and any valid TLS
config for the rest) is all that is required.

The issue is reproducible with the latest release and with the current state of
trunk.

There are reports of similar errors on the users list. They appear to have
different root causes but there is a general theme of JSSE having strict
expectations for what it finds in a p12 file. OpenSSL is known to be more
relaxed.

If you follow the stack trace you will see that JSSE iterates through the
certificate store. To be treated as a trust anchor each entry must be:
- a certificate entry
- an instance of an X509Certificate

The p12 store attached to this ticket returns an empty enumeration for
keystore.aliases(). Test code that simply accesses the keystore returns the
same result. This is a JSSE bug or a malformed keystore and not a Tomcat
issue.

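
The enumeration described in Comment #9 can be checked outside Tomcat. The following diagnostic is an added example written for this page; it is not from the thread and not Tomcat's code. It loads a trust store the way Tomcat's JSSE path does (KeyStore.load with the configured password, or with null when no password reaches it), lists which entries pass JSSE's two tests (a certificate entry whose certificate is an X509Certificate), and then calls the same PKIXBuilderParameters(KeyStore, CertSelector) constructor that appears under JSSEUtil.getParameters in the stack trace in Comment #7, so that an empty result reproduces the "trustAnchors parameter must be non-empty" exception. The class name, the command-line arguments and the file paths are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added diagnostic for this page (not Tomcat code): loads a trust store the way
 * Tomcat's JSSE code path does and reports what JSSE will accept as trust anchors.
 *
 * Usage: java TrustStoreCheck <file> <JKS|PKCS12> [password]
 * Leaving the password out mimics a server.xml whose password attribute was not
 * recognised, in which case a null password reaches KeyStore.load().
 */
public class TrustStoreCheck {

    static KeyStore load(String file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            // JKS with a null password: entries are read, only the integrity check is skipped.
            // JDK 8 PKCS12 with a null password: encrypted safe contents are skipped, so the
            // certificate bags keytool wrote are never seen and the store looks empty.
            ks.load(in, password);
        }
        return ks;
    }

    /** Applies JSSE's trust-anchor filter: a certificate entry holding an X509Certificate. */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            System.out.println("keystore.aliases() returned an empty enumeration");
        }
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            boolean certEntry = ks.isCertificateEntry(alias);
            Certificate cert = certEntry ? ks.getCertificate(alias) : null;
            boolean usable = cert instanceof X509Certificate;
            System.out.printf("%-32s certificateEntry=%-5b x509=%-5b%n", alias, certEntry, usable);
            if (usable) {
                anchors++;
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustStoreCheck <file> <JKS|PKCS12> [password]");
            System.exit(2);
        }
        char[] password = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore ks = load(args[0], args[1], password);
        int anchors = countTrustAnchors(ks);
        System.out.println("usable trust anchors: " + anchors);

        // Same constructor as PKIXBuilderParameters.<init> in the stack trace in Comment #7;
        // it builds its trust-anchor set with the filter above and rejects an empty set.
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("PKIXBuilderParameters built: this store works as a Tomcat trust store");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIXBuilderParameters rejected the store: " + e.getMessage());
        }
    }
}
```

Run it twice against the attached server_truststore.p12, once with the store password and once without, and then against server_truststore.jks the same way. The difference it exposes is the one Comment #16 is curious about, and it lives in the JDK keystore implementations rather than in Tomcat: a JKS loaded with a null password still yields its certificates and only skips the integrity check, whereas the JDK 8 PKCS12 implementation skips the encrypted safe contents in which keytool stores certificates, so aliases() comes back empty and no exception is raised at load time. That reading of the JDK sources is this example's own and is not something the thread states.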


[Bug 62479] Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #3 from Nicolas Therrien <ni...@motorolasolutions.com> ---
Created attachment 35981
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35981&action=edit
server.xml



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Nicolas Therrien <ni...@motorolasolutions.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #6 from Nicolas Therrien <ni...@motorolasolutions.com> ---
Created attachment 35982
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35982&action=edit
all logs produced by the server for this use case

Adding logs as requested.



[Bug 62479] Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #1 from Nicolas Therrien <ni...@motorolasolutions.com> ---
Created attachment 35978
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35978&action=edit
server_truststore.jks



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #12 from Nicolas Therrien <ni...@motorolasolutions.com> ---
Thanks for looking into it. I understand what you are saying and it could be an
explanation.

I'm looking at this page:
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

It appears that I have the proper configuration according to that. Or maybe I'm
missing something?

Could you tell me which attribute names are wrong? You didn't say which ones.

Thanks



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Remy Maucherat <re...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #7 from Remy Maucherat <re...@apache.org> ---
Ok. It is exclusively an issue loading your trust store, I get the same
exception on JSSE and trunk with it, and it is:
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:389)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:313)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 19 more

Please investigate on the Tomcat user list the reason for the truststore
problem, I don't see why the Tomcat code would be involved in that particular
failure.



[Bug 62479] Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #2 from Nicolas Therrien <ni...@motorolasolutions.com> ---
Created attachment 35979
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35979&action=edit
server_truststore.p12



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Nicolas Therrien <ni...@motorolasolutions.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #8 from Nicolas Therrien <ni...@motorolasolutions.com> ---
I get the feeling this is being dismissed too quickly. It took me several hours
to narrow down the issue and prepare a setup that exposes this problem and come
up with steps to reproduce.  This ticket was closed 15 minutes after I
submitted the log...   I personally would not be able to review code thoroughly
and be confident of my diagnosis in only 15 minutes.

What did you mean by "tried it on the trunk"?   Did you mean that you tried the
truststore using the latest version of Tomcat?    If that is the case, then it
does not prove it is not a bug...  It could be simply that the bug is still
there?

Before this issue is dismissed as a configuration issue, could you/someone look
at the tomcat code and try to understand why the code behaves differently with
a PKCS12 container vs JKS?

I went to great lengths in creating this ticket with as much proof as I could
gather.

Consider the following:

1) I do not have this issue on another system based on Linux.

2) I included the scripts used to generate the truststores so you can see the
only difference between the problem and non-problem is the keystore type. If
there's anything wrong with the command used to generate PKCS12, then I don't
see it.

3) Just in case I had a bug in my command line to generate the truststore, I
did the following: I opened the working JDK truststore with Keystore Explorer,
and saved it as a PKCS12 truststore. Still didn't work, which further nudges
towards a particular problem with PKCS12 truststore support on Windows.

4) Interestingly, in the same server.xml, I use a PKCS12 keystore for the
server key pair.  No problem there.    This issue only affects the truststore.

5) Truststore is only used when setting up mutual authentication, which I think
is a much less frequently used configuration, especially combined with the fact
it is a Windows installation. Could the unit test for this have missed this
particular use case? I think it's possible and hence why I went to the
trouble of creating this ticket.


I would appreciate it if we could investigate this a bit more thoroughly.

Thanks,



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #11 from Mark Thomas <ma...@apache.org> ---
Found it. The root cause is invalid configuration.

Check your attribute names against the documentation, noting the differences
between the old 8.0.x style config and the new 8.5.x/9.0.x style.

It would help if JSSE threw an exception in this scenario but it doesn't.



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Nicolas Therrien <ni...@motorolasolutions.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #14 from Nicolas Therrien <ni...@motorolasolutions.com> ---
I'm sorry for the misunderstanding.  

The reason I reopen the ticket is because I cannot verify what you are saying.
As far as I can tell, there could still be a bug.

Where I am from, bug tickets remain open until they are verified by either the
person who opened the bug or by someone from the test team.

For the sake of argument, let's say I'm the one to blame here and that I made a
mistake somewhere in my setup. Could a tester read this bug report and be able
to verify that it is indeed resolved? Would the tester easily understand what
went wrong and be able to test your claim that it is a configuration error?  
I'm not convinced the tester would be happy about the state of this ticket.
There's a good chance he would send it back to you for comment/query to ask you
what to look for.

I am okay with being proven wrong, but like I said, I did check the
documentation and cannot verify what you are saying. I've been working with
Tomcat for a long time and, if you're right, I expect to hit myself on the
forehead when I finally see the problem :)

So, to move this conversation forward, I am copy pasting the attribute names
that I am referring to in the documentation.

Under the SSLHostConfig section (see the link I provided earlier)

truststoreFile    The trust store file to use to validate client certificates. 
truststorePassword      The password to access the trust store. 
truststoreType  The type of key store used for the trust store, for which
PKCS12 (all caps) is a valid value.

Unless there's a typo in the server.xml file that I didn't see, these are the
same I've been using.

Also, I'm quite curious to see what's wrong and what would explain why
everything works if I use JKS instead of PKCS12... The attribute names are the
same in both cases!

Thanks for your time and I promise I'll leave this ticket alone once I can
verify that it is indeed a configuration problem.



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Nicolas Therrien <ni...@motorolasolutions.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Using pkcs12 format         |TLS Mutual Authentication
                   |truststore on connector     |use case: Using pkcs12
                   |yields exception "the       |format truststore on
                   |trustAnchors parameter must |connector yields exception
                   |be non-empty"               |"the trustAnchors parameter
                   |                            |must be non-empty"
                 OS|                            |All



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #10 from Mark Thomas <ma...@apache.org> ---
Hmm. Scratch that. I was using an older JRE with my stand-alone test case. If I
use a recent Java 8 JRE it works as expected. Need to dig a little deeper.



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|REOPENED                    |RESOLVED



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #13 from Mark Thomas <ma...@apache.org> ---
This is a configuration error.

There is no Tomcat bug here.

Bugzilla is not a support forum.

I could tell you where the error is but I am not going to. You will learn more
by figuring it out for yourself. Comparing the configuration to the
documentation and/or looking at the log files are both good places to start.

If you still can't see the error, the users list is the place to seek help.

Do not re-open this issue.



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #4 from Nicolas Therrien <ni...@motorolasolutions.com> ---
I didn't know how to edit the description so I'm putting steps to reproduce
here:

(on Windows)
1) Extract Tomcat 9.0.1 to a folder
2) Change the Generate-Certificates script so as to output both p12 and jks
formats on the last line (see description). (Just copy-paste the last line and
adjust.)
3) Run the Generate-Certificates.ps1 PowerShell script, with the IP of the
machine.
4) Copy the server_truststore.p12, server_truststore.jks and
server_keystore.p12 files to the conf folder of the Tomcat installation.
5) Overwrite the default server.xml file with the one provided in this ticket.
6) Set up Tomcat to run as a service by calling the service.bat script (see
documentation for details, but I think we need to set CATALINA_HOME and then run
service.bat install Tomcat9).
7) Start the server
8) Open catalina.out and notice the exception about truststore anchors being
empty. The server connector failed to start, so any requests sent to the address
will time out.
9) Stop the server
10) Change server.xml so as to use the jks truststore.
11) Clear the logs
12) Start the server again
13) Open catalina.out and notice how the exception is now gone.

Using keystore explorer tool (keystore-explorer.org) it is possible to verify
that the contents of both containers are the same.



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #5 from Remy Maucherat <re...@apache.org> ---
Please provide the complete server start log when submitting a bug report like
this.



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #16 from Nicolas Therrien <ni...@motorolasolutions.com> ---
Ha! I could NOT see the difference! Must have been blind to it from using
version 8 for so long.

Thank you for providing the information. I have verified the PKCS12 truststore
is loaded successfully now.

I am still curious as to why the JKS version works with the "old" attribute
name.

Anyhow, this case is closed. Thanks for your time.



[Bug 62479] TLS Mutual Authentication use case: Using pkcs12 format truststore on connector yields exception "the trustAnchors parameter must be non-empty"


--- Comment #15 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Nicolas Therrien from comment #14)
> truststorePassword	The password to access the trust store. 

The above one is misspelled.

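
For readers who land on this thread with the same exception, the following is an added illustration of the two connector styles Comment #11 contrasts; it is not the reporter's server.xml (which is only available as attachment 35981) and not text from the Tomcat project. The 8.0.x style puts the TLS attributes on the Connector itself; the 8.5.x/9.0.x style puts them on SSLHostConfig and Certificate, and renames several of them, including the trust store password attribute that Comment #15 flags. The port, paths and the CHANGE_ME passwords are placeholders; relative paths are resolved against $CATALINA_BASE.

```xml
<!-- Tomcat 8.0.x style: TLS settings are attributes of the Connector -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/server_keystore.p12" keystorePass="CHANGE_ME"
           keystoreType="PKCS12"
           clientAuth="true"
           truststoreFile="conf/server_truststore.p12" truststorePass="CHANGE_ME"
           truststoreType="PKCS12" />

<!-- Tomcat 8.5.x / 9.0.x style: the same settings on SSLHostConfig and Certificate.
     Renamed attributes: clientAuth -> certificateVerification,
     keystorePass -> certificateKeystorePassword, truststorePass -> truststorePassword.
     An attribute name SSLHostConfig does not know is ignored and only produces a
     Digester "did not find a matching property" warning in the startup log, which
     leaves the trust store to be opened without a password (unless
     javax.net.ssl.trustStorePassword is set as a system property). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig certificateVerification="required"
                   truststoreFile="conf/server_truststore.p12"
                   truststorePassword="CHANGE_ME"
                   truststoreType="PKCS12">
        <Certificate certificateKeystoreFile="conf/server_keystore.p12"
                     certificateKeystorePassword="CHANGE_ME"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

When the exception in this thread appears, grep the startup log for the "did not find a matching property" warning before looking anywhere else; it names the attribute that was silently dropped. The reason the JKS variant survives the same mistake is a property of the JDK keystore implementations, not of Tomcat, and is not something this thread explains: a JKS opened without a password still yields its certificates, while a keytool-generated PKCS12 opened without a password yields no entries at all.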