Posted to users@tomcat.apache.org by Ezsra McDonald <ez...@gmail.com> on 2021/06/15 21:43:42 UTC

Re: Tomcat SSL stops working after an undetermined amount of time

Sorry for the delay.

I was finally able to track down the location of the BouncyCastle library.
It is located in the individual application libraries and cannot be
disabled. There are newer versions of BC available and I have asked the
software developers to consider upgrading the applications.

Disabling RSASSA-PSS alone did not work. I had to also disable TLSv1.3. I
tried only disabling TLSv1.3 but the instance continued to show the same
issues. So, I had to disable both.

The error occurred across all browsers. There was some earlier confusion
when I had the HTTPS connector configured incorrectly. Now the connector
works for all browsers initially until one of the apps loads the
BouncyCastle library. At that point the SSL handshake begins to fail for
any browser. Disabling the RSASSA-PSS and TLSv1.3 protocols and ciphers is
a temporary workaround. It is my hope that upgrading the BC jar will
resolve the conflicts.

I am open to any other suggestions but for now my instances have stabilized
and I am in a holding pattern waiting for the software developers to
upgrade BC in the individual applications.

Thanks to everyone who assisted me with this issue. I will keep you posted
on results of the BC upgrade.

-Ez

On Thu, May 27, 2021 at 11:23 AM Mysore, Raghunath <rm...@visa.com.invalid>
wrote:

> Hi Ezsra,
> I concur with suggestions from Chris Schultz.
> Would you clarify the following items?
> The current focus is to understand the prevailing environment
> configuration, in context of the stack trace you shared earlier.
>
> (1) To go back, did you check for ".jar" files with names like "bouncy"?
> The point here is to understand where BC is configured (to assess if it
> can be commented out).
> (2) Apart from considering turning off BC, have you tried disabling the
> RSASSA-PSS algorithm?
> (3) When you test using a Safari browser, is the application on a happy
> path (meaning SSL works all fine)?
> And you have the issue only when testing from a Chrome browser?
>
> Thanks,
> -Raghu
>
> -----Original Message-----
> From: Ezsra McDonald <ez...@gmail.com>
> Sent: Thursday, May 27, 2021 8:56 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>
> Thanks for the responses,
>
> So, I need to understand a little more about BouncyCastle. I inherited the
> Tomcat environment so I do not know how or why BC came to be installed in
> the containers. I will do some research on BC so I understand it better. My
> assumption from the responses is that BC is not a standard part of a Tomcat
> or Java install.
>
> If the BC is part of an application running in the container and comes
> from a war file, can it be causing this issue? Or is BC most likely loaded
> when the container starts?
>
> --Ez
>
> On Thu, May 27, 2021 at 8:37 AM Christopher Schultz <chris@christopherschultz.net> wrote:
>
> > Raghunath,
> >
> > On 5/26/21 19:08, Mysore, Raghunath wrote:
> > > To track if BC is configured in your environment, you may want to
> > > assess if BC is listed as a "security.provider" in the following
> > > "java.security" file
> > >
> > > File: ..../jre/lib/security/java.security
> > >
> > > Check for record (example below):
> > >
> > > security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
> > >
> > > Note the number 10 above may be something different in your
> > > environment's "java.security" file (presuming BC is configured here)
> >
> > Well, the error being encountered is definitely within BC, so I'd
> > venture a guess that BC is indeed being used.
> >
> > -chris
> >
> > > -----Original Message-----
> > > From: Christopher Schultz <ch...@christopherschultz.net>
> > > Sent: Wednesday, May 26, 2021 4:35 PM
> > > To: users@tomcat.apache.org
> > > Subject: Re: Tomcat SSL stops working after an undetermined amount of time
> > >
> > > Ezsra,
> > >
> > > On 5/26/21 18:11, Ezsra McDonald wrote:
> > >
> > >> Well, I still have issues. I think it is the same thing hit by
> > >> these guys:
> > >>
> > >> https://jira.atlassian.com/browse/BAM-21157
> > >> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
> > >>
> > >> I'll try their fix. My main concern is that I do not want to
> > >> disable TLSv1.3.
> > >
> > >
> > > If you don't want to disable TLSv1.3, then you want:
> > >
> > > <Connector ....
> > >            protocols="TLSv1.2,TLSv1.3"
> > > />
> > >
> > > If BC is failing you, I'd want to find out if you really need BC.
> > >
> > > That first link above seems to suggest that when using Tomcat you
> > > MUST disable TLSv1.3. That seems odd. What version of BC are you
> > > using?
> > >
> > > Search for .jar files with names like "bouncy".
> > >
> > > Do you have the option to downgrade Java?
> > >
> > > Have you tried disabling the RSASSA-PSS algorithm as per their
> > > instructions? It seems ... far-fetched that would fix the problem,
> > > but ... okay.
> > >
> > > Note that at some time in the past, Java 1.8 did not support TLSv1.3
> > > and lots of people who were stuck on Java 1.8 decided to switch to
> > > BC which did have TLSv1.3 support. With that version of Java 1.8
> > > (_281), you should have native JDK support for TLSv1.3. Perhaps BC
> > > is not necessary at all.
> > >
> > > -chris
> > >
> > >> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald <ez...@gmail.com>
> > >> wrote:
> > >>
> > >>> Lots of good information was provided.
> > >>>
> > >>> This afternoon I plan to test the "sslProtocol" to "protocols"
> > >>> change in our lower environments. I will reply back with any
> > >>> findings.
> > >>>
> > >>> Thank you everyone for your responses.
> > >>>
> > >>> regards,
> > >>>
> > >>> -- Ez
> > >>>
> > >>> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
> > >>> <rm...@visa.com.invalid> wrote:
> > >>>
> > >>>> Hi Chris,
> > >>>>
> > >>>> -----Original Message-----
> > >>>> From: Christopher Schultz <chris@christopherschultz.net>
> > >>>> Sent: Tuesday, May 25, 2021 9:10 AM
> > >>>> To: users@tomcat.apache.org
> > >>>> Subject: Re: Tomcat SSL stops working after an undetermined amount
> > >>>> of time
> > >>>>
> > >>>> Ronald,
> > >>>>
> > >>>> On 5/25/21 09:31, Roskens, Ronald wrote:
> > >>>>>
> > >>>>>> -----Original Message-----
> > >>>>>> From: Christopher Schultz <chris@christopherschultz.net>
> > >>>>>> Sent: Monday, May 24, 2021 1:56 PM
> > >>>>>> To: users@tomcat.apache.org
> > >>>>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
> > >>>>>> undetermined amount of time
> > >>>>>>
> > >>>>>>
> > >>>>>> Ezsra,
> > >>>>>>
> > >>>>>> On 5/24/21 10:30, Ezsra McDonald wrote:
> > >>>>>>> I am enabling SSL debugging this morning. I did catch this in the
> > >>>>>>> log for an instance that started erroring out this morning. Seems
> > >>>>>>> like it may be too generic to help solve my problem. Here it is:
> > >>>>>>>
> > >
> > >>>>>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> > >>>>>>>  java.lang.NullPointerException
> > >>>>>>>     at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
> > >>>>>>>     at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
> > >
> > >>>>>>
> > >>>>>> Oh. You are using BouncyCastle. I've never tried to do that. I'm
> > >>>>>> not sure how well BC will work with Tomcat. We don't officially
> > >>>>>> support that configuration, but that doesn't mean we won't try
> > >>>>>> to help.
> > >>>>>
> > >>>>> This isn't a Tomcat issue but an interoperability issue between
> > >>>>> BouncyCastle & OpenJDK.
> > >>>>>
> > >>>>> * https://github.com/bcgit/bc-java/issues/633
> > >>>>> * https://bugs.openjdk.java.net/browse/JDK-8216039
> > >>>>
> > >>>>
> > >>>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
> > >>>> something downstream will still fail...
> > >>>>
> > >>>> Just to add my 2 cents here:
> > >>>>
> > >>>> Per the problem posed in the very first email, we see the SSL/TLS
> > >>>> issue between Oracle JDK 8 and Tomcat 8.5
> > >>>> Environment:
> > >>>> OS: CentOS 7
> > >>>> Apache: apache-tomcat-8.5.65
> > >>>> Java: jdk1.8.0_281
> > >>>>
> > >>>> Note that the following link talks about issues between OpenJDK 11
> > >>>> and BC.
> > >>>>
> > >>>> https://bugs.openjdk.java.net/browse/JDK-8216039
> > >
> > >>>> This morning's suggestion (about changing from "sslProtocol" to
> > >>>> "protocols") from Christopher Schultz sounds promising, in that
> > >>>> the interaction between the browser clients and the Tomcat 8.5.x
> > >>>> server will be limited only to TLS 1.2. Making this change will
> > >>>> preclude other old protocols, like TLS 1.0, TLS 1.1 etc., in
> > >>>> communication between the clients and the Tomcat server.
> > >>>> We will need tests after making the change to the "protocols"
> > >>>> attribute in the HTTPS connector block.
> > >>>> In the context of the above mentioned change, we may not need any
> > >>>> editing of "java.security" file contents (discussed last evening).
> > >>>>
> > >>>> Thanks,
> > >>>> -Raghu
> > >>>>
> > >>>> ---------------------------------------------------------------------
> > >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> > >>>>
> >
>

RE: Tomcat SSL stops working after an undetermined amount of time

Posted by "Mysore, Raghunath" <rm...@visa.com.INVALID>.
This is nice to know.
Thank you for the details.
You may want to check the contents of the "java.security" file, to assess if they have configured BC like this:

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

The number 10 can be some other number in your environment.
If you see BC configured in here, you can comment out (or remove) that line.
Recycle the JVM and test again.

Thanks,
-Raghu 

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Tuesday, June 15, 2021 4:10 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ezsra,

On 6/15/21 17:43, Ezsra McDonald wrote:
> Sorry for the delay.
> 
> I was finally able to track down the location of the BouncyCastle library.
> It is located in the individual application libraries and cannot be 
> disabled. There are newer versions of BC available and I have asked 
> the software developers to consider upgrading the applications.
> 
> Disabling RSASSA-PSS alone did not work. I had to also disable 
> TLSv1.3. I tried only disabling TLSv1.3 but the instance continued to 
> show the same issues. So, I had to disable both.
> 
> The error occurred across all browsers. There was some earlier 
> confusion when I had the HTTPS connector configured incorrectly. Now 
> the connector works for all browsers initially until one of the apps 
> loads the BouncyCastle library. At that point the SSL handshake begins 
> to fail for any browser. Disabling the RSASSA-PSS and TLSv1.3 
> protocols and ciphers is a temporary workaround. It is my hope that
> upgrading the BC jar will resolve the conflicts.
> 
> I am open to any other suggestions but for now my instances have 
> stabilized and I am in a holding pattern waiting for the software 
> developers to upgrade BC in the individual applications.
> 
> Thanks to everyone who assisted me with this issue. I will keep you 
> posted on results of the BC upgrade.

Sounds good.

I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the administrator in some way.

-chris

> 



Re: Tomcat SSL stops working after an undetermined amount of time

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ezsra,

On 6/15/21 17:43, Ezsra McDonald wrote:
> Sorry for the delay.
> 
> I was finally able to track down the location of the BouncyCastle library.
> It is located in the individual application libraries and cannot be
> disabled. There are newer versions of BC available and I have asked the
> software developers to consider upgrading the applications.
> 
> Disabling RSASSA-PSS alone did not work. I had to also disable TLSv1.3. I
> tried only disabling TLSv1.3 but the instance continued to show the same
> issues. So, I had to disable both.
> 
> The error occurred across all browsers. There was some earlier confusion
> when I had the HTTPS connector configured incorrectly. Now the connector
> works for all browsers initially until one of the apps loads the
> BouncyCastle library. At that point the SSL handshake begins to fail for
> any browser. Disabling the RSASSA-PSS and TLSv1.3 protocols and ciphers is
> a temporary workaround. It is my hope that upgrading the BC jar will
> resolve the conflicts.
> 
> I am open to any other suggestions but for now my instances have stabilized
> and I am in a holding pattern waiting for the software developers to
> upgrade BC in the individual applications.
> 
> Thanks to everyone who assisted me with this issue. I will keep you posted
> on results of the BC upgrade.

Sounds good.

I don't see any place in Tomcat to specify the JSSE provider. Perhaps we 
should expose that to the administrator in some way.

-chris

> On Thu, May 27, 2021 at 11:23 AM Mysore, Raghunath <rm...@visa.com.invalid>
> wrote:
> 
>> Hi Ezsra,
>> I concur with suggestions from Chris Schultz.
>> Would you clarify the following items ?
>> The current focus is to understand the prevailing environment
>> configuration, in context of the stack trace you shared earlier.
>>
>> (1) To go back, did you check for ".jar" files with names like "bouncy" ?
>> The point here is - to understand where BC is configured (to assess if it
>> can be commented)
>> (2) Apart from considering to turn off BC, have you tried disabling
>> RSASSA-PSS algorithm ?
>> (3) When you test using a Safari browser - is the application on a happy
>> path (meaning SSL works all fine) ?
>> And you have the issue only when testing from a Chrome browser ?
>>
>> Thanks,
>> -Raghu
>>
>> -----Original Message-----
>> From: Ezsra McDonald <ez...@gmail.com>
>> Sent: Thursday, May 27, 2021 8:56 AM
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Thanks for the responses,
>>
>> So, I need to understand a little more about Bouncycastle. I inherited the
>> tomcat environment so I do not know how or why BC came to be installed in
>> the containers. I will do some research on BC so I understand it better. My
>> assumption from the responses is that BC is not a standard part of Tomcat
>> or Java install.
>>
>> If the BC is part of an application running in the container and comes
>> from a war file, can it be causing this issue? Or is BC most likely loaded
>> when the container starts?
>>
>> --Ez
>>
>> On Thu, May 27, 2021 at 8:37 AM Christopher Schultz
>> <chris@christopherschultz.net> wrote:
>>
>>> Raghunath,
>>>
>>> On 5/26/21 19:08, Mysore, Raghunath wrote:
>>>> To track if BC is configured in your environment, you may want to
>>>> assess if BC is listed as a "security.provider" in the following
>>>> "java.security" file
>>>>
>>>> File : ..../jre/lib/security/java.security
>>>>
>>>> Check for record (example below) :
>>>>
>>>> security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
>>>>
>>>> Note the Number 10, above may be something different in your
>>>> environment's "java.security" file (presuming BC is configured here)
>>>
>>> Well, the error being encountered is definite within BC, so I'd
>>> venture a guess that BC is indeed being used.
>>>
>>> -chris
>>>
>>>> -----Original Message-----
>>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>>> Sent: Wednesday, May 26, 2021 4:35 PM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>>>
>>>> Ezsra,
>>>>
>>>> On 5/26/21 18:11, Ezsra McDonald wrote:
>>>>> Well, I still have issues. I think it is the same thing hit by
>>>>> these guys:
>>>>> https://jira.atlassian.com/browse/BAM-21157
>>>>> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
>>>>>
>>>>> I'll try their fix. My main concern is that I do not want to
>>>>> disable TLSv1.3.
>>>>
>>>> If you don't want to disable TLSv1.3, then you want:
>>>>
>>>> <Connector ....
>>>> protocols="TLSv1.2,TLSv1.3"
>>>> />
>>>>
>>>> If BC is failing you, I'd want to find out if you really need BC.
>>>>
>>>> That first link above seems to suggest that when using Tomcat you
>>>> MUST disable TLSv1.3. That seems odd. What version of BC are you
>>>> using?
>>>>
>>>> Search for .jar files with names like "bouncy".
>>>>
>>>> Do you have the option to downgrade Java?
>>>>
>>>> Have you tried disabling the RSASSA-PSS algorithm as per their
>>>> instructions? It seems ... far-fetched that would fix the problem,
>>>> but ... okay.
>>>>
>>>> Note that at some time in the past, Java 1.8 did not support TLSv1.3
>>>> and lots of people who were stuck on Java 1.8 decided to switch to
>>>> BC which did have TLSv1.3 support. With that version of Java 1.8
>>>> (_281), you should have native JDK support for TLSv1.3. Perhaps BC
>>>> is not necessary at all.
>>>>
>>>> -chris
>>>>
>>>>> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald
>>>>> <ez...@gmail.com> wrote:
>>>>>
>>>>>> Lots of good information was provided.
>>>>>>
>>>>>> This afternoon I plan to test the "sslProtocol" to "protocols"
>>>>>> change in our lower environments. I will reply back with any
>>>>>> findings.
>>>>>>
>>>>>> Thank you everyone for your responses.
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> -- Ez
>>>>>>
>>>>>> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
>>>>>> <rm...@visa.com.invalid> wrote:
>>>>>>
>>>>>>> Hi Chris,
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Christopher Schultz <chris@christopherschultz.net>
>>>>>>> Sent: Tuesday, May 25, 2021 9:10 AM
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: Tomcat SSL stops working after an undetermined
>>>>>>> amount of time
>>>>>>>
>>>>>>> Ronald,
>>>>>>>
>>>>>>> On 5/25/21 09:31, Roskens, Ronald wrote:
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Christopher Schultz <chris@christopherschultz.net>
>>>>>>>>> Sent: Monday, May 24, 2021 1:56 PM
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
>>>>>>>>> undetermined amount of time
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ezsra,
>>>>>>>>>
>>>>>>>>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>>>>>>>>> I am enabling SSL debugging this morning. I did catch this in
>>>>>>>>>> the log for an instance that started erroring out this morning.
>>>>>>>>>> Seems like it may be too generic to help solve my problem. Here
>>>>>>>>>> it is:
>>>>>>>>>>
>>>>>>>>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
>>>>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
>>>>>>>>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Oh. You are using BouncyCastle. I've never tried to do that.
>>>>>>>>> I'm not sure how well BC will work with Tomcat. We don't
>>>>>>>>> officially support that configuration, but that doesn't mean we
>>>>>>>>> won't try to help.
>>>>>>>>
>>>>>>>> This isn't a Tomcat issue but an interoperability issue between
>>>>>>>> BouncyCastle & OpenJDK.
>>>>>>>>
>>>>>>>> * https://github.com/bcgit/bc-java/issues/633
>>>>>>>> * https://bugs.openjdk.java.net/browse/JDK-8216039
>>>>>>>
>>>>>>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
>>>>>>> something downstream will still fail...
>>>>>>>
>>>>>>> Just to add my 2 cents here :
>>>>>>>
>>>>>>> Per the problem posed in the very first email, we see the SSL/TLS
>>>>>>> issue between Oracle JDK 8 and Tomcat 8.5
>>>>>>> Environment:
>>>>>>> OS: CentOS 7
>>>>>>> Apache: apache-tomcat-8.5.65
>>>>>>> Java: jdk1.8.0_281
>>>>>>>
>>>>>>> Note that the following link - talks about issues between OpenJDK
>>>>>>> 11 and BC.
>>>>>>> https://bugs.openjdk.java.net/browse/JDK-8216039 .
>>>>>>>
>>>>>>> This morning's suggestion (about changing from "sslProtocol" to
>>>>>>> "protocols" ) from Christopher Schultz, sounds promising, in that
>>>>>>> the interaction between the Browser-clients and Tomcat 8.5.x
>>>>>>> server, will be limited only to TLS1.2. Making this change, will
>>>>>>> preclude other old protocols - like TLS 1, TLS 1.1 etc in
>>>>>>> communication between the clients and the Tomcat server.
>>>>>>> We will need tests after making the change to "protocols"
>>>>>>> attribute in the HTTPS connector block.
>>>>>>> In context of the above mentioned change -we may not need any
>>>>>>> editing of "java.security" file contents (discussed last
>>>>>>> evening).
>>>>>>>
>>>>>>> Thanks,
>>>>>>> -Raghu
>>>>>>>
> 

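The checks this thread walks through by hand (find the BouncyCastle jars and where they live, see whether java.security registers BC as a static security.provider, and see whether the HTTPS connector pins protocol versions with sslProtocol or protocols), as an added diagnostic script that is not Tomcat's or BouncyCastle's own code. It assumes the standard CATALINA_BASE layout, the usual bcprov/bcpkix/bctls jar names, and that a nested SSLHostConfig carries the same attributes as the Connector; the ports and paths in the comments are examples.

```python
"""Added diagnostic for this thread, not Tomcat or BouncyCastle code; assumes the standard
CATALINA_BASE layout (conf/server.xml, lib/, webapps/*/WEB-INF/lib/)."""
import os, re, sys
import xml.etree.ElementTree as ET

# Assumed jar naming: bcprov-/bcpkix-/bctls-*.jar, or anything with "bouncy" in the file name.
BC_JAR_RE = re.compile(r"(^|/)(bc(prov|pkix|tls|util|mail)[^/]*|[^/]*bouncy[^/]*)\.jar$", re.I)
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def find_bc_jars(paths):
    """(scope, path) per BC-looking jar; a WAR-local copy still goes JVM-wide once the app registers it."""
    hits = []
    for p in (q.replace("\\", "/") for q in paths):
        if BC_JAR_RE.search(p):
            hits.append(("webapp" if "/WEB-INF/lib/" in p else "container", p))
    return hits

def bc_providers(java_security_text):
    """(slot, class) for security.provider.N lines that register BouncyCastle statically."""
    found = []
    for line in java_security_text.splitlines():
        m = PROVIDER_RE.match(line)
        if m and "bouncycastle" in m.group(2).lower():
            found.append((int(m.group(1)), m.group(2)))
    return found

def connector_tls_settings(server_xml_text):
    """Per SSLEnabled <Connector>: sslProtocol/protocols (nested <SSLHostConfig> merged in) and TLSv1.3 status."""
    report = []
    for c in (x for x in ET.fromstring(server_xml_text).iter("Connector") if x.get("SSLEnabled", "").lower() == "true"):
        attrs = dict(c.attrib)
        for host in c.findall("SSLHostConfig"):
            attrs.update(host.attrib)
        plist = [p.strip() for p in attrs.get("protocols", "").split(",") if p.strip()]
        tls13 = "-TLSv1.3" not in plist and any(p.lower() in ("tlsv1.3", "+tlsv1.3", "all") for p in plist)
        report.append({"port": c.get("port"), "sslProtocol": attrs.get("sslProtocol"),
                       "protocols": plist or None, "tls13_enabled": tls13})
    return report

if __name__ == "__main__":  # usage: script.py $CATALINA_BASE [.../jre/lib/security/java.security]
    base = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("CATALINA_BASE", ".")
    jars = (os.path.join(r, f) for r, _, fs in os.walk(base) for f in fs if f.endswith(".jar"))
    for scope, jar in find_bc_jars(jars):
        print(f"BouncyCastle jar ({scope}): {jar}")
    with open(os.path.join(base, "conf", "server.xml"), encoding="utf-8") as fh:
        for c in connector_tls_settings(fh.read()):
            print(f"port={c['port']} sslProtocol={c['sslProtocol']} protocols={c['protocols']} TLSv1.3={c['tls13_enabled']}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            print("BC in java.security:", bc_providers(fh.read()))
```

A "webapp" hit with no static provider line matches the situation in this thread: the provider is registered by the application at runtime, which is why the container's TLS only breaks after that app has loaded.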