Posted to users@tomcat.apache.org by "Fuchs, John J." <fu...@rpi.edu> on 2016/09/27 15:57:07 UTC

SHA-2 issues with Tomcat 6.0.26

Hi all:

Certainly late on the SHA-2 move from SHA-1 SSL certificates but ours hadn't expired yet and wasn't causing any issues.  Our environment is Windows Server 2008 R2, JVM 1.6.0_22-b04 and Apache Tomcat 6.0.26

I'm testing replacement of my soon to expire SHA-1 certificate with an SHA-2. Regardless of what I give as the SSL HTTP / 1.1 connector description in server.xml I get invalid ssl conf and cipher error messages in the catalina.log file. In server.xml in place of the ciphers= parameter I've tried: the current line which has worked since 2013 with the SHA-1 certificate, removed the ciphers=, ciphers=HIGH, ciphers=RSA, ciphers=ALL and then the same existing line but with all of the 128's as 256's.

The output in catalina.log is:

SEVERE: Error initializing endpoint
java.io.IOException: jsse.invalid_ssl_conf
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
                at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
                at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
                at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
                at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
                at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                at java.lang.reflect.Method.invoke(Unknown Source)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
                at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
                at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
                ... 15 more

Any resolution from others who have encountered this already or new directions to point me in would be appreciated.

Thanks,

John

John J. Fuchs
IACS - Lead Information Technologist

Rensselaer Polytechnic Institute
J. Bldg. Room 5202
1223 Peoples Avenue
Troy, NY 12180-3590

phone: 518.276.2079
   fax: 518.276.4834
email: fuchsj@rpi.edu


Re: SHA-2 issues with Tomcat 6.0.26

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

John,

On 9/27/16 11:57 AM, Fuchs, John J. wrote:
> Certainly late on the SHA-2 move from SHA-1 SSL certificates but 
> ours hadn't expired yet and wasn't causing any issues. Our 
> environment is Windows Server 2008 R2, JVM 1.6.0_22-b04 and Apache 
> Tomcat 6.0.26.

Heh. You're certainly late on upgrading *everything* ;)

> I'm testing replacement of my soon to expire SHA-1 certificate with
>  an SHA-2. Regardless of what I give as the SSL HTTP / 1.1
> connector description in server.xml I get invalid ssl conf and
> cipher error messages in the catalina.log file. In server.xml in
> place of the ciphers= parameter I've tried: the current line which
> has worked since 2013 with the SHA-1 certificate, removed the
> ciphers=, ciphers=HIGH, ciphers=RSA, ciphers=ALL and then the same
> existing line but with all of the 128's as 256's.

<Connector> configuration? Remember to remove any sensitive passwords,
etc.

What are all the new versions of everything? Or are you still using
the complete old stack with nothing changing but the certificate itself?

> The output in catalina.log is:
> 
> SEVERE: Error initializing endpoint
> java.io.IOException: jsse.invalid_ssl_conf
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
>     at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
>     at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
>     at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
>     at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
>     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
>     at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
>     ... 15 more

Seeing the <Connector> configuration will help, here. This is an RSA
key, right? It's possible that you will need to upgrade Java to get a
set of protocols and

> Any resolution from others who have encountered this already or
> new directions to point me in would be appreciated.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
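The "No available certificate or key corresponds to the SSL cipher suites which are enabled" exception that John's trace ends in is raised when none of the suites JSSE would enable on the server socket can be served by any private key in the keystore, which is why Chris asks whether the key is RSA. The diagnostic below is an added example written for this thread; it is not Tomcat code and not part of either message. It loads the connector's keystore with the standard JSSE/KeyStore APIs (Java 6 syntax, since the poster runs 1.6.0_22), prints each key entry's key algorithm and certificate signature algorithm, and checks whether the suites the JVM would enable (either a comma-separated list as given to the connector's ciphers= attribute, or the JVM defaults when none is passed) include at least one suite that key type can serve. The mapping from suite name to required key type in requiredKeyAlgorithm is an assumption based on the standard TLS suite naming convention, not a JSSE API; the class name and command-line arguments are likewise mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Keystore / cipher-suite compatibility check for a Tomcat JSSE connector.
 *
 * Usage: java KeystoreCipherCheck <keystore> <storepass> [comma-separated ciphers= list]
 */
public class KeystoreCipherCheck {

    /**
     * Server key algorithm a suite needs, derived from the suite name
     * (heuristic, assumption: follows the TLS_<kx>_WITH_... naming convention).
     * Returns null for anonymous suites, which need no key at all.
     */
    static String requiredKeyAlgorithm(String suite) {
        if (suite.contains("_anon_")) return null;
        if (suite.contains("_ECDSA_")) return "EC";
        if (suite.contains("_DSS_")) return "DSA";
        if (suite.contains("_RSA_")) return "RSA";   // TLS_RSA_, TLS_DHE_RSA_, TLS_ECDHE_RSA_, ...
        return "UNKNOWN";                            // PSK, Kerberos etc.: not served by this key
    }

    /**
     * Suites from the enabled list that the JVM supports and that a key of
     * algorithm keyAlg can serve. An empty result is exactly the condition
     * under which JSSE reports "No available certificate or key ...".
     */
    static List<String> usableSuites(String[] enabled, String[] supported, String keyAlg) {
        Set<String> supportedSet = new HashSet<String>(Arrays.asList(supported));
        List<String> usable = new ArrayList<String>();
        for (String raw : enabled) {
            String suite = raw.trim();
            if (!supportedSet.contains(suite)) continue;      // names the JVM does not know cannot be enabled
            String need = requiredKeyAlgorithm(suite);
            if (need == null || need.equals(keyAlg)) usable.add(suite);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCipherCheck <keystore> <storepass> [ciphers]");
            System.exit(2);
        }
        // Java 6 default keystore type is JKS, which is what Tomcat 6 reads by default.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }

        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] supported = factory.getSupportedCipherSuites();
        // With no ciphers= attribute Tomcat 6 leaves the JVM defaults enabled.
        String[] enabled = args.length > 2 ? args[2].split(",") : factory.getDefaultCipherSuites();
        System.out.println(enabled.length + " suite(s) requested, " + supported.length + " supported by this JVM");

        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) continue;             // trusted-cert entries carry no private key
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            String keyAlg = cert.getPublicKey().getAlgorithm();   // "RSA", "DSA" or "EC"
            System.out.println("alias " + alias + ": key=" + keyAlg
                    + " sigalg=" + cert.getSigAlgName()
                    + " subject=" + cert.getSubjectX500Principal().getName());

            List<String> ok = usableSuites(enabled, supported, keyAlg);
            if (ok.isEmpty()) {
                System.out.println("  no enabled suite can use this " + keyAlg
                        + " key: JSSE would fail with 'No available certificate or key ...'");
            } else {
                System.out.println("  " + ok.size() + " enabled suite(s) usable, e.g. " + ok.get(0));
            }
        }
    }
}
```

Run it with the same JVM Tomcat uses and the keystore and password from the connector, then once more with the exact value of ciphers= from server.xml. The sigalg column answers the SHA-1 versus SHA-2 question the thread is about, but the suite match depends only on the key column: a SHA-256-signed certificate over an RSA key still needs RSA suites, and if the keystore's key entry is not RSA (or the alias Tomcat selects has no private key), the output shows directly why every ciphers= variant fails the same way.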
