Richard Tearle
2018-11-13 13:50:05 UTC
Hi
Our applications are all working fine with Tomcat 8.5.34 and Tomcat
Native 1.2.17; Centos 7.5; OpenSSL 1.0.2k-fips 26 Jan 2017; Oracle
Java JRE 8u172
On upgrading to Tomcat 8.5.35 and Tomcat Native 1.2.18, we get the
following warning:
12-Nov-2018 14:37:03.459 WARNING [main]
org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit> Failed
getting cipher list
java.lang.Exception: Invalid Server SSL Protocol
(error:00000000:lib(0):func(0):reason(0))
at org.apache.tomcat.jni.SSLContext.make(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:73)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:63)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:67)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:51)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:42)
at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
On downgrading Tomcat Native to 1.2.17, and still keeping Tomcat
8.5.35, we get the following FATAL:
12-Nov-2018 17:24:17.474 SEVERE [https-openssl-nio-8443-exec-2]
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.UnsatisfiedLinkError:
org.apache.tomcat.jni.SSL.renegotiatePending(J)I
at org.apache.tomcat.jni.SSL.renegotiatePending(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.getHandshakeStatus(OpenSSLEngine.java:1021)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.wrap(OpenSSLEngine.java:457)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeWrap(SecureNioChannel.java:440)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:211)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1475)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Our application is fine with Tomcat 8.5.34 and Tomcat Native 1.2.18 as well.
Our connector configuration, which we've not changed whilst testing
various version combinations, is:
<Connector port="${servers.port}"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true" server="Apache" maxPostSize="1048576">
  <SSLHostConfig certificateVerification="none" protocols="TLSv1.2"
                 caCertificateFile="/usr/local/tomcat/ssl/ca-cert.pem"
                 honorCipherOrder="true"
                 ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
    <Certificate certificateFile="/usr/local/tomcat/ssl/server-cert.pem"
                 certificateKeyFile="/usr/local/tomcat/ssl/server-key.pem"
                 certificateKeyPassword="${keystore.pass}">
    </Certificate>
  </SSLHostConfig>
</Connector>
We'd like to upgrade to Tomcat 8.5.35 and Tomcat Native 1.2.18,
without the warning (our implementers get twitchy when they see
warnings, even more so when it's around SSL/TLS...)
Richard
--
This email is sent on behalf of Northgate Public Services (UK) Limited and
its associated companies including Rave Technologies (India) Pvt Limited
(together "Northgate Public Services") and is strictly confidential and
intended solely for the addressee(s).
If you are not the intended
recipient of this email you must: (i) not disclose, copy or distribute its
contents to any other person nor use its contents in any way or you may be
acting unlawfully; (ii) contact Northgate Public Services immediately on
+44(0)1442 768445 quoting the name of the sender and the addressee then
delete it from your system.
Northgate Public Services has taken reasonable
precautions to ensure that no viruses are contained in this email, but does
not accept any responsibility once this email has been transmitted. You
should scan attachments (if any) for viruses.
Northgate Public Services
(UK) Limited, registered in England and Wales under number 00968498 with a
registered address of Peoplebuilding 2, Peoplebuilding Estate, Maylands
Avenue, Hemel Hempstead, Hertfordshire, HP2 4NW. Rave Technologies (India)
Pvt Limited, registered in India under number 117068 with a registered
address of 2nd Floor, Ballard House, Adi Marzban Marg, Ballard Estate,
Mumbai, Maharashtra, India, 400001.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org