https://bz.apache.org/bugzilla/show_bug.cgi?id=60138
Bug ID: 60138
Summary: protocol TLSV1.2 causes exception text sslUtilBase.noneSupported
Product: Tomcat 8
Version: 8.5.5
Hardware: Other
OS: other
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: psc...@skycoast.us

This problem seems to only occur on IBM z/OS with Tomcat 8.5.5. All other things equal, the problem does not exist with Tomcat 7.

First, with Tomcat 7, the connector is defined thusly:

    <Connector protocol="HTTP/1.1"
               clientAuth="false"
               connectionTimeout="20000"
               keystoreFile="conf/keystore.p12"
               keystorePass="password"
               keystoreType="pkcs12"
               maxThreads="150"
               maxPostSize="-1"
               port="55663"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               sslEnabledProtocols="TLSv1.2"
               sslProtocol="TLS"
               URIEncoding="UTF-8" />

This works, and connections can be established using (and only using) TLSv1.2 protocol.

Now, all other things being equal, with Tomcat 8.5.5, the connector is defined thusly:

    <Connector protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxThreads="150"
               maxPostSize="-1"
               port="58789"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               URIEncoding="UTF-8" >
        <SSLHostConfig certificateVerification="none"
                       protocols="TLSv1.2"
                       sslProtocol="TLS">
            <Certificate certificateKeystoreFile="conf/keystore.p12"
                         certificateKeystorePassword="password"
                         certificateKeystoreType="pkcs12" />
        </SSLHostConfig>
    </Connector>

This causes the following exception trace (and connections are not possible):

    SEVERE: Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58789"]
    java.lang.IllegalArgumentException: sslUtilBase.noneSupported
        at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:87)
        at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:54)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:151)
        at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:91)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)

Changing protocol="TLSv1.2" to protocol="TLSv1" avoids the exception and connections are made with TLSv1. TLSv1.1 and TLSv1.2 are conspicuously missing.

Again, I must stress that the underlying environment is identical in both cases, including environment variables, Java home directory, system properties specified at startup (-D), etc. The singular difference that I am aware of is moving from Tomcat 7 to Tomcat 8.
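A way to see which protocol versions the JVM's JSSE provider itself offers, as an added example that is not part of the original report and is not Tomcat code. It assumes the exception means the configured protocol list and the provider's supported list have nothing in common; the class name JsseProtocolCheck is hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added diagnostic, not Tomcat code: reports which TLS protocol versions the
// running JVM's JSSE provider offers for a given SSLContext name.
public class JsseProtocolCheck {

    // Returns the requested protocols that the named context reports as supported.
    static Set<String> usable(String contextName, Set<String> requested) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key/trust managers; no keystore needed
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("SSLContext \"" + contextName + "\" provider="
                + ctx.getProvider().getName());
        System.out.println("  supported: " + Arrays.toString(supported));
        System.out.println("  default:   " + Arrays.toString(defaults));
        Set<String> result = new LinkedHashSet<>(requested);
        result.retainAll(Arrays.asList(supported)); // configured AND implemented
        return result;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        // Mirrors protocols="TLSv1.2" from the 8.5.5 connector in the report.
        Set<String> requested = new LinkedHashSet<>(Arrays.asList("TLSv1.2"));
        // "TLS" is the sslProtocol value in the report; "TLSv1.2" is for comparison.
        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            try {
                Set<String> ok = usable(name, requested);
                System.out.println(ok.isEmpty()
                        ? "  -> none of " + requested + " is supported by this context"
                        : "  -> usable: " + ok);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("SSLContext \"" + name + "\" not available: "
                        + e.getMessage());
            }
        }
    }
}
```

Run it with the same Java home and -D system properties that Tomcat is started with, so the output reflects the same provider configuration.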