https://bz.apache.org/bugzilla/show_bug.cgi?id=61415
Bug ID: 61415
Summary: SSL protocol error with Chrome, client certificates and OpenSSL/NIO in Tomcat 8.5
Product: Tomcat Native
Version: unspecified
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Library
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
It seems that there is a problem with OpenSSL when replacing JSSE. It is a
problem when certificateVerification is enabled.
I replaced JSSE/NIO with OpenSSL/NIO because I wanted to enable HTTP/2.
We are using a Spring Boot application with embedded Tomcat. During startup I was
able to load tcnative-1 using AprLifecycleListener. Spring Boot does not
support the APR connector due to a different keystore configuration, but I was able
to boot using OpenSSL/NIO. When opening the application in any browser I was
getting SSL protocol errors.
I was able to reproduce the same problem using standalone tomcat without any
applications deployed.
How to reproduce:
- download Tomcat 8.5.20 Windows x64 & unzip it
- generate keystore: "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg
RSA -keystore tomcat_keystore.jks (enter localhost and other data, with
password tomcat)
- copy cacerts to conf folder from JRE folder (for example: C:\Program
Files\Java\jdk1.8.0_131\jre\lib\security)
- edit server.xml and add Connector
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig truststoreFile="conf/cacerts"
                   truststorePassword="" certificateVerification="optional">
      <Certificate certificateKeystoreFile="conf/tomcat_keystore.jks"
                   certificateKeystorePassword="tomcat"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>
- open Chrome and navigate to https://localhost:8443 (you don't need to select
any client certificate)
- you should see tomcat welcome page
- press Ctrl + F5 quickly a couple of times and you should start seeing the SSL
protocol error
First I added a comment in
https://bz.apache.org/bugzilla/show_bug.cgi?id=61394, but after a bit more
testing I doubt it is the same problem.
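An added diagnostic for the intermittent failure described in the steps above; it is not part of the report or of Tomcat. It repeats TLS handshakes with no client certificate (as the browser does here) against a host, assumed to be localhost:8443 as in the reproduction, and tallies the outcomes so that a rapid-reload "SSL protocol error" shows up as a measurable failure rate. Certificate verification is disabled only because the reproduction uses a self-signed test keystore.

```python
import socket
import ssl
from collections import Counter

def classify(exc):
    """Map a handshake outcome to a short bucket name (None means success)."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLError):
        # OpenSSL reason strings such as 'SSLV3_ALERT_HANDSHAKE_FAILURE'
        return "ssl:" + (exc.reason or type(exc).__name__)
    if isinstance(exc, (ConnectionError, TimeoutError, socket.timeout)):
        return "tcp:" + type(exc).__name__
    return "other:" + type(exc).__name__

def handshake_once(host="localhost", port=8443, timeout=3.0):
    """One TLS handshake without a client certificate against your own test server.
    Assumed host/port follow the reproduction steps; verification is off because
    the keystore in the report is self-signed, so this is a diagnostic, not a client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def scripted(outcomes):
    """Constructed stand-in for handshake_once: raises each exception in turn
    (None = success) so the tally logic can be exercised without a server."""
    it = iter(outcomes)
    def connect():
        exc = next(it)
        if exc is not None:
            raise exc
    return connect

def run_trials(attempts, connect=handshake_once):
    """Run `attempts` handshakes back to back and return a Counter of outcome buckets."""
    tally = Counter()
    for _ in range(attempts):
        try:
            connect()
            tally[classify(None)] += 1
        except Exception as exc:  # keep going; the distribution is the point
            tally[classify(exc)] += 1
    return tally

def failure_rate(tally):
    """Fraction of attempts that did not complete the handshake."""
    total = sum(tally.values())
    return 0.0 if total == 0 else 1 - tally["ok"] / total

if __name__ == "__main__":
    result = run_trials(50)
    print(dict(result), "failure rate %.0f%%" % (100 * failure_rate(result)))
```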