https://bz.apache.org/bugzilla/show_bug.cgi?id=62461
Bug ID: 62461
Summary: Configuration of JSSE HTTPS Virtual Hosts throws exception
Product: Tomcat 9
Version: 9.0.8
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: rad...@gmail.com
Target Milestone: -----

Old configuration that works on Tomcat 9.0.8:

    <Service name="Catalina">
      <Connector port="443" address="178.79.132.165" protocol="HTTP/1.1"
                 scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"
                 keystoreFile="file.jks" keystorePass="pass" keyAlias="alias" keyPass="pass" />
      <Engine name="Catalina" defaultHost="xxx">
        <Host name="xxx" appBase="xxx" autoDeploy="true" unpackWARs="true" deployXML="false">
          ....
        </Host>
      </Engine>
    </Service>

New one (maybe I am missing something, but to me it seems correct):

    <Service name="Catalina">
      <Connector port="443" address="192.168.1.2" scheme="https" secure="true" SSLEnabled="true"
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
                 defaultSSLHostConfigName="xxx">
        <SSLHostConfig hostName="xxx">
          <Certificate certificateKeystoreFile="file_xxx.jks" certificateKeystorePassword="pass"
                       certificateKeyAlias="alias" certificateKeyPassword="pass" />
        </SSLHostConfig>
        <SSLHostConfig hostName="yyy">
          <Certificate certificateKeystoreFile="file_yyy.jks" certificateKeystorePassword="pass"
                       certificateKeyAlias="alias" certificateKeyPassword="pass" />
        </SSLHostConfig>
      </Connector>
      <Engine name="Catalina" defaultHost="xxx">
        <Host name="xxx" appBase="xxx" autoDeploy="true" unpackWARs="true" deployXML="false">
          ...
        </Host>
        <Host name="yyy" appBase="yyy" autoDeploy="true" unpackWARs="true" deployXML="false">
          ...
        </Host>
      </Engine>
    </Service>

The exception is:

    Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
        ... 13 more
    Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)

After looking into the source code of Tomcat 9.0.8 (not the latest from the repo) and adding some printouts, I saw that SSLHostConfig has zero SSLHostConfigCertificate entries, although they seem to be loaded properly?!?! At this place, org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext line 101, the SSLHostConfigCertificate is empty, i.e. the certificate is a new one created with default values. After hardcoding those in the method it worked. :)

    @Override
    protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgumentException {
        boolean firstCertificate = true;
        for (SSLHostConfigCertificate certificate : sslHostConfig.getCertificates(true)) {
            // Debugging hack: hardcode the keystore settings per SNI host name
            if ("xxx".equals(sslHostConfig.getHostName())) {
                sslHostConfig.setCertificateKeystoreFile("file_xxx.jks");
                sslHostConfig.setCertificateKeystorePassword("pass");
                sslHostConfig.setCertificateKeyAlias("alias");
                sslHostConfig.setCertificateKeyPassword("pass");
            }
            if ("yyy".equals(sslHostConfig.getHostName())) {
                sslHostConfig.setCertificateKeystoreFile("file_yyy.jks");
                sslHostConfig.setCertificateKeystorePassword("pass");
                sslHostConfig.setCertificateKeyAlias("alias");
                sslHostConfig.setCertificateKeyPassword("pass");
            }
            SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
            ...
            ...

It is really strange, because I am looking into it and cannot find the error. Also, the protocol should be "org.apache.coyote.http11.Http11NioProtocol"; with NIO2 there are some other additional errors: it recognizes only one of the contexts, serving host yyy but not recognizing xxx. And that happens not at startup time but when you try to access the host.
    15-Jun-2018 16:28:15.756 SEVERE [https-jsse-nio2-192.168.1.2-443-exec-2] org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Error running socket processor
    java.lang.IllegalStateException: No SSLContext could be found for the host name [xxx]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLEngine(AbstractJsseEndpoint.java:173)
        at org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:403)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:214)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:205)
        at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1724)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1007)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:99)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:92)
        at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
        at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
        at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:844)
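As an added example (not from the bug report or the Tomcat project), a small Python check an operator can run over server.xml before restarting Tomcat: it flags SSLEnabled connectors whose SSLHostConfig entries lack a Certificate with a keystore or PEM file (the condition behind the "certificateFile must be defined" error above) and a defaultSSLHostConfigName that matches no SSLHostConfig hostName. The sample XML is constructed with placeholder values shaped like the report's second configuration; the "_default_" name and the rule that the default name must match an SSLHostConfig entry are assumptions about Tomcat's startup behaviour, not something the report states.

```python
import xml.etree.ElementTree as ET

# Constructed sample with placeholder values, shaped like the report's second configuration.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" defaultSSLHostConfigName="xxx"
               protocol="org.apache.coyote.http11.Http11NioProtocol">
      <SSLHostConfig hostName="xxx">
        <Certificate certificateKeystoreFile="file_xxx.jks" certificateKeyAlias="alias"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="yyy">
        <Certificate certificateKeystoreFile="file_yyy.jks" certificateKeyAlias="alias"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""


def check_ssl_host_configs(xml_text):
    """Return a list of findings; an empty list means every SSLEnabled connector passed."""
    findings = []
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        port = connector.get("port", "?")
        # Assumption: "_default_" is the name Tomcat uses when the attribute is omitted.
        default_name = connector.get("defaultSSLHostConfigName", "_default_")
        host_configs = connector.findall("SSLHostConfig")
        if not host_configs:
            findings.append(f"port {port}: SSLEnabled connector has no SSLHostConfig")
            continue
        names = set()
        for shc in host_configs:
            name = shc.get("hostName", "_default_")
            names.add(name)
            certs = shc.findall("Certificate")
            if not certs:
                findings.append(f"port {port}/{name}: SSLHostConfig has no Certificate element")
            for cert in certs:
                # JSSE needs either a keystore or a PEM certificate file plus its key file;
                # otherwise startup fails with "certificateFile must be defined".
                has_keystore = cert.get("certificateKeystoreFile") is not None
                has_pem = cert.get("certificateFile") is not None and cert.get("certificateKeyFile") is not None
                if not (has_keystore or has_pem):
                    findings.append(f"port {port}/{name}: Certificate has no keystore or PEM file")
        # Assumption: the default name must match one SSLHostConfig hostName, or Tomcat rejects it.
        if default_name not in names:
            findings.append(f"port {port}: defaultSSLHostConfigName {default_name!r} matches no hostName")
    return findings
```

Run it against the real server.xml with `check_ssl_host_configs(open("conf/server.xml").read())`; an empty list means the SNI sections are at least structurally complete.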