----- Original Message -----
From: "Timo Aaltonen" <tjaalton(a)ubuntu.com>
To: pki-users(a)redhat.com
Sent: Friday, January 11, 2019 2:44:32 AM
Subject: [Pki-users] Problems with java11
Hi
I've migrated Debian to use java11 in every component Dogtag needs, but while
the tomcat instance seems to get up (to be configured), it can't be properly
reached:
2019-01-10 18:00:30 pkispawn : INFO Checking server at https://sid1.leon.tyrell:8443/ca
2019-01-10 18:01:56 pkispawn : ERROR Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
2019-01-10 18:01:56 configuration : ERROR Server failed to restart
and there's this on catalina.out:
WARNING: The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
SEVERE: Failed to initialize component [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
    ... 13 more
Caused by: java.io.IOException: Alias name [sslserver] does not identify a key entry
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
    ... 20 more
How to fix that? If this is fixed, Dogtag might finally end up in a Debian
release :)
So my 2c. on this issue -- I don't have a reproducing setup at the moment
but...
TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend for
TLS auth in Tomcat vs. using JSS/NSS).
So it appears that JSSE lacks support for optional client authentication
as per the error message:
WARNING: The JSSE TLS 1.3 implementation does not support authentication
after the initial handshake and is therefore incompatible with optional
client authentication
In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
parameter, so we use the default of "want":
https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/...
https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/...
You'll probably want to ship clientAuth="true" as a workaround on JDK 11+
and document that clientAuth="want" will not work for the time being. On the
other hand, this ~does~ require end users to set up client authentication to
access the page...
(edewata mentioned that you can have two separate PKI servers, one for
the admin pages with clientAuth="true" and one for end entity services with
clientAuth="false").
Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be released,
so this issue will be fixed as JSS/NSS should support this type of optional
client authentication (but will need to be tested).
(It also isn't clear whether or not JDK8 supports TLS 1.3+).
-- Alex
--
t
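A small checker for the clientAuth point Alex raises, added here as an example that is not part of the thread and not Dogtag's or TomcatJSS's code: it parses a server.xml, treats an unset clientAuth as "want" as the thread states, and reports every SSLEnabled connector whose effective mode is the optional one that the JSSE TLS 1.3 backend refuses to initialise. The server.xml text is a constructed sample (the second connector on port 8444 and the attribute values are assumptions, not Dogtag's shipped file).

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not Dogtag's own file): one HTTPS connector
# that leaves clientAuth unset and one that pins clientAuth="true".
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="PKI">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.dogtagpki.tomcat.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" keyAlias="sslserver"/>
    <Connector port="8444" protocol="org.dogtagpki.tomcat.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" keyAlias="sslserver" clientAuth="true"/>
  </Service>
</Server>
"""


def effective_client_auth(connector):
    """Return (mode, explicit). Per the thread, an unset clientAuth means "want"."""
    raw = connector.get("clientAuth")
    if raw is None:
        return "want", False
    return raw.strip().lower(), True


def check_connectors(xml_text):
    """Report the effective client-auth mode of every SSLEnabled connector.

    "status" is "incompatible" for the optional ("want") mode that the JSSE
    TLS 1.3 implementation rejects at connector init, and "ok" otherwise.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").strip().lower() != "true":
            continue  # plain HTTP connector, no TLS client auth involved
        mode, explicit = effective_client_auth(conn)
        findings.append({
            "port": conn.get("port"),
            "clientAuth": mode,
            "explicit": explicit,
            "status": "incompatible" if mode == "want" else "ok",
        })
    return findings


if __name__ == "__main__":
    for f in check_connectors(SAMPLE_SERVER_XML):
        origin = "set" if f["explicit"] else "defaulted"
        print(f"port {f['port']}: clientAuth={f['clientAuth']} ({origin}) -> {f['status']}")
```

Point it at a real instance's server.xml to see which connectors would hit the warning before restarting the service.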
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users