Re: [Pki-users] Problems with java11

Tuesday, 15 January 2019

On 14.1.2019 18.06, Alexander Scheel wrote:
...

 ----- Original Message -----
> From: "Timo Aaltonen" <tjaalton(a)ubuntu.com&gt;
> To: pki-users(a)redhat.com
> Sent: Friday, January 11, 2019 2:44:32 AM
> Subject: [Pki-users] Problems with java11
>
>
> 	Hi
>
> I've migrated Debian to use java11 in every component Dogtag needs, but while
> the tomcat instance seems to get up (to be configured), it can't be properly
> reached:
>
> 2019-01-10 18:00:30 pkispawn      : INFO     Checking server at
> https://sid1.leon.tyrell:8443/ca
> 2019-01-10 18:01:56 pkispawn      : ERROR    Server unreachable due to SSL
> error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
> 2019-01-10 18:01:56 configuration : ERROR    Server failed to restart
>
>
> and there's this on catalina.out:
>
> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> after the initial handshake and is there
> fore incompatible with optional client authentication
> SEVERE: Failed to initialize component
> [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization
> failed
>         at
>         org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
>         at
>         org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at
>        
org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
>         at
>         org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at
>        
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
>         at
>         org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>         at
>         java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>         Method)
>         at
>        
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at
>        
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does
> not identify a key entry
>         at
>        
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>         at
>        
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
>         at
>        
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
>         at
>         org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
>         at
>        
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>         at
>         org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
>         ... 13 more
> Caused by: java.io.IOException: Alias name [sslserver] does not identify a
> key entry
>         at
>         org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
>         at
>        
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
>         ... 20 more
>
> how to fix that? If this is fixed, Dogtag might finally end up in a Debian
> release :)
>

 So my 2c. on this issue -- I don't have a reproducing setup at the moment
 but...

 TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
 technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend for
 TLS auth in Tomcat vs. using JSS/NSS).

 So it appears that JSSE lacks support for optional client authentication
 as per the error message:

> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> after the initial handshake and is therefore incompatible with optional
> client authentication

 In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
 parameter, so we use the default of "want":

 https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/...

https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/...

 You'll probably want to ship clientAuth="true" as a work around on JDK 11+
 and document that clientAuth="want" will not work for the time being. On the
 other hand, this ~does~ require end users to set up client authentication to
 access the page... 
Doing this (and fixing pki-migrate to not remove that setting) then resulted in this:

SEVERE: End event threw exception
java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
        at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
        at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
        at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown
Source)
        at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
        at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were
provided for the host name [_default_]. Host names must be unique.
        at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
        at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
        at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
        at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
        ... 25 more

WARNING: Unable to load server configuration from
[/var/lib/pki/pki-tomcat/conf/server.xml]
org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml;
lineNumber: 188; columnNumber: 25; Error at (188, 25) : Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be unique.
        at
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1862)
        at
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1894)
        at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:947)
        at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown
Source)
        at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
        at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were
provided for the host name [_default_]. Host names must be unique.
        at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
        at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
        at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
        at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
        at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
        at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
        ... 18 more

SEVERE: Cannot start server. Server instance is not configured.

and this is in server.xml:

    182         <SSLHostConfig sslProtocol="SSL"
    183                        certificateVerification="optional"
    184                       
trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
    185             <Certificate certificateKeystoreType="pkcs11"
    186                          certificateKeystoreProvider="Mozilla-JSS"
    187                          certificateKeyAlias="sslserver"/>
    188         </SSLHostConfig>

...
 Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be
released,
 so this issue will be fixed as JSS/NSS should support this type of optional
 client authentication (but will need to be tested). 
Any idea when that would be? Debian 10 will be frozen in a month.

-- 
t

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Re: [Pki-users] Problems with java11