[Pki-users] Problems with java11

Alexander Scheel ascheel at redhat.com
Mon Jan 14 16:06:43 UTC 2019



----- Original Message -----
> From: "Timo Aaltonen" <tjaalton at ubuntu.com>
> To: pki-users at redhat.com
> Sent: Friday, January 11, 2019 2:44:32 AM
> Subject: [Pki-users] Problems with java11
> 
> 
> 	Hi
> 
> I've migrated Debian to use java11 in every component Dogtag needs, but while
> the tomcat instance seems to get up (to be configured), it can't be properly
> reached:
> 
> 2019-01-10 18:00:30 pkispawn      : INFO     Checking server at
> https://sid1.leon.tyrell:8443/ca
> 2019-01-10 18:01:56 pkispawn      : ERROR    Server unreachable due to SSL
> error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
> 2019-01-10 18:01:56 configuration : ERROR    Server failed to restart
> 
> 
> and there's this on catalina.out:
> 
> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> after the initial handshake and is therefore incompatible with optional
> client authentication
> SEVERE: Failed to initialize component
> [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key entry
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
>         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
>         ... 13 more
> Caused by: java.io.IOException: Alias name [sslserver] does not identify a key entry
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
>         ... 20 more
> 
> how to fix that? If this is fixed, Dogtag might finally end up in a Debian
> release :)
> 

So my 2c. on this issue -- I don't have a reproducing setup at the moment
but...

TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend for
TLS auth in Tomcat vs. using JSS/NSS).

So it appears that JSSE lacks support for optional client authentication
as per the error message:

> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> after the initial handshake and is therefore incompatible with optional
> client authentication

In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
parameter, so we use the default of "want":

https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/server.xml#L151
https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/util/net/jss/TomcatJSS.java#L72


You'll probably want to ship clientAuth="true" as a work around on JDK 11+
and document that clientAuth="want" will not work for the time being. On the
other hand, this ~does~ require end users to set up client authentication to
access the page...

(edewata mentioned that you can have two separate PKI servers, one for
 the admin pages with clientAuth="true" and one for end entity services with
 clientAuth="false").

Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be released,
so this issue will be fixed as JSS/NSS should support this type of optional
client authentication (but will need to be tested).


(It also isn't clear whether or not JDK8 supports TLS 1.3+).


-- Alex

> 
> --
> t
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
> 
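The workaround Alex describes, shown as a reduced Tomcat 8.5 Connector fragment. This is an added illustration, not the server.xml shipped by Dogtag PKI; only the port, the protocol class and the "sslserver" alias are taken from the thread, and the file paths, the keystore attributes and the connector name are assumptions standing in for whatever the real instance uses.

```xml
<!-- Reduced example, not the PKI project's own server.xml. -->

<!-- BEFORE: clientAuth is omitted, so Tomcat falls back to "want"
     (optional client authentication). Under JDK 11 the JSSE TLS 1.3
     stack cannot do post-handshake authentication, so the connector
     logs the "incompatible with optional client authentication"
     warning and fails to initialise; pkispawn then sees the
     "Unexpected EOF" handshake error. -->
<Connector name="Secure"
           port="8443"
           protocol="org.dogtagpki.tomcat.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keyAlias="sslserver"
           keystoreFile="/etc/pki/pki-tomcat/alias/keystore.example"   <!-- assumed path -->
           keystorePass="${keystore.password}" />                      <!-- assumed value -->

<!-- AFTER (JDK 11+ workaround from the thread): require a client
     certificate on the connector so no post-handshake auth is needed.
     Every client of this port must now present a certificate. -->
<Connector name="Secure"
           port="8443"
           protocol="org.dogtagpki.tomcat.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="true"
           keyAlias="sslserver"
           keystoreFile="/etc/pki/pki-tomcat/alias/keystore.example"   <!-- assumed path -->
           keystorePass="${keystore.password}" />                      <!-- assumed value -->

<!-- ALTERNATIVE (edewata's suggestion): run a second PKI instance on
     its own port for end-entity services with client auth switched
     off entirely, and keep clientAuth="true" on the admin instance.
     Port 8444 is an assumed value for the second instance. -->
<Connector name="SecureEE"
           port="8444"
           protocol="org.dogtagpki.tomcat.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           keyAlias="sslserver"
           keystoreFile="/etc/pki/pki-tomcat-ee/alias/keystore.example" <!-- assumed path -->
           keystorePass="${keystore.password}" />                        <!-- assumed value -->
```

After changing the attribute, a quick check is to restart the instance and confirm that catalina.out no longer prints the "JSSE TLS 1.3 implementation does not support authentication after the initial handshake" warning and that the Connector for port 8443 initialises without the LifecycleException; the pkispawn "Checking server at" step should then get past the handshake.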
