[Pki-users] Problems with java11

Timo Aaltonen tjaalton at ubuntu.com
Tue Jan 15 19:49:50 UTC 2019


On 15.1.2019 21.03, Endi Sukma Dewata wrote:
> ----- Original Message -----
>>>>> The error message is not very helpful, but I think this error
>>>>> happens because the clientAuth in Connector has been replaced
>>>>> by certificateVerification in SSLHostConfig and they cannot be
>>>>> specified at the same time. See the following page:
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>>>
>>>>> So try removing the clientAuth and set the certificateVerification
>>>>> to "required". I have not tried this myself though.
>>>>
>>>> nope, still get the same
>>>
>>> Could you show me the entire Connector element and its children?
>>> Make sure all attributes replaced by SSLHostConfig have been
>>> deleted from the Connector element (see the above link).
>>
>>     <Connector name="Secure"
>>                port="8443"
>>                protocol="org.dogtagpki.tomcat.Http11NioProtocol"
>>                SSLEnabled="true"
>>                scheme="https"
>>                secure="true"
>>                connectionTimeout="80000"
>>                keepAliveTimeout="300000"
>>                maxHttpHeaderSize="8192"
>>                acceptCount="100"
>>                maxThreads="150"
>>                minSpareThreads="25"
>>                enableLookups="false"
>>                disableUploadTimeout="true"
>>                enableOCSP="false"
>>                ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
>>                ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
>>                ocspCacheSize="1000"
>>                ocspMinCacheEntryDuration="7200"
>>                ocspMaxCacheEntryDuration="14400"
>>                ocspTimeout="10"
>>                strictCiphers="true"
>>                sslVersionRangeStream="tls1_1:tls1_2"
>>                sslVersionRangeDatagram="tls1_1:tls1_2"
>>                sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
>>                serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
>>                passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
>>                passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
>>                certdbDir="/var/lib/pki/pki-tomcat/alias">
>>
>>         <SSLHostConfig sslProtocol="SSL"
>>                        certificateVerification="required"
>>                        trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
>>             <Certificate certificateKeystoreType="pkcs11"
>>                          certificateKeystoreProvider="Mozilla-JSS"
>>                          certificateKeyAlias="sslserver"/>
>>         </SSLHostConfig>
>>
>>     </Connector>
>>
>>
>> I don't see what should be dropped from Connector..
> 
> Are you getting this error:
> 
>  java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key
>  entry
> 
> or this error?
> 
>  java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided
>  for the host name [_default_]. Host names must be unique.
> 
> If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore) cannot
> find the SSL server certificate. We may not have a solution since we do not support
> Java 11 yet.

But I've patched Dogtag to support the new keystore, and am using JSS
4.5.1; I thought they did support Java 11, so something is still
missing then.

> If it's the second one, that message is coming from Tomcat when validating the
> server.xml. Is certificateVerification the only thing you change in that file? You
> might want to try adding defaultSSLHostConfigName to Connector and hostName to
> SSLHostConfig, but I'm really not sure what's going on.
> 
> See also this page:
> https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multiple-sslhostconfig-elements-were-provided-for-the-ho
> 
>  If you put any of these deprecated attributes in the Connector directive, tomcat
>  assumes you are using the old way and auto creates a SSLHostConfig itself, which
>  then conflicts with the one you are creating.
> 
> --
> Endi S. Dewata
> 


-- 
t
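A small checker for the conflict Endi points at above (a deprecated SSL attribute left on the Connector next to an explicit SSLHostConfig, or SSLHostConfig host names that clash), added here as an example and not code from this thread, Dogtag or Tomcat. It assumes a Tomcat 8.5 server.xml and the deprecated-attribute list from the linked http.html page; the sample server.xml is constructed.

```python
"""Flag Tomcat 8.5 <Connector> SSL attributes that moved to <SSLHostConfig>; a
leftover one makes Tomcat auto-create a _default_ SSLHostConfig that collides
with an explicit one. Added example; not Dogtag or Tomcat code."""
import xml.etree.ElementTree as ET

# Subset of the Connector attributes Tomcat 8.5's http.html marks as deprecated.
MIGRATED_ATTRS = {
    "clientAuth", "keyAlias", "keyPass", "keystoreFile", "keystorePass", "keystoreProvider",
    "keystoreType", "sslProtocol", "sslEnabledProtocols", "ciphers", "truststoreFile",
    "truststorePass", "truststoreType", "truststoreProvider", "truststoreAlgorithm",
    "trustManagerClassName", "sessionCacheSize", "sessionTimeout", "crlFile",
}

def check_connector(conn):
    """Return problem strings for one <Connector> element ([] when clean)."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return []
    problems = []
    hosts = conn.findall("SSLHostConfig")
    stale = sorted(a for a in conn.attrib if a in MIGRATED_ATTRS)
    if stale:
        problems.append("deprecated Connector attributes " + ", ".join(stale)
                        + (" conflict with the explicit SSLHostConfig" if hosts else ""))
    # Tomcat lower-cases hostName and defaults it to _default_; names must be unique.
    names = [h.get("hostName", "_default_").lower() for h in hosts]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        problems.append("duplicate SSLHostConfig hostName: " + ", ".join(dupes))
    default = conn.get("defaultSSLHostConfigName", "_default_").lower()
    if hosts and default not in names:
        problems.append("defaultSSLHostConfigName %r matches no SSLHostConfig" % default)
    return problems

def check_server_xml(xml_text):
    """Map each Connector's port to its list of problems."""
    return {c.get("port"): check_connector(c)
            for c in ET.fromstring(xml_text).iter("Connector")}

# Constructed sample: 8443 keeps clientAuth/keystoreFile beside an explicit
# SSLHostConfig (the failing shape); 8444 uses only the migrated form.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.dogtagpki.tomcat.Http11NioProtocol"
             SSLEnabled="true" clientAuth="want" keystoreFile="/tmp/ks">
    <SSLHostConfig certificateVerification="required">
      <Certificate certificateKeystoreType="pkcs11"
                   certificateKeystoreProvider="Mozilla-JSS" certificateKeyAlias="sslserver"/>
    </SSLHostConfig></Connector>
  <Connector port="8444" protocol="org.dogtagpki.tomcat.Http11NioProtocol"
             SSLEnabled="true"><SSLHostConfig certificateVerification="required"/>
  </Connector></Service></Server>"""
```

Running `check_server_xml` over a real /var/lib/pki/pki-tomcat/conf/server.xml before restarting the instance shows which Connector attributes still need to be dropped.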