Bug 59209 - java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setUseCipherSuitesOrder during tomcat 8.5.0 start
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.x-trunk
Hardware: All All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2016-03-22 06:07 UTC by Huxing Zhang
Modified: 2016-03-23 00:50 UTC (History)

Attachments
remove honorCipherOrder in SSLConfig configuration (697 bytes, patch)
2016-03-22 06:49 UTC, Huxing Zhang

Description Huxing Zhang 2016-03-22 06:07:19 UTC
Steps to reproduce:
1. Download the Tomcat 8.5.0 release candidate.
2. Uncomment the following configuration:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig honorCipherOrder="false" >
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
3. Adjust the certificate configuration.
4. Start Tomcat.

Observed result:
A NoSuchMethodException appeared in standard output.

22-Mar-2016 13:51:30.539 WARNING [main] org.apache.tomcat.util.IntrospectionUtils.setProperty IntrospectionUtils: InvocationTargetException for class org.apache.tomcat.util.net.SSLHostConfig honorCipherOrder=false)
 java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.tomcat.util.IntrospectionUtils.setProperty(IntrospectionUtils.java:126)
	at org.apache.tomcat.util.IntrospectionUtils.setProperty(IntrospectionUtils.java:47)
	at org.apache.tomcat.util.digester.SetPropertiesRule.begin(SetPropertiesRule.java:72)
	at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1188)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1363)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2786)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648)
	at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.UnsupportedOperationException: Java Runtime does not support "useServerCipherSuitesOrder". You must use Java 8 or later to use this feature.
	at org.apache.tomcat.util.net.SSLHostConfig.setHonorCipherOrder(SSLHostConfig.java:354)
	... 27 more
Caused by: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setUseCipherSuitesOrder(boolean)
	at java.lang.Class.getMethod(Class.java:1670)
	at org.apache.tomcat.util.net.SSLHostConfig.setHonorCipherOrder(SSLHostConfig.java:352)
	... 27 more

Suggested fix:

In conf/server.xml, remove honorCipherOrder="false" from the default configuration:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
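
The trace above fails inside a reflective lookup of `SSLParameters.setUseCipherSuitesOrder(boolean)`, which exists only from Java 8. The following is an added example, not Tomcat's code and not part of the original report, showing one way to probe for the method and degrade without throwing; the class and method names (`CipherOrderProbe`, `findCipherOrderSetter`, `applyHonorCipherOrder`) are hypothetical.

```java
import java.lang.reflect.Method;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added example (not Tomcat code). Class and method names are hypothetical.
public class CipherOrderProbe {

    /** Returns SSLParameters.setUseCipherSuitesOrder(boolean), or null on Java 7 and earlier. */
    static Method findCipherOrderSetter() {
        try {
            return SSLParameters.class.getMethod("setUseCipherSuitesOrder", boolean.class);
        } catch (NoSuchMethodException e) {
            return null; // the method was added in Java 8
        }
    }

    /**
     * Applies the requested server-preference setting when the runtime supports it.
     * Returns true if the requested behaviour is in effect, false if it cannot be enforced.
     */
    static boolean applyHonorCipherOrder(SSLEngine engine, boolean honor) throws Exception {
        Method setter = findCipherOrderSetter();
        if (setter == null) {
            // Without the setter, JSSE follows the client's preference order,
            // which is exactly what honor == false asks for.
            if (honor) {
                System.err.println("WARNING: server cipher order requested but this "
                        + "Java runtime cannot enforce it; client preference will be used");
            }
            return !honor;
        }
        SSLParameters params = engine.getSSLParameters();
        setter.invoke(params, honor);
        engine.setSSLParameters(params); // getSSLParameters() returns a copy; write it back
        return true;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side, where the ordering applies
        boolean effective = applyHonorCipherOrder(engine, false);
        System.out.println("java.version=" + System.getProperty("java.version")
                + " honorCipherOrder=false effective=" + effective);
    }
}
```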
Comment 1 Huxing Zhang 2016-03-22 06:49:23 UTC
Created attachment 33689
remove honorCipherOrder in SSLConfig configuration
Comment 2 Violeta Georgieva 2016-03-22 08:01:16 UTC
Hi,

Thanks for the report and the patch.
The fix will be available from 9.0.0.M5 and 8.5.1 onwards.

Regards,
Violeta
Comment 3 Huxing Zhang 2016-03-22 09:33:28 UTC
Hi Violeta,

Should this patch be applied to 9.0.0.x? My main concern is:
Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat will prefer a cipher suite that is blacklisted by HTTP/2. [1]

[1] http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/Http2UpgradeHandler.html
Comment 4 Violeta Georgieva 2016-03-22 09:39:36 UTC
(In reply to Huxing Zhang from comment #3)
> Hi Violeta,
> 
> Should this patch be applied to 9.0.0.x? My main concern is:
> Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat
> will prefer a cipher suite that is blacklisted by HTTP/2. [1]

Yep, you are right. I'll revert that in 9.0.0.x.

Thanks,
Violeta
 
> [1]
> http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/
> Http2UpgradeHandler.html
Comment 5 Christopher Schultz 2016-03-22 20:49:47 UTC
(In reply to Huxing Zhang from comment #3)
> Hi Violeta,
> 
> Should this patch be applied to 9.0.0.x? My main concern is:
> Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat
> will prefer a cipher suite that is blacklisted by HTTP/2.

If that cipher suite has been blacklisted by h2, then why are you specifying it in your cipher suites list, or why are you specifying it early in the list of supported cipher suites?
Comment 6 Huxing Zhang 2016-03-23 00:50:19 UTC
Hi,

I think specifying cipher suites is another solution, but it may be more complicated, because:
1) we don't know which HTTP version the client will use, HTTP/1.x over TLS or HTTP/2 over TLS
2) different clients may support different protocols, e.g. ECDHE-ECDSA-CHACHA20-POLY1305 is only supported by Chrome

You have to care about the cipher list, as well as the cipher order.
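
The ordering concern discussed in comments 3 to 6 can be checked mechanically. This is an added example, not Tomcat code and not from any commenter: it flags suites in a server-preference list that sit ahead of an HTTP/2-acceptable suite and proposes a stable reorder. It assumes JSSE (IANA) suite names, and `allowedByHttp2` is a heuristic for the principle behind the RFC 7540 Appendix A blacklist (ephemeral key exchange plus an AEAD cipher), not a copy of the list itself; all names in it are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not Tomcat code). Names are hypothetical; the classifier is a heuristic.
public class H2CipherOrderCheck {

    /** RFC 7540 Appendix A principle: ephemeral key exchange plus an AEAD cipher. */
    static boolean allowedByHttp2(String suite) {
        boolean ephemeral = suite.contains("_DHE_") || suite.contains("_ECDHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CCM")
                || suite.contains("CHACHA20_POLY1305");
        return ephemeral && aead;
    }

    /** Blacklisted suites that a server honouring its own order would pick before an allowed one. */
    static List<String> blacklistedAheadOfAllowed(List<String> ordered) {
        int lastAllowed = -1;
        for (int i = 0; i < ordered.size(); i++) {
            if (allowedByHttp2(ordered.get(i))) lastAllowed = i;
        }
        List<String> ahead = new ArrayList<>();
        for (int i = 0; i < lastAllowed; i++) {
            if (!allowedByHttp2(ordered.get(i))) ahead.add(ordered.get(i));
        }
        return ahead;
    }

    /** Stable reorder: HTTP/2-acceptable suites first, the rest kept for HTTP/1.x clients. */
    static List<String> http2First(List<String> ordered) {
        List<String> allowed = new ArrayList<>();
        List<String> rest = new ArrayList<>();
        for (String suite : ordered) {
            (allowedByHttp2(suite) ? allowed : rest).add(suite);
        }
        allowed.addAll(rest);
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample list in server preference order (JSSE names).
        List<String> configured = Arrays.asList(
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256");
        System.out.println("ahead of an h2 suite: " + blacklistedAheadOfAllowed(configured));
        System.out.println("suggested order: " + http2First(configured));
    }
}
```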