Bug 59209

Summary: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setUseCipherSuitesOrder during tomcat 8.5.0 start
Product: Tomcat 8
Reporter: Huxing Zhang <huxing.zhang>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 8.0.x-trunk
Target Milestone: ----
Hardware: All
OS: All
Attachments: remove honorCipherOrder in SSLConfig configuration

Description Huxing Zhang 2016-03-22 06:07:19 UTC
Steps to reproduce:
1. download tomcat 8.5.0 release candidate.
2. uncomment the following configuration:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig honorCipherOrder="false" >
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
3. adjust the certificate configurations
4. start tomcat

Observed result:
A NoSuchMethodException appeared in standard output.

22-Mar-2016 13:51:30.539 WARNING [main] org.apache.tomcat.util.IntrospectionUtils.setProperty IntrospectionUtils: InvocationTargetException for class org.apache.tomcat.util.net.SSLHostConfig honorCipherOrder=false)
 java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.tomcat.util.IntrospectionUtils.setProperty(IntrospectionUtils.java:126)
	at org.apache.tomcat.util.IntrospectionUtils.setProperty(IntrospectionUtils.java:47)
	at org.apache.tomcat.util.digester.SetPropertiesRule.begin(SetPropertiesRule.java:72)
	at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1188)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1363)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2786)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648)
	at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.UnsupportedOperationException: Java Runtime does not support "useServerCipherSuitesOrder". You must use Java 8 or later to use this feature.
	at org.apache.tomcat.util.net.SSLHostConfig.setHonorCipherOrder(SSLHostConfig.java:354)
	... 27 more
Caused by: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setUseCipherSuitesOrder(boolean)
	at java.lang.Class.getMethod(Class.java:1670)
	at org.apache.tomcat.util.net.SSLHostConfig.setHonorCipherOrder(SSLHostConfig.java:352)
	... 27 more

Suggested fix:

in conf/server.xml, remove honorCipherOrder="false" from the default configuration:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
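As an added illustration (not Tomcat's own code, and not part of the reporter's bug or patch), the following Java class performs the same runtime probe that the stack trace above shows SSLHostConfig.setHonorCipherOrder doing: a reflective Class.getMethod lookup of javax.net.ssl.SSLParameters.setUseCipherSuitesOrder(boolean), which only exists from Java 8 onwards. It applies the setting through reflection so that it compiles and runs on Java 7 as well, and it treats honorCipherOrder="false" on an old JRE as a no-op rather than a startup failure, since client-preference ordering is already the JRE default. The class name CipherOrderPreflight and the method names are hypothetical.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical class (added example, not Tomcat's SSLHostConfig). It reproduces
// the reflective probe seen in the stack trace so a deployment can check the
// JRE capability before server.xml is parsed.
public class CipherOrderPreflight {

    // The method SSLHostConfig.setHonorCipherOrder looks up; null on Java 7 and earlier.
    private static Method lookupSetUseCipherSuitesOrder() {
        try {
            return SSLParameters.class.getMethod("setUseCipherSuitesOrder", boolean.class);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    // true when the running JRE can honor the server's cipher suite order (Java 8+).
    public static boolean runtimeSupportsServerCipherOrder() {
        return lookupSetUseCipherSuitesOrder() != null;
    }

    // Applies honorCipherOrder to an engine. "true" needs the Java 8 API, so it
    // fails loudly on an older JRE; "false" is already the JRE default (client
    // preference), so on an older JRE it is simply skipped.
    public static SSLEngine apply(SSLEngine engine, boolean honorCipherOrder) {
        Method setter = lookupSetUseCipherSuitesOrder();
        if (setter == null) {
            if (honorCipherOrder) {
                throw new UnsupportedOperationException(
                        "honorCipherOrder=\"true\" requires Java 8 or later");
            }
            return engine; // JRE default already lets the client choose
        }
        SSLParameters params = engine.getSSLParameters();
        try {
            setter.invoke(params, honorCipherOrder); // boolean is autoboxed
        } catch (IllegalAccessException | InvocationTargetException e) {
            throw new IllegalStateException("could not set cipher suite order preference", e);
        }
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        System.out.println("Runtime supports server cipher order: "
                + runtimeSupportsServerCipherOrder());
        apply(engine, false);
        System.out.println("Engine configured; first enabled suite: "
                + engine.getEnabledCipherSuites()[0]);
    }
}
```

Run it with the same JRE that will start Tomcat: on Java 7 it reports `false` and still completes, which is the behaviour the suggested server.xml change aims for; on Java 8 the setting is applied through the real SSLParameters method.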
Comment 1 Huxing Zhang 2016-03-22 06:49:23 UTC
Created attachment 33689 [details]
remove honorCipherOrder in SSLConfig configuration
Comment 2 Violeta Georgieva 2016-03-22 08:01:16 UTC
Hi,

Thanks for the report and the patch.
The fix will be available from 9.0.0.M5 and 8.5.1 onwards.

Regards,
Violeta
Comment 3 Huxing Zhang 2016-03-22 09:33:28 UTC
Hi Violeta,

Should this patch be applied to 9.0.0.x? My main concern is:
Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat will prefer a cipher suite that is blacklisted by HTTP/2. [1]

[1] http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/Http2UpgradeHandler.html
Comment 4 Violeta Georgieva 2016-03-22 09:39:36 UTC
(In reply to Huxing Zhang from comment #3)
> Hi Violeta,
> 
> Should this patch be applied to 9.0.0.x? My main concern is:
> Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat
> will prefer a cipher suite that is blacklisted by HTTP/2. [1]

Yep, you are right. I'll revert that in 9.0.0.x.

Thanks,
Violeta
 
> [1] http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/Http2UpgradeHandler.html
Comment 5 Christopher Schultz 2016-03-22 20:49:47 UTC
(In reply to Huxing Zhang from comment #3)
> Hi Violeta,
> 
> Should this patch be applied to 9.0.0.x? My main concern is:
> Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat
> will prefer a cipher suite that is blacklisted by HTTP/2.

If that cipher suite has been blacklisted by h2, then why are you specifying it in your cipher suites list, or why are you specifying it early in the list of supported cipher suites?
Comment 6 Huxing Zhang 2016-03-23 00:50:19 UTC
Hi,

I think specifying cipher suites is another solution, but it may be more complicated, because:
1) we don't know what HTTP version the client will use, HTTP/1.x over TLS or HTTP/2 over TLS
2) different clients may support different protocols, e.g. ECDHE-ECDSA-CHACHA20-POLY1305 is only supported by Chrome

You have to care about the cipher list, as well as the cipher order.