Bug 45528 - Tomcat 5 fails to detect a matching certificate and stuck in an infinite loop
Status: RESOLVED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Connector:Coyote
Version: 5.5.26
Hardware: PC Windows XP
Importance: P2 major
Assigned To: Tomcat Developers Mailing List
Reported: 2008-08-03 04:22 UTC by Assaf Vizner
Modified: 2009-05-24 17:19 UTC (History)

Attachments:
The keystore I use (3.29 KB, application/octet-stream), 2008-08-03 04:22 UTC, Assaf Vizner
The server.xml I use with the connector of Http11Protocol (9.90 KB, text/plain), 2008-08-03 04:29 UTC, Assaf Vizner
The catalina log (3.90 KB, application/octet-stream), 2008-08-03 04:29 UTC, Assaf Vizner

Description Assaf Vizner 2008-08-03 04:22:43 UTC
Created attachment 22351 [details]
The keystore i use

I'm using apache-tomcat-6.0.16 with jdk1.6.0_06 (but it also occurred with jdk1.5.0_16).
I have a .keystore file which doesn't match the SSL definitions in the server.xml (wrong password).
Tomcat 4 handled it well: it was unable to connect to it, but the logs showed friendly messages and the server continued working fine.
However, in Tomcat 6, when I configured the connectors in the server.xml with default settings or as "org.apache.coyote.http11.Http11Protocol"
and started the service, Tomcat gets into an infinite loop which holds the CPU at 90% and keeps writing the following error to the catalina log:

*************************************************************************
03/08/2008 11:09:37 org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
                at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
                at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
                at java.lang.Thread.run(Thread.java:619)
*************************************************************************

When I configure the connectors to work with "org.apache.coyote.http11.Http11NioProtocol" the problem seems to disappear.
Comment 1 Assaf Vizner 2008-08-03 04:29:02 UTC
Created attachment 22352 [details]
The server.xml i use with the connector of Http11Protocol
Comment 2 Assaf Vizner 2008-08-03 04:29:53 UTC
Created attachment 22353 [details]
The catalina log
Comment 3 Mark Thomas 2008-08-10 10:27:40 UTC
This has been fixed in trunk and proposed for 5.5.x and 6.0.x.
Comment 4 Mark Thomas 2008-08-14 03:41:12 UTC
For the record, neither the alias nor the password appears to be the problem. The only way I could reproduce the loop of log messages was to take a valid, working SSL configuration and set a value for the ciphers attribute that was not compatible with the certificate Tomcat was using.
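The mismatch described in Comment 4 (a ciphers attribute that no key in the keystore can serve) is something an operator can check before starting the connector, rather than discovering it as a busy acceptor loop. The following pre-flight check is an added example, not Tomcat's code or anything attached to this report; it assumes a JKS keystore whose key password equals the store password, and it infers the key type a suite needs from the JSSE cipher-suite name.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

// Hypothetical pre-flight check (not Tomcat code): verify that every suite in the
// connector's "ciphers" attribute can be served by the private key under the given alias.
public class CipherKeyCheck {

    // Key algorithm a suite needs, or null when any key (or no key at all) will do.
    static String requiredKeyAlgorithm(String suite) {
        String s = suite.trim();
        if (s.contains("_anon_"))      return null;  // anonymous suites use no certificate
        if (s.contains("_ECDSA_"))     return "EC";  // TLS_ECDHE_ECDSA_*, TLS_ECDH_ECDSA_*
        if (s.startsWith("TLS_ECDH_")) return "EC";  // static ECDH needs an EC key even if the cert is RSA-signed
        if (s.contains("_DSS_"))       return "DSA"; // TLS_DHE_DSS_*
        if (s.contains("_RSA_"))       return "RSA"; // TLS_RSA_*, SSL_RSA_*, TLS_ECDHE_RSA_*, TLS_DHE_RSA_*
        return null;                                 // e.g. TLS 1.3 names carry no key type
    }

    // Suites from a comma-separated "ciphers" value that a key of algorithm keyAlg cannot serve.
    static List<String> incompatibleSuites(String keyAlg, String ciphers) {
        List<String> bad = new ArrayList<>();
        for (String suite : ciphers.split(",")) {
            String need = requiredKeyAlgorithm(suite);
            if (need != null && !need.equalsIgnoreCase(keyAlg)) bad.add(suite.trim());
        }
        return bad;
    }

    // usage: java CipherKeyCheck <keystore> <storepass> <alias> "<ciphers attribute value>"
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // Tomcat's default keystoreType
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());      // a wrong password fails here, loudly, before any accept loop
        }
        Key key = ks.getKey(args[2], args[1].toCharArray()); // assumption: key password == store password
        if (key == null) throw new IllegalStateException("no private key under alias " + args[2]);
        List<String> bad = incompatibleSuites(key.getAlgorithm(), args[3]);
        if (bad.isEmpty()) {
            System.out.println("OK: " + key.getAlgorithm() + " key serves every configured suite");
        } else {
            System.out.println("MISMATCH: " + key.getAlgorithm() + " key cannot serve " + bad);
            System.exit(1);
        }
    }
}
```

A non-zero exit from this check before deployment catches the configuration that Comment 4 found to trigger the loop, so the connector is never started against it.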
Comment 5 Mark Thomas 2008-08-20 16:23:22 UTC
The original patch was rejected. I have just proposed a reworked patch.
Comment 6 Mark Thomas 2008-09-06 13:06:54 UTC
The improved patch has been applied to 6.0.x and will be included in 6.0.19 onwards.
Comment 7 Mark Thomas 2009-05-24 17:19:40 UTC
This has been fixed in 5.5.x/4.1.x and will be included in 5.5.28 and 4.1.40 onwards.