Bug 60138 - protocol TLSV1.2 causes exception text sslUtilBase.noneSupported
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.5
Hardware: Other other
Importance: P2 major
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2016-09-14 23:38 UTC by Paul Scott
Modified: 2016-12-06 03:46 UTC



Description Paul Scott 2016-09-14 23:38:11 UTC
This problem seems to only occur on IBM z/OS with Tomcat 8.5.5. All other things equal, the problem does not exist with Tomcat 7.

First, with Tomcat 7, the connector is defined thusly:

    <Connector protocol="HTTP/1.1"
        clientAuth="false"
        connectionTimeout="20000"
        keystoreFile="conf/keystore.p12" keystorePass="password" keystoreType="pkcs12"
        maxThreads="150"
        maxPostSize="-1"
        port="55663"
        scheme="https" secure="true" SSLEnabled="true" sslEnabledProtocols="TLSv1.2" sslProtocol="TLS"
        URIEncoding="UTF-8" />

This works, and connections can be established using (and only using) TLSv1.2 protocol.

Now, all other things being equal, with Tomcat 8.5.5, the connector is defined thusly: 

    <Connector protocol="HTTP/1.1"
        connectionTimeout="20000"
        maxThreads="150"
        maxPostSize="-1"
        port="58789"
        scheme="https" secure="true" SSLEnabled="true"
        URIEncoding="UTF-8" >
        <SSLHostConfig certificateVerification="none" protocols="TLSv1.2" sslProtocol="TLS">
            <Certificate
                certificateKeystoreFile="conf/keystore.p12"
                certificateKeystorePassword="password"
                certificateKeystoreType="pkcs12"
            />
        </SSLHostConfig>
    </Connector>

This causes the following exception trace (and connections are not possible):

 SEVERE: Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58789"]
 java.lang.IllegalArgumentException: sslUtilBase.noneSupported
  at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:87)
  at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:54)
  at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:151)
  at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:91)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
  at java.lang.reflect.Method.invoke(Method.java:508)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)

Changing protocol="TLSv1.2" to protocol="TLSv1" avoids the exception and connections are made with TLSv1. TLSv1.1 and TLSv1.2 are conspicuously missing.

Again, I must stress that the underlying environment is identical in both cases, including environment variables, Java home directory, system properties specified at startup (-D), etc. The singular difference that I am aware of is moving from Tomcat 7 to Tomcat 8.
Comment 1 Mark Thomas 2016-09-20 13:08:17 UTC
It looks like we are mixing up default and supported protocols. I'm working on a fix.
Comment 2 Paul Scott 2016-09-20 18:36:24 UTC
Great news. Thank you! Looking forward to the fix so we can move forward.
Comment 3 Mark Thomas 2016-09-20 19:03:12 UTC
This has been fixed in the following branches:
- 9.0.x for 9.0.0.M11 onwards
- 8.5.x for 8.5.6 onwards
Comment 4 Paul Scott 2016-12-06 03:46:35 UTC
Verified fix in 8.5.6
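
The distinction named in comment 1, between the protocols a JSSE provider enables by default and the ones it supports, can be inspected directly on the affected JVM. The following is an added diagnostic, not code from Tomcat or from this bug report; the class name `ProtocolCheck` and the helper `intersect` are hypothetical, and the requested list mirrors `protocols="TLSv1.2"` from the connector in the description.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class ProtocolCheck {

    // Hypothetical helper: keep only the requested protocols present in 'available'.
    static List<String> intersect(List<String> requested, String[] available) {
        Set<String> avail = new LinkedHashSet<>(Arrays.asList(available));
        List<String> enabled = new ArrayList<>();
        for (String p : requested) {
            if (avail.contains(p)) {
                enabled.add(p);
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        // Same context name as sslProtocol="TLS" in the connector configuration.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, RNG

        // Protocols switched on when nothing is configured.
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        // Protocols the provider is able to negotiate at all.
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        // Assumption: mirrors protocols="TLSv1.2" from the report.
        List<String> requested = Arrays.asList("TLSv1.2");

        System.out.println("default   : " + Arrays.toString(defaults));
        System.out.println("supported : " + Arrays.toString(supported));

        List<String> vsDefault = intersect(requested, defaults);
        List<String> vsSupported = intersect(requested, supported);
        System.out.println("requested vs default   : " + vsDefault);
        System.out.println("requested vs supported : " + vsSupported);

        if (vsDefault.isEmpty() && !vsSupported.isEmpty()) {
            // Filtering against the default list would leave nothing to enable,
            // even though the provider can negotiate the requested protocol.
            System.out.println("Requested protocol is supported but not a default.");
        }
    }
}
```

Run it with the same Java home and `-D` system properties that Tomcat is started with, since those can change both lists.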