FULL PRODUCT VERSION :
java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b129)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b69, mixed mode)

java version "1.8.0"
Java(TM) SE Runtime Environment (build 1.8.0-b132)
Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
SunOS 7iv05-server-2 5.11 11.1 i86pc i386 i86pc

A DESCRIPTION OF THE PROBLEM :
Trying to access a locally installed Tomcat 8.0.3 instance via HTTPS using an SSL certificate doesn't work with Java 8 build 129 and 132; the browser only shows an error message indicating an SSL connection error. However, using the same Tomcat with Java 7u51 instead of Java 8 works.

See the discussion in the java.net forum:
https://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/problem-java-18-and-ssl

REGRESSION. Last worked in version 7u51

ADDITIONAL REGRESSION INFORMATION:
$ /usr/local/jdk/jdk1.7.0/bin/java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) Server VM (build 24.51-b03, mixed mode)

$ /usr/local/jdk/jdk1.7.0/bin/java -d64 -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create a certificate:

   $ keytool -genkeypair -alias tomcat -keyalg RSA
   $ keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr

2. Sign the request using my own CA:

   $ openssl ca -out tomcat.cer -policy policy_anything -days 3650 -infiles tomcat.csr

3. Import the root CA certificate and the signed certificate into the Tomcat user's keystore:

   $ keytool -import -alias root -trustcacerts -file <my-own-root-ca.crt>
   $ keytool -import -alias tomcat -file tomcat.cer

4. Install Tomcat 8.0.3 and enable the SSL connector as described in the docs, i.e. enable the following connector in <tomcat_home>/conf/server.conf:

   <Connector port="4443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
              keystoreFile="${user.home}/.keystore" keystorePass="changeit" />

5. Start Tomcat and try to access its web page via HTTPS (http://localhost:8443)

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The Tomcat welcome web page saying "If you're seeing this, you've successfully installed Tomcat. Congratulations!"

ACTUAL -
The web page can't be loaded because of an SSL connection error.

Firefox shows:
An error occurred during a connection to 7iv05-server-2.vkb.loc:8443. SSL received a record with an incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_read)

Google Chrome says:
SSL connection error

ERROR MESSAGES/STACK TRACES THAT OCCUR :
The file catalina.out in Tomcat's log folder contains the following stack trace:

07-Mar-2014 12:13:31.338 SEVERE [http-nio-8443-exec-15] org.apache.coyote.http11.AbstractHttp11Processor.process Error processing request
 java.lang.IllegalStateException: Must use either different key or iv for GCM encryption
	at com.oracle.security.ucrypto.NativeGCMCipher.engineDoFinal(NativeGCMCipher.java:359)
	at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:830)
	at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
	at javax.crypto.Cipher.doFinal(Cipher.java:2416)
	at sun.security.ssl.CipherBox.encrypt(CipherBox.java:396)
	at sun.security.ssl.EngineOutputRecord.write(EngineOutputRecord.java:300)
	at sun.security.ssl.EngineOutputRecord.write(EngineOutputRecord.java:225)
	at sun.security.ssl.EngineWriter.writeRecord(EngineWriter.java:186)
	at sun.security.ssl.SSLEngineImpl.writeRecord(SSLEngineImpl.java:1280)
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1251)
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1166)
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
	at org.apache.tomcat.util.net.SecureNioChannel.write(SecureNioChannel.java:498)
	at org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSelector.java:101)
	at org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.java:173)
	at org.apache.coyote.http11.InternalNioOutputBuffer.writeToSocket(InternalNioOutputBuffer.java:139)
	at org.apache.coyote.http11.InternalNioOutputBuffer.addToBB(InternalNioOutputBuffer.java:197)
	at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:41)
	at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:320)
	at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:118)
	at org.apache.coyote.http11.AbstractOutputBuffer.doWrite(AbstractOutputBuffer.java:257)
	at org.apache.coyote.Response.doWrite(Response.java:523)
	at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:391)
	at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:426)
	at org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:474)
	at org.apache.tomcat.util.buf.CharChunk.flushBuffer(CharChunk.java:393)
	at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:276)
	at org.apache.catalina.connector.Response.finishResponse(Response.java:409)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:557)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1015)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:652)
	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1575)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1533)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:744)

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Use Java 7u51 instead of Java 8.
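The exception at the top of the stack trace is not a random I/O failure: it is the JCE provider refusing to produce a second ciphertext under the same AES-GCM key and IV, which would be a catastrophic nonce reuse (it leaks the XOR of the two plaintexts and the GHASH authentication key). The program below is an added illustration written for this page; it is not code from the bug report, from Tomcat or from the JDK. It shows the per-record nonce construction a TLS 1.2 AES-GCM record layer uses (4-byte salt from the key block followed by an 8-byte explicit counter, as in RFC 5288), encrypts two records correctly by re-initialising the cipher with a fresh nonce each time, and then triggers the same guard by calling doFinal twice without re-initialising. The class name, key, salt, AAD bytes and record contents are constructed for the example; the exception text shown is what the SunJCE provider uses, the Solaris OracleUcrypto provider in the trace words it as "Must use either different key or iv for GCM encryption".

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not part of the bug report or of Tomcat/JDK code.
public class GcmNonceReuseDemo {

    // TLS 1.2 AES-GCM nonce (RFC 5288): implicit 4-byte salt || explicit 8-byte part.
    // The explicit part must never repeat under one key; the record sequence number
    // is the usual choice because it is already unique per record.
    static byte[] tlsNonce(byte[] salt, long seq) {
        ByteBuffer nonce = ByteBuffer.allocate(12);
        nonce.put(salt);
        nonce.putLong(seq);
        return nonce.array();
    }

    // The correct pattern: one init() with a fresh nonce per record.
    static byte[] encryptRecord(SecretKey key, byte[] nonce, byte[] aad, byte[] plaintext)
            throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(aad);
        return c.doFinal(plaintext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();          // constructed: stands in for the TLS write key
        byte[] salt = new byte[4];
        new SecureRandom().nextBytes(salt);        // constructed: stands in for the write IV salt
        byte[] aad = new byte[] {0x17, 0x03, 0x03}; // constructed: record type + version

        // Two records, sequence numbers 0 and 1, each with its own nonce: fine.
        byte[] rec0 = encryptRecord(key, tlsNonce(salt, 0L), aad,
                "first record".getBytes(StandardCharsets.UTF_8));
        byte[] rec1 = encryptRecord(key, tlsNonce(salt, 1L), aad,
                "second record".getBytes(StandardCharsets.UTF_8));
        System.out.println("record 0: " + rec0.length + " bytes, record 1: " + rec1.length + " bytes");

        // The guard behind the stack trace: after doFinal() has produced ciphertext,
        // the same Cipher object refuses a further doFinal() under the unchanged
        // key+IV until it is re-initialised with a different nonce.
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, tlsNonce(salt, 2L)));
        c.doFinal("record two".getBytes(StandardCharsets.UTF_8));
        try {
            c.doFinal("record three under the same key and IV".getBytes(StandardCharsets.UTF_8));
            System.out.println("WARNING: provider allowed GCM nonce reuse; do not use it for GCM");
        } catch (IllegalStateException e) {
            // SunJCE: "Must use either different key or iv for GCM encryption"
            System.out.println("nonce reuse rejected: " + e.getMessage());
        }
    }
}
```

Run it with `javac GcmNonceReuseDemo.java && java GcmNonceReuseDemo`. The useful check it gives a practitioner is the branch inside the try block: a provider that silently produces a second ciphertext there is one you must not pair with GCM. In the trace above the guard fired inside Tomcat's record write, i.e. the provider in use saw the same key and IV for two records, which is exactly the condition the guard exists to stop; the browser-side "incorrect Message Authentication Code" errors are the client's view of the truncated or malformed record that results.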