pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both shared and nonshared tomcat instances #1998

pki-bot · 2020-10-03T00:31:25Z

This issue was migrated from Pagure Issue #1438. Originally filed by mharmsen (@mharmsen) on 2015-06-22 18:34:52:

Closed as Fixed
Assigned to cfu (@cfu)
Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=1234638

This ticket is a consolidation of the following three tickets:

PKI TRAC Ticket 1426 - pkispawn of KRA on HSM fails on both shared and nonshared tomcat instances
PKI TRAC Ticket 1427 - pkispawn of OCSP on HSM fails on both shared and nonshared tomcat instances
PKI TRAC Ticket 1429 - pkispawn of TKS on HSM fails on both shared and nonshared tomcat instances

Example of failure from KRA ticket:

[root@sigma alias]# pkispawn -s KRA -f /tmp/kra_hsm_instance_nonshared.inf
Loading deployment configuration from /tmp/kra_hsm_instance_nonshared.inf.
Installing KRA into /var/lib/pki/rootkra.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/rootkra/kra/deployment.cfg.
Module "nfast" added to database.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token):
line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.cert
srv.base.PKIException","Code":500,"Message":"Failed to import certificate chain
from security domain master: java.io.IOException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938)
Encountered end of file."}

Installation failed.


KRA debug log has the following messages:
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: === Security Domain Panel ===
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Joining existing security domain
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Resolving security domain
URLhttps://sigma.lab.eng.rdu.redhat.com:30042
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Getting security domain cert
chain
[16/Jun/2015:14:06:58][http-bio-31242-exec-3]: getHttpResponse:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938)
Encountered end of file.
com.netscape.certsrv.base.PKIException: Failed to import certificate chain from
security domain master: java.io.IOException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938)
Encountered end of file.
        at org.dogtagpki.server.rest.SystemConfigService.getCertChainFromSecuri
tyDomain(SystemConfigService.java:952)
        at org.dogtagpki.server.rest.SystemConfigService.logIntoSecurityDomain(
SystemConfigService.java:927)
        at org.dogtagpki.server.rest.SystemConfigService.configureSecurityDomai
n(SystemConfigService.java:886)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig
Service.java:149)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig
Service.java:117)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
ssorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resourc
eMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI
nvoker.java:234)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI
nvoker.java:221)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp
atcher.java:356)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp
atcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher
.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv
ice(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv
ice(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App
licationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application
FilterChain.java:208)
        at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App
licationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application
FilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapper
Valve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContext
Valve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentic
atorBase.java:501)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVa
lve.java:116)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHtt
p11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process
(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoi
nt.java:314)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskT
hread.java:61)
        at java.lang.Thread.run(Thread.java:745)

The text was updated successfully, but these errors were encountered:

pki-bot · 2020-10-03T00:31:27Z

Comment from mharmsen (@mharmsen) at 2015-06-22 23:57:09

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1234638 (Red Hat Certificate System)

pki-bot · 2020-10-03T00:31:28Z

Comment from edewata (@edewata) at 2015-06-23 20:25:38

Per discussion with cfu, a new deployment config parameter should be added to select the initial cipher set (RSA or ECC).

pki-bot · 2020-10-03T00:31:28Z

Comment from cfu (@cfu) at 2015-06-23 22:34:15

there is an existing pki_ssl_server_key_type which can be used.

pki-bot · 2020-10-03T00:31:29Z

Comment from cfu (@cfu) at 2015-06-30 03:51:44

The SSL_ForceHandshake failed issue has a workaround.

The workaround is the following: Edit the CA's server.xml: replace the sslRangeCiphers value with the following:

sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"

I will provide the actual fix in code in due time.

pki-bot · 2020-10-03T00:31:30Z

Comment from cfu (@cfu) at 2015-07-01 22:44:44

pushed to master:
commit 7c1af7f

pki-bot · 2020-10-03T00:31:31Z

Comment from mharmsen (@mharmsen) at 2017-02-27 14:00:02

Metadata Update from @mharmsen:

Issue assigned to cfu
Issue set to the milestone: 10.2.6

pki-bot added the Closed: Fixed label Oct 3, 2020

pki-bot added this to the 10.2.6 milestone Oct 3, 2020

pki-bot closed this as completed Oct 3, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both shared and nonshared tomcat instances #1998

pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both shared and nonshared tomcat instances #1998

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both shared and nonshared tomcat instances #1998

pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both shared and nonshared tomcat instances #1998

Comments

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020

pki-bot commented Oct 3, 2020