#1438 pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both shared and nonshared tomcat instances
Closed: Fixed None Opened 9 years ago by mharmsen.

This ticket is a consolidation of the following three tickets:

Example of failure from KRA ticket:

[root@sigma alias]# pkispawn -s KRA -f /tmp/kra_hsm_instance_nonshared.inf
Loading deployment configuration from /tmp/kra_hsm_instance_nonshared.inf.
Installing KRA into /var/lib/pki/rootkra.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/rootkra/kra/deployment.cfg.
Module "nfast" added to database.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500
Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token):
line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.cert
srv.base.PKIException","Code":500,"Message":"Failed to import certificate chain
from security domain master: java.io.IOException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938)
Encountered end of file."}

Installation failed.


KRA debug log has the following messages:
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: === Security Domain Panel ===
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Joining existing security domain
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Resolving security domain
URLhttps://sigma.lab.eng.rdu.redhat.com:30042
[16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Getting security domain cert
chain
[16/Jun/2015:14:06:58][http-bio-31242-exec-3]: getHttpResponse:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938)
Encountered end of file.
com.netscape.certsrv.base.PKIException: Failed to import certificate chain from
security domain master: java.io.IOException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938)
Encountered end of file.
        at org.dogtagpki.server.rest.SystemConfigService.getCertChainFromSecuri
tyDomain(SystemConfigService.java:952)
        at org.dogtagpki.server.rest.SystemConfigService.logIntoSecurityDomain(
SystemConfigService.java:927)
        at org.dogtagpki.server.rest.SystemConfigService.configureSecurityDomai
n(SystemConfigService.java:886)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig
Service.java:149)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig
Service.java:117)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
ssorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resourc
eMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI
nvoker.java:234)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI
nvoker.java:221)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp
atcher.java:356)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp
atcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher
.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv
ice(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv
ice(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App
licationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application
FilterChain.java:208)
        at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App
licationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application
FilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapper
Valve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContext
Valve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentic
atorBase.java:501)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVa
lve.java:116)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHtt
p11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process
(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoi
nt.java:314)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskT
hread.java:61)
        at java.lang.Thread.run(Thread.java:745)

Per discussion with cfu, a new deployment config parameter should be added to select the initial cipher set (RSA or ECC).

there is an existing pki_ssl_server_key_type which can be used.

The SSL_ForceHandshake failed issue has a workaround.

The workaround is the following: Edit the CA's server.xml: replace the sslRangeCiphers value with the following:

sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"

I will provide the actual fix in code in due time.

pushed to master:
commit 7c1af7f7dac89363c7923802ec759ccb84813bfb

Metadata Update from @mharmsen:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1998

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Log in to comment on this ticket.

Metadata