
I have to debug an SSL handshake on Tomcat (OS: MS Windows), so I followed the instructions found on the web and enabled it with the following line in setenv.bat:

set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl"

With Apache Tomcat/9.0.0.M21 everything works fine: when I open the page in my browser I can see the handshake on the command line.

With Apache Tomcat/9.0.0.M22 I can only see which certificates are being loaded on startup, but after that, when I call the server from the browser, no more output is generated on the command line.

The only difference I could find is that the ProtocolHandler differs between those versions:

  • Apache Tomcat/9.0.0.M21 uses ProtocolHandler ["https-jsse-nio-8083"]
  • Apache Tomcat/9.0.0.M22 uses ProtocolHandler ["https-openssl-nio-8083"]

Is there anything additional I have to do to enable SSL handshake debugging?

This is my Connector configured in server.xml:

    <Connector port="8083" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreFile="<Path to Keystore>"
               keystorePass="<KeystorePW>" />
HarleyDavidson
  • In your catalina log, you should see a line containing "finished startup in" with the time it took to start the process. Can you check this first? Then we know if the start is finished. – Eugène Adell Feb 08 '18 at 07:46
  • Yes I can see that line. org.apache.catalina.startup.Catalina.start Server startup in 453 ms Server acts and responds completely normal. – HarleyDavidson Feb 08 '18 at 08:21
  • Did you try running M22 with M21's server.xml (or even copying the whole conf directory)? – Eugène Adell Feb 08 '18 at 08:47
  • Yes, I completely adjusted all settings (settings.xml, logging.properties, setenv.bat, etc.) so that the only difference between these two Tomcats is the version. – HarleyDavidson Feb 08 '18 at 10:26

1 Answer


Try forcing JSSE use by adding sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" in your Connector. For some reason it's detecting APR and trying to use OpenSSL, which is not working. You might file a bug or ask on the Tomcat users mailing list, but 9.0.0 was a development release.

Eugène Adell
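As an added example (not configuration from the original question or answer), here is the asker's Connector from the question with the sslImplementationName attribute from the answer added. The javax.net.debug property is read by the JDK's own JSSE provider, so the handshake trace is only produced while JSSE handles the TLS connection; when Tomcat selects the OpenSSL-backed engine, the JDK never processes the handshake and there is nothing for it to print. The keystore placeholders are the question's own and must be replaced with real values.

```xml
<!-- Added example: the question's Connector, pinned to the JSSE engine
     via the attribute suggested in the answer. -->
<Connector port="8083" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="<Path to Keystore>"
           keystorePass="<KeystorePW>" />
```

After restarting Tomcat, the check is the startup log: the ProtocolHandler line should once again read ["https-jsse-nio-8083"] rather than ["https-openssl-nio-8083"], and the -Djavax.net.debug=ssl output from setenv.bat should resume for each browser connection.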