
On Windows Server 2008, Tomcat 7.0.37 and JRE 7 update 21 run fine with client authentication using the following server.xml file entry:

<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="conf/mvkey.ks"
           keystorePass="maxview"
           truststoreFile="c:/program files/java/jre7/lib/security/cacerts"
           truststorePass="changeit"
           truststoreType="JKS"
           crlFile="conf/mvca.crl"/>

After upgrading to JRE 7 update 40, I can no longer bring up the Tomcat main page at: https://mymachine.mydomain.com:8443

I see the same error when using JRE 7 update 40 and Tomcat 7.0.42.

There is no HTTP error code. The error message displayed is: Internet Explorer cannot display the webpage

The Tomcat7 service starts.

If client authentication is turned off, the main page will operate.

I don't see any relevant error messages in the Tomcat logs.

What steps can I take to shed more light on the issue to determine the root cause?

Eric

1 Answer


I wonder if it's to do with some of the crypto changes in Update 40: RSA keys < 1024 bits have been disabled.

From the release notes:

http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html#newft

Default X.509 Certificates Have Longer Key Length

Starting from 7u40, the use of X.509 certificates with RSA keys less than 1024 bits in length is restricted. This restriction is applied via the Java Security property, jdk.certpath.disabledAlgorithms. The default value of jdk.certpath.disabledAlgorithms is now as follows:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

In order to avoid the compatibility issue, users who use X.509 certificates with RSA keys less than 1024 bits are recommended to update their certificates with stronger keys. As a workaround, at their own risk, users can adjust the key size to permit smaller key sizes through the security property jdk.certpath.disabledAlgorithms.

A quick diff in $JAVA_HOME/jre/lib/security/java.security shows:

$ diff java.security /opt/jdk1.7.0_21/jre/lib/security/java.security

149,152c149,150
<                com.sun.org.apache.xml.internal.security.,\
<                com.sun.org.glassfish.,\
<                org.jcp.xml.dsig.internal.,\
<                oracle.jrockit.jfr.
---
>                com.sun.org.glassfish.
>
186,189c184,185
<                    com.sun.org.apache.xml.internal.security.,\
<                    com.sun.org.glassfish.,\
<                    org.jcp.xml.dsig.internal.,\
<                    oracle.jrockit.jfr.
---
>                    com.sun.org.glassfish.
>
402c398
< jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
---
> jdk.certpath.disabledAlgorithms=MD2

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Strange that there are no logs indicating what is wrong.

gm3dmo
  • In the java.security file, restoring the entry to just jdk.certpath.disabledAlgorithms=MD2 resolved the problem. – Eric Nov 27 '13 at 12:59
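The following Python script is an added example and is not code from the question, the answer, or Oracle. It parses the jdk.certpath.disabledAlgorithms syntax quoted above (plain "ALG" entries and "ALG keySize OP N" entries, the only forms the release notes show) and checks a constructed certificate chain against both the pre-7u40 and the 7u40 default values, so that the weak link in a chain can be located before the property is loosened. The chain (a client certificate issued by a 512-bit "mvca" CA) is an assumption made up for illustration, not something the page establishes about Eric's setup; the real JDK validator performs further checks beyond this matching rule.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample values: the 7u40 default quoted in the answer's diff of
# java.security, and the pre-7u40 default that it replaced.
DISABLED_7U40 = "MD2, RSA keySize < 1024"
DISABLED_7U21 = "MD2"

# One entry is either "ALG" (algorithm disabled outright) or
# "ALG keySize OP N" (disabled only for key sizes matching the comparison).
_ENTRY_RE = re.compile(
    r"^(?P<alg>[A-Za-z0-9_.-]+)"
    r"(?:\s+keySize\s*(?P<op><=|>=|==|!=|<|>)\s*(?P<size>\d+))?$"
)
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_disabled_algorithms(value: str) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """Parse a jdk.certpath.disabledAlgorithms value into (ALG, op, size) tuples.

    Only the plain-algorithm and keySize forms shown on this page are handled;
    anything else raises instead of being silently ignored."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY_RE.match(raw)
        if m is None:
            raise ValueError("unsupported constraint syntax: %r" % raw)
        size = m.group("size")
        entries.append((m.group("alg").upper(), m.group("op"),
                        int(size) if size else None))
    return entries


def is_disabled(constraints, algorithm: str, key_size: Optional[int] = None) -> bool:
    """True if `algorithm` (optionally with a `key_size`-bit key) hits a constraint."""
    for alg, op, size in constraints:
        if alg != algorithm.upper():
            continue
        if op is None:  # algorithm disabled regardless of key size
            return True
        if key_size is not None and _OPS[op](key_size, size):
            return True
    return False


def find_rejected(chain, constraints) -> List[Tuple[str, str]]:
    """For each (label, sig_hash, key_alg, key_bits) certificate in a chain, report
    why the certpath validator would reject it under `constraints`."""
    rejected = []
    for label, sig_hash, key_alg, key_bits in chain:
        if is_disabled(constraints, sig_hash):
            rejected.append((label, "signature digest %s is disabled" % sig_hash))
        elif is_disabled(constraints, key_alg, key_bits):
            rejected.append((label, "%d-bit %s key is disabled" % (key_bits, key_alg)))
    return rejected


# Constructed chain (hypothetical, not from the question): a client certificate
# issued by an in-house CA that still uses a 512-bit RSA key.
SAMPLE_CHAIN = [
    ("client cert CN=user1", "SHA1", "RSA", 2048),
    ("issuing CA CN=mvca (hypothetical)", "SHA1", "RSA", 512),
]

if __name__ == "__main__":
    for name, value in (("7u21 default", DISABLED_7U21), ("7u40 default", DISABLED_7U40)):
        hits = find_rejected(SAMPLE_CHAIN, parse_disabled_algorithms(value))
        print(name, "->", hits or "chain accepted")
```

To feed it real data, read the key size of every certificate in the server keystore, the truststore and the client's chain (`keytool -list -v -keystore conf/mvkey.ks`, or `openssl x509 -text -noout` on an exported certificate) and put those sizes into the chain list; a hit on the 7u40 default but not on the 7u21 default is the certificate to reissue, which is the fix the release notes recommend over reverting the property.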