Description of problem:

The NIO connector is configured as:

<connector name="https" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl" key-alias="jboss" password="password" certificate-key-file="/path/to/server.jks"/>
</connector>

After upgrading the JDK to 1.8.0_201, the connector no longer works and logs the following error:

15:22:00,510 INFO [stdout] (http-127.0.0.1:8443-Acceptor) Using SSLEngineImpl.
15:22:00,547 INFO [stdout] (http-127.0.0.1:8443-3) Allow unsafe renegotiation: false
15:22:00,547 INFO [stdout] (http-127.0.0.1:8443-3) Allow legacy hello messages: true
15:22:00,547 INFO [stdout] (http-127.0.0.1:8443-3) Is initial handshake: true
15:22:00,547 INFO [stdout] (http-127.0.0.1:8443-3) Is secure renegotiation: false
15:22:00,548 INFO [stdout] (http-127.0.0.1:8443-3) No available cipher suite for TLSv1
15:22:00,548 INFO [stdout] (http-127.0.0.1:8443-3) No available cipher suite for TLSv1.1
15:22:00,548 INFO [stdout] (http-127.0.0.1:8443-3) No available cipher suite for TLSv1.2
15:22:00,548 INFO [stdout] (http-127.0.0.1:8443-3) http-127.0.0.1:8443-3, fatal error: 40: Couldn't kickstart handshaking
15:22:00,548 INFO [stdout] (http-127.0.0.1:8443-3) javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
15:22:00,549 INFO [stdout] (http-127.0.0.1:8443-3) http-127.0.0.1:8443-3, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
15:22:00,549 INFO [stdout] (http-127.0.0.1:8443-3) http-127.0.0.1:8443-3, WRITE: TLSv1.2 Alert, length = 2
15:22:00,549 INFO [stdout] (http-127.0.0.1:8443-3) http-127.0.0.1:8443-3, called closeOutbound()
15:22:00,549 INFO [stdout] (http-127.0.0.1:8443-3) http-127.0.0.1:8443-3, closeOutboundInternal()
15:22:00,551 INFO [stdout] (http-127.0.0.1:8443-3) [Raw write]: length = 7
15:22:00,552 INFO [stdout] (http-127.0.0.1:8443-3) 0000: 15 03 03 00 02 02 28 ......(
Since JDK 1.8.0_201, TLS anon and NULL cipher suites are disabled [1].

$JAVA_HOME/jre/lib/security/java.security:
----------------------------------------------------------------------------
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL     <<== anon and NULL are added
----------------------------------------------------------------------------

This has a side effect on the NIO connector. In org.apache.tomcat.util.net.jsse.NioJSSESocketChannelFactory, RFC_5746_SUPPORTED is only set to true when "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" is found in the cipher suite list, so if that pseudo cipher suite is disabled, RFC_5746_SUPPORTED = false.

NioJSSESocketChannelFactory.java (lines 114-117 and 135):
-------------------------------------------------------------------------------
            if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
                result = true;
                break;
            }
...
        RFC_5746_SUPPORTED = result;
-------------------------------------------------------------------------------

If RFC_5746_SUPPORTED is false, the following code is executed:

NioJSSESocketChannelFactory.java (lines 223-226):
-------------------------------------------------------------------------------
        if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) {
            // Prevent further handshakes by removing all cipher suites
            engine.setEnabledCipherSuites(new String[0]);
        }
-------------------------------------------------------------------------------

This leads to:

server.log:
-------------------------------------------------------------------------------
13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) No available cipher suite for TLSv1
13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) No available cipher suite for TLSv1.1
13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) No available cipher suite for TLSv1.2
-------------------------------------------------------------------------------

Finally, SSL handshake initiation fails:

server.log:
-------------------------------------------------------------------------------
13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) http-127.0.0.1:8443-4, fatal error: 40: Couldn't kickstart handshaking
-------------------------------------------------------------------------------

We have two workarounds. The first is enabling legacy renegotiation, but that is a really bad idea. The second is re-enabling the NULL cipher suites by changing $JAVA_HOME/jre/lib/security/java.security:
-------------------------------------------------------------------------------
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon     <<== remove NULL
-------------------------------------------------------------------------------
However, that is also not a good idea (though better than enabling legacy renegotiation).

[1] https://www.oracle.com/technetwork/java/javase/8u201-relnotes-5209271.html
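The following diagnostic is an added example, not JBoss Web or Tomcat code (the class and method names are mine). It reports whether TLS_EMPTY_RENEGOTIATION_INFO_SCSV is still offered by the running JDK under its jdk.tls.disabledAlgorithms, and then reproduces the failed kickstart on a server-mode SSLEngine whose cipher suite list has been emptied, which is the code path the connector takes when RFC_5746_SUPPORTED is false. It assumes a JDK 8 JSSE and no special keystore configuration.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocketFactory;

/** Added diagnostic for the RFC 5746 SCSV check; class name is an assumption. */
public class Rfc5746ScsvCheck {
    static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    /** Same test the connector's static initializer applies to its cipher suite list. */
    static boolean containsScsv(String[] suites) {
        return Arrays.asList(suites).contains(SCSV);
    }

    /**
     * Mirrors engine.setEnabledCipherSuites(new String[0]) followed by the
     * connector's beginHandshake(). Returns the failure text, or null on success.
     */
    static String kickstartWithEmptySuites(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);              // server side, as in the NIO connector
        engine.setEnabledCipherSuites(new String[0]); // what the connector does when RFC 5746 is "unsupported"
        try {
            engine.beginHandshake();
            return null;
        } catch (SSLException e) {                   // expected: "Couldn't kickstart handshaking"
            Throwable cause = e.getCause();
            return e.getMessage() + (cause != null ? " / " + cause.getMessage() : "");
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);                  // default key/trust managers suffice for this check
        SSLServerSocketFactory ssf = ctx.getServerSocketFactory();

        boolean rfc5746Supported = containsScsv(ssf.getDefaultCipherSuites());
        System.out.println("SCSV in default cipher suites   = " + rfc5746Supported);
        System.out.println("SCSV in supported cipher suites = " + containsScsv(ssf.getSupportedCipherSuites()));
        System.out.println(rfc5746Supported
            ? "RFC_5746_SUPPORTED would be true: the connector keeps its cipher suites."
            : "RFC_5746_SUPPORTED would be false: the connector empties the cipher suites and every handshake fails.");
        System.out.println("beginHandshake() with emptied suites -> " + kickstartWithEmptySuites(ctx));
    }
}
```

Run it with the same JDK the server uses; if the SCSV is missing from the default suites, the last line shows the same "Couldn't kickstart handshaking" / "No appropriate protocol" pair that appears in server.log above.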