Closed ovcrash closed 2 months ago
Hi, I also think that the OIDC configuration/function doesn't use the https.proxy setting in the .env file. I can't confirm, but I suspect that also.
I can confirm with the next release we're moving to Tomcat 10, which defaults to TLS 1.2+.
Let me check with the team on the rest of this and get back to you.
Is there a way to configure Tomcat 9x to use TLS 1.2?
But I also think that is not the only problem, if that is a problem.
Maybe, the OIDC part doesn't use the httpProxy settings. I suspect this pretty much. Because when we hit the web proxy, it's clearly coming in transparent mode.
The current release supports TLS 1.2 but does not force it. You may be able to disable older ciphers by modifying the container but I would not recommend it. Keep in mind modifying any of the configuration while the container is running would likely not take effect, and if the main process is restarted the container may believe it is unhealthy and recreate it, nullifying any configuration changes.
We anticipate the release being out this week, I'd advise waiting for it. Afterwards I should have an answer on the httpProxy setting and its implications.
Any pre-release I can try?
We don't make pre-releases public but I will bump this thread when the release is out.
I have updated to the latest release, and got the same error. I will try to get logs and put them here.
2023-04-20 19:12:46,242 ERROR [com.sra.vectr.auth.web.service.IdentityProviderService] - Stack trace: vectr-tomcat_1 | org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:190) ~[pac4j-oidc-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:48) ~[pac4j-oidc-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:33) ~[pac4j-core-5.7.0.jar:?] vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.tryInitClient(IdentityProviderService.java:318) ~[classes/:?] vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.validateClientConfiguration(IdentityProviderService.java:171) ~[classes/:?] vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.reloadProviderIntoPac4j(IdentityProviderService.java:155) ~[classes/:?] vectr-tomcat_1 | at com.sra.vectr.auth.web.service.IdentityProviderService.reloadProviderConfiguration(IdentityProviderService.java:132) ~[classes/:?] vectr-tomcat_1 | at com.sra.vectr.auth.web.api.v1.resources.IdentityProviderResource.reloadConfiguration(IdentityProviderResource.java:71) ~[classes/:?] vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?] vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?] vectr-tomcat_1 | at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?] vectr-tomcat_1 | at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?] 
vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:207) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:152) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:118) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:884) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1081) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:974) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1011) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:914) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:563) ~[servlet-api.jar:6.0] vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.0.7.jar:6.0.7] vectr-tomcat_1 | at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:631) ~[servlet-api.jar:6.0] vectr-tomcat_1 | at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-websocket.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at com.sra.vectr.libs.servlet.filters.CharacterSetFilter.doFilter(CharacterSetFilter.java:15) ~[servlet-filters.jar:?] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at com.sra.vectr.libs.servlet.filters.CacheControlFilter.doFilter(CacheControlFilter.java:42) ~[servlet-filters.jar:?] 
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at com.sra.vectr.auth.web.filters.GenericRequestFilter.doFilterInternal(GenericRequestFilter.java:33) ~[classes/:?] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at 
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.0.2.jar:6.0.2] vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) 
~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:124) ~[spring-boot-3.0.5.jar:3.0.5] vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:99) ~[spring-boot-3.0.5.jar:3.0.5] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:117) ~[spring-boot-3.0.5.jar:3.0.5] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.7.jar:6.0.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-jakarta-web-2.19.0.jar:2.19.0] vectr-tomcat_1 | at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:166) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:676) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341) ~[catalina.jar:10.1.7] vectr-tomcat_1 | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:894) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1664) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at 
org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1219) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeWriteCompletionHandler.completed(SecureNio2Channel.java:120) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeWriteCompletionHandler.completed(SecureNio2Channel.java:113) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at sun.nio.ch.Invoker.invokeUnchecked(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.Invoker.invokeDirect(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.UnixAsynchronousSocketChannelImpl.implWrite(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.AsynchronousSocketChannelImpl.write(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.AsynchronousSocketChannelImpl.write(Unknown Source) ~[?:?] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:300) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:221) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1641) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1219) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:103) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:96) ~[tomcat-coyote.jar:10.1.7] vectr-tomcat_1 | at sun.nio.ch.Invoker.invokeUnchecked(Unknown Source) ~[?:?] 
vectr-tomcat_1 | at sun.nio.ch.Invoker$2.run(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(Unknown Source) ~[?:?] vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:10.1.7] vectr-tomcat_1 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:10.1.7] vectr-tomcat_1 | at java.lang.Thread.run(Unknown Source) ~[?:?] vectr-tomcat_1 | Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.handleEOF(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?] 
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6] vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6] vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?] vectr-tomcat_1 | ... 136 more vectr-tomcat_1 | Caused by: java.io.EOFException: SSL peer shut down incorrectly vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.read(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.readHeader(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.decode(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLTransport.decode(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?] vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?] 
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6] vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6] vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?] vectr-tomcat_1 | ... 136 more
Seems to point to an SSL error. So I'm guessing that it points to a certificate error.
Is there a way to add a certificate authority into the store that Tomcat/Java uses to communicate with the AzureAD endpoint?
You'll need to add your CA (the entire chain if using intermediate certs) to the JVM's trust store in the vectr-tomcat container.
We do not support custom CA certs and do not have any plans on doing so. If you go down this route, you'll be on your own. Feel free to ask for help on our Discord channel. One thing to keep in mind however is that modifications to a container are temporary.
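For reading traces like the one posted above, a small triage helper (an added example, not part of the thread or of VECTR's code): it walks the `Caused by:` chain of a docker-compose-prefixed Java stack trace, classifies the TLS failure by its JSSE message, and reports which library frame opened the connection. The first sample is a shortened copy of the trace above; the second is constructed, and the category names and hint texts are this example's own.

```python
import re

# "vectr-tomcat_1 | " style prefix that docker-compose puts before each log line.
PREFIX = re.compile(r"(?:^|\s)[\w.-]+_\d+\s+\|\s+")
# "pkg.SomeException: message", optionally led by "Caused by: ".
EXC = re.compile(r"^(?:Caused by: )?((?:[\w$]+\.)+[\w$]*(?:Exception|Error))(?:: (.*))?$")
FRAME = re.compile(r"^at ([\w.$<>]+)\(")

JDK = ("java.", "javax.", "jdk.", "sun.")
# JDK classes that only appear when the JVM itself is the HTTPS client.
OUTBOUND = ("sun.net.www.protocol.https.", "sun.net.www.protocol.http.",
            "jdk.internal.net.http.")

# (message fragments, category, hint). Categories and hints are this example's own.
RULES = [
    (("PKIX path building failed", "unable to find valid certification path"),
     "untrusted-issuer",
     "The JVM received a certificate chain it could not validate against its trust store."),
    (("Remote host terminated the handshake", "SSL peer shut down incorrectly"),
     "peer-closed-handshake",
     "The peer closed the connection during the handshake; a local trust-store "
     "rejection would report 'PKIX path building failed' instead."),
    (("No appropriate protocol", "protocol_version"),
     "protocol-mismatch",
     "No TLS protocol version is enabled on both sides."),
    (("handshake_failure",),
     "handshake-alert",
     "The peer sent a handshake_failure alert (no acceptable parameters)."),
]

# Shortened copy of the trace in this thread (most frames left out), kept on one
# line the way the page shows it.
SAMPLE_LOG = (
    "2023-04-20 19:12:46,242 ERROR [com.sra.vectr.auth.web.service.IdentityProviderService] - Stack trace: "
    "vectr-tomcat_1 | org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake "
    "vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:190) ~[pac4j-oidc-5.7.0.jar:?] "
    "vectr-tomcat_1 | Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake "
    "vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.handleEOF(Unknown Source) ~[?:?] "
    "vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?] "
    "vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6] "
    "vectr-tomcat_1 | ... 136 more "
    "vectr-tomcat_1 | Caused by: java.io.EOFException: SSL peer shut down incorrectly "
    "vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.read(Unknown Source) ~[?:?]"
)

# Constructed sample (not from the thread): what an untrusted issuer looks like.
PKIX_LOG = """vectr-tomcat_1 | javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
vectr-tomcat_1 | at sun.security.ssl.Alert.createSSLException(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?]
"""


def parse_chain(log):
    """Return the exception chain, outermost first, each with its frames."""
    chain = []
    for chunk in PREFIX.split(log):
        chunk = chunk.strip()
        exc = EXC.match(chunk)
        if exc:
            chain.append({"type": exc.group(1), "message": exc.group(2) or "", "frames": []})
            continue
        frame = FRAME.match(chunk)
        if frame and chain:
            chain[-1]["frames"].append(frame.group(1))
    return chain


def triage(log):
    """Classify the innermost recognisable TLS failure in a stack trace."""
    chain = parse_chain(log)
    if not chain:
        return None
    category, hint = "unclassified", "No rule matched; read the chain manually."
    for exc in reversed(chain):  # innermost cause first
        hit = next(((c, h) for needles, c, h in RULES
                    if any(n in exc["message"] for n in needles)), None)
        if hit:
            category, hint = hit
            break
    frames = [f for exc in reversed(chain) for f in exc["frames"]]
    return {
        "root": chain[-1]["type"],
        "category": category,
        "hint": hint,
        # True when the JVM was acting as HTTPS client, not as the Tomcat listener.
        "outbound": any(f.startswith(OUTBOUND) for f in frames),
        # First non-JDK frame: the library that opened the connection.
        "caller": next((f for f in frames if not f.startswith(JDK)), None),
    }


if __name__ == "__main__":
    for name, log in (("thread trace", SAMPLE_LOG), ("constructed PKIX", PKIX_LOG)):
        print(name, triage(log))
```

On the shortened trace from this thread it reports `peer-closed-handshake`, an outbound connection, and `com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream` as the caller.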
Describe the bug
We are using the AzureAD OIDC integration. This integration needs to access the well-known endpoint to get configuration information. We are behind a web proxy for internet connection. We have used this help to set the web proxy in the env file (https://github.com/SecurityRiskAdvisors/VECTR/issues/163). The problem we have is that we are using SSL inspection, and the certificate used is an internal certificate from our CA. We get an SSL error.
Expected behavior
Configure proxy settings in the java options. Add certificate in trusted certs. Communication to the AzureAD OIDC should work.
Logs
2023-04-04 12:42:58,372 ERROR [com.sra.auth.web.service.IdentityProviderService] - Stack trace: vectr-tomcat_1 | org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:190) ~[pac4j-oidc-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:48) ~[pac4j-oidc-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:56) ~[pac4j-core-5.7.0.jar:?] vectr-tomcat_1 | at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:33) ~[pac4j-core-5.7.0.jar:?] vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.tryInitClient(IdentityProviderService.java:318) ~[classes/:?] vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.validateClientConfiguration(IdentityProviderService.java:171) ~[classes/:?] vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.reloadProviderIntoPac4j(IdentityProviderService.java:155) ~[classes/:?] vectr-tomcat_1 | at com.sra.auth.web.service.IdentityProviderService.reloadProviderConfiguration(IdentityProviderService.java:132) ~[classes/:?] vectr-tomcat_1 | at com.sra.auth.web.api.v1.resources.IdentityProviderResource.reloadConfiguration(IdentityProviderResource.java:71) ~[classes/:?] vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?] vectr-tomcat_1 | at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?] vectr-tomcat_1 | at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?] vectr-tomcat_1 | at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?] 
vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205) ~[spring-web-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150) ~[spring-web-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1071) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:964) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:528) ~[servlet-api.jar:4.0.FR] vectr-tomcat_1 | at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.23.jar:5.3.23] vectr-tomcat_1 | at javax.servlet.http.HttpServlet.service(HttpServlet.java:596) 
~[servlet-api.jar:4.0.FR]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-websocket.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at com.sra.purpletools.servlet.filters.CharacterSetFilter.doFilter(CharacterSetFilter.java:15) ~[sra-purpletools-servlet.jar:?]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at com.sra.purpletools.servlet.filters.CacheControlFilter.doFilter(CacheControlFilter.java:42) ~[sra-purpletools-servlet.jar:?]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at com.sra.auth.web.filters.GenericRequestFilter.doFilterInternal(GenericRequestFilter.java:33) ~[classes/:?]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:337) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:126) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:81) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:109) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:149) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:103) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:221) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186) ~[spring-security-web-5.7.5.jar:5.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) ~[spring-boot-2.7.5.jar:2.7.5]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.23.jar:5.3.23]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-web-2.17.2.jar:2.17.2]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.73]
vectr-tomcat_1 | at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2156) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:9.0.73]
vectr-tomcat_1 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.73]
vectr-tomcat_1 | at java.lang.Thread.run(Unknown Source) ~[?:?]
vectr-tomcat_1 | Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.handleEOF(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | ... 121 more
vectr-tomcat_1 | Caused by: java.io.EOFException: SSL peer shut down incorrectly
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.read(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.readHeader(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketInputRecord.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLTransport.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.decode(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) ~[?:?]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
vectr-tomcat_1 | at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:187) ~[pac4j-oidc-5.7.0.jar:?]
vectr-tomcat_1 | ... 121 more
Question: Which cacerts file does Tomcat use? Are there security settings to change to use TLS 1.2 and above? Should any other settings be changed to correctly use a web proxy that does SSL inspection?
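The trace above fails inside `HttpsURLConnection`, which takes its trust store, TLS protocol list and proxy route from the JVM defaults. The following diagnostic is an added example, not VECTR's code and not part of the original post; the class name `TlsProxyCheck` and the `idp.example.com` URL are placeholders, and it assumes a Java 9+ runtime layout and that it is run with the same JVM and system properties as the Tomcat process.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Added diagnostic: reports the JVM's trust store, TLS protocols and proxy route for one HTTPS URL. */
public class TlsProxyCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder discovery URL; pass the real one as the first argument.
        URI target = URI.create(args.length > 0 ? args[0]
                : "https://idp.example.com/.well-known/openid-configuration");

        // 1. Trust store: javax.net.ssl.trustStore wins, else jssecacerts, else cacerts.
        String override = System.getProperty("javax.net.ssl.trustStore");
        Path sec = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path store = override != null ? Paths.get(override)
                : Files.exists(sec.resolve("jssecacerts")) ? sec.resolve("jssecacerts")
                : sec.resolve("cacerts");
        System.out.println("Trust store      : " + store + (Files.exists(store) ? "" : " (missing)"));

        // 2. Protocol versions the default client context offers in its ClientHello.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("Client protocols : " + Arrays.toString(params.getProtocols()));

        // 3. Route the JVM selects for this URL (driven by https.proxyHost / https.proxyPort).
        System.out.println("https.proxyHost  : " + System.getProperty("https.proxyHost"));
        List<Proxy> route = ProxySelector.getDefault().select(target);
        System.out.println("Selected route   : " + route);

        // 4. Handshake the way HttpsURLConnection does, then show who issued the peer cert.
        HttpsURLConnection conn = (HttpsURLConnection) target.toURL().openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            conn.connect();
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("Cipher suite     : " + conn.getCipherSuite());
            System.out.println("Peer cert issuer : " + leaf.getIssuerX500Principal());
        } catch (SSLException e) {
            System.out.println("Handshake failed : " + e);
        } finally {
            conn.disconnect();
        }
    }
}
```

A route of `DIRECT` where a proxy is expected means the JVM was never given `https.proxyHost`. An issuer naming the inspection proxy's CA means that CA certificate has to be present in the reported trust store.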