Open edewata opened 3 years ago
Server startup log:
Started PKI Tomcat Server pki-tomcat.
Java virtual machine used: /usr/share/java-utils/java-wrapper
classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
main class used: org.apache.catalina.startup.Bootstrap
flags used: -Dcom.redhat.fips=false
options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
arguments used: start
+ JAVACMD=/usr/lib/jvm/java-1.8.0-openjdk/bin/java
+ JAVACMD_OPTS=' -agentpath:/usr/lib/abrt-java-connector/libabrt-java-connector.so=abrt=on,'
+ unset _JP_JAVACMD
+ unset _JP_JAVACMD_OPTS
+ exec /usr/lib/jvm/java-1.8.0-openjdk/bin/java -agentpath:/usr/lib/abrt-java-connector/libabrt-java-connector.so=abrt=on, -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
INFO: JSSListener: Initializing JSS
FINE: CryptoManager: loading JSS library
FINE: CryptoManager: loaded JSS library from /usr/lib64/jss/libjss4.so
FINE: Loaded org.mozilla.jss.provider.java.security.JSSMessageDigestSpi$SHA1@7f77e91b
FINE: Loaded RSA
INFO: JSS CryptoManager: successfully initialized from NSS database at /var/lib/pki/pki-tomcat/alias
FINE: JSSImplementation: instance created
FINE: JSSImplementation: getSSLUtil()
FINE: JSSImplementation: key alias: HSM:sslserver
FINE: JSSImplementation: keystore provider: Mozilla-JSS
FINE: JSSImplementation: key manager alg: SunX509
FINE: JSSImplementation: truststore alg: PKIX
FINE: JSSImplementation: truststore provider: Mozilla-JSS
FINE: JSSUtil: getImplementedProtocols()
FINE: JSSContext(null)
FINE: JSSContext.init(...)
FINE: JSSContextSpi.engineInit(null, null, null)
FINE: JSSContext.createSSLEngine()
FINE: JSSContextSpi.engineCreateSSLEngine()
FINE: JSSEngine: constructor()
FINE: JSSEngine: setKeyManager(null)
FINE: JSSEngine: setKeyManagers([null])
FINE: JSSEngine: getSupportedProtocols()
FINE: JSSEngine: getSupportedProtocol - Supported: TLS_1_0
FINE: JSSEngine: getSupportedProtocol - Supported: TLS_1_1
FINE: JSSEngine: getSupportedProtocol - Supported: TLS_1_2
FINE: JSSEngine: getSupportedProtocol - Supported: TLS_1_3
FINE: JSSEngine: getSupportedCipherSuites()
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_RSA_WITH_AES_128_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_RSA_WITH_AES_256_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_RSA_WITH_AES_128_CBC_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_RSA_WITH_AES_256_CBC_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_RSA_WITH_AES_128_GCM_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_RSA_WITH_AES_256_GCM_SHA384
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_FALLBACK_SCSV
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_AES_128_GCM_SHA256
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_AES_256_GCM_SHA384
FINE: JSSEngine: getSupportedCipherSuites() - Supported: TLS_CHACHA20_POLY1305_SHA256
FINE: JSSUtil: getLog()
FINE: The [protocols] that are active are : [[TLSv1, TLSv1.3, TLSv1.2, TLSv1.1]]
FINE: JSSUtil: isTls13RenegAuthAvailable()
FINE: JSSUtil: getImplementedCiphers()
FINE: JSSUtil: getLog()
FINE: The [ciphers] that are active are : [[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]]
FINE: Some of the specified [ciphers] are not supported by the SSL engine and have been skipped: [[TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_PSK_DHE_WITH_AES_256_CCM_8, TLS_DHE_PSK_WITH_AES_256_CCM, TLS_DHE_RSA_WITH_AES_256_CCM_8, TLS_DHE_RSA_WITH_AES_256_CCM, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, TLS_SRP_SHA_WITH_AES_256_CBC_SHA, TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_PSK_WITH_AES_256_CBC_SHA, TLS_DHE_PSK_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DH_RSA_WITH_AES_256_CBC_SHA256, TLS_DH_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384, TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, TLS_PSK_WITH_AES_256_CCM_8, TLS_PSK_WITH_AES_256_CCM, TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_256_GCM_SHA384, TLS_PSK_WITH_AES_256_CBC_SHA, TLS_PSK_WITH_CHACHA20_POLY1305_SHA256, TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, TLS_PSK_WITH_ARIA_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_PSK_DHE_WITH_AES_128_CCM_8, TLS_DHE_PSK_WITH_AES_128_CCM, TLS_DHE_RSA_WITH_AES_128_CCM_8, TLS_DHE_RSA_WITH_AES_128_CCM, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, TLS_SRP_SHA_WITH_AES_128_CBC_SHA, TLS_AES_128_CCM_8_SHA256, TLS_AES_128_CCM_SHA256, TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_PSK_WITH_AES_128_CBC_SHA, TLS_DHE_PSK_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DH_RSA_WITH_AES_128_CBC_SHA256, TLS_DH_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256, TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, 
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_PSK_WITH_AES_128_CCM_8, TLS_PSK_WITH_AES_128_CCM, TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_128_GCM_SHA256, TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, TLS_PSK_WITH_ARIA_128_GCM_SHA256]]
FINE: JSSUtil: instance created
FINE: JSSUtil createSSLContextInternal(...) keyAlias=HSM:sslserver
FINE: JSSContext(HSM:sslserver)
FINE: JSSUtil: getKeyManagers()
FINE: JSSUtil: getTrustManagers()
FINE: JSSContext.init(...)
FINE: JSSContextSpi.engineInit([Ljavax.net.ssl.KeyManager;@236e3f4e, [Ljavax.net.ssl.TrustManager;@3cc1435c, null)
FINE: JSSContext.getServerSessionContext()
FINE: JSSContextSpi.engineGetServerSessionContext() - not implemented
INFO: PKIAuthenticator: Creating SSLAuthenticatorWithFallback
FINE: PKIAuthenticator: Setting container
FINE: PKIAuthenticator: Initializing authenticators
FINE: PKIAuthenticator: Starting authenticators
INFO: PKIListener: Subsystem CA is running.
Server connection log:
FINE: JSSContext.createSSLEngine()
FINE: JSSContextSpi.engineCreateSSLEngine()
FINE: JSSEngine: constructor()
FINE: JSSEngine: setKeyManager(org.mozilla.jss.provider.javax.crypto.JSSTokenKeyManager)
FINE: JSSEngine: setTrustManagers(
FINE: - org.mozilla.jss.provider.javax.crypto.JSSNativeTrustManager
FINE: )
FINE: JSSKeyManager: getPrivateKey(HSM:sslserver)
FINE: JSSEngine.setUseClientMode(false)
FINE: JSSEngine: setEnabledProtocols(
FINE: TLSv1,
FINE: TLSv1.3,
FINE: TLSv1.2,
FINE: TLSv1.1,
FINE: )
FINE: JSSEngine: setEnabledProtocols()
FINE: JSSEngine: getEnabledCipherSuites()
FINE: JSSEngine: getEnabledProtocols()
FINE: JSSEngine: setEnabledProtocols()
FINE: JSSEngine.setWantClientAuth(true)
FINE: JSSEngine.setNeedClientAuth(false)
FINE: JSSEngine: getSession()
FINE: JSSEngine: getSession()
FINE: JSSEngine: getSession()
FINE: JSSEngine: getSession()
FINE: JSSEngine: beginHandshake()
FINE: JSSEngine: init()
FINE: JSSEngine: createBuffers()
FINE: JSSEngine: createBufferFD()
SEVERE: Error running socket processor
java.lang.RuntimeException: Unable to configure certificate and key on model SSL PRFileDesc proxy: SEC_ERROR_NO_MEMORY (-8173)
at org.mozilla.jss.ssl.javax.JSSEngine.getServerTemplate(JSSEngine.java:993)
at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.createBufferFD(JSSEngineReferenceImpl.java:322)
at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.init(JSSEngineReferenceImpl.java:252)
at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.beginHandshake(JSSEngineReferenceImpl.java:634)
at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:348)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:175)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1568)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
FINE: JSSEngine: closeOutbound()
FINE: JSSEngine: wrap(ssl_fd=null)
FINE: JSSEngine: beginHandshake()
FINE: JSSEngine: init()
FINE: JSSEngine: createBuffers()
FINE: JSSEngine: createBufferFD()
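The startup and connection logs above carry two things a defender would want to pull out automatically when triaging a PKI server: the TLS configuration that JSS actually activated (the log shows TLSv1 and TLSv1.1 among the active protocols, alongside CBC suites) and the NSS error name and code behind the handshake failure (SEC_ERROR_NO_MEMORY, -8173). The following parser is an added example written for this page; it is not code from the issue or from the JSS or Dogtag PKI projects. It assumes only the log line formats visible above, and its sample input is a constructed abbreviation of those lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines from the JSS/Tomcat startup and
# connection logs in this report, trimmed to the ones the checks consume.
SAMPLE_LOG = """\
FINE: JSSImplementation: key alias: HSM:sslserver
FINE: The [protocols] that are active are : [[TLSv1, TLSv1.3, TLSv1.2, TLSv1.1]]
FINE: The [ciphers] that are active are : [[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_AES_256_GCM_SHA384]]
FINE: JSSEngine.setWantClientAuth(true)
FINE: JSSEngine.setNeedClientAuth(false)
SEVERE: Error running socket processor
java.lang.RuntimeException: Unable to configure certificate and key on model SSL PRFileDesc proxy: SEC_ERROR_NO_MEMORY (-8173)
\tat org.mozilla.jss.ssl.javax.JSSEngine.getServerTemplate(JSSEngine.java:993)
"""

# TLS 1.0 and 1.1 are deprecated by RFC 8996; flag them if JSS activated them.
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# "The [protocols] that are active are : [[a, b, c]]" and the same shape for [ciphers].
ACTIVE_RE = re.compile(r"The \[(protocols|ciphers)\] that are active are : \[\[(.*?)\]\]")
# NSS error as JSS prints it: SYMBOLIC_NAME (numeric code), e.g. SEC_ERROR_NO_MEMORY (-8173).
NSS_ERR_RE = re.compile(r"((?:SEC|SSL)_ERROR_[A-Z0-9_]+) \((-?\d+)\)")
KEY_ALIAS_RE = re.compile(r"key alias: (\S+)")


@dataclass
class JssReport:
    key_alias: Optional[str] = None
    protocols: List[str] = field(default_factory=list)
    ciphers: List[str] = field(default_factory=list)
    nss_errors: List[Tuple[str, int]] = field(default_factory=list)

    def uses_hsm_key(self) -> bool:
        # JSS prefixes the alias with the token name; "HSM:" is the token in this report.
        return self.key_alias is not None and self.key_alias.startswith("HSM:")

    def deprecated_protocols(self) -> List[str]:
        return [p for p in self.protocols if p in DEPRECATED_PROTOCOLS]

    def cbc_ciphers(self) -> List[str]:
        return [c for c in self.ciphers if "_CBC_" in c]


def parse_jss_log(text: str) -> JssReport:
    """Extract key alias, active protocols/ciphers and NSS errors from JSS log text."""
    report = JssReport()
    for line in text.splitlines():
        m = KEY_ALIAS_RE.search(line)
        if m and report.key_alias is None:
            report.key_alias = m.group(1)
        m = ACTIVE_RE.search(line)
        if m:
            items = [x.strip() for x in m.group(2).split(",") if x.strip()]
            if m.group(1) == "protocols":
                report.protocols = items
            else:
                report.ciphers = items
        m = NSS_ERR_RE.search(line)
        if m:
            report.nss_errors.append((m.group(1), int(m.group(2))))
    return report


def findings(report: JssReport) -> List[str]:
    """Human-readable triage findings derived from a parsed report."""
    out = []
    if report.deprecated_protocols():
        out.append("deprecated protocols active: " + ", ".join(report.deprecated_protocols()))
    if report.cbc_ciphers():
        out.append("CBC cipher suites active: " + ", ".join(report.cbc_ciphers()))
    for name, code in report.nss_errors:
        where = "HSM-backed key " + report.key_alias if report.uses_hsm_key() else "server key"
        out.append(f"NSS error {name} ({code}) while configuring {where}")
    return out


if __name__ == "__main__":
    for line in findings(parse_jss_log(SAMPLE_LOG)):
        print(line)
```

Feeding the real journal output (for example `journalctl -u pki-tomcatd@pki-tomcat` piped into the script) instead of the constructed sample gives the same three classes of findings; the numeric NSS code is kept alongside the symbolic name because older NSS builds print only one of the two.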
JSS is unable to create an SSL connection using a certificate in SoftHSM.
Steps to reproduce:
Actual result: The SSL connection fails due to a handshake failure. The server generates the following stack trace in the systemd journal.
Expected result: The SSL connection should not fail.
Note: To remove the SoftHSM token: