Tomcat and openSSL
Hi all, I'm new to this list and although I read the instructions on how to use the list, I'd like to apologize in advance if I ever misuse the list! - |Question| - I'm currently working on security with Apache Tomcat and openssl under Windows 2000. I'd like to set up Tomcat to be able to use it with SSL. I installed openssl on Windows and I'm now trying to create a CA and certificates. How am I exactly supposed to configure Tomcat and how does it relate to openssl? Did I even need to download openssl in the first place? Instructions on the web are unclear and several relate to older versions of Tomcat. (I'm running Tomcat 5.0.25). Thanks to all, David. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat and openSSL
I would recommend using Apache to handle the ssl connections for you. I've been using apache as the ssl connection point in our production environment and using mod_jk to send things on to tomcat. I had tried using the ssl connector bundled with tomcat, but after awhile, it just seemed to reach a point where it no longer served up web pages. Perhaps it was just a config thing... At any rate, if you've already got apache ssl working correctly, you just have to add a line to your conf file: Before: Files ~ \.(cgi|shtml|phtml?)$ SSLOptions +StdEnvVars /Files After: Files ~ \.(cgi|shtml|jsp|phtml|php3?)$ SSLOptions +StdEnvVars /Files Good Luck! - Dan - Hi all, I'm new to this list and although I read the instructions on how to use the list, I'd like to apologize in advance if I ever misuse the list! - |Question| - I'm currently working on security with Apache Tomcat and openssl under Windows 2000. I'd like to set up Tomcat to be able to use it with SSL. I installed openssl on Windows and I'm now trying to create a CA and certificates. How am I exactly supposed to configure Tomcat and how does it relate to openssl? Did I even need to download openssl in the first place? Instructions on the web are unclear and several relate to older versions of Tomcat. (I'm running Tomcat 5.0.25). Thanks to all, David. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
AW: Tomcat and openSSL
I'm currently working on the same thing, (Solaris: Apache, SSL, Tomcat, mod_jk...), and found while reading BUILDING this part for configure - options for mod_jk: --enable-EAPI This parameter is needed when using Apache-1.3 and mod_ssl, otherwise you will get the error message: this module might crash under EAPI! when loading libjk.so in httpd. Don't know if by W2K there is similar flag needed. Good Luck -Ursprüngliche Nachricht- Von: Daniel J. Obregon [mailto:[EMAIL PROTECTED] Gesendet am: Dienstag, 20. Juli 2004 14:50 An: Tomcat Users List Betreff: Re: Tomcat and openSSL I would recommend using Apache to handle the ssl connections for you. I've been using apache as the ssl connection point in our production environment and using mod_jk to send things on to tomcat. I had tried using the ssl connector bundled with tomcat, but after awhile, it just seemed to reach a point where it no longer served up web pages. Perhaps it was just a config thing... At any rate, if you've already got apache ssl working correctly, you just have to add a line to your conf file: Before: Files ~ \.(cgi|shtml|phtml?)$ SSLOptions +StdEnvVars /Files After: Files ~ \.(cgi|shtml|jsp|phtml|php3?)$ SSLOptions +StdEnvVars /Files Good Luck! - Dan - Hi all, I'm new to this list and although I read the instructions on how to use the list, I'd like to apologize in advance if I ever misuse the list! - |Question| - I'm currently working on security with Apache Tomcat and openssl under Windows 2000. I'd like to set up Tomcat to be able to use it with SSL. I installed openssl on Windows and I'm now trying to create a CA and certificates. How am I exactly supposed to configure Tomcat and how does it relate to openssl? Did I even need to download openssl in the first place? Instructions on the web are unclear and several relate to older versions of Tomcat. (I'm running Tomcat 5.0.25). Thanks to all, David. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: HTTPS support for tomcat using openSSL with Client Authentication
First of all did u try without tomcat? [EMAIL PROTECTED] wrote: Still I am looking in to it. If you have any idea please let me know. Regards saravanan -Original Message- From: Anbu [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 17, 2004 7:38 PM To: Tomcat Users List Subject: Re: HTTPS support for tomcat using openSSL with Client Authentication Hello Saravanan, Have you got the answer you wanted ? Anbu [EMAIL PROTECTED] wrote: Hi All, I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work,however I was able to get the https working with clientAuth=false in tomcat's configuration file server.xml file. http://marc.theaimsgroup.com/?l=tomcat-user m=106293430225790w=2 I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system. Please let me know If I am doing something wrong? Thanks Regards csaravanan Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam
RE: HTTPS support for tomcat using openSSL with Client Authentication
Hi I got the answer and its working too. saravanan -Original Message- From: Anbu [mailto:[EMAIL PROTECTED] Sent: Thursday, March 18, 2004 7:17 PM To: Tomcat Users List Subject: RE: HTTPS support for tomcat using openSSL with Client Authentication First of all did u try without tomcat? [EMAIL PROTECTED] wrote: Still I am looking in to it. If you have any idea please let me know. Regards saravanan -Original Message- From: Anbu [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 17, 2004 7:38 PM To: Tomcat Users List Subject: Re: HTTPS support for tomcat using openSSL with Client Authentication Hello Saravanan, Have you got the answer you wanted ? Anbu [EMAIL PROTECTED] wrote: Hi All, I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work,however I was able to get the https working with clientAuth=false in tomcat's configuration file server.xml file. http://marc.theaimsgroup.com/?l=tomcat-user m=106293430225790w=2 I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system. Please let me know If I am doing something wrong? Thanks Regards csaravanan Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: HTTPS support for tomcat using openSSL with Client Authentication
Hello Saravanan, Have you got the answer you wanted ? Anbu [EMAIL PROTECTED] wrote: Hi All, I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work,however I was able to get the https working with clientAuth=false in tomcat's configuration file server.xml file. http://marc.theaimsgroup.com/?l=tomcat-user m=106293430225790w=2 I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system. Please let me know If I am doing something wrong? Thanks Regards csaravanan Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam
RE: HTTPS support for tomcat using openSSL with Client Authentication
Still I am looking in to it. If you have any idea please let me know. Regards saravanan -Original Message- From: Anbu [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 17, 2004 7:38 PM To: Tomcat Users List Subject: Re: HTTPS support for tomcat using openSSL with Client Authentication Hello Saravanan, Have you got the answer you wanted ? Anbu [EMAIL PROTECTED] wrote: Hi All, I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work,however I was able to get the https working with clientAuth=false in tomcat's configuration file server.xml file. http://marc.theaimsgroup.com/?l=tomcat-user m=106293430225790w=2 I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system. Please let me know If I am doing something wrong? Thanks Regards csaravanan Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. Do you Yahoo!? Yahoo! Mail - More reliable, more storage, less spam Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
HTTPS support for tomcat using openSSL with Client Authentication
Hi All, I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work,however I was able to get the https working with clientAuth=false in tomcat's configuration file server.xml file. http://marc.theaimsgroup.com/?l=tomcat-user http://marc.theaimsgroup.com/?l=tomcat-userm=106293430225790w=2 m=106293430225790w=2 I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system. Please let me know If I am doing something wrong? Thanks Regards csaravanan Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments.
Apache 2.0.47 + Tomcat 4.1.27 + OpenSSL 0.9.7b on Win2k
Hello, Has anyone tried/build a working configuration of these components working together using JK (1)? Does JK (1) still work with the newer stuff? If so, how or where could i get the information? Thanks, Jay
RE: Apache 2.0.47 + Tomcat 4.1.27 + OpenSSL 0.9.7b on Win2k
Jay, Try going to http://hunter.campbus.com or for an archive of stuff try http://tor.ath.cx/~hunter/apache/. Chris aka 'Hunter' (the person behind it all) has compiled many win32 apache servers with SSL enabled. Hope this gets you where you want to be. Stuart -Original Message- From: Jay Garala [mailto:[EMAIL PROTECTED] Sent: 13 August 2003 23:36 To: Tomcat User (E-mail) Subject: Apache 2.0.47 + Tomcat 4.1.27 + OpenSSL 0.9.7b on Win2k Hello, Has anyone tried/build a working configuration of these components working together using JK (1)? Does JK (1) still work with the newer stuff? If so, how or where could i get the information? Thanks, Jay - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
Hi Peter, Thanks for your reply. We can all use a day off now and then :-) In the meantime I have cracked the nut...! Yes, really!! Last night I succeeded in sending a self-generated certificate from IE to Tomcat that was verified and accepted and let me in on the site. I still have to sort out the exact chain of events that led to this discovery, and will mail them to you and the list once I've got them in correct order. Here are some hints though: In retrospect, I did make some mistakes along the way, such as installing my private self-issued certificate in the IE keystore WITHOUT the private key. In other words, I installed the certificate by converting it into DER format, and then importing it into IE. Wrong! What you MUST do is to combine both the certificate AND the private key into a PKCS#12 format (using openssl pkcs12), and then install that in IE. Once I did that it worked. This was apparently the reason for the SSL handshake failure that we both have seen. You should verify if this solves your problem too. NB. To install other peoples certificates, as well as CA and server certificates, one should still only install the certificate in DER format, WITHOUT the key. Particularly for your own CA certificate ;-) However other things I did prior to that may have attributed to the process too, this is what I need to sort out. One thing I found was that IE does not like keys longer than 1024 bits. I experimented with 512 bit keys right before I succeeded, so that may have left some files in a different order. Of other noteworthy observations: you MUST use your own CA certificate to sign EVERYTHING (server + clients), AND the CA certificate should be installed in the Tomcat JKS keystore (used for client cert validation), AND the CA cert should also be in the trusted CA's file under JRE (used for client cert selection in IE). A tricky part is to create a keyEntry certificate in the JKS keystore for Tomcat; if you just create your own key + cert and install that in the keystore using keytool, it will show up as a trustedCertEntry, because the private key is not imported. So, you actually start out by creating the JKS certificate following the guidelines for keytool, then you create a CERTREQ using keytool, and then you sign that request using your own CA cert. Finally you import the signed cert back into the keystore (this is the only time keytool allows you to import a certificate which already exists in the keystore!), and voila! you have a self-CA-signed cert for Tomcat. (If you know of ways to import a private key for en existing certificate in a JKS please let me know.) Hope these intial comments helps. Otherwise stay tuned for the HOW-TO :-) Regards - Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] Peter Werno To: Henrik Schultz [EMAIL PROTECTED] [EMAIL PROTECTED]cc: m Subject: Re: Tomcat 4 - OpenSSL - IE client certificate works partially 02-07-2002 20:30 Hello Henrik, sorry for not getting back to you, I had a day off :-) I will try to change the Server-Certificate to a real (ca-issued) certificate tomorrow and let you know if it works. I have previously used Apache as the webserver and mod_webapp to publish my Web-Applications through to the user. This has always worked fine, however, I have never tried with anything else than a real cert in this configuration. If you would like to try Apache, I can recommend the mod_ssl - documentation, it is very detailed on how to set up Apache for SSL. Regards, Peter -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
The problem with homemade digital certificates generated with the Keytool is that they are self signed, then IExplorer and other browsers does not trust them and does not let you use it for user authentication. However if you make your own CA using openssl and you generates server and client certificates you will see that it works. You have only to add your new CA on the trusted group for IExplorer (similar with other browsers). When you make a connection to a secure server, it returns data about in which CAs it will accepct (which CA, means which client digital certificates signed with the given CAs) You can also use Thawte test certificates (client server) but it is the same if you use openssl as I describe above. Please, send me your howto and I will take a look :) By the way If you use Apache as frontend your setup will work better and faster and you will be able to make load balance ;) Henrik Schultz wrote: Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :- IE tells me: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks. So the question to the list is: how would I go by diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat? Thanks for any input or advice you might have! PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
Peter wrote: this pretty much sounds like the same problem I was experiencing and posted earlier today. Sadly, your link below only gives hints on how to intall a SERVER certificate, but not on how to configure everything to ask for a CLIENT cert. This is what I found too. However, the ImportKey program sounds like a nifty little thing that could come in handy. Thanks for the link Schwarz! The few other responses I got to my first posting were along the same lines, so for the sake of making sure everybody understands this correctly, let me reiterate: This is about CLIENT certificates. Apparently Tomcat gives up mysteriously when receiving a home-made certificate (perhaps the thread dies or something), but in any case the connection is quietly closed with no trace or log messages to be found anywhere. I have exactly the same problem where the initial handshake with the exchange of the SERVER cert is just fine, but then the connection breaks leaving you with absolutely NO LOG-entry as to why it broke Ok, so I'm not the only having this problem, that's assuring... somehow ;-) So far, I was only able to get an error-message out of Netscape (6.x) saying unknown SSL Error -12227 I tried to use NS too to find out more, but I had some problems with the firewall I'm behind to get to my server, so I never got to it. Unknown SSL error ... Hmm! Would it make sense to post this on the tomcat-development-list? I think so. Regardless of why our own certificates does not work, it is highly problematic that there are no trace of what goes wrong anywhere. Do you have experience in this, or do you have the FAQ handy? I've never tried this myself, but one time has to be the first I guess :-) Regards - Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: Tomcat 4 - OpenSSL - IE client certificate works partially
I don't know if this applies to Apache Tomcat, but Apache Web Server does not like IE certs. There was an article in Eweek that talked about how Apache follows the standard, and Microsoft (as usual) innovated in regards to SSL, TLS, etc. So that Internet Explorer does work quite right with Apache Web Server. This might be what you are seeing. Verisign must have broken their certs to work with both IIS and Apache. Adam Greene ROMulin Group Inc 885 Main St, Suite 16 Moncton, NB E1C 1G5 Ph: (506) 863-1014 x4 Fx: (506) 854-6886 http://www.romulin.com/ -Original Message- From: Henrik Schultz [mailto:[EMAIL PROTECTED]] Sent: Monday, July 01, 2002 11:43 AM To: tomcat-user Subject: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :- IE tells me: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks. So the question to the list is: how would I go by diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat? Thanks for any input or advice you might have! PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: Tomcat 4 - OpenSSL - IE client certificate works partially
I would absolutely love a HOW-TO. I have a project that is going to require certs for security. I will ultimately have to use a Verisign or Thawte cert, but I can certainly test with the homemade ones. Also, have you tried to get Netscape or Mozilla to work?? Adam Greene ROMulin Group Inc 885 Main St, Suite 16 Moncton, NB E1C 1G5 Ph: (506) 863-1014 x4 Fx: (506) 854-6886 http://www.romulin.com/ -Original Message- From: Henrik Schultz [mailto:[EMAIL PROTECTED]] Sent: Monday, July 01, 2002 11:43 AM To: tomcat-user Subject: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :- IE tells me: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks. So the question to the list is: how would I go by diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat? Thanks for any input or advice you might have! PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: Tomcat 4 - OpenSSL - IE client certificate works partially
You could also use a temporary Verisign certificate to test with, which is what I have done so far. No, I did not try Netscape myself due to a proxy issue, but someone else on th list did that, and that came up with a strange error: unknown SSL Error -12227 Have still no clue what this is. At least NS is saying something, contrary to IE that just gives me that bloody Page cannot be displayed. When I've gotten it all to work I'll write up a HOW-TO. Promise. Enough people have been struggling with this now for way too long. Regards - Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] Adam Greene To: Tomcat Users List [EMAIL PROTECTED] agreene@romulicc: n.com Subject: RE: Tomcat 4 - OpenSSL - IE client certificate works partially 02-07-2002 10:18 Please respond to Tomcat Users List I would absolutely love a HOW-TO. I have a project that is going to require certs for security. I will ultimately have to use a Verisign or Thawte cert, but I can certainly test with the homemade ones. Also, have you tried to get Netscape or Mozilla to work?? Adam Greene ROMulin Group Inc 885 Main St, Suite 16 Moncton, NB E1C 1G5 Ph: (506) 863-1014 x4 Fx: (506) 854-6886 http://www.romulin.com/ -Original Message- From: Henrik Schultz [mailto:[EMAIL PROTECTED]] Sent: Monday, July 01, 2002 11:43 AM To: tomcat-user Subject: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :- IE tells me: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made
Tomcat 4 - OpenSSL - IE client certificate works partially
Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :- IE tells me: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks. So the question to the list is: how would I go by diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat? Thanks for any input or advice you might have! PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
AW: Tomcat 4 - OpenSSL - IE client certificate works partially
This is the answere: http://www.comu.de/docs/tomcat_ssl.htm and its really easy. -Ursprungliche Nachricht- Von: Henrik Schultz [mailto:[EMAIL PROTECTED]] Gesendet: Montag, 1. Juli 2002 16:43 An: tomcat-user Betreff: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :- IE tells me: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks. So the question to the list is: how would I go by diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat? Thanks for any input or advice you might have! PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
Hi Henrik !!! I'm interested in your HOW-TO for making client certificates for Tomcat... and don't worry, i love the tricky stuff !!! :-) Thanks... Marcelo - Original Message - From: Henrik Schultz [EMAIL PROTECTED] To: tomcat-user tomcat-user%jakarta.apache.org%NOTESSMTP Sent: Monday, July 01, 2002 7:42 AM Subject: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: AW: Tomcat 4 - OpenSSL - IE client certificate workspartially
Hello, this pretty much sounds like the same problem I was experiencing and posted earlier today. Sadly, your link below only gives hints on how to intall a SERVER certificate, but not on how to configure everything to ask for a CLIENT cert. I have exactly the same problem where the initial handshake with the exchange of the SERVER cert is just fine, but then the connection breaks leaving you with absolutely NO LOG-entry as to why it broke So far, I was only able to get an error-message out of Netscape (6.x) saying unknown SSL Error -12227 Would it make sense to post this on the tomcat-development-list? Regards, Peter Werno On Mon, 1 Jul 2002 16:50:21 +0200 Power-Netz \(Schwarz\) [EMAIL PROTECTED] wrote: This is the answere: http://www.comu.de/docs/tomcat_ssl.htm and its really easy. -Ursprungliche Nachricht- Von: Henrik Schultz [mailto:[EMAIL PROTECTED]] Gesendet: Montag, 1. Juli 2002 16:43 An: tomcat-user Betreff: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :- IE tells me: The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks. So the question to the list is: how would I go by diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat? Thanks for any input or advice you might have! PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
I'd be interested too... Marcelo Demestri [EMAIL PROTECTED] wrote: Hi Henrik !!! I'm interested in your HOW-TO for making client certificates for Tomcat... and don't worry, i love the tricky stuff !!! :-) Thanks... Marcelo - Original Message - From: Henrik Schultz To: tomcat-user Sent: Monday, July 01, 2002 7:42 AM Subject: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! -- To unsubscribe, e-mail: For additional commands, e-mail: - Do You Yahoo!? Sign-up for Video Highlights of 2002 FIFA World Cup
Tomcat and OpenSSL
Hi I am using Tomcat 4.0.3 and currently using JSSE for https. JSSE is very slow. If I use Apache for providing SSL support. it works fine and is fast. But I do not want to put Apache just for supporting SSL. Is anyone aware how can Tomcat be integrated with openssl directly ?? One of the commercial servlet engine (Resin) supports Openssl directly. I was wondering how Tomcat can be integrated with OpenSSL. I will really appreciate any help or guidance. Thanks. Animesh -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: Tomcat and OpenSSL/Keytool
whare security provider are you using... I've installed JSSE from SUN and this works... I've just been unable to load a private key from openSSL to the JKS keystore... however the certificates can be imported easily -Message d'origine- De: Steve Smale [mailto:[EMAIL PROTECTED]] Date: mercredi 31 janvier 2001 13:27 : [EMAIL PROTECTED] Objet: Tomcat and OpenSSL/Keytool Hi all, I'm a bit confused here with tomcat and SSL. I've generated a key using keytool -genkey -alias tomcat -keyalg RSA as described in the tomcat faq. This works fine, although the certificate appears as "signed by an unknown source", and we really need it to just plop straight into https without any warnings appearing on the users screens... So I've looked at OpenSSL, and generated a key and signing-request, and got a certificate via verisign, using openssl req -new -out REQ.csr -keyout KEY.key, again, as in the tomcat faqs. Whether i put this resulting key through verisign's "free trial" signing process, or self-sign it with openssl req -x509 -in REQ.csr -key KEY.key -out CERT.pem, i then install it into the keytool using keytool -import -v trustcacerts -alias tomcat -file CERT.pem. If I then visit the site with netscape, I get the error: Netscape and this server cannot communicate securely because they have no common encryptino algorithm(s). While internet explorer comes up with no sensible error, but doesnt work with https. Does anyone have any ideas what I am doing wrong with this method - it seems somehow the key generated with openssl is not of the right format for netscape/ie to understand, yet the one made with keytool -genkey works fine; - but both are exactly to the letter from the tomcat faq's... If I cannot get openssl to operate with it correctly, is there a way to export the key from keytool? - i've only really found it possible to export the certificate, but not the private key, if it is generated that way... Before I go completely insane, has anyone else had any experience of these problems? Thanks!!! -- Regards Steve Smale Java Developer Hugh Symons Information Management Telephone: 0870 849 0220 Facsimile: 0870 849 0221 www.hughsymons.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Tomcat and OpenSSL/Keytool
Hi all, I'm a bit confused here with tomcat and SSL. I've generated a key using keytool -genkey -alias tomcat -keyalg RSA as described in the tomcat faq. This works fine, although the certificate appears as "signed by an unknown source", and we really need it to just plop straight into https without any warnings appearing on the users screens... So I've looked at OpenSSL, and generated a key and signing-request, and got a certificate via verisign, using openssl req -new -out REQ.csr -keyout KEY.key, again, as in the tomcat faqs. Whether i put this resulting key through verisign's "free trial" signing process, or self-sign it with openssl req -x509 -in REQ.csr -key KEY.key -out CERT.pem, i then install it into the keytool using keytool -import -v trustcacerts -alias tomcat -file CERT.pem. If I then visit the site with netscape, I get the error: Netscape and this server cannot communicate securely because they have no common encryptino algorithm(s). While internet explorer comes up with no sensible error, but doesnt work with https. Does anyone have any ideas what I am doing wrong with this method - it seems somehow the key generated with openssl is not of the right format for netscape/ie to understand, yet the one made with keytool -genkey works fine; - but both are exactly to the letter from the tomcat faq's... If I cannot get openssl to operate with it correctly, is there a way to export the key from keytool? - i've only really found it possible to export the certificate, but not the private key, if it is generated that way... Before I go completely insane, has anyone else had any experience of these problems? Thanks!!! -- Regards Steve Smale Java Developer Hugh Symons Information Management Telephone: 0870 849 0220 Facsimile: 0870 849 0221 www.hughsymons.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]