Trying to understand How Tomcat uses Keystore for SSL

2017-11-13 Thread Don Flinn
I've done some reading on SSL and understand the protocol is as follows:
Client/Browser sends ClientHello and server Tomcat replies with
ServerHello.  This establishes the protocol they will use.
The server then sends the certificate and the public key - in the clear.
The browser encrypts a message containing the server's domain, all encrypted
with the server's public key, to the CA which the browser trusts.  The
public key is in the certificate.
The CA decrypts the message with the server's private key.  So the
server's name/domain must not be encrypted. If the server can decrypt the
message it knows the server and it then sends an ack message back to the
browser encrypted with the client's private key.
The browser and Tomcat then establish a secret key to send messages back
and forth.

If I have the above correct, I must have the keystore set up incorrectly, since
running my scenario I get an error in the Chrome debugger, which says

This page is not secure
"Valid certificate
The connection to this site is using a valid, trusted server certificate
issued by unknown name.
Secure resources
All resources on this page are served securely. "

Note the "the certificate is valid and it is issued by unknown name".  Why
is the issuer unknown, since the issuer's name is in the certificate?

Let's Encrypt has an online web site from which one can download a ca_bundle,
a private key and a certificate for your domain.
Oracle has an article on keytool which says that keytool cannot create a
pkcs12 keystore but can read it, and to use openssl, which I did following
their instructions: concatenate the CA cert, the private key and the user
cert, then put these in the keystore. The result is shown below.  Tomcat isn't
able to use this keystore to communicate with the browser for some reason.
Why? What's missing or incorrect?

C:\Users\don\Security\letsenc>%keytool% -list -keystore MMcert.p12 -v -storetype pkcs12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Nov 13, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=info.finwoks.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 415913da3a6a956ef3efef2fb2eb4baff17
Valid from: Sat Nov 11 16:05:35 EST 2017 until: Fri Feb 09 16:05:35 EST 2018
Certificate fingerprints:
 MD5:  F5:FD:4F:8B:9A:A0:38:D1:B7:78:B6:36:38:AB:42:31
 SHA1: 7C:AB:5C:D3:A9:95:01:FD:43:CC:F5:D5:1D:24:64:1A:BF:4C:AE:66
 SHA256:
A9:85:5C:34:3D:DA:65:64:2F:C7:45:57:52:3F:EE:0F:D6:70:50:DE:AA:5C:2A:D1:16:F3:29:B9:CB:F3:B2:36
 Signature algorithm name: SHA256withRSA
 Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org
,
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc..9..Ee.
0010: F3 A8 EC A1
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: : 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..
http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67  sencrypt.org

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: : 30 81 9E 0C 81 9B 54 68   69 73 20 43 65 72 74 69
0.This Certi
0010: 66 69 63 61 74 65 20 6D   61 79 20 6F 6E 6C 79 20  ficate may only
0020: 62 65 20 72 65 6C 69 65   64 20 75 70 6F 6E 20 62  be relied upon b
0030: 79 20 52 65 6C 79 69 6E   67 20 50 61 72 74 69 65  y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E   6C 79 20 69 6E 20 61 63  s and only in ac
0050: 63 6F 72 64 61 6E 63 65   20 77 69 74 68 20 74 68  cordance with th
0060: 65 20 43 65 72 74 69 66   69 63 61 74 65 20 50 6F  e Certificate Po
0070: 6C 69 63 79 20 66 6F 75   6E 64 20 61 74 20 68 74  licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65   74 73 65 6E 63 72 79 70  tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65   70 6F 73 69 74 6F 72 79  t.org/repository
00A0: 2F /

]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: info.finwoks.com
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 04 6B 27 5C F4 5E 85 21   24 38 A7 44 2D 7E 69 CA  .k'\.^.!$8.D-.i.
0010: CF 
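
The listing above reports "Certificate chain length: 1", so the keystore holds only the leaf certificate; Tomcat can only send what the keystore holds, so a client that does not already have the Let's Encrypt intermediate cannot build the chain. The script below is an added example, not from this thread, showing how `openssl pkcs12 -export` with and without `-certfile` changes what ends up in the PKCS12, plus a check that counts the certificates inside it. It uses a throwaway CA and leaf certificate generated on the fly (constructed, not real keys); for a real deployment, substitute the Let's Encrypt privkey, cert and ca_bundle files.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS12 for Tomcat that carries
# the full chain, then count the certificates it holds, which is what keytool
# reports as "Certificate chain length". A throwaway CA and leaf are generated
# here so the script runs offline; they are constructed test material only.
set -e
WORK=$(mktemp -d)

# Constructed throwaway CA (stand-in for the Let's Encrypt intermediate).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca_bundle.pem" 2>/dev/null
# Constructed leaf key + CSR, signed by the throwaway CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=tomcat.example.test" \
  -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca_bundle.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 2 -out "$WORK/cert.pem" 2>/dev/null

# Build the keystore. -certfile is what places the CA bundle into the PKCS12;
# leaving it out yields a key entry with only the leaf, as in the posted listing.
build_p12() {   # $1 = output path, $2 = "with-chain" or "no-chain"
  if [ "$2" = "with-chain" ]; then
    openssl pkcs12 -export -name tomcat -passout pass:changeit \
      -inkey "$WORK/privkey.pem" -in "$WORK/cert.pem" \
      -certfile "$WORK/ca_bundle.pem" -out "$1"
  else
    openssl pkcs12 -export -name tomcat -passout pass:changeit \
      -inkey "$WORK/privkey.pem" -in "$WORK/cert.pem" -out "$1"
  fi
}

# Count the certificates stored in a PKCS12 file (leaf plus any chain certs).
count_certs_in_p12() {   # $1 = pkcs12 path
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

build_p12 "$WORK/no-chain.p12" no-chain
build_p12 "$WORK/with-chain.p12" with-chain
echo "no-chain:   $(count_certs_in_p12 "$WORK/no-chain.p12") certificate(s)"
echo "with-chain: $(count_certs_in_p12 "$WORK/with-chain.p12") certificate(s)"
```

Running keytool -list -v against the with-chain keystore then reports "Certificate chain length: 2", which is what Tomcat needs in order to send the intermediate along with the leaf.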

Re: non www to www URL Rewrite

2017-11-13 Thread RAVIRAJ SHAH
Sorry, didn't get you exactly.
But I did the above setup in the Tomcat web server only.

Thanks
Ravi

On Mon, Nov 13, 2017, 20:45 shivashankar manukondu <
sivasankar.m...@gmail.com> wrote:

> Please make these changes in your web server
>
> Regards,
> Siva
>

Re: White-space encoding issue in 8.5.16

2017-11-13 Thread Christopher Schultz

To whom it may concern,

On 11/13/17 4:10 AM, M. Manna wrote:
> Actually, it's the same issue (and even error stack) reported
> here:
> 
> http://tomcat.10.x6.nabble.com/Tomcat-8-5-4-uses-RFC-6265-by-default-which-does-not-appear-to-be-Servlet-3-1-compliant-td5054685.html

So you are having an issue with cookie values?

Are you expecting the cookie values containing spaces to be converted
to %20 while writing responses or are you finding that cookie values
containing spaces aren't being converted to %20 for you when reading
requests?

I wouldn't expect the container to perform either of those actions.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: non www to www URL Rewrite

2017-11-13 Thread shivashankar manukondu
Please make these changes in your web server

Regards,
Siva

On Sat, Nov 11, 2017 at 10:17 AM, RAVIRAJ SHAH 
wrote:

> Thanks shiv,
>
> But no luck, it is not working.
> I did the configuration as below
>
> Created rewrite.config file in
> ../conf/Catalina/example.com
>
> RewriteCond %{HTTP_HOST} ^example\.com [NC]
> RewriteCond %{HTTPS} ^on$
> RewriteRule ^(.*)$ https://www.example.com/$[R=permanent,L,NE]
>
> And added valve as below in server.xml
>  unpackWARs="true" autoDeploy="true"
> xmlValidation="false" xmlNamespaceAware="false">
> 
>
> Do guide if anything to correct or any other solution
>
> On Fri, Nov 10, 2017, 14:43 shivashankar manukondu <
> sivasankar.m...@gmail.com> wrote:
>
> > Hi,
> >
> > If you want both to be accessible then try to use the "ServerAlias" option
> >
> > If you want to redirect all requests then try
> >
> > RewriteCond %{HTTP_HOST} ^example\.com [NC]
> > RewriteCond %{HTTPS} ^on$  # if you don't want https then make it off
> > RewriteRule ^(.*)$ https://www.example.com/$ [R=permanent,L,NE]  #
> > flags based on your requirement
> >
> > Please remember the above rules will work based on all your existing
> > rewrite rules.
> >
> >
> > Regards,
> > Siva
> >
> >
> >
> > On Thu, Nov 9, 2017 at 10:58 AM, RAVIRAJ SHAH 
> > wrote:
> >
> > > Hi Andre,
> > >
> > > Thanks for quick reply
> > > yes it is pointing to same public IP
> > >
> > > Thanks,
> > > Raviraj
> > >
> > >
> > >
> > > Thanks & Regards,
> > > Raviraj Shah
> > >
> > >
> > > On 8 November 2017 at 22:50, André Warnier (tomcat) 
> > wrote:
> > >
> > > > On 08.11.2017 17:35, RAVIRAJ SHAH wrote:
> > > >
> > > >> Sorry for my language
> > > >> my query with example
> > > >>
> > > >> Let's say my website domain is "example.com"
> > > >> Now I want to redirect "example.com" to "www.example.com"
> > > >> Kindly share how I can achieve it
> > > >>
> > > >
> > > > Well first, you need the 2 entries in the DNS server for "example.com".
> > > > You need :
> > > > example.com --> public Internet IP address of your server (A)
> > > > www.example.com --> public  Internet IP address of your server (B)
> > > >
> > > > and A == B
> > > >
> > > > otherwise it will never work.
> > > > Do you have that ?
> > > >
> > > > You can check this by getting a command-line window somewhere and
> > > > entering:
> > > > nslookup example.com
> > > > nslookup www.example.com
> > > > and both should give the same IP address.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >> On Wed, Nov 8, 2017, 19:08 André Warnier (tomcat) 
> > > wrote:
> > > >>
> > > >> On 08.11.2017 14:30, RAVIRAJ SHAH wrote:
> > > >>>
> > >  Anybody please help
> > > 
> > > >>>
> > > >>> I think that you first try to communicate more clearly what you
> > > >>> want to achieve.
> > > >>> "redirect non-www URL to www URL only"
> > > >>> does not appear to make much sense.
> > > >>>
> > > >>> Also please send your message to the list as *plain text*, not
> > > >>> html. It will make it easier to read configuration lines below which
> > > >>> look like URL's.
> > > >>>
> > > >>>
> > > >>>
> > >  On Tue, Nov 7, 2017, 12:00 RAVIRAJ SHAH 
> > >  wrote:
> > > 
> > >  Dear All,
> > > >
> > > > Kindly request you to help to resolve this issue
> > > >
> > > > Problem Statement :
> > > > we want to redirect non-www URL to www URL only
> > > >
> > > > Current setup :
> > > >
> > > > Defined rewrite valve in server.xml as below
> > > >
> > > >
> > > >  > > > autoDeploy=
> > > > "true">
> > > >
> > > >
> > > >
> > > >> > >
> > >  />
> > > >>>
> > > 
> > > >
> > > >
> > > > 
> > > >
> > > > Created rewrite.config file in ../conf/Catalina//
> > > >
> > > >
> > > > *RewriteCond %{HTTP_HOST} !^(.*)\.yourdomain\.com$ [NC]
> > > > RewriteRule ^(.*)$ http://www.yourdomain.com /$1 [R=301,L]*
> > > >
> > > > *kindly do needful*
> > > >
> > > > Thanks & Regards,
> > > > Raviraj Shah
> > > >
> > > >
> > > >
> > > 



-- 

Regards
Siva
#068860592040


Re: White-space encoding issue in 8.5.16

2017-11-13 Thread M. Manna
Actually, it's the same issue (and even error stack) reported here:

http://tomcat.10.x6.nabble.com/Tomcat-8-5-4-uses-RFC-6265-by-default-which-does-not-appear-to-be-Servlet-3-1-compliant-td5054685.html





Re: White-space encoding issue in 8.5.16

2017-11-13 Thread Mark Thomas
On 12/11/17 22:25, M. Manna wrote:
> Hi,
> 
> We are currently encountering an issue where some of our REST API calls
> are failing because of a white-space not being encoded (i.e. %20). This has
> started with 8.5.16 and our previous version didn't have this problem -
> 8.0.29.
> 
> Is this something anyone has seen before? I am assuming that it's RFC 6265
> where whitespace is not allowed? But is there any work around?

You are going to need to be more specific about the problem. You need to
provide enough information for someone else to reproduce the issue and
investigate it.

Mark

