RE: Nio Connector and self signed SSL certificate giving No client certificate chain in this request

2011-02-06 Thread Parag Thakur
Christopher,

Thanks for the help. I will log this in Bugzilla shortly.

-parag

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Saturday, February 05, 2011 4:06 AM
To: Tomcat Users List
Subject: Re: Nio Connector and self signed SSL certificate giving No client certificate chain in this request


Parag,

On 2/4/2011 5:04 AM, Parag Thakur wrote:
> When I try to access a secure URL (e.g. /secure/foo.do) from a Java
> program using the Apache HttpClient library (where the client is configured
> to use C:\keys\webserver.keystore as the truststore and
> C:\keys\client.keystore as the keystore), I get the following response
> from the Tomcat server:
>
> This request requires HTTP authentication (No client certificate chain
> in this request).
>
> Tomcat's log shows the following stack trace:
>
> 2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception
> getting SSL attributes
> java.lang.NullPointerException
>   at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)

[snip]

> Oddly, the same program works if I use
> org.apache.coyote.http11.Http11Protocol instead of
> org.apache.coyote.http11.Http11NioProtocol.

That looks like a problem. Can you build a minimal test case (nearly
empty webapp with CLIENT-CERT authentication) and include a server.xml
file as well as keystore and truststore that can demonstrably work in
the BIO connector and fail in the NIO one? If so, please log this in
Bugzilla and attach all of the above.

> Secondly, for Http11Protocol, I used to be able to specify a list of
> ciphers in the Connector configuration to prevent weak ciphers being
> used. E.g.
>
> ciphers=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,
> SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5
>
> However, the same does not seem to work with the Http11NioProtocol, and
> I get the following in Tomcat's logs:
>
> 2011-02-04 15:09:12 SEVERE:  #{11} [NioEndpoint.setSocketOptions]
> java.lang.IllegalArgumentException: Cannot support
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers

See http://markmail.org/message/zn4namfhypyxum23 for code that will show
you what ciphers are available for your environment. Perhaps you really
are using an unsupported cipher.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Nio Connector and self signed SSL certificate giving No client certificate chain in this request

2011-02-05 Thread Brett Delle Grazie
Hi,

On 4 February 2011 22:36, Christopher Schultz
ch...@christopherschultz.net wrote:

> Parag,
>
> On 2/4/2011 5:04 AM, Parag Thakur wrote:
>
>> When I try to access a secure URL (e.g. /secure/foo.do) from a Java
>> program using the Apache HttpClient library (where the client is configured
>> to use C:\keys\webserver.keystore as the truststore and
>> C:\keys\client.keystore as the keystore), I get the following response
>> from the Tomcat server:
>>
>> This request requires HTTP authentication (No client certificate chain
>> in this request).
>>
>> Tomcat's log shows the following stack trace:
>>
>> 2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception
>> getting SSL attributes
>> java.lang.NullPointerException
>>   at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)
>
> [snip]
>
>> Oddly, the same program works if I use
>> org.apache.coyote.http11.Http11Protocol instead of
>> org.apache.coyote.http11.Http11NioProtocol.
>
> That looks like a problem. Can you build a minimal test case (nearly
> empty webapp with CLIENT-CERT authentication) and include a server.xml
> file as well as keystore and truststore that can demonstrably work in
> the BIO connector and fail in the NIO one? If so, please log this in
> Bugzilla and attach all of the above.
>
>> Secondly, for Http11Protocol, I used to be able to specify a list of
>> ciphers in the Connector configuration to prevent weak ciphers being
>> used. E.g.
>>
>> ciphers=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
>> TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
>> SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,
>> SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5
>>
>> However, the same does not seem to work with the Http11NioProtocol, and
>> I get the following in Tomcat's logs:
>>
>> 2011-02-04 15:09:12 SEVERE:  #{11} [NioEndpoint.setSocketOptions]
>> java.lang.IllegalArgumentException: Cannot support
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
>
> See http://markmail.org/message/zn4namfhypyxum23 for code that will show
> you what ciphers are available for your environment. Perhaps you really
> are using an unsupported cipher.

Stupid question, but did the OP copy the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files for whatever JVM they are using?


> -chris

-- 
Best Regards,

Brett Delle Grazie

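Chris's pointer to code that lists the ciphers available in an environment and Brett's question about the JCE Unlimited Strength policy files can be answered with one small program run under the same JVM that starts Tomcat. The program below is an added example, not code from this thread, from the markmail post or from Tomcat: the class and method names are mine, the cipher list is the one from Parag's Connector configuration, and it uses only standard JSSE/JCE calls (SSLContext.getDefault, SSLServerSocketFactory.getSupportedCipherSuites, Cipher.getMaxAllowedKeyLength). It prints the suites the JVM can enable on a server socket, whether AES keys above 128 bits are permitted, and which names from the configured list this JVM cannot support, and exits non-zero in that case so a deployment script can stop before Tomcat does.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Pre-flight check for a Tomcat Connector "ciphers" attribute (example code,
 * not part of Tomcat). Reports the suites the running JVM can negotiate,
 * whether the JCE unlimited-strength policy is in effect, and which
 * configured names the JVM cannot support, so the problem surfaces before
 * the NIO endpoint rejects the list at startup. Written against Java 6 APIs.
 */
public class CipherListCheck {

    /** The list from Parag's Connector configuration, one name per element. */
    static final String CONFIGURED_CIPHERS =
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
      + "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,"
      + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
      + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
      + "TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
      + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
      + "SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,"
      + "SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5";

    /** Suites the default SSLContext can enable on a server socket. */
    static Set<String> supportedSuites() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String[] names = ctx.getServerSocketFactory().getSupportedCipherSuites();
        return new LinkedHashSet<String>(Arrays.asList(names));
    }

    /** Splits a Connector-style comma list and returns the names the JVM lacks. */
    static List<String> unsupported(String configured, Set<String> supported) {
        List<String> missing = new ArrayList<String>();
        for (String raw : configured.split(",")) {
            String name = raw.trim();
            if (name.length() > 0 && !supported.contains(name)) {
                missing.add(name);
            }
        }
        return missing;
    }

    /**
     * True when the JCE policy allows AES keys above 128 bits. Under the
     * restricted policy every *_AES_256_* suite is unusable, which is one
     * way to end up with "Cannot support ... with currently installed providers".
     */
    static boolean unlimitedStrength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws Exception {
        // Optional first argument: a comma-separated list to check instead of the built-in one.
        String configured = args.length > 0 ? args[0] : CONFIGURED_CIPHERS;
        Set<String> supported = supportedSuites();

        System.out.println("JCE unlimited-strength policy: " + unlimitedStrength());
        System.out.println("Supported suites (" + supported.size() + "):");
        for (String s : supported) {
            System.out.println("  " + s);
        }

        List<String> missing = unsupported(configured, supported);
        if (missing.isEmpty()) {
            System.out.println("All configured suites are supported by this JVM.");
        } else {
            System.out.println("Configured but NOT supported by this JVM:");
            for (String s : missing) {
                System.out.println("  " + s);
            }
            System.exit(1); // non-zero so a deploy script can stop here
        }
    }
}
```

Compile and run it with the JVM Tomcat uses (javac CipherListCheck.java; java CipherListCheck). A `false` on the policy line is the answer to Brett's question: without the unlimited-strength policy files, no AES-256 suite can be enabled, whichever connector is configured. The check also flags spellings the provider does not register; on the JDKs of that era SunJSSE knew the 3DES and RC4 suites only under SSL_-prefixed names, so the TLS_-prefixed duplicates in this list would show up as unsupported too. A plausible reason the same list worked on Http11Protocol is that the BIO socket factory filtered the requested names against the supported set rather than failing, so the safe list is one containing only names this program reports as supported. Separately, RC4 and 3DES are no longer considered strong, so starting from the JVM's supported set and dropping those suites is the better way to build the list today.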



Re: Nio Connector and self signed SSL certificate giving No client certificate chain in this request

2011-02-04 Thread Mark Thomas
On 04/02/2011 10:04, Parag Thakur wrote:
> Oddly, the same program works if I use
> org.apache.coyote.http11.Http11Protocol instead of
> org.apache.coyote.http11.Http11NioProtocol. Any idea what might be
> causing the NIO implementation to not work in this case? Does this have
> anything to do with the SSL renegotiation that was recently addressed in
> the latest Tomcat?

https://issues.apache.org/bugzilla/show_bug.cgi?id=49284 ?

Mark
