RE: Nio Connector and self signed SSL certificate giving No client certificate chain in this request
Christopher,

Thanks for the help. I will log this in Bugzilla shortly.

-parag

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Saturday, February 05, 2011 4:06 AM
To: Tomcat Users List
Subject: Re: Nio Connector and self signed SSL certificate giving No client certificate chain in this request

Parag,

On 2/4/2011 5:04 AM, Parag Thakur wrote:
> When I try to access a secure URL (e.g. /secure/foo.do) from a Java program using the Apache HttpClient library (where the client is configured to use C:\keys\webserver.keystore as the truststore and C:\keys\client.keystore as the keystore), I get the following response from the Tomcat server:
>
> This request requires HTTP authentication (No client certificate chain in this request).
>
> Tomcat's log shows the following stack trace:
>
> 2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception getting SSL attributes
> java.lang.NullPointerException
>         at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)
> [snip]
>
> Oddly, the same program works if I use org.apache.coyote.http11.Http11Protocol instead of org.apache.coyote.http11.Http11NioProtocol.

That looks like a problem. Can you build a minimal test case (nearly empty webapp with CLIENT-CERT authentication) and include a server.xml file as well as keystore and truststore that can demonstrably work in the BIO connector and fail in the NIO one? If so, please log this in Bugzilla and attach all of the above.

> Secondly, for Http11Protocol, I used to be able to specify a list of ciphers in the Connector configuration to prevent weak ciphers being used. E.g.
>
> ciphers=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5
>
> However, the same does not seem to work with the Http11NioProtocol, and I get the following in Tomcat's logs:
>
> 2011-02-04 15:09:12 SEVERE: #{11} [NioEndpoint.setSocketOptions]
> java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers

See http://markmail.org/message/zn4namfhypyxum23 for code that will show you what ciphers are available for your environment. Perhaps you really are using an unsupported cipher.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Nio Connector and self signed SSL certificate giving No client certificate chain in this request
Hi,

On 4 February 2011 22:36, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Parag,
>
> On 2/4/2011 5:04 AM, Parag Thakur wrote:
>> When I try to access a secure URL (e.g. /secure/foo.do) from a Java program using the Apache HttpClient library (where the client is configured to use C:\keys\webserver.keystore as the truststore and C:\keys\client.keystore as the keystore), I get the following response from the Tomcat server:
>>
>> This request requires HTTP authentication (No client certificate chain in this request).
>>
>> Tomcat's log shows the following stack trace:
>>
>> 2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception getting SSL attributes
>> java.lang.NullPointerException
>>         at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)
>> [snip]
>>
>> Oddly, the same program works if I use org.apache.coyote.http11.Http11Protocol instead of org.apache.coyote.http11.Http11NioProtocol.
>
> That looks like a problem. Can you build a minimal test case (nearly empty webapp with CLIENT-CERT authentication) and include a server.xml file as well as keystore and truststore that can demonstrably work in the BIO connector and fail in the NIO one? If so, please log this in Bugzilla and attach all of the above.
>
>> Secondly, for Http11Protocol, I used to be able to specify a list of ciphers in the Connector configuration to prevent weak ciphers being used. E.g.
>>
>> ciphers=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5
>>
>> However, the same does not seem to work with the Http11NioProtocol, and I get the following in Tomcat's logs:
>>
>> 2011-02-04 15:09:12 SEVERE: #{11} [NioEndpoint.setSocketOptions]
>> java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
>
> See http://markmail.org/message/zn4namfhypyxum23 for code that will show you what ciphers are available for your environment. Perhaps you really are using an unsupported cipher.

Stupid question, but did the OP copy the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for whatever JVM they are using?

> -chris

--
Best Regards,
Brett Delle Grazie
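The two checks suggested in this thread, Chris's "find out which ciphers your JVM actually supports" and Brett's "is the unlimited-strength JCE policy installed", as one added example (this is not code from the thread, from the markmail link or from Tomcat). It parses a Connector ciphers value, compares it with the suites the default SSLContext supports, reports the unsupported names, and then applies the whole list to an SSLEngine the way a connector does, which is where JSSE raises the IllegalArgumentException "Cannot support ... with currently installed providers" seen in Parag's log. The embedded list is the one quoted in the thread with the line-wrap breaks removed; the assumption in the comments, that the limited policy caps AES at 128 bits and hides every AES_256 suite, holds for the Java 6/7 JVMs of that era.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example, not Tomcat code: validate a Connector "ciphers" attribute
 * against the running JVM's JSSE provider and report the JCE policy state.
 */
public class CipherCheck {

    /** The list quoted in the thread, with the line-wrap breaks removed. */
    static final String THREAD_CIPHERS =
          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
        + "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,"
        + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
        + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
        + "TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
        + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
        + "SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,"
        + "SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5";

    /** Splits a Tomcat-style comma-separated ciphers attribute into suite names. */
    static String[] parseCiphers(String attr) {
        List<String> out = new ArrayList<String>();
        for (String s : attr.split(",")) {
            String n = s.trim();
            if (!n.isEmpty()) out.add(n);
        }
        return out.toArray(new String[out.size()]);
    }

    /** Every suite the provider behind this SSLContext is able to negotiate. */
    static Set<String> supportedSuites(SSLContext ctx) {
        return new HashSet<String>(Arrays.asList(ctx.createSSLEngine().getSupportedCipherSuites()));
    }

    /** Names in the configured list that are not in the supported set. */
    static List<String> unsupported(String[] configured, Set<String> supported) {
        List<String> missing = new ArrayList<String>();
        for (String n : configured) {
            if (!supported.contains(n)) missing.add(n);
        }
        return missing;
    }

    /**
     * Applies the whole list at once, as a connector does. JSSE rejects the first
     * unknown name with IllegalArgumentException("Cannot support X with currently
     * installed providers"); the message is returned, or null if the list is accepted.
     */
    static String applyAll(SSLContext ctx, String[] configured) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        try {
            engine.setEnabledCipherSuites(configured);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String attr = args.length > 0 ? args[0] : THREAD_CIPHERS;
        SSLContext ctx = SSLContext.getDefault();
        String[] configured = parseCiphers(attr);

        // Assumption for JVMs of the thread's era: with the limited JCE policy this
        // returns 128 and no *_AES_256_* suite is supported; with the unlimited
        // policy files installed it returns Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: " + maxAes
            + (maxAes < 256 ? "  (unlimited-strength JCE policy files NOT installed)" : ""));

        List<String> missing = unsupported(configured, supportedSuites(ctx));
        System.out.println(missing.isEmpty() ? "All configured suites are supported."
                                             : "Unsupported suites: " + missing);

        String err = applyAll(ctx, configured);
        if (err != null) System.out.println("setEnabledCipherSuites failed: " + err);

        System.exit(missing.isEmpty() ? 0 : 1);
    }
}
```

Run it with the same JVM that starts Tomcat (java CipherCheck, or java CipherCheck "<your ciphers value>"); a non-zero exit means the list as written cannot be applied by that JVM, whatever the connector, and the printed names are the ones to drop or to unlock by installing the policy files.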
Re: Nio Connector and self signed SSL certificate giving No client certificate chain in this request
On 04/02/2011 10:04, Parag Thakur wrote:
> Oddly, the same program works if I use org.apache.coyote.http11.Http11Protocol instead of org.apache.coyote.http11.Http11NioProtocol.
>
> Any idea what might be causing the NIO implementation to not work in this case? Does this have anything to do with SSL renegotiation that was recently addressed in the latest Tomcat?

https://issues.apache.org/bugzilla/show_bug.cgi?id=49284 ?

Mark