Re: SSL Not working on tomcat 5.5.29
Hi All,

If I rename tcnative-1.dll in the bin folder then the site on SSL works. I am not that knowledgeable on this dll. Any comments or ideas please? I got this suggestion from Google but no specific reason.

Regards,
Kareem

Pid * wrote:
> On 02/07/2010 06:30, kareem_s_m wrote:
> > Hi All,
> > I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the applications. I see that the website renders and works fine in 5.5.29 on port 8080 (non SSL) but with SSL (port 8443) the website does not run at all. When I try to see what's going on in Fiddler, I see a 502 error. Also nothing is written to the log files. It is as if tomcat is not even running in port 8443. Under tomcat 5.5.28, the site renders fine with SSL and non SSL. Is there something I could be missing?
>
> Are the Connector definitions in server.xml files identical? You can post it inline here, if you remove the comments and any passwords.
>
> p

--
View this message in context: http://old.nabble.com/SSL-Not-working-on-tomcat-5.5.29-tp29052531p29137241.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: SSL Not working on tomcat 5.5.29
> From: kareem_s_m [mailto:kareemud...@gmail.com]
> Subject: Re: SSL Not working on tomcat 5.5.29
>
> If I rename tcnative-1.dll in the bin folder then the site on SSL works.

SSL handling with the APR connector is completely different from that with a pure Java connector. The docs are here:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: SSL Not working on tomcat 5.5.29
2010/7/12 kareem_s_m <kareemud...@gmail.com>:
> Hi All,
> If I rename tcnative-1.dll in the bin folder then the site on SSL works. I am not that knowledgeable on this dll. Any comments or ideas please? I got this suggestion from Google but no specific reason.

It was already mentioned in this very thread.
http://old.nabble.com/SSL-Not-working-on-tomcat-5.5.29-ts29052531.html#a29083748

> Regards,
> Kareem
Re: SSL Not working on tomcat 5.5.29
Yup... I guess I missed it. Thank You Konstantin.

Konstantin Kolinko wrote:
> 2010/7/12 kareem_s_m <kareemud...@gmail.com>:
> > Hi All,
> > If I rename tcnative-1.dll in the bin folder then the site on SSL works. I am not that knowledgeable on this dll. Any comments or ideas please? I got this suggestion from Google but no specific reason.
>
> It was already mentioned in this very thread.
> http://old.nabble.com/SSL-Not-working-on-tomcat-5.5.29-ts29052531.html#a29083748
>
> > Regards,
> > Kareem
RE: SSL Not working on tomcat 5.5.29
Thank You Chuck!!!

n828cl wrote:
> > From: kareem_s_m [mailto:kareemud...@gmail.com]
> > Subject: Re: SSL Not working on tomcat 5.5.29
> >
> > If I rename tcnative-1.dll in the bin folder then the site on SSL works.
>
> SSL handling with the APR connector is completely different from that with a pure Java connector. The docs are here:
>
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>
> - Chuck
Re: SSL Not working on tomcat 5.5.29
When I run in NON SSL (port 8080), stuff is written to the log files. When I run under SSL (8443) nothing is written to the same log files.

Konstantin Kolinko wrote:
> 2010/7/2 kareem_s_m <kareemud...@gmail.com>:
> > Also nothing is written to the log files.
>
> Nothing at all? The logs are completely empty?
>
> Maybe you are still running 5.5.28, or writing to 5.5.28 logs, if the service was installed incorrectly?
>
> > Under tomcat 5.5.28, the site renders fine with SSL and non SSL.
>
> How did you install Tomcat, and how are you running it?
>
> Best regards,
> Konstantin Kolinko
Re: SSL Not working on tomcat 5.5.29
2010/7/6 kareem_s_m <kareemud...@gmail.com>:
> When I run in NON SSL (port 8080), stuff is written to the log files. When I run under SSL (8443) nothing is written to the same log files.

In the configuration fragment that you provided you are running with all 8080, 8443, 8009 at the same time.

If you are adding an XML comment around unneeded connectors, maybe you are doing it wrong, and thus your server.xml is not a well-formed XML file? (You know, XML comments cannot contain "--" and thus comments cannot be nested).

A trivial question: your keystore is now in a new path. Have you copied it to the new location?

keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"

> How did you install Tomcat, and how are you running it?

Not answered. Do you install it as a service, or are you using *.bat files?

Best regards,
Konstantin Kolinko
Re: SSL Not working on tomcat 5.5.29
2010/7/6 Konstantin Kolinko <knst.koli...@gmail.com>:
> 2010/7/6 kareem_s_m <kareemud...@gmail.com>:
> > When I run in NON SSL (port 8080), stuff is written to the log files. When I run under SSL (8443) nothing is written to the same log files.
>
> In the configuration fragment that you provided you are running with all 8080, 8443, 8009 at the same time.
>
> If you are adding an XML comment around unneeded connectors, maybe you are doing it wrong, and thus your server.xml is not a well-formed XML file? (You know, XML comments cannot contain "--" and thus comments cannot be nested).
>
> A trivial question: your keystore is now in a new path. Have you copied it to the new location?
>
> keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"
>
> > How did you install Tomcat, and how are you running it?
>
> Not answered. Do you install it as a service, or are you using *.bat files?

One more: please check whether you have bin/tcnative-1.dll in your tomcat-5.5.29. If you do, then the APR version of the connector will be used. Configuration for the APR SSL connector is different (it uses the OpenSSL library to perform encryption and not Java).

Just remove or rename the tcnative-1.dll file.

Best regards,
Konstantin Kolinko
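As an added example (not part of the thread, and not Tomcat's own code), the following Python script turns the advice in this reply and in Chuck's earlier one into a check you can run against a CATALINA_HOME: it parses server.xml (so a comment that contains "--" or that wraps another comment is reported as not well-formed), looks for bin/tcnative-1.dll, and reports when the HTTPS connector carries only JSSE attributes (keystoreFile, keystorePass) while the native library will make Tomcat pick the APR connector, or the other way round. Function names and the embedded server.xml samples are the example's own; the samples are constructed, with the password redacted as in the thread. The same check applies to the later replies on this page that point at apr.html.

```python
import os
import xml.etree.ElementTree as ET

# Attribute sets each Tomcat 5.5 connector implementation reads for HTTPS
# (ssl-howto.html for the Java/JSSE connector, apr.html for the APR/OpenSSL one).
JSSE_ATTRS = ("keystoreFile", "keystorePass", "keystoreType", "keyAlias",
              "sslProtocol", "clientAuth", "truststoreFile")
APR_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile",
             "SSLCertificateChainFile", "SSLCACertificateFile", "SSLPassword")


def tcnative_present(catalina_home):
    """True if bin/tcnative-1.dll exists, which makes Tomcat load the APR connector."""
    bin_dir = os.path.join(catalina_home, "bin")
    return os.path.isdir(bin_dir) and "tcnative-1.dll" in {n.lower() for n in os.listdir(bin_dir)}


def https_connectors(server_xml):
    """Attribute dicts of every connector serving HTTPS. Raises ET.ParseError if the
    document is not well-formed XML, e.g. '--' or a nested comment inside a comment."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("scheme") == "https" or c.get("secure", "").lower() == "true"]


def connector_style(attrs):
    """'jsse', 'apr', 'mixed' or 'none', judged from the SSL attributes present."""
    jsse = any(a in attrs for a in JSSE_ATTRS)
    apr = any(a in attrs for a in APR_ATTRS)
    if jsse and apr:
        return "mixed"
    return "jsse" if jsse else "apr" if apr else "none"


def diagnose(server_xml, native_present):
    """List the mismatches between server.xml and the connector Tomcat will load.
    An empty list means the HTTPS connector is configured for that implementation."""
    try:
        connectors = https_connectors(server_xml)
    except ET.ParseError as err:
        return ["server.xml is not well-formed XML: %s" % err]
    if not connectors:
        return ["no HTTPS connector (scheme=https / secure=true) found"]
    findings = []
    for attrs in connectors:
        port, style = attrs.get("port", "?"), connector_style(attrs)
        if style == "none":
            findings.append("port %s: HTTPS connector carries no SSL attributes at all" % port)
        elif style == "mixed":
            findings.append("port %s: mixes JSSE and APR SSL attributes; keep one set" % port)
        elif native_present and style == "jsse":
            findings.append("port %s: tcnative-1.dll is present, so the APR connector is used, "
                            "but only JSSE attributes (keystoreFile/keystorePass) are set; "
                            "use SSLCertificateFile/SSLCertificateKeyFile as in apr.html, "
                            "or remove the dll to stay on the Java connector" % port)
        elif not native_present and style == "apr":
            findings.append("port %s: APR SSL attributes set but no tcnative-1.dll; the Java "
                            "connector expects keystoreFile/keystorePass instead" % port)
    return findings


# Constructed sample modelled on the fragment posted in this thread (password redacted).
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" scheme="http"/>
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               keystoreFile="E:\apps\thirdparty\tomcat\selfcert.jks" keystorePass="X"/>
    <Connector port="8009" redirectPort="8443" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

# A connector "commented out" by wrapping a comment around another comment.
BROKEN_SERVER_XML = """<Server>
  <!-- <Connector port="8443"/> <!-- old --> -->
</Server>
"""

if __name__ == "__main__":
    # On a real install: diagnose(open(path).read(), tcnative_present(catalina_home))
    for line in diagnose(SAMPLE_SERVER_XML, native_present=True) or ["no mismatch found"]:
        print(line)
    print(diagnose(BROKEN_SERVER_XML, native_present=False)[0])
```

Run against the real files with diagnose(open(server_xml_path).read(), tcnative_present(catalina_home)); an empty result means the connector's SSL attributes belong to the implementation the dll's presence (or absence) selects.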
Re: SSL Not working on tomcat 5.5.29
Server.xml is well formed as I can render it in IE. Also, the cert path is right.

Konstantin Kolinko wrote:
> 2010/7/6 kareem_s_m <kareemud...@gmail.com>:
> > When I run in NON SSL (port 8080), stuff is written to the log files. When I run under SSL (8443) nothing is written to the same log files.
>
> In the configuration fragment that you provided you are running with all 8080, 8443, 8009 at the same time.
>
> If you are adding an XML comment around unneeded connectors, maybe you are doing it wrong, and thus your server.xml is not a well-formed XML file? (You know, XML comments cannot contain "--" and thus comments cannot be nested).
>
> A trivial question: your keystore is now in a new path. Have you copied it to the new location?
>
> keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"
>
> > How did you install Tomcat, and how are you running it?
>
> Not answered. Do you install it as a service, or are you using *.bat files?
>
> Best regards,
> Konstantin Kolinko
Re: SSL Not working on tomcat 5.5.29
2010/7/2 kareem_s_m <kareemud...@gmail.com>:
> Also nothing is written to the log files.

Nothing at all? The logs are completely empty?

Maybe you are still running 5.5.28, or writing to 5.5.28 logs, if the service was installed incorrectly?

> Under tomcat 5.5.28, the site renders fine with SSL and non SSL.

How did you install Tomcat, and how are you running it?

Best regards,
Konstantin Kolinko
Re: SSL Not working on tomcat 5.5.29
The connectors from server.xml in 5.5.29 are as follows:

  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8080" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
               maxThreads="150" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="http">
    </Connector>
    <Connector port="8443" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
               maxThreads="150" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"
               keystorePass="X">
    </Connector>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" redirectPort="8443" protocol="AJP/1.3">
    </Connector>
    <Engine defaultHost="localhost" name="Catalina">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
      <Host appBase="webapps" name="localhost">
      </Host>
    </Engine>
  </Service>

The connectors from server.xml in 5.5.28 are as follows:

  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8080" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
               maxThreads="150" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="http">
    </Connector>
    <Connector port="8443" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
               maxThreads="150" enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.28\selfcert.jks"
               keystorePass="X">
    </Connector>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" redirectPort="8443" protocol="AJP/1.3">
    </Connector>
    <Engine defaultHost="localhost" name="Catalina">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
      <Host appBase="webapps" name="localhost">
      </Host>
    </Engine>
  </Service>
</Server>

Output of version.bat:

  Using CATALINA_BASE:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
  Using CATALINA_HOME:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
  Using CATALINA_TMPDIR: E:\apps\thirdparty\apache-tomcat-5.5.29 orig\temp
  Using JRE_HOME:        D:\Java\jdk.1.5.07
  Using CLASSPATH:       E:\apps\thirdparty\apache-tomcat-5.5.29 orig\bin\bootstrap.jar
  Server version: Apache Tomcat/5.5.29
  Server built:   Mar 29 2010 07:46:34
  Server number:  5.5.29.0
  OS Name:        Windows 2003
  OS Version:     5.2
  Architecture:   x86
  JVM Version:    1.5.0_07-b03
  JVM Vendor:     Sun Microsystems Inc.

awarnier wrote:
> kareem_s_m wrote:
> > Hi All,
> > I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the applications. I see that the website renders and works fine in 5.5.29 on port 8080 (non SSL) but with SSL (port 8443) the website does not run at all. When I try to see what's going on in Fiddler, I see a 502 error. Also nothing is written to the log files. It is as if tomcat is not even running in port 8443. Under tomcat 5.5.28, the site renders fine with SSL and non SSL. Is there something I could be missing?
>
> On the face of it, I would estimate the probability of that at so close to 1 as cannot be distinguished from it.
>
> But if you want someone here to help, you will have to provide some more details, such as for example a copy-and-paste of your Connector tags, and maybe tell us which platform this is, and where these Tomcat's are coming from.
>
> Useful: go to the Tomcat bin subdirectory with a console window, run version.sh or version.bat, and paste the result in your next message.
Re: SSL Not working on tomcat 5.5.29
Hi.

> 502 Bad Gateway

That is a strange error, in this context. Are you accessing this Tomcat directly, or through Apache or IIS or some load-balancer?

Try this anyway:
Start Tomcat 5.5.28, open a command window, and enter "netstat -ano". With your setup, in the lines marked LISTEN, you should see 4 lines related to Tomcat: in the 2nd column (local address), these lines should contain respectively
  :8005
  :8009
  :8080
  :8443
(The last column contains the PID of the corresponding process (Tomcat). You can check this with the Task Manager, if you enable the PID column.)
Anyway, copy and paste these lines here.

Now stop Tomcat 5.5.28, start Tomcat 5.5.29, and run the above command again. Copy and paste these lines here.

Any difference?

kareem_s_m wrote:
> The connectors from server.xml in 5.5.29 are as follows:
>
>   <Service name="Catalina">
>     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8080" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
>                maxThreads="150" enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="http">
>     </Connector>
>     <Connector port="8443" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
>                maxThreads="150" enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"
>                keystorePass="X">
>     </Connector>
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" redirectPort="8443" protocol="AJP/1.3">
>     </Connector>
>     <Engine defaultHost="localhost" name="Catalina">
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
>       <Host appBase="webapps" name="localhost">
>       </Host>
>     </Engine>
>   </Service>
>
> The connectors from server.xml in 5.5.28 are as follows:
>
>   <Service name="Catalina">
>     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8080" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
>                maxThreads="150" enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="http">
>     </Connector>
>     <Connector port="8443" minSpareThreads="25" connectionTimeout="2" maxSpareThreads="75"
>                maxThreads="150" enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.28\selfcert.jks"
>                keystorePass="X">
>     </Connector>
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" redirectPort="8443" protocol="AJP/1.3">
>     </Connector>
>     <Engine defaultHost="localhost" name="Catalina">
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
>       <Host appBase="webapps" name="localhost">
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Output of version.bat:
>
>   Using CATALINA_BASE:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
>   Using CATALINA_HOME:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
>   Using CATALINA_TMPDIR: E:\apps\thirdparty\apache-tomcat-5.5.29 orig\temp
>   Using JRE_HOME:        D:\Java\jdk.1.5.07
>   Using CLASSPATH:       E:\apps\thirdparty\apache-tomcat-5.5.29 orig\bin\bootstrap.jar
>   Server version: Apache Tomcat/5.5.29
>   Server built:   Mar 29 2010 07:46:34
>   Server number:  5.5.29.0
>   OS Name:        Windows 2003
>   OS Version:     5.2
>   Architecture:   x86
>   JVM Version:    1.5.0_07-b03
>   JVM Vendor:     Sun Microsystems Inc.
>
> awarnier wrote:
> > kareem_s_m wrote:
> > > Hi All,
> > > I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the applications. I see that the website renders and works fine in 5.5.29 on port 8080 (non SSL) but with SSL (port 8443) the website does not run at all. When I try to see what's going on in Fiddler, I see a 502 error. Also nothing is written to the log files. It is as if tomcat is not even running in port 8443. Under tomcat 5.5.28, the site renders fine with SSL and non SSL. Is there something I could be missing?
> >
> > On the face of it, I would estimate the probability of that at so close to 1 as cannot be distinguished from it.
> >
> > But if you want someone here to help, you will have to provide some more details, such as for example a copy-and-paste of your Connector tags, and maybe tell us which platform this is, and where these Tomcat's are coming from.
> >
> > Useful: go to the Tomcat bin subdirectory with a console window, run version.sh or version.bat, and paste the result in your next message.
Re: SSL Not working on tomcat 5.5.29
On 02/07/2010 06:30, kareem_s_m wrote:
> Hi All,
> I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the applications. I see that the website renders and works fine in 5.5.29 on port 8080 (non SSL) but with SSL (port 8443) the website does not run at all. When I try to see what's going on in Fiddler, I see a 502 error. Also nothing is written to the log files. It is as if tomcat is not even running in port 8443. Under tomcat 5.5.28, the site renders fine with SSL and non SSL. Is there something I could be missing?

Are the Connector definitions in server.xml files identical? You can post it inline here, if you remove the comments and any passwords.

p
Re: SSL Not working on tomcat 5.5.29
kareem_s_m wrote:
> Hi All,
> I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the applications. I see that the website renders and works fine in 5.5.29 on port 8080 (non SSL) but with SSL (port 8443) the website does not run at all. When I try to see what's going on in Fiddler, I see a 502 error. Also nothing is written to the log files. It is as if tomcat is not even running in port 8443. Under tomcat 5.5.28, the site renders fine with SSL and non SSL. Is there something I could be missing?

On the face of it, I would estimate the probability of that at so close to 1 as cannot be distinguished from it.

But if you want someone here to help, you will have to provide some more details, such as for example a copy-and-paste of your Connector tags, and maybe tell us which platform this is, and where these Tomcat's are coming from.

Useful: go to the Tomcat bin subdirectory with a console window, run version.sh or version.bat, and paste the result in your next message.
Re: SSL not working on Tomcat 5.5
Marcus Johansson wrote:
> I am running Tomcat 5.5 on a Windows 2003 server box, using Sun JRE 1.5.0_11. Since I want to have SSL support on my server, I followed the instructions on http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html first creating a self-signed certificate and then uncommenting the SSL Connector on port 8443. After a restart of the tomcat service I expected to have the SSL up and running but alas. When accessing http://localhost:8443 it works fine, hence the connector seems active on the port. But when trying to access https://localhost:8443, my IE7 browser stands hanging for a pretty long while until it declares that the page cannot be opened. No error messages whatsoever to be found in the tomcat logs.

Check whether you're using APR. If so, the above document won't help you much - look at http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS instead and check the list archives for more info, since this comes up quite frequently.

Regards
mks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL not working on Tomcat
Michael,

I may have missed something, but did you install your certificate reply into your keystore? I can't see any account of that having been done. I also agree that you need to install the CA root certificate in your keystore as well. You need to have the full trust chain in your keystore.

Another thought is to configure your server.xml slightly differently. You may want to try the following to get you going:

  <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS">
    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS"
             keystoreFile="c:\files\tomcat" keystorePass="THEPASS" />
  </Connector>

Hope that helps.

Regards,
Andrew

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Thursday, 9 November 2006 9:02 AM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael,

Michael Casale wrote:
> I've installed Firefox 2.0 and I get the error:
> Firefox can't connect securely to upm.knoa.com because the site uses a security protocol which isn't enabled
> So... I changed sslProtocol="TLS" to sslProtocol="SSL" and restarted the service. I get the same error.

Wow. Sounds like something is seriously screwed up. Have you tried a different client machine? Perhaps one of your SSL libraries is hosed. Have you tried re-installing Tomcat? Perhaps one of TC's SSL libraries is hosed.

If all else fails, I would run something like memtest86 on your server to see if the memory is okay. It's tough to do all this crypto stuff and not have an exception when the littlest thing goes wrong, so something is definitely amiss.

It's not like Sun invented a new SSL protocol and didn't tell anyone about it ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFUlPC9CaO5/Lv0PARAiljAJ9auqO2pfKdS9+zimV5hFhJR2zn2wCfZkY5
KP4Xe5Do8g1iS9+EYc0LqvA=
=QizN
-----END PGP SIGNATURE-----
Re: SSL not working on Tomcat
Michael,

Michael Casale wrote:
> I've installed Firefox 2.0 and I get the error:
> Firefox can't connect securely to upm.knoa.com because the site uses a security protocol which isn't enabled
> So... I changed sslProtocol="TLS" to sslProtocol="SSL" and restarted the service. I get the same error.

Wow. Sounds like something is seriously screwed up. Have you tried a different client machine? Perhaps one of your SSL libraries is hosed. Have you tried re-installing Tomcat? Perhaps one of TC's SSL libraries is hosed.

If all else fails, I would run something like memtest86 on your server to see if the memory is okay. It's tough to do all this crypto stuff and not have an exception when the littlest thing goes wrong, so something is definitely amiss.

It's not like Sun invented a new SSL protocol and didn't tell anyone about it ;)

-chris
RE: SSL not working on Tomcat - The Solution
Hi All -

The simple solution to this whole problem is that I was using the wrong keystore file - not the one I originally used to generate my certificate request. I originally tried to use the original keystore file to import my newly purchased certificate, but I kept getting the error "Wrong Keystore Format" (or something to that effect - I forgot and am in a hurry here). The reason why is I was following poor instructions on my company's wiki which omitted the storetype tag in the keytool -import line. You need the -storetype PKCS12 when importing into a PKCS12 keystore.

Duh on me. This is how we learn. I figured I'd just point this out for anyone else using the keytool command and working with PKCS12 format keys and keystores.

Thanks to all those who offered help!

Michael Casale
Systems Administrator / IT Manager
Knoa Software
[EMAIL PROTECTED]
Ph. (212) 807-9608 ext. 6000
Fax (212) 675-6121

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 08, 2006 5:02 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

Michael,

Michael Casale wrote:
> I've installed Firefox 2.0 and I get the error:
> Firefox can't connect securely to upm.knoa.com because the site uses a security protocol which isn't enabled
> So... I changed sslProtocol="TLS" to sslProtocol="SSL" and restarted the service. I get the same error.

Wow. Sounds like something is seriously screwed up. Have you tried a different client machine? Perhaps one of your SSL libraries is hosed. Have you tried re-installing Tomcat? Perhaps one of TC's SSL libraries is hosed.

If all else fails, I would run something like memtest86 on your server to see if the memory is okay. It's tough to do all this crypto stuff and not have an exception when the littlest thing goes wrong, so something is definitely amiss.

It's not like Sun invented a new SSL protocol and didn't tell anyone about it ;)

-chris
RE: SSL not working on Tomcat
> From: Michael Casale [mailto:[EMAIL PROTECTED]
> Subject: SSL not working on Tomcat
>
> I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server.

Depending on how you installed Tomcat, you may have also gotten the native connector, aka APR. Its SSL configuration is different from the traditional Tomcat connector. Look here for details:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Regardless, you probably want to move up to a more recent level.

- Chuck
Re: SSL not working on Tomcat
Did you try this with Firefox? IE has some problems with no-cache in the header or as a pragma. Later versions of Tomcat 5.5 set this.

There is a mailing list thread concerning this:
http://marc.theaimsgroup.com/?t=11180675668r=1w=2
along with some solutions.

Hope this helps.

/mde/
just my two cents . . . .

--- Michael Casale <[EMAIL PROTECTED]> wrote:
> Howdy all,
>
> I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server. Pointing to the default connector on port 8080 works fine.
>
> Here's a little background:
>
> 1. Using keytool, I created a certificate request, sent it off to Geotrust, and purchased a cert to import. It was emailed to me.
>
> 2. Following the recommendations of geotrust (http://www.geocerts.com/support/install/install_tomcat.php), I downloaded their root cert, imported it, converted their cert to DER format (on a separate Linux box), and imported it into the keystore.
>
> 3. I restarted the Tomcat service with no errors, see the connector started on port 8443:
>
> Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8443
> Nov 7, 2006 4:55:35 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 812 ms
> Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/5.5.12
> Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardHost start
> INFO: XML validation disabled
> Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8080
> Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8443
> Nov 7, 2006 4:55:37 PM org.apache.jk.common.ChannelSocket init
> INFO: JK: ajp13 listening on /0.0.0.0:8009
> Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain start
> INFO: Jk running ID=0 time=0/31 config=null
> Nov 7, 2006 4:55:37 PM org.apache.catalina.storeconfig.StoreLoader load
> INFO: Find registry server-registry.xml at classpath resource
> Nov 7, 2006 4:55:37 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 1203 ms
>
> Now, opening any page on the server at http://servername:8080/ works fine, but https://servername:8443/ doesn't work. All ports are opened through the firewall, etc. Same for https://localhost:8443/.
>
> Here is the server.xml file entry for the connector:
>
> <Connector className="org.apache.coyote.tomcat5.CoyoteConnector" port="8443"
>            minProcessors="5" maxProcessors="20" enableLookups="true"
>            disableUploadTimeout="true" acceptCount="100" debug="0"
>            scheme="https" secure="true" sslProtocol="TLS"
>            keystoreFile="c:\files\tomcat" keystorePass="THEPASS"/>
>
> According to the Tomcat SSL documentation, I need to have the root cert and the purchased cert in the keystore file, and I need to use the keyAlias to tell Tomcat which one to use. But whenever I add in the keyAlias entry it gives me the "Alias name tomcat does not identify a key entry" error in the logs.
>
> If I could find out how to enable better logging I may be able to troubleshoot this further.
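Michael's eventual fix (a PKCS12 keystore being opened as if it were JKS, see "The Solution" above) and the "Alias name tomcat does not identify a key entry" error quoted in his original post are both decided by Tomcat's JSSE connector when it opens keystoreFile, before any TLS handshake; a connector left without a usable private key cannot offer a cipher suite a client can accept, so the browser sees a failed connection rather than a Tomcat log message. The following Python script is an added example, not code from Tomcat, keytool or anyone in the thread: it identifies the keystore format from the file header, walks the JKS container without the password to list aliases and entry kinds, and reports what the connector would do with a given keystoreType and keyAlias. Function names are the example's own, and the sample keystores are constructed with dummy payloads.

```python
import struct

JKS_MAGIC = 0xFEEDFEED          # header of a "JKS" keystore (Tomcat's default keystoreType)
JCEKS_MAGIC = 0xCECECECE        # header of the SunJCE "JCEKS" variant
PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2


def detect_storetype(data):
    """JKS and JCEKS announce themselves with a magic number; a PKCS#12 file is
    plain DER and therefore starts with a SEQUENCE tag (0x30)."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    return "PKCS12" if data[:1] == b"\x30" else "unknown"


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def utf(self):  # Java DataOutput.writeUTF: 2-byte length, then the bytes
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def list_jks_entries(data):
    """[(alias, kind, certificates_in_chain)] for a JKS file, read without the
    password: key blobs and certificates are skipped, the trailing digest ignored."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    version = r.u32()                    # 1 (no certificate type strings) or 2
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)                        # creation date, ms since the epoch
        if tag == PRIVATE_KEY_ENTRY:
            r.take(r.u32())              # password-protected private key, skipped
            chain_len = r.u32()
            for _ in range(chain_len):
                if version == 2:
                    r.utf()              # certificate type, normally "X.509"
                r.take(r.u32())          # DER certificate, skipped
            entries.append((alias, "PrivateKeyEntry", chain_len))
        elif tag == TRUSTED_CERT_ENTRY:
            if version == 2:
                r.utf()
            r.take(r.u32())
            entries.append((alias, "trustedCertEntry", 1))
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return entries


def check_key_alias(data, key_alias, keystore_type="JKS"):
    """What the JSSE connector would make of keystoreFile=data, keystoreType, keyAlias."""
    actual = detect_storetype(data)
    if actual != keystore_type.upper():
        return ("keystore format mismatch: file is %s but keystoreType is %s; keytool reports "
                "'Invalid keystore format' unless given -storetype %s" % (actual, keystore_type, actual))
    if actual != "JKS":
        return "ok: %s keystore; entries not inspected by this script" % actual
    by_alias = {a.lower(): (kind, n) for a, kind, n in list_jks_entries(data)}
    entry = by_alias.get(key_alias.lower())   # JKS aliases are case-insensitive
    if entry is None:
        return "alias %s not found; aliases present: %s" % (key_alias, ", ".join(sorted(by_alias)))
    kind, chain_len = entry
    if kind != "PrivateKeyEntry":
        return "Alias name %s does not identify a key entry (it is a %s)" % (key_alias, kind)
    if chain_len == 1:
        return ("ok: %s is a key entry, but its chain holds one certificate; if a CA-issued "
                "certificate was expected, the CA reply was not imported under this alias" % key_alias)
    return "ok: %s is a key entry with a %d-certificate chain" % (key_alias, chain_len)


# Constructed test keystores: real JKS framing around dummy payloads and a zero digest,
# so keytool would reject them but the container parser above reads them.
def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _blob(b):
    return struct.pack(">I", len(b)) + b


def build_jks(entries):
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, kind, certs in entries:
        tag = PRIVATE_KEY_ENTRY if kind == "PrivateKeyEntry" else TRUSTED_CERT_ENTRY
        out += struct.pack(">I", tag) + _utf(alias) + b"\0" * 8
        if tag == PRIVATE_KEY_ENTRY:
            out += _blob(b"encrypted-key") + struct.pack(">I", len(certs))
        out += b"".join(_utf("X.509") + _blob(c) for c in certs)
    return out + b"\0" * 20


SAMPLE_JKS = build_jks([("tomcat", "PrivateKeyEntry", [b"leaf-cert"]),
                        ("geotrust", "trustedCertEntry", [b"root-cert"])])
SAMPLE_P12_HEADER = b"\x30\x82\x0a\x00\x02\x01\x03"   # SEQUENCE { INTEGER 3 ... }: PKCS#12 PFX

if __name__ == "__main__":
    for alias in ("tomcat", "geotrust", "missing"):
        print(check_key_alias(SAMPLE_JKS, alias))
    print(check_key_alias(SAMPLE_P12_HEADER, "tomcat"))
```

On a real install pass the bytes of keystoreFile: check_key_alias(open(path, "rb").read(), "tomcat"). A trustedCertEntry under the alias named in keyAlias is what you get when the purchased certificate is imported under a new alias instead of as the reply to the alias that holds the private key from the original certificate request.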
Re: SSL not working on Tomcat
Hi,

According to you, one of the steps that you did was:

> I downloaded their root cert, imported it, converted their cert to DER format (on a separate Linux box), and imported it into the keystore.

You seem to be running your application on a Windows box. Can that be the reason why your key is not working properly?

Thanks
Dhiraj Ramakrishnan

On 11/8/06, Caldarale, Charles R [EMAIL PROTECTED] wrote:

> From: Michael Casale [mailto:[EMAIL PROTECTED]
> Subject: SSL not working on Tomcat
>
> > I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server.
>
> Depending on how you installed Tomcat, you may have also gotten the native connector, aka APR. Its SSL configuration is different from the traditional Tomcat connector. Look here for details:
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>
> Regardless, you probably want to move up to a more recent level.
>
> - Chuck
RE: SSL not working on Tomcat
I've installed Firefox 2.0 and I get the error:

    Firefox can't connect securely to upm.knoa.com because the site uses a security protocol which isn't enabled

So... I changed sslProtocol="TLS" to sslProtocol="SSL" and restarted the service. I get the same error.

Meanwhile, with Internet Explorer, I turned off friendly error messages, and loaded the page. Instead of a page not found I get a blank page. Interesting.

Next I tried the validator, a tool from here: http://validator.w3.org/ Great tool. It reports the following error:

    500 SSL negotiation failed: error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher

Any ideas? I'm going to try re-importing the original certificate in PKCS12 format...

Michael Casale
Systems Administrator / IT Manager
Knoa Software
[EMAIL PROTECTED]
Ph. (212) 807-9608 ext. 6000
Fax (212) 675-6121

-Original Message-
From: Mark Eggers [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 6:35 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

> Did you try this with Firefox? IE has some problems with no-cache in the header or as a pragma. Later versions of Tomcat 5.5 set this. There is a mailing list thread concerning this:
> http://marc.theaimsgroup.com/?t=11180675668r=1w=2
> along with some solutions.
>
> Hope this helps.
>
> /mde/
> just my two cents . . . .
>
> --- Michael Casale [EMAIL PROTECTED] wrote:
>
> > Howdy all,
> >
> > I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server. Pointing to the default connector on port 8080 works fine.
> >
> > Here's a little background:
> >
> > 1. Using keytool, I created a certificate request, sent it off to Geotrust, and purchased a cert to import. It was emailed to me.
> > 2. Following the recommendations of geotrust (http://www.geocerts.com/support/install/install_tomcat.php), I downloaded their root cert, imported it, converted their cert to DER format (on a separate Linux box), and imported it into the keystore.
> > 3. I restarted the Tomcat service with no errors, see the connector started on port 8443.
> >
> > Now, opening any page on the server at http://servername:8080/ works fine, but https://servername:8443/ doesn't work. All ports are opened through the firewall, etc. Same for https://localhost:8443/.
> >
> > Here is the server.xml file entry for the connector:
> >
> > <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
> >            port="8443" minProcessors="5" maxProcessors="20"
> >            enableLookups="true" disableUploadTimeout="true"
> >            acceptCount="100" debug="0" scheme="https" secure="true"
> >            sslProtocol="TLS"
> >            keystoreFile="c:\files\tomcat" keystorePass="THEPASS"/>
> >
> > According to the Tomcat SSL documentation, I need to have the root cert and the purchased cert in the keystore file, and I need to use the keyAlias to tell Tomcat which one to use. But whenever I add in the keyAlias entry it gives me the "Alias name tomcat does not identify a key entry" error in the logs. If I could find out how to enable better logging I may be able to troubleshoot this further.
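The "Alias name tomcat does not identify a key entry" error from the original message and the validator's "peer error no cipher" point at the same condition: keyAlias must name a key entry (private key plus certificate chain), while a certificate imported under a new alias becomes a trusted-certificate entry with no private key, and a JSSE connector that finds no key entry has no certificate to offer in the handshake. The following is an added diagnostic, not code from the thread: it loads the keystore through the same java.security.KeyStore API the JSSE connector uses and reports each alias's entry type and chain length; the path, store password and alias arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/* Added diagnostic, not code from the thread. Usage (arguments are assumed):
 *   java KeystoreCheck c:\files\tomcat THEPASS tomcat
 * Reports, per alias, whether the entry is a key entry (private key plus chain,
 * which is what keyAlias must name) or only a trusted certificate entry. */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        String path = args[0];                                // keystoreFile
        char[] storePass = args[1].toCharArray();             // keystorePass
        String wanted = args.length > 2 ? args[2] : "tomcat"; // keyAlias, Tomcat's default

        // keytool writes JKS by default; a .p12 file needs the PKCS12 type instead
        KeyStore ks = KeyStore.getInstance(path.toLowerCase().endsWith(".p12") ? "PKCS12" : "JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }

        boolean wantedIsKeyEntry = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println(alias + ": key entry, chain length " + chain.length);
                for (Certificate c : chain) {
                    System.out.println("    " + ((X509Certificate) c).getSubjectX500Principal());
                }
                // A single certificate is the self-signed one keytool generated with the
                // key: the CA reply was never imported under this alias.
                if (chain.length == 1) {
                    System.out.println("    note: CA reply not imported under this alias");
                }
                wantedIsKeyEntry |= alias.equals(wanted);
            } else if (ks.isCertificateEntry(alias)) {
                // No private key here: a CA reply imported under a new alias lands as this type
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": trusted certificate entry only, " + c.getSubjectX500Principal());
            }
        }
        if (!wantedIsKeyEntry) {
            System.out.println("no key entry named '" + wanted + "': the condition behind "
                    + "\"Alias name " + wanted + " does not identify a key entry\"");
        }
    }
}
```

If the purchased certificate shows up as a trusted certificate entry under its own alias, it has to be re-imported under the alias of the key pair the CSR was generated from, after the root certificate is trusted.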
RE: SSL not working on Tomcat
I also tried building the keystore in PKCS12 format - importing both the root cert and normal cert into the keystore. I'm getting the same error.

Michael Casale
Systems Administrator / IT Manager
Knoa Software
[EMAIL PROTECTED]
Ph. (212) 807-9608 ext. 6000
Fax (212) 675-6121

-Original Message-
From: Dhiraj Ramakrishnan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 6:44 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

> Hi,
>
> According to you, one of the steps that you did was:
>
> > I downloaded their root cert, imported it, converted their cert to DER format (on a separate Linux box), and imported it into the keystore.
>
> You seem to be running your application on a Windows box. Can that be the reason why your key is not working properly?
>
> Thanks
> Dhiraj Ramakrishnan
>
> On 11/8/06, Caldarale, Charles R [EMAIL PROTECTED] wrote:
>
> > From: Michael Casale [mailto:[EMAIL PROTECTED]
> > Subject: SSL not working on Tomcat
> >
> > > I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server.
> >
> > Depending on how you installed Tomcat, you may have also gotten the native connector, aka APR. Its SSL configuration is different from the traditional Tomcat connector. Look here for details:
> > http://tomcat.apache.org/tomcat-5.5-doc/apr.html
> >
> > Regardless, you probably want to move up to a more recent level.
> >
> > - Chuck
Re: SSL not working on Tomcat
Michael comments prefixed with Re

> Howdy all,
>
> I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server. Pointing to the default connector on port 8080 works fine.
>
> Here's a little background:
>
> 1. Using keytool, I created a certificate request, sent it off to Geotrust, and purchased a cert to import. It was emailed to me.
> 2. Following the recommendations of geotrust (http://www.geocerts.com/support/install/install_tomcat.php), I downloaded their root cert, imported it, converted their cert to DER format (on a separate Linux box), and imported it into the keystore.
> 3. I restarted the Tomcat service with no errors, see the connector started on port 8443.
>
> Now, opening any page on the server at http://servername:8080/ works fine, but https://servername:8443/ doesn't work. All ports are opened through the firewall, etc. Same for https://localhost:8443/.
>
> Here is the server.xml file entry for the connector:
>
> <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
>            port="8443" minProcessors="5" maxProcessors="20"
>            enableLookups="true" disableUploadTimeout="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            sslProtocol="TLS"
>            keystoreFile="c:\files\tomcat" keystorePass="THEPASS"/>

MG> could you check to see if the keystoreFile is called tomcat and is located in C:\files ?
MG> out of curiosity which JVM are you using Sun or IBM..this changes the values assigned to sslProtocol and algorithm?
MG> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
MG> M-

> Michael Casale
> Systems Administrator / IT Manager
> Knoa Software
> [EMAIL PROTECTED]
> Ph. (212) 807-9608 ext. 6000
> Fax (212) 675-6121
RE: SSL not working on Tomcat
Thanks for your response. The tomcat keystore is located in c:\files. The version of Java is 1.5.0_06.

Thanks!
Mike

-Original Message-
From: Martin Gainty [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 9:08 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

> Michael comments prefixed with Re
>
> > Here is the server.xml file entry for the connector:
> >
> > <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
> >            port="8443" minProcessors="5" maxProcessors="20"
> >            enableLookups="true" disableUploadTimeout="true"
> >            acceptCount="100" debug="0" scheme="https" secure="true"
> >            sslProtocol="TLS"
> >            keystoreFile="c:\files\tomcat" keystorePass="THEPASS"/>
>
> MG> could you check to see if the keystoreFile is called tomcat and is located in C:\files ?
> MG> out of curiosity which JVM are you using Sun or IBM..this changes the values assigned to sslProtocol and algorithm?
> MG> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
> MG> M-