Re: SSL issue

2023-03-18 Thread John Dale (DB2DOM)
Noted - excellent!

On 3/18/23, Kevin Huntly  wrote:
> I was able to read the keystore with both openssl and keytool, but for some
> reason the private key within the pkcs#12 file had a different password
> than the keystore password. I ended up just rebuilding the cert and the
> keystore, and it's working now. Thanks!
> 
>
> Kevin Huntly
> Email: kmhun...@gmail.com
> Cell: 716/424-3311
> 
>
> -BEGIN GEEK CODE BLOCK-
> Version: 1.0
> GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
> W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
> PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
> G++ e(+) h--- r+++ y+++*
> --END GEEK CODE BLOCK--
>
>
> On Sat, Mar 18, 2023 at 3:27 PM Thomas Hoffmann (Speed4Trade GmbH)
>  wrote:
>
>> Hello,
>>
>> the relevant error is:
>> Caused by: javax.crypto.BadPaddingException: Given final block not
>> properly padded. Such issues can arise if a bad key is used during
>> decryption.
>>
>> It seems there is something wrong with your keystore.
>> Are both the private and public key in the p12 file?
>> Can you check the contents with keytool?
>> Alternatively, you can also use pem files; they are more readable than
>> p12.
>>
>> Greetings, Thomas
>>
>> > -Original Message-
>> > From: Kevin Huntly 
>> > Sent: Saturday, 18 March 2023 19:15
>> > To: users@tomcat.apache.org
>> > Subject: SSL issue
>> >
>> > Hello Everyone,
>> >
>> > I'm having an issue with my SSL connector:
>> >
>> > 

Re: SSL issue

2023-03-18 Thread John Dale (DB2DOM)
What kind of key are you using?

I generate my certs with certbot.

The result needs to be converted thusly to be used:
openssl pkcs12 -export -out mykey-bundle.pfx -inkey myprivkey.pem -in cert.pem -certfile chain.pem -password pass:superdupersecretnoteventhealiensknow

Is this a possible source of the issue?


On 3/18/23, Kevin Huntly  wrote:
> Hello Everyone,
>
> I'm having an issue with my SSL connector:
>
> 
> 
>
> And my SSL config:
>
> 
>  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> address="0.0.0.0" port="8443" maxHttpHeaderSize="8192"
> maxThreads="150" minSpareThreads="25" enableLookups="f

AW: SSL issue

2023-03-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Kevin,

That's why I also suggest using the PEM format.
You don't have to deal with two passwords, and the files can be opened in a normal editor.
Copy & paste also works easily in PEM format.

Glad it works now.
Greetings, Thomas

> -Original Message-
> From: Kevin Huntly 
> Sent: Saturday, 18 March 2023 20:30
> To: Tomcat Users List 
> Subject: Re: SSL issue
> 
> I was able to read the keystore with both openssl and keytool, but for some
> reason the private key within the pkcs#12 file had a different password than
> the keystore password. I ended up just rebuilding the cert and the keystore, and
> it's working now. Thanks!
> 
> 
> Kevin Huntly
> Email: kmhun...@gmail.com
> Cell: 716/424-3311
> 
> 
> 
> 
> On Sat, Mar 18, 2023 at 3:27 PM Thomas Hoffmann (Speed4Trade GmbH)
>  wrote:
> 
> > Hello,
> >
> > the relevant error is:
> > Caused by: javax.crypto.BadPaddingException: Given final block not
> > properly padded. Such issues can arise if a bad key is used during
> > decryption.
> >
> > It seems there is something wrong with your keystore.
> > Are both the private and public key in the p12 file?
> > Can you check the contents with keytool?
> > Alternatively, you can also use pem files; they are more readable than p12.
> >
> > Greetings, Thomas
> >
> > > -Original Message-
> > > From: Kevin Huntly 
> > > Sent: Saturday, 18 March 2023 19:15
> > > To: users@tomcat.apache.org
> > > Subject: SSL issue
> > >
> > > Hello Everyone,
> > >
> > > I'm having an issue with my SSL connector:
> > >
> > > 
> > > 

Re: SSL issue

2023-03-18 Thread Kevin Huntly
I was able to read the keystore with both openssl and keytool, but for some
reason the private key within the pkcs#12 file had a different password
than the keystore password. I ended up just rebuilding the cert and the
keystore, and it's working now. Thanks!


Kevin Huntly
Email: kmhun...@gmail.com
Cell: 716/424-3311




On Sat, Mar 18, 2023 at 3:27 PM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello,
>
> the relevant error is:
> Caused by: javax.crypto.BadPaddingException: Given final block not
> properly padded. Such issues can arise if a bad key is used during
> decryption.
>
> It seems there is something wrong with your keystore.
> Are both the private and public key in the p12 file?
> Can you check the contents with keytool?
> Alternatively, you can also use pem files; they are more readable than p12.
>
> Greetings, Thomas
>
> > -Original Message-
> > From: Kevin Huntly 
> > Sent: Saturday, 18 March 2023 19:15
> > To: users@tomcat.apache.org
> > Subject: SSL issue
> >
> > Hello Everyone,
> >
> > I'm having an issue with my SSL connector:
> >
> > 
> 

AW: SSL issue

2023-03-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

the relevant error is:
Caused by: javax.crypto.BadPaddingException: Given final block not properly 
padded. Such issues can arise if a bad key is used during decryption.

It seems there is something wrong with your keystore.
Are both the private and public key in the p12 file?
Can you check the contents with keytool?
Alternatively, you can also use pem files; they are more readable than p12.

Greetings, Thomas

> -Original Message-
> From: Kevin Huntly 
> Sent: Saturday, 18 March 2023 19:15
> To: users@tomcat.apache.org
> Subject: SSL issue
> 
> Hello Everyone,
> 
> I'm having an issue with my SSL connector:
> 
> 
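
One way to carry out the check Thomas suggests, and to validate a bundle built with John's openssl recipe, as an added example that is not from the thread: the script builds a throw-away self-signed key and certificate, packages them with the same flags as John's command, then verifies the bundle the way Tomcat will use it, decrypting the private key with the given password and matching it to the end-entity certificate, which `keytool -list` never does (it only checks the keystore MAC with the store password). The file names, the self-signed certificate, the `check_p12_key`/`make_demo_bundles`/`run_demo` function names and the demo password are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Tomcat's SSLUtilBase.getKeyManagers
# calls KeyStore.getKey(alias, keyPassword), which decrypts the private key;
# "keytool -list" only verifies the PKCS#12 MAC with the store password, so a
# bundle whose key is protected by another password passes keytool and still
# fails at Tomcat startup. check_p12_key performs the decryption step itself.
# All file names and the password below are constructed for this demo.

set -u

# check_p12_key BUNDLE PASSWORD
# Returns 0 when BUNDLE holds a private key that decrypts with PASSWORD and
# whose public half matches the end-entity certificate in the same bundle.
check_p12_key() {
    bundle=$1
    pw=$2
    work=$(mktemp -d) || return 2
    # Step 1: MAC check plus key decryption. A wrong store password fails here
    # ("Mac verify error"); a key encrypted under a different password fails
    # here too, because openssl uses the one password for both.
    if ! openssl pkcs12 -in "$bundle" -passin "pass:$pw" -nocerts -nodes \
            -out "$work/key.pem" 2>"$work/err"; then
        echo "check_p12_key: cannot open bundle or decrypt key: $(head -n1 "$work/err")" >&2
        rm -rf "$work"; return 1
    fi
    # Step 2: a bundle may contain certificates only (exported with -nokeys,
    # or from a keystore entry that never had a key). Then key.pem is empty
    # and "openssl pkey" cannot load anything from it.
    if ! openssl pkey -in "$work/key.pem" -pubout -out "$work/key.pub" 2>/dev/null; then
        echo "check_p12_key: bundle has no usable private key" >&2
        rm -rf "$work"; return 1
    fi
    # Step 3: the key must belong to the server (end-entity) certificate, not
    # merely to some certificate in the chain. -clcerts selects the cert that
    # carries the localKeyID matching the key.
    openssl pkcs12 -in "$bundle" -passin "pass:$pw" -clcerts -nokeys \
        -out "$work/cert.pem" 2>/dev/null
    openssl x509 -in "$work/cert.pem" -noout -pubkey >"$work/cert.pub" 2>/dev/null
    if ! cmp -s "$work/key.pub" "$work/cert.pub"; then
        echo "check_p12_key: private key does not match the end-entity certificate" >&2
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

# make_demo_bundles DIR PASSWORD
# Creates a throw-away self-signed key/cert pair in DIR and two bundles:
# good.pfx (key + cert + chain, same flags as John's command) and
# certonly.pfx (certificate only, the case Thomas asked about).
make_demo_bundles() {
    dir=$1
    pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/myprivkey.pem" \
        -out "$dir/cert.pem" -subj "/CN=localhost" -days 1 >/dev/null 2>&1 || return 1
    # A self-signed certificate is its own chain; a real deployment passes
    # the CA chain file here.
    cp "$dir/cert.pem" "$dir/chain.pem"
    openssl pkcs12 -export -out "$dir/good.pfx" -inkey "$dir/myprivkey.pem" \
        -in "$dir/cert.pem" -certfile "$dir/chain.pem" -password "pass:$pw" || return 1
    openssl pkcs12 -export -nokeys -out "$dir/certonly.pfx" -in "$dir/cert.pem" \
        -password "pass:$pw" || return 1
}

# run_demo exercises the three cases and returns the number of cases whose
# outcome differs from what is expected (0 means the checker behaves).
run_demo() {
    demo=$(mktemp -d) || return 99
    pw="demo-store-password"
    make_demo_bundles "$demo" "$pw" || { rm -rf "$demo"; return 99; }
    failures=0
    if check_p12_key "$demo/good.pfx" "$pw" 2>/dev/null; then
        echo "good.pfx, right password: OK"
    else
        echo "good.pfx unexpectedly rejected"; failures=$((failures+1))
    fi
    if check_p12_key "$demo/good.pfx" "wrong-password" 2>/dev/null; then
        echo "wrong password unexpectedly accepted"; failures=$((failures+1))
    else
        echo "good.pfx, wrong password: rejected as expected"
    fi
    if check_p12_key "$demo/certonly.pfx" "$pw" 2>/dev/null; then
        echo "cert-only bundle unexpectedly accepted"; failures=$((failures+1))
    else
        echo "certonly.pfx: rejected as expected (no private key)"
    fi
    rm -rf "$demo"
    return $failures
}

run_demo
```

Run `check_p12_key bundle.pfx '<password>'` with the password Tomcat is configured with; if the store and key passwords genuinely differ, Tomcat's `certificateKeyPassword` (legacy connector attribute `keyPass`) must carry the key's password, because it defaults to the keystore password.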

SSL issue

2023-03-18 Thread Kevin Huntly
Hello Everyone,

I'm having an issue with my SSL connector:


18-Mar-2023 14:12:46.996 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1014)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1032)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:146)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1302)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1315)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:652)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1012)
    ... 11 more
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:454)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1077)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:353)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
    ... 18 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
    at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
    at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
    at java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:310)
    at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2207)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:370)
    at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
    ... 23 more


And my SSL config:










So, what am I doing wrong here?


Kevin Huntly
Email: kmhun...@gmail.com




AW: AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-17 Thread Thomas Hoffmann (Speed4Trade GmbH)


> -Original Message-
> From: Peter Chamberlain 
> Sent: Friday, 17 June 2022 15:36
> To: Tomcat Users List 
> Subject: Re: AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> 
> On Thu, 16 Jun 2022 at 04:42, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > Thomas,
> >
> > On 6/15/22 03:08, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > > Hello,
> > >
> > >> -Original Message-
> > >> From: Pavan Kumar Tiruvaipati 
> > >> Sent: Wednesday, 15 June 2022 08:59
> > >> To: Christopher Schultz 
> > >> Cc: Tomcat Users List 
> > >> Subject: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> > >>
> > >> Hi,
> > >>
> > >> Tomcat server started successfully.
> > >>
> > >> I'm seeing the following error in the tomcat logs when SSL is
> > >> enabled in server.xml
> > >>
> > >> Application is not able to run on https://localhost:8080.
> > >>
> > >> 2022-06-15 12:02:43,923 [http-3003-1] DEBUG org.apache.tomcat.util.net.JIoEndpoint - Handshake failed
> > >> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > >>     at sun.security.ssl.Alert.createSSLException(Unknown Source)
> > >>     at sun.security.ssl.Alert.createSSLException(Unknown Source)
> > >>     at sun.security.ssl.TransportContext.fatal(Unknown Source)
> > >>     at sun.security.ssl.TransportContext.fatal(Unknown Source)
> > >>     at sun.security.ssl.TransportContext.fatal(Unknown Source)
> > >>     at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Unknown Source)
> > >>     at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown Source)
> > >>     at sun.security.ssl.SSLHandshake.produce(Unknown Source)
> > >>     at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown Source)
> > >>     at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown Source)
> > >>     at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown Source)
> > >>     at sun.security.ssl.SSLHandshake.consume(Unknown Source)
> > >>     at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
> > >>     at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
> > >>     at sun.security.ssl.TransportContext.dispatch(Unknown Source)
> > >>     at sun.security.ssl.SSLTransport.decode(Unknown Source)
> > >>     at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
> > >>     at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
> > >>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> > >>     at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
> > >>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:233)
> > >>     at org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:701)
> > >>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503)
> > >>     at java.lang.Thread.run(Unknown Source)
> > >>
> > >> If I disable SSL in tomcat server.xml, it's working with non-SSL
> > >> (http://localhost:8080).
> > >>
> > >> Does Tomcat SSL configuration work with JRE 1.8.0? Are there any changes
> > >> required to establish a handshake?
> > >>
> > >> Please let me know if you need more details.
> > >>
> > >>
> > >> Regards,
> > >> Pavan
> > >>
> > >> On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
> > >> ch...@christopherschultz.net> wrote:
> > >>
> > >>> Pavan,
> > >>>
> > >>> Please reply to the list and not me personally.
> > >>>
> > >>> On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> > >>>>  > >>>>  maxThreads="150" minSpareThreads="25"
> > >>> maxSpareThreads="75"
> > >>>>  enableLookups="false" disableUploadTimeout="true"
> > >>>>  acceptCoun

Re: AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-17 Thread Peter Chamberlain
On Thu, 16 Jun 2022 at 04:42, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Thomas,
>
> On 6/15/22 03:08, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > Hello,
> >
> >> -Original Message-
> >> From: Pavan Kumar Tiruvaipati 
> >> Sent: Wednesday, 15 June 2022 08:59
> >> To: Christopher Schultz 
> >> Cc: Tomcat Users List 
> >> Subject: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> >>
> >> Hi,
> >>
> >> Tomcat server started successfully.
> >>
> >> I'm seeing the following error in the tomcat logs when SSL is enabled in
> >> server.xml
> >>
> >> Application is not able to run on https://localhost:8080.
> >>
> >>
> >> If I disable SSL in tomcat server.xml, it's working with non-SSL
> >> (http://localhost:8080).
> >>
> >> Does Tomcat SSL configuration work with JRE 1.8.0? Are there any changes
> >> required to establish a handshake?
> >>
> >> Please let me know if you need more details.
> >>
> >>
> >> Regards,
> >> Pavan
> >>
> >> On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >>> Pavan,
> >>>
> >>> Please reply to the list and not me personally.
> >>>
> >>> On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> >>>>  >>>>  maxThreads="150" minSpareThreads="25"
> >>> maxSpareThreads="75"
> >>>>  enableLookups="false" disableUploadTimeout="true"
> >>>>  acceptCount="100"  scheme="https" secure="true"
> >>>> connectionTimeout="2"
> >>>>  clientAuth="false" algorithm="SunX509"
> sslProtocol="TLS"
> >>>> keystoreFile="conf/certificate" keystorePass="x"
> >>>> useBodyEncodingForURI="true"
> >>>> SSLEnabled="true"/>
> >>>
> >>> That all looks pretty straightforward.
> >>>
> >>> When you say it's "not working", can you be more specific? Does the
> >>> Tomcat server start? Are there any 

Re: AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Christopher Schultz

Thomas,

On 6/15/22 03:08, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello,


-Original Message-
From: Pavan Kumar Tiruvaipati 
Sent: Wednesday, 15 June 2022 08:59
To: Christopher Schultz 
Cc: Tomcat Users List 
Subject: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

Hi,

Tomcat server started successfully.

I'm seeing the following error in the tomcat logs when SSL is enabled in
server.xml

Application is not able to run on https://localhost:8080.

2022-06-15 12:02:43,923 [http-3003-1] DEBUG
*org.apache.tomcat.util.net.JIoEndpoint
- Handshake failed*

*javax.net.ssl.SSLHandshakeException: no cipher suites in common at
sun.security.ssl.Alert.createSSLException(Unknown Source) *

*at sun.security.ssl.Alert.createSSLException(Unknown Source) at
sun.security.ssl.TransportContext.fatal(Unknown Source) *

*at sun.security.ssl.TransportContext.fatal(Unknown Source) at
sun.security.ssl.TransportContext.fatal(Unknown Source) at
sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Un
known
Source) at
sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown
Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown
Source) at
sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown
Source) at
sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
sun.security.ssl.TransportContext.dispatch(Unknown Source) at
sun.security.ssl.SSLTransport.decode(Unknown Source) at
sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) at
sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFac
tory.java:233)
at
org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:7
01)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503)
at java.lang.Thread.run(Unknown Source)*

If I disable SSL in tomcat server.xml, It's working with Non-SSL (
http://localhost:8080).

Does Tomcat SSL configuration work with JRE 1.8.0 ? Are there any changes
required to establish a handshake ?

Please let me know if you need more details.


Regards,
Pavan

On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Pavan,

Please reply to the list and not me personally.

On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:


maxSpareThreads="75"

 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100"  scheme="https" secure="true"
connectionTimeout="2"
 clientAuth="false" algorithm="SunX509" sslProtocol="TLS"
keystoreFile="conf/certificate" keystorePass="x"
useBodyEncodingForURI="true"
SSLEnabled="true"/>


That all looks pretty straightforward.

When you say it's "not working", can you be more specific? Does the
Tomcat server start? Are there any errors or warnings in the logs?

-chris


On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
mailto:ch...@christopherschultz.net>>

wrote:


 Pavan,

 On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:
  > We have replaced JDK 1.8 with JRE 1.8.0_333.
  >
  > SSL configuration was working fine with Tomcat 6.0.45 before
 replacing JDK
  > with JRE.
  >
  > Now it's not working.
  >
  > In server.xml, SSL Protocol is set to "TLS".
  >
  > Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?
  >
  > Are there any specific protocols / versions to be used to enable
 SSL ?

 Please post your  configuration. Remove any secrets
that

may

 be in there (e.g. passwords).

 -chris





The error says that the client and the server couldn’t find a common cipher 
suite.
They couldn’t agree on any cipher.
Does your keystore contain a valid private key?


The problem is likely that Tomcat 6 (which is ancient) defaults to TLSv1 
and no higher (this is a guess; I'm not bothering to look at a 
14-year-old version of Tomcat to figure out what the problem really is). 
The client isn't willing to connect to such an ancient version of any 
protocol, so it fails with the handshake failure.



Maybe you can try to print out all available cipher suites on your environment:
https://stackoverflow.com/questions/9333504/how-can-i-list-the-available-cipher-algorithms
You can add the code to a jsp-page and print out the available algorithms.



AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Pavan,

Which client are you using to access Tomcat?
Which TLS versions are activated on that client?

Java 8 ships with ssl ciphers suitable for common browsers (in default 
configuration).

If the server is public, use https://www.ssllabs.com/ssltest/ to check the 
server ciphers.
If the server is not public, you can use e.g. https://github.com/rbsec/sslscan 
You need to check the ciphers of the server and which ciphers are enabled on 
the client side.

I would also recommend upgrading Tomcat because it is an ancient version and 
reached EOL many years ago.

Greetings, Thomas

> -Ursprüngliche Nachricht-
> Von: Pavan Kumar Tiruvaipati 
> Gesendet: Mittwoch, 15. Juni 2022 11:14
> An: Tomcat Users List 
> Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> 
> Hi,
> 
> Java ships cipher suites. We have printed all available cipher suites in our
> environment.
> 
> Tomcat is not able to enable SSL with JRE 1.8.0_333.
> 
> The error says that the client and the server couldn’t find a common cipher
> suite.
> 
> 1. Which cipher suite to be updated in tomcat to enable SSL ?
> 2. Where do we need to update the cipher suite in tomcat ? server.xml ?
> 
> Please advise me if there is any other way to fix the SSL issue. Thank you in
> advance.
> 
> Regards,
> Pavan
> 
> On Wed, Jun 15, 2022 at 1:34 PM Thomas Hoffmann (Speed4Trade GmbH)
>  wrote:
> 
> > Hello,
> > Java already ships with a broad variety of cipher suites.
> > The crypto providers are listed in the file java.security.
> > As long as you don’t modify this file, SSL should work just fine in
> > the default java-configuration.
> >
> > Greetings, Thomas
> >
> >
> > > -Ursprüngliche Nachricht-
> > > Von: Pavan Kumar Tiruvaipati 
> > > Gesendet: Mittwoch, 15. Juni 2022 09:56
> > > An: thomas.hoffm...@speed4trade.com.invalid
> > > Cc: Tomcat Users List 
> > > Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> > >
> > > Hi,
> > >
> > > Thanks for the quick response. I will print all the available cipher
> > suites.
> > >
> > > Where do I need to update the cipher to support SSL ?
> > >
> > >
> > > Regards,
> > > Pavan
> > >
> > > On Wed, Jun 15, 2022 at 12:39 PM Thomas Hoffmann (Speed4Trade
> GmbH)
> > >  wrote:
> > >
> > > > Hello,
> > > >
> > > > > -Ursprüngliche Nachricht-
> > > > > Von: Pavan Kumar Tiruvaipati 
> > > > > Gesendet: Mittwoch, 15. Juni 2022 08:59
> > > > > An: Christopher Schultz 
> > > > > Cc: Tomcat Users List 
> > > > > Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> > > > >
> > > > > Hi,
> > > > >
> > > > > Tomcat server started successfully.
> > > > >
> > > > > I'm seeing the following error in the tomcat logs when SSL is
> > > > > enabled in server.xml
> > > > >
> > > > > Application is not able to run on https://localhost:8080.
> > > > >
> > > > > 2022-06-15 12:02:43,923 [http-3003-1] DEBUG
> > > > > *org.apache.tomcat.util.net.JIoEndpoint
> > > > > - Handshake failed*
> > > > >
> > > > > *javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > > > > at sun.security.ssl.Alert.createSSLException(Unknown Source) *
> > > > >
> > > > > *at sun.security.ssl.Alert.createSSLException(Unknown Source) at
> > > > > sun.security.ssl.TransportContext.fatal(Unknown Source) *
> > > > >
> > > > > *at sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > > > sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > > > sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipher
> > > > > Suit
> > > > > e(Un
> > > > > known
> > > > > Source) at
> > > > > sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unkn
> > > > > own
> > > > > Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source)
> > > > > at
> > > > > sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unkn
> > > > > own
> > > > > Source) at
> > > > > sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(U
> > > > > nkno
> > > > > wn
> > > > > Source) at
> > > 

Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Pavan Kumar Tiruvaipati
Hi,

Java ships cipher suites. We have printed all available cipher suites in
our environment.

Tomcat is not able to enable SSL with JRE 1.8.0_333.

The error says that the client and the server couldn’t find a common cipher
suite.

1. Which cipher suite needs to be updated in Tomcat to enable SSL?
2. Where do we need to update the cipher suite in Tomcat? server.xml?

Please advise me if there is any other way to fix the SSL issue. Thank you
in advance.

Regards,
Pavan

On Wed, Jun 15, 2022 at 1:34 PM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello,
> Java already ships with a broad variety of cipher suites.
> The crypto providers are listed in the file java.security.
> As long as you don’t modify this file, SSL should work just fine in the
> default java-configuration.
>
> Greetings, Thomas
>
>
> > -Ursprüngliche Nachricht-
> > Von: Pavan Kumar Tiruvaipati 
> > Gesendet: Mittwoch, 15. Juni 2022 09:56
> > An: thomas.hoffm...@speed4trade.com.invalid
> > Cc: Tomcat Users List 
> > Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> >
> > Hi,
> >
> > Thanks for the quick response. I will print all the available cipher
> suites.
> >
> > Where do I need to update the cipher to support SSL ?
> >
> >
> > Regards,
> > Pavan
> >
> > On Wed, Jun 15, 2022 at 12:39 PM Thomas Hoffmann (Speed4Trade GmbH)
> >  wrote:
> >
> > > Hello,
> > >
> > > > -Ursprüngliche Nachricht-
> > > > Von: Pavan Kumar Tiruvaipati 
> > > > Gesendet: Mittwoch, 15. Juni 2022 08:59
> > > > An: Christopher Schultz 
> > > > Cc: Tomcat Users List 
> > > > Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> > > >
> > > > Hi,
> > > >
> > > > Tomcat server started successfully.
> > > >
> > > > I'm seeing the following error in the tomcat logs when SSL is
> > > > enabled in server.xml
> > > >
> > > > Application is not able to run on https://localhost:8080.
> > > >
> > > > 2022-06-15 12:02:43,923 [http-3003-1] DEBUG
> > > > *org.apache.tomcat.util.net.JIoEndpoint
> > > > - Handshake failed*
> > > >
> > > > *javax.net.ssl.SSLHandshakeException: no cipher suites in common at
> > > > sun.security.ssl.Alert.createSSLException(Unknown Source) *
> > > >
> > > > *at sun.security.ssl.Alert.createSSLException(Unknown Source) at
> > > > sun.security.ssl.TransportContext.fatal(Unknown Source) *
> > > >
> > > > *at sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > > sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > > sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuit
> > > > e(Un
> > > > known
> > > > Source) at
> > > > sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown
> > > > Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
> > > > sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown
> > > > Source) at
> > > > sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unkno
> > > > wn
> > > > Source) at
> > > > sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
> > > > Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
> > > > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > > > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > > > sun.security.ssl.TransportContext.dispatch(Unknown Source) at
> > > > sun.security.ssl.SSLTransport.decode(Unknown Source) at
> > > > sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
> > > > sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
> > > > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > > > sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > > > org.apache.tomcat.util.net
> > > .jsse.JSSESocketFactory.handshake(JSSESocketFac
> > > > tory.java:233)
> > > > at
> > > > org.apache.tomcat.util.net
> > > .JIoEndpoint.setSocketOptions(JIoEndpoint.java:7
> > > > 01)
> > > > at org.apache.tomcat.util.net
> > > .JIoEndpoint$Worker.run(JIoEndpoint.java:503)
> > > > at java.lang.Thread.run(Unknown Source)*
> > > >
> > > > If I disable SSL in tomcat server.xml, It's working with Non-SSL (

AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,
Java already ships with a broad variety of cipher suites.
The crypto providers are listed in the file java.security.
As long as you don’t modify this file, SSL should work just fine in the default 
java-configuration.

Greetings, Thomas


> -Ursprüngliche Nachricht-
> Von: Pavan Kumar Tiruvaipati 
> Gesendet: Mittwoch, 15. Juni 2022 09:56
> An: thomas.hoffm...@speed4trade.com.invalid
> Cc: Tomcat Users List 
> Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> 
> Hi,
> 
> Thanks for the quick response. I will print all the available cipher suites.
> 
> Where do I need to update the cipher to support SSL ?
> 
> 
> Regards,
> Pavan
> 
> On Wed, Jun 15, 2022 at 12:39 PM Thomas Hoffmann (Speed4Trade GmbH)
>  wrote:
> 
> > Hello,
> >
> > > -Ursprüngliche Nachricht-
> > > Von: Pavan Kumar Tiruvaipati 
> > > Gesendet: Mittwoch, 15. Juni 2022 08:59
> > > An: Christopher Schultz 
> > > Cc: Tomcat Users List 
> > > Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> > >
> > > Hi,
> > >
> > > Tomcat server started successfully.
> > >
> > > I'm seeing the following error in the tomcat logs when SSL is
> > > enabled in server.xml
> > >
> > > Application is not able to run on https://localhost:8080.
> > >
> > > 2022-06-15 12:02:43,923 [http-3003-1] DEBUG
> > > *org.apache.tomcat.util.net.JIoEndpoint
> > > - Handshake failed*
> > >
> > > *javax.net.ssl.SSLHandshakeException: no cipher suites in common at
> > > sun.security.ssl.Alert.createSSLException(Unknown Source) *
> > >
> > > *at sun.security.ssl.Alert.createSSLException(Unknown Source) at
> > > sun.security.ssl.TransportContext.fatal(Unknown Source) *
> > >
> > > *at sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > > sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuit
> > > e(Un
> > > known
> > > Source) at
> > > sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown
> > > Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
> > > sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown
> > > Source) at
> > > sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unkno
> > > wn
> > > Source) at
> > > sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
> > > Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
> > > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > > sun.security.ssl.TransportContext.dispatch(Unknown Source) at
> > > sun.security.ssl.SSLTransport.decode(Unknown Source) at
> > > sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
> > > sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
> > > at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > > sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > > org.apache.tomcat.util.net
> > .jsse.JSSESocketFactory.handshake(JSSESocketFac
> > > tory.java:233)
> > > at
> > > org.apache.tomcat.util.net
> > .JIoEndpoint.setSocketOptions(JIoEndpoint.java:7
> > > 01)
> > > at org.apache.tomcat.util.net
> > .JIoEndpoint$Worker.run(JIoEndpoint.java:503)
> > > at java.lang.Thread.run(Unknown Source)*
> > >
> > > If I disable SSL in tomcat server.xml, It's working with Non-SSL (
> > > http://localhost:8080).
> > >
> > > Does Tomcat SSL configuration work with JRE 1.8.0 ? Are there any
> > > changes required to establish a handshake ?
> > >
> > > Please let me know if you need more details.
> > >
> > >
> > > Regards,
> > > Pavan
> > >
> > > On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > >
> > > > Pavan,
> > > >
> > > > Please reply to the list and not me personally.
> > > >
> > > > On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> > > > >  > > > > maxThreads="150" minSpareThreads="25"
> > > > maxSpareThreads="75"
> > > > > enableLookups="false" disableUploadTimeout="true"

Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Pavan Kumar Tiruvaipati
Hi,

Thanks for the quick response. I will print all the available cipher
suites.

Where do I need to update the cipher to support SSL ?


Regards,
Pavan

On Wed, Jun 15, 2022 at 12:39 PM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello,
>
> > -Ursprüngliche Nachricht-
> > Von: Pavan Kumar Tiruvaipati 
> > Gesendet: Mittwoch, 15. Juni 2022 08:59
> > An: Christopher Schultz 
> > Cc: Tomcat Users List 
> > Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> >
> > Hi,
> >
> > Tomcat server started successfully.
> >
> > I'm seeing the following error in the tomcat logs when SSL is enabled in
> > server.xml
> >
> > Application is not able to run on https://localhost:8080.
> >
> > 2022-06-15 12:02:43,923 [http-3003-1] DEBUG
> > *org.apache.tomcat.util.net.JIoEndpoint
> > - Handshake failed*
> >
> > *javax.net.ssl.SSLHandshakeException: no cipher suites in common at
> > sun.security.ssl.Alert.createSSLException(Unknown Source) *
> >
> > *at sun.security.ssl.Alert.createSSLException(Unknown Source) at
> > sun.security.ssl.TransportContext.fatal(Unknown Source) *
> >
> > *at sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > sun.security.ssl.TransportContext.fatal(Unknown Source) at
> > sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Un
> > known
> > Source) at
> > sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown
> > Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
> > sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown
> > Source) at
> > sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown
> > Source) at
> > sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
> > Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
> > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> > sun.security.ssl.TransportContext.dispatch(Unknown Source) at
> > sun.security.ssl.SSLTransport.decode(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> > org.apache.tomcat.util.net
> .jsse.JSSESocketFactory.handshake(JSSESocketFac
> > tory.java:233)
> > at
> > org.apache.tomcat.util.net
> .JIoEndpoint.setSocketOptions(JIoEndpoint.java:7
> > 01)
> > at org.apache.tomcat.util.net
> .JIoEndpoint$Worker.run(JIoEndpoint.java:503)
> > at java.lang.Thread.run(Unknown Source)*
> >
> > If I disable SSL in tomcat server.xml, It's working with Non-SSL (
> > http://localhost:8080).
> >
> > Does Tomcat SSL configuration work with JRE 1.8.0 ? Are there any changes
> > required to establish a handshake ?
> >
> > Please let me know if you need more details.
> >
> >
> > Regards,
> > Pavan
> >
> > On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Pavan,
> > >
> > > Please reply to the list and not me personally.
> > >
> > > On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> > > >  > > > maxThreads="150" minSpareThreads="25"
> > > maxSpareThreads="75"
> > > > enableLookups="false" disableUploadTimeout="true"
> > > > acceptCount="100"  scheme="https" secure="true"
> > > > connectionTimeout="2"
> > > > clientAuth="false" algorithm="SunX509"
> sslProtocol="TLS"
> > > >keystoreFile="conf/certificate" keystorePass="x"
> > > > useBodyEncodingForURI="true"
> > > >SSLEnabled="true"/>
> > >
> > > That all looks pretty straightforward.
> > >
> > > When you say it's "not working", can you be more specific? Does the
> > > Tomcat server start? Are there any errors or warnings in the logs?
> > >
> > > -chris
> > >
> > > > On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
> > > > mailto:ch...@christopherschultz.net>>
> > > wrote:
> > > >
> > > > Pavan,
>

AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Ursprüngliche Nachricht-
> Von: Pavan Kumar Tiruvaipati 
> Gesendet: Mittwoch, 15. Juni 2022 08:59
> An: Christopher Schultz 
> Cc: Tomcat Users List 
> Betreff: Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0
> 
> Hi,
> 
> Tomcat server started successfully.
> 
> I'm seeing the following error in the tomcat logs when SSL is enabled in
> server.xml
> 
> Application is not able to run on https://localhost:8080.
> 
> 2022-06-15 12:02:43,923 [http-3003-1] DEBUG
> *org.apache.tomcat.util.net.JIoEndpoint
> - Handshake failed*
> 
> *javax.net.ssl.SSLHandshakeException: no cipher suites in common at
> sun.security.ssl.Alert.createSSLException(Unknown Source) *
> 
> *at sun.security.ssl.Alert.createSSLException(Unknown Source) at
> sun.security.ssl.TransportContext.fatal(Unknown Source) *
> 
> *at sun.security.ssl.TransportContext.fatal(Unknown Source) at
> sun.security.ssl.TransportContext.fatal(Unknown Source) at
> sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Un
> known
> Source) at
> sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown
> Source) at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
> sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown
> Source) at
> sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown
> Source) at
> sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
> Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
> sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
> sun.security.ssl.TransportContext.dispatch(Unknown Source) at
> sun.security.ssl.SSLTransport.decode(Unknown Source) at
> sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
> sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) at
> sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFac
> tory.java:233)
> at
> org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:7
> 01)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503)
> at java.lang.Thread.run(Unknown Source)*
> 
> If I disable SSL in tomcat server.xml, It's working with Non-SSL (
> http://localhost:8080).
> 
> Does Tomcat SSL configuration work with JRE 1.8.0 ? Are there any changes
> required to establish a handshake ?
> 
> Please let me know if you need more details.
> 
> 
> Regards,
> Pavan
> 
> On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > Pavan,
> >
> > Please reply to the list and not me personally.
> >
> > On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> > >  > > maxThreads="150" minSpareThreads="25"
> > maxSpareThreads="75"
> > > enableLookups="false" disableUploadTimeout="true"
> > > acceptCount="100"  scheme="https" secure="true"
> > > connectionTimeout="2"
> > > clientAuth="false" algorithm="SunX509" sslProtocol="TLS"
> > >keystoreFile="conf/certificate" keystorePass="x"
> > > useBodyEncodingForURI="true"
> > >SSLEnabled="true"/>
> >
> > That all looks pretty straightforward.
> >
> > When you say it's "not working", can you be more specific? Does the
> > Tomcat server start? Are there any errors or warnings in the logs?
> >
> > -chris
> >
> > > On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
> > > mailto:ch...@christopherschultz.net>>
> > wrote:
> > >
> > > Pavan,
> > >
> > > On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:
> > >  > We have replaced JDK 1.8 with JRE 1.8.0_333.
> > >  >
> > >  > SSL configuration was working fine with Tomcat 6.0.45 before
> > > replacing JDK
> > >  > with JRE.
> > >  >
> > >  > Now it's not working.
> > >  >
> > >  > In server.xml, SSL Protocol is set to "TLS".
> > >  >
> > >  > Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?
> > >  >
> > >  > Are there any specific protocols / versions to be used to enable
> > > SSL ?
> > >
> > > Please post your  configuration. Remove any secrets
> > > that
> > may
> > > be in there (e.g. passwords).
> > >
> > > -chris
> > >
> >

The error says that the client and the server couldn’t find a common cipher 
suite.
They couldn’t agree on any cipher.
Does your keystore contain a valid private key?

Maybe you can try to print out all available cipher suites on your environment:
https://stackoverflow.com/questions/9333504/how-can-i-list-the-available-cipher-algorithms
You can add the code to a jsp-page and print out the available algorithms.

Greetings,
Thomas

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
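An added diagnostic (not code from this thread or from Tomcat) that does what Thomas suggests from the command line rather than from a JSP: it prints the protocol versions and cipher suites this JRE enables by default, then loads the connector's keystore through the same SunX509 key manager a JSSE connector uses and asks it for a server alias, which answers the "does your keystore contain a valid private key?" question. The class name TlsDiag, its command-line arguments and the try-PKCS12-then-JKS loading order are assumptions of this example.

```java
// Added diagnostic example, not code from the Tomcat users list thread.
// Usage: java TlsDiag [keystoreFile keystorePass]
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.X509KeyManager;

public class TlsDiag {

    /** Protocols and cipher suites this JRE enables by default for a server socket. */
    static void printDefaults() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Enabled protocols:");
        for (String p : ctx.getDefaultSSLParameters().getProtocols()) {
            System.out.println("  " + p);
        }
        SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
        String[] enabled = ssf.getDefaultCipherSuites();
        System.out.println("Enabled cipher suites (" + enabled.length + " of "
                + ssf.getSupportedCipherSuites().length + " supported):");
        for (String cs : enabled) {
            System.out.println("  " + cs);
        }
    }

    /** keystoreFile="conf/certificate" has no extension, so try both formats (assumed order). */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        for (String type : new String[] {"PKCS12", "JKS"}) {
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
                System.out.println("Loaded " + path + " as " + type);
                return ks;
            } catch (IOException e) {
                // wrong format or wrong store password for this type: try the next one
            }
        }
        throw new IOException("could not load " + path
                + " (missing file, unknown format, or wrong keystore password)");
    }

    /** List the entries; return true if at least one holds a private key. */
    static boolean listEntries(KeyStore ks) throws Exception {
        boolean hasKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean key = ks.isKeyEntry(alias);
            hasKey |= key;
            System.out.println("  " + (key ? "private key" : "trusted cert")
                    + " entry: " + alias);
        }
        return hasKey;
    }

    /**
     * Mirror the connector's algorithm="SunX509": build the key manager and ask it
     * for a server alias. null means no usable private key plus certificate chain
     * of that key type, and without one the server can offer no RSA or ECDSA suite,
     * so the handshake ends in "no cipher suites in common".
     */
    static String serverAlias(KeyStore ks, char[] keyPassword, String keyType)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPassword);  // throws UnrecoverableKeyException on a bad key password
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return ((X509KeyManager) km).chooseServerAlias(keyType, null, null);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        printDefaults();
        if (args.length != 2) {
            return;
        }
        char[] pass = args[1].toCharArray();
        KeyStore ks = loadKeyStore(args[0], pass);
        System.out.println("Entries:");
        if (!listEntries(ks)) {
            System.out.println("No private key entry: the file holds only certificates.");
        }
        for (String keyType : new String[] {"RSA", "EC"}) {
            try {
                System.out.println("SunX509 server alias for " + keyType + ": "
                        + serverAlias(ks, pass, keyType));
            } catch (UnrecoverableKeyException e) {
                // Tomcat uses keystorePass as the key password unless keyPass is set
                System.out.println("Private key password differs from the keystore password");
                break;
            }
        }
    }
}
```

Run it with the JRE that Tomcat actually starts under, since the enabled protocol and suite lists are a property of that JRE and its java.security settings, not of Tomcat.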



Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-14 Thread Pavan Kumar Tiruvaipati
Hi,

Tomcat server started successfully.

I'm seeing the following error in the tomcat logs when SSL is enabled in
server.xml

Application is not able to run on https://localhost:8080.

2022-06-15 12:02:43,923 [http-3003-1] DEBUG
*org.apache.tomcat.util.net.JIoEndpoint
- Handshake failed*

*javax.net.ssl.SSLHandshakeException: no cipher suites in common at
sun.security.ssl.Alert.createSSLException(Unknown Source) *

*at sun.security.ssl.Alert.createSSLException(Unknown Source) at
sun.security.ssl.TransportContext.fatal(Unknown Source) *

*at sun.security.ssl.TransportContext.fatal(Unknown Source) at
sun.security.ssl.TransportContext.fatal(Unknown Source) at
sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(Unknown
Source) at
sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(Unknown Source)
at sun.security.ssl.SSLHandshake.produce(Unknown Source) at
sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(Unknown Source)
at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(Unknown
Source) at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(Unknown
Source) at sun.security.ssl.SSLHandshake.consume(Unknown Source) at
sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
sun.security.ssl.HandshakeContext.dispatch(Unknown Source) at
sun.security.ssl.TransportContext.dispatch(Unknown Source) at
sun.security.ssl.SSLTransport.decode(Unknown Source) at
sun.security.ssl.SSLSocketImpl.decode(Unknown Source) at
sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source) at
sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:233)
at
org.apache.tomcat.util.net.JIoEndpoint.setSocketOptions(JIoEndpoint.java:701)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503)
at java.lang.Thread.run(Unknown Source)*

If I disable SSL in tomcat server.xml, It's working with Non-SSL (
http://localhost:8080).

Does Tomcat SSL configuration work with JRE 1.8.0 ? Are there any changes
required to establish a handshake ?

Please let me know if you need more details.


Regards,
Pavan

On Tue, Jun 14, 2022 at 10:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Pavan,
>
> Please reply to the list and not me personally.
>
> On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:
> >  > maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75"
> > enableLookups="false" disableUploadTimeout="true"
> > acceptCount="100"  scheme="https" secure="true"
> > connectionTimeout="2"
> > clientAuth="false" algorithm="SunX509" sslProtocol="TLS"
> >keystoreFile="conf/certificate" keystorePass="x"
> > useBodyEncodingForURI="true"
> >SSLEnabled="true"/>
>
> That all looks pretty straightforward.
>
> When you say it's "not working", can you be more specific? Does the
> Tomcat server start? Are there any errors or warnings in the logs?
>
> -chris
>
> > On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
> > mailto:ch...@christopherschultz.net>>
> wrote:
> >
> > Pavan,
> >
> > On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:
> >  > We have replaced JDK 1.8 with JRE 1.8.0_333.
> >  >
> >  > SSL configuration was working fine with Tomcat 6.0.45 before
> > replacing JDK
> >  > with JRE.
> >  >
> >  > Now it's not working.
> >  >
> >  > In server.xml, SSL Protocol is set to "TLS".
> >  >
> >  > Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?
> >  >
> >  > Are there any specific protocols / versions to be used to enable
> > SSL ?
> >
> > Please post your  configuration. Remove any secrets that
> may
> > be in there (e.g. passwords).
> >
> > -chris
> >
>


Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-14 Thread Christopher Schultz

Pavan,

Please reply to the list and not me personally.

On 6/14/22 11:21, Pavan Kumar Tiruvaipati wrote:

                acceptCount="100"  scheme="https" secure="true" 
connectionTimeout="2"

                clientAuth="false" algorithm="SunX509" sslProtocol="TLS"
       keystoreFile="conf/certificate" keystorePass="x" 
useBodyEncodingForURI="true"

       SSLEnabled="true"/>


That all looks pretty straightforward.

When you say it's "not working", can you be more specific? Does the 
Tomcat server start? Are there any errors or warnings in the logs?


-chris

On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz 
mailto:ch...@christopherschultz.net>> wrote:


Pavan,

On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:
 > We have replaced JDK 1.8 with JRE 1.8.0_333.
 >
 > SSL configuration was working fine with Tomcat 6.0.45 before
replacing JDK
 > with JRE.
 >
 > Now it's not working.
 >
 > In server.xml, SSL Protocol is set to "TLS".
 >
 > Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?
 >
 > Are there any specific protocols / versions to be used to enable
SSL ?

Please post your  configuration. Remove any secrets that may
be in there (e.g. passwords).

-chris






Re: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-14 Thread Christopher Schultz

Pavan,

On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:

We have replaced JDK 1.8 with JRE 1.8.0_333.

SSL configuration was working fine with Tomcat 6.0.45 before replacing JDK
with JRE.

Now it's not working.

In server.xml, SSL Protocol is set to "TLS".

Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?

Are there any specific protocols / versions to be used to enable SSL ?


Please post your  configuration. Remove any secrets that may 
be in there (e.g. passwords).


-chris




SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-14 Thread Pavan Kumar Tiruvaipati
Hi,

We have replaced JDK 1.8 with JRE 1.8.0_333.

SSL configuration was working fine with Tomcat 6.0.45 before replacing JDK
with JRE.

Now it's not working.

In server.xml, SSL Protocol is set to "TLS".

Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?

Are there any specific protocols / versions to be used to enable SSL ?


Regards,
Pavan


RE: Tomcat SSL - Issue

2021-09-28 Thread Kumawat, Priyanka
Hello Christopher/Niranjan,

Thank you very much for the below information!
The issue was with the Java version; we need to upgrade the Java version 
in order to install the cert.
Thank you again for your support!

Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology


-Original Message-
From: Christopher Schultz 
Sent: 22 September 2021 02:53
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL - Issue

Priyanka,

On 9/21/21 13:52, Kumawat, Priyanka wrote:
> Hello Team ,
>
> Please find the error details as below -
>
> The site can't provide a secure connection .
>
> xmotam01.phl.com uses an unsupported protocol
>
> ERR_SSL_VERSION or CIPHER MISMATCH
>
> Unsupported protocol - The client and server don;t support a common
> protocol version.

Many versions of Java 1.7 do not support TLSv1.2. Try running this tool under 
your Java 1.7 environment for some good information:

https://github.com/ChristopherSchultz/ssltest

-chris




DXC Technology Company -- This message is transmitted to you by or on behalf of 
DXC Technology Company or one of its affiliates. It is intended exclusively for 
the addressee. The substance of this message, along with any attachments, may 
contain proprietary, confidential or privileged information or information that 
is otherwise legally exempt from disclosure. Any unauthorized review, use, 
disclosure or distribution is prohibited. If you are not the intended recipient 
of this message, you are not authorized to read, print, retain, copy or 
disseminate any part of this message. If you have received this message in 
error, please destroy and delete all copies and notify the sender by return 
e-mail. Regardless of content, this e-mail shall not operate to bind DXC 
Technology Company or any of its affiliates to any order or other contract 
unless pursuant to explicit written agreement or government initiative 
expressly permitting the use of e-mail for such purpose.




Re: Tomcat SSL - Issue

2021-09-22 Thread Niranjan Babu Bommu
The port is the one where the server is listening for SSL (8443), and the IP
address is that of the server where Tomcat is running. Expect output like this:

Starting Nmap 6.40 ( http://nmap.org ) at 2021-09-22 14:35 EDT
Nmap scan report for 12.0.0.1
Host is up (0.35s latency).
PORT     STATE SERVICE    VERSION
8443/tcp open  https-alt?
| ssl-enum-ciphers:
|   TLSv1.0:
| ciphers:
|   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
|   NULL
|   TLSv1.1:
| ciphers:
|   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
|   NULL
|   TLSv1.2:
| ciphers:
|   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
|   NULL
|_  least strength: strong


On Wed, Sep 22, 2021 at 8:48 AM Kumawat, Priyanka 
wrote:

> Hi Niranjan ,
>
> Thankyou.
>
> The script here in the below command will be the ssltest script that Chris
> has given?
> Also, the IP address will be the IP of the server?
>
>
> nmap -sV --script ssl-enum-ciphers -p <port> <ip-address>
>
> https://github.com/ChristopherSchultz/ssltest
>
>
> Thanks & Regards,
>
> Priyanka Kumawat | Middleware Admin
> T +91.7879364483
> EMail - priyanka.kuma...@dxc.com
> DL - ams-leveraged-webadmin-offsh...@dxc.com
>
> DXC Technology
>
>
>
>
>
>
> -Original Message-
> From: Niranjan Babu Bommu 
> Sent: 22 September 2021 04:53
> To: Tomcat Users List 
> Subject: Re: Tomcat SSL - Issue
>
> Another way to get the supported TLS versions and cipher suites:
>
> nmap -sV --script ssl-enum-ciphers -p <port> <ip-address>
>
>
>
> On Tue, Sep 21, 2021 at 5:25 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Priyanka,
> >
> > On 9/21/21 13:52, Kumawat, Priyanka wrote:
> > > Hello Team ,
> > >
> > > Please find the error details as below -
> > >
> > > The site can’t provide a secure connection .
> > >
> > > xmotam01.phl.com uses an unsupported protocol
> > >
> > > ERR_SSL_VERSION or CIPHER MISMATCH
> > >
> > > Unsupported protocol – The client and server don;t support a common
> > > protocol version.
> >
> > Many versions of Java 1.7 do not support TLSv1.2. Try running this
> > tool under your Java 1.7 environment for some good information:
> >
> > https://github.com/ChristopherSchultz/ssltest
> >
> > -chris
> >
> >
> >
>
> --
> *Thanks*
> *Niranjan*
>
>

Re: Tomcat SSL - Issue

2021-09-22 Thread Christopher Schultz

Niranjan,

On 9/21/21 19:23, Niranjan Babu Bommu wrote:

Another way to get the supported TLS versions and cipher suites:

nmap -sV --script ssl-enum-ciphers -p <port> <ip-address>


nmap is great, but it won't tell you what your Java client's 
capabilities are.


-chris


On Tue, Sep 21, 2021 at 5:25 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Priyanka,

On 9/21/21 13:52, Kumawat, Priyanka wrote:

Hello Team ,

Please find the error details as below -

The site can’t provide a secure connection .

xmotam01.phl.com uses an unsupported protocol

ERR_SSL_VERSION or CIPHER MISMATCH

Unsupported protocol – The client and server don;t support a common
protocol version.


Many versions of Java 1.7 do not support TLSv1.2. Try running this tool
under your Java 1.7 environment for some good information:

https://github.com/ChristopherSchultz/ssltest

-chris







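Chris's point that nmap only shows the server's offer cuts both ways: what a JVM can negotiate is a property of that JVM, and on Java 7 the set of protocol versions it supports is not the set it enables by default. The following is an added example, not code from this thread, from Tomcat or from the ssltest tool. It lists the running JVM's supported protocol versions and marks which of them are enabled by default, and, if a host and port are given on the command line (assumed arguments, not taken from the thread), attempts one handshake per supported version and reports what was negotiated. It is written against Java 7 APIs so it runs in the environment under discussion.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example: which TLS versions THIS JVM can speak, and which of them a given server accepts. */
public class JvmTlsCheck {

    /** Every protocol name the JVM supports, mapped to whether it is enabled by default (client mode). */
    static Map<String, Boolean> protocolSupport(SSLContext ctx) {
        Set<String> enabledByDefault = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));
        Map<String, Boolean> result = new LinkedHashMap<String, Boolean>();
        for (String p : ctx.getSupportedSSLParameters().getProtocols()) {
            result.put(p, enabledByDefault.contains(p));
        }
        return result;
    }

    /** One handshake restricted to a single protocol version; returns what was negotiated or why it failed. */
    static String probe(SSLSocketFactory factory, String host, int port, String protocol) {
        Socket raw = null;
        try {
            raw = new Socket();
            raw.connect(new InetSocketAddress(host, port), 5000);
            SSLSocket tls = (SSLSocket) factory.createSocket(raw, host, port, true);
            tls.setEnabledProtocols(new String[] { protocol });
            tls.setSoTimeout(5000);
            tls.startHandshake();
            String negotiated = tls.getSession().getProtocol() + " / " + tls.getSession().getCipherSuite();
            tls.close();
            return "ok: " + negotiated;
        } catch (Exception e) {
            // IllegalArgumentException: this JVM does not support the version at all.
            // SSLHandshakeException: supported here but rejected by the peer (no common version or suite).
            return "failed: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        } finally {
            try { if (raw != null) raw.close(); } catch (java.io.IOException ignored) { }
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version=" + System.getProperty("java.version")
                + " vendor=" + System.getProperty("java.vendor"));
        for (Map.Entry<String, Boolean> e : protocolSupport(ctx).entrySet()) {
            System.out.println(e.getKey() + (e.getValue()
                    ? "  supported, enabled by default"
                    : "  supported, NOT enabled by default (a connector or client must enable it explicitly)"));
        }
        System.out.println(ctx.getDefaultSSLParameters().getCipherSuites().length
                + " cipher suites enabled by default, "
                + ctx.getSupportedSSLParameters().getCipherSuites().length + " supported");

        // Optional probe: java JvmTlsCheck <host> <port>  (assumed arguments; not part of the thread)
        if (args.length == 2) {
            String host = args[0];
            int port = Integer.parseInt(args[1]);
            for (String p : ctx.getSupportedSSLParameters().getProtocols()) {
                if (p.startsWith("SSLv2Hello")) {
                    continue; // a hello format, not a negotiable version; it cannot be enabled on its own
                }
                System.out.println(p + " -> " + probe(ctx.getSocketFactory(), host, port, p));
            }
        }
    }
}
```

Run the listing on the JVM that Tomcat itself runs on: a connector can only offer versions that appear in the supported list, whatever sslEnabledProtocols asks for. A version reported as supported but not enabled by default is the usual Java 7 client-side situation for TLSv1.2 and is fixed by configuration; a version missing from the list entirely cannot be fixed by configuration, only by upgrading the JVM, which is what resolved this thread.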



RE: Tomcat SSL - Issue

2021-09-22 Thread Kumawat, Priyanka
Hi Niranjan ,

Thank you.

The script here in the below command will be the ssltest script that Chris has 
given?
Also, the IP address will be the IP of the server?


nmap -sV --script ssl-enum-ciphers -p <port> <ip-address>

https://github.com/ChristopherSchultz/ssltest


Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology






-Original Message-
From: Niranjan Babu Bommu 
Sent: 22 September 2021 04:53
To: Tomcat Users List 
Subject: Re: Tomcat SSL - Issue

Another way to get the supported TLS versions and cipher suites:

nmap -sV --script ssl-enum-ciphers -p <port> <ip-address>



On Tue, Sep 21, 2021 at 5:25 PM Christopher Schultz < 
ch...@christopherschultz.net> wrote:

> Priyanka,
>
> On 9/21/21 13:52, Kumawat, Priyanka wrote:
> > Hello Team ,
> >
> > Please find the error details as below -
> >
> > The site can’t provide a secure connection .
> >
> > xmotam01.phl.com uses an unsupported protocol
> >
> > ERR_SSL_VERSION or CIPHER MISMATCH
> >
> > Unsupported protocol – The client and server don;t support a common
> > protocol version.
>
> Many versions of Java 1.7 do not support TLSv1.2. Try running this
> tool under your Java 1.7 environment for some good information:
>
> https://github.com/ChristopherSchultz/ssltest
>
> -chris
>
>
>

--
*Thanks*
*Niranjan*






Re: Tomcat SSL - Issue

2021-09-21 Thread Niranjan Babu Bommu
Another way to get the supported TLS versions and cipher suites:

nmap -sV --script ssl-enum-ciphers -p <port> <ip-address>



On Tue, Sep 21, 2021 at 5:25 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Priyanka,
>
> On 9/21/21 13:52, Kumawat, Priyanka wrote:
> > Hello Team ,
> >
> > Please find the error details as below -
> >
> > The site can’t provide a secure connection .
> >
> > xmotam01.phl.com uses an unsupported protocol
> >
> > ERR_SSL_VERSION or CIPHER MISMATCH
> >
> > Unsupported protocol – The client and server don;t support a common
> > protocol version.
>
> Many versions of Java 1.7 do not support TLSv1.2. Try running this tool
> under your Java 1.7 environment for some good information:
>
> https://github.com/ChristopherSchultz/ssltest
>
> -chris
>
>
>

-- 
*Thanks*
*Niranjan*


Re: Tomcat SSL - Issue

2021-09-21 Thread Christopher Schultz

Priyanka,

On 9/21/21 13:52, Kumawat, Priyanka wrote:

Hello Team ,

Please find the error details as below -

The site can’t provide a secure connection .

xmotam01.phl.com uses an unsupported protocol

ERR_SSL_VERSION or CIPHER MISMATCH

Unsupported protocol – The client and server don;t support a common 
protocol version.


Many versions of Java 1.7 do not support TLSv1.2. Try running this tool 
under your Java 1.7 environment for some good information:


https://github.com/ChristopherSchultz/ssltest

-chris




RE: Tomcat SSL - Issue

2021-09-21 Thread Kumawat, Priyanka
Hello Team ,

Please find the error details as below -

The site can't provide a secure connection .
xmotam01.phl.com uses an unsupported protocol

ERR_SSL_VERSION or CIPHER MISMATCH

Unsupported protocol - The client and server don;t support a common protocol 
version.


Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology





From: Kumawat, Priyanka
Sent: 21 September 2021 22:50
To: users@tomcat.apache.org
Subject: RE: Tomcat SSL - Issue

Attaching the screenshot again -

[inline screenshot attachment omitted]


Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology






From: Kumawat, Priyanka
Sent: 21 September 2021 22:45
To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
Subject: Tomcat SSL - Issue

Hi Team ,

We are facing an issue while renewing SSL for the Tomcat/Apache application. The 
SSL was renewed and installed using keytool. After installation, when 
checking the https site, it gives the error shown in the screenshot below. 
Could you please help us with this issue? Is it related to the TLS protocol or a 
cipher issue? The TLS in use is TLS 1.2, Java version 1.7.

[inline screenshot attachment omitted]

Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology








RE: Tomcat SSL - Issue

2021-09-21 Thread Kumawat, Priyanka
Attaching the screenshot again -

[inline screenshot attachment omitted]


Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology






From: Kumawat, Priyanka
Sent: 21 September 2021 22:45
To: users@tomcat.apache.org
Subject: Tomcat SSL - Issue

Hi Team ,

We are facing an issue while renewing SSL for the Tomcat/Apache application. The 
SSL was renewed and installed using keytool. After installation, when 
checking the https site, it gives the error shown in the screenshot below. 
Could you please help us with this issue? Is it related to the TLS protocol or a 
cipher issue? The TLS in use is TLS 1.2, Java version 1.7.

[inline screenshot attachment omitted]

Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology








Tomcat SSL - Issue

2021-09-21 Thread Kumawat, Priyanka
Hi Team ,

We are facing an issue while renewing SSL for the Tomcat/Apache application. The 
SSL was renewed and installed using keytool. After installation, when 
checking the https site, it gives the error shown in the screenshot below. 
Could you please help us with this issue? Is it related to the TLS protocol or a 
cipher issue? The TLS in use is TLS 1.2, Java version 1.7.

[inline screenshot attachment omitted]

Thanks & Regards,

Priyanka Kumawat | Middleware Admin
T +91.7879364483
EMail - priyanka.kuma...@dxc.com
DL - ams-leveraged-webadmin-offsh...@dxc.com

DXC Technology








RE: SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

2019-09-27 Thread Venkataraman Srinivasan
John,

Thanks for your response.

But we have not set any JAVA_OPTS or CATALINA_OPTS in our environment.

From an Apache Tomcat perspective, what values do we have to give for them?

Thanks
Venkat



>>>  9/26/2019 6:35 PM >>>
Sounds like you need to share your JAVA_OPTS or CATALINA_OPTS, not your 
connector.


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

From: Venkataraman Srinivasan 
Sent: Thursday, September 26, 2019 4:30 PM
To: users@tomcat.apache.org 
Subject: SSL issue : java.security.KeyStoreException: Cannot store 
non-PrivateKeys


Hi,

I am getting below error while I am starting TOMCAT

Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at 
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:250)
at 
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
at org.apache.tomcat.util.net.jsse.
++

Environment :

Tomcat Version : 8.5.32
Certificate Issuer : Thawte
KeyStore created with : Key Algorithm RSA
CSR Requested with : < no key algorithm is passed >
Certificate Signature algorithm name: SHA1withRSA


Connector Entry in server.xml



<Connector
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  defaultSSLHostConfigName="https://blabla.bla.org:8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="200"
  enableLookups="false"
  clientAuth="false"
  acceptCount="10"
  SSLEnabled="true"
  connectionTimeout="6"
  
  <SSLHostConfig hostName="https://blabla.bla.org:8443" >

  sslProtocols="+TLS+TLSv1.2+TLSv1.3"
  
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
   
   


Thanks
Venkat









Re: SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

2019-09-27 Thread Rémy Maucherat
On Fri, Sep 27, 2019 at 9:40 AM Mark Thomas  wrote:

> >   certificateFile="key_store/ssl_certificate.p7b"
> >   certificateAlias="bla"
> >   keystoreFile="/key_store/blabla.jks" type="RSA"
> >   keystoreType="JKS"
> >   keyChainFile="key_store/linux_apex_inter_x509.cer"
> >   keystorePassword="
>
> We need to exactly how each of the following files were created and/or
> exactly what is in each file:
>
> - ssl_certificate.p7b
> - blabla.jks
> - linux_apex_inter_x509.cer
>
> It might be as simple as you need to import the p7b file into the
> keystore and remove the certificateFile setting. But that is just a wild
> guess without knowing what is in those files.
>

I'm a bit lost here.

Normally certificateFile and keystoreFile should be "exclusive" (if
keystoreFile is set, then certificateFile will be ignored - it seems it
could be nice to add a warning ...), and I don't know about a keyChainFile
attribute either (I verified I get a proper "WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector/SSLHostConfig/Certificate}
Setting property 'keyChainFile' to 'foobar' did not find a matching
property." in my logs).

So the config should be looked at again first, I think only keystoreFile
will be used and it will be the cause of the error.

Since you made plenty of special-case fixes for this since 8.5.32, Venkat
should probably first test again with 8.5.46 (IMO).

Rémy


> Mark
>
>
>
>


Re: SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

2019-09-27 Thread Mark Thomas
On 26/09/2019 22:30, Venkataraman Srinivasan wrote:
> 
> Hi,
>  
> I am getting below error while I am starting TOMCAT
>  
> Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys



This looks like it is related to the work we have been doing to make it
easy to swap between JSSE and OpenSSL based Connectors. In the
background Tomcat creates an in-memory keystore for each certificate and
then provides the key / cert / chain in the the right format for the TLS
implementation.

We have already found a few "interesting" configuration combinations
that needed specific handling. This may be one - or it may be an invalid
configuration.

We need to be able to recreate this problem. With that in mind...



>        certificateFile="key_store/ssl_certificate.p7b"
>   certificateAlias="bla"
>   keystoreFile="/key_store/blabla.jks" type="RSA"
>   keystoreType="JKS"
>   keyChainFile="key_store/linux_apex_inter_x509.cer"
>   keystorePassword="

We need to know exactly how each of the following files were created and/or
exactly what is in each file:

- ssl_certificate.p7b
- blabla.jks
- linux_apex_inter_x509.cer

It might be as simple as you need to import the p7b file into the
keystore and remove the certificateFile setting. But that is just a wild
guess without knowing what is in those files.

Mark


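Mark's description of the in-memory keystore is where the exception in Venkat's trace comes from: Tomcat copies the key found under the alias into a fresh JKS with setKeyEntry, and the JKS provider accepts only java.security.PrivateKey objects there, raising "Cannot store non-PrivateKeys" for anything else. The message therefore says what Tomcat found under the alias, not what is wrong with the files. The following is an added example, not code from Tomcat or from this thread. It reproduces the rejection offline with a throw-away AES SecretKey constructed in memory, and, if given a keystore path, type and password on the command line (assumed arguments), reports for each alias whether it is a trusted-certificate entry or a key entry, the chain length and subjects, and what class of Key the alias actually yields. It does not diagnose the files named in the thread; run it against them to obtain the information Mark asks for.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Added example: what the JKS provider rejects, and what each alias in a keystore really holds. */
public class KeystoreEntryCheck {

    /** The operation Tomcat performs on its in-memory keystore: store the alias's key in a fresh JKS. */
    static String copyIntoInMemoryJks(Key key, Certificate[] chain, char[] password) throws Exception {
        KeyStore mem = KeyStore.getInstance("JKS");
        mem.load(null, null);
        try {
            mem.setKeyEntry("copy", key, password, chain);
            return "accepted " + key.getClass().getName();
        } catch (KeyStoreException | IllegalArgumentException e) {
            // KeyStoreException: the Key is not a PrivateKey (the message from the thread's trace).
            // IllegalArgumentException: a PrivateKey without a certificate chain.
            return "rejected " + key.getClass().getName() + ": " + e.getMessage();
        }
    }

    /** One line per alias: entry kind, chain length and subjects. Trusted-certificate entries carry no key. */
    static void inspect(KeyStore ks) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println(alias + ": trustedCertEntry (certificate only, no private key)");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            int len = (chain == null) ? 0 : chain.length;
            System.out.println(alias + ": key entry, certificate chain length " + len);
            for (int i = 0; i < len; i++) {
                if (chain[i] instanceof X509Certificate) {
                    System.out.println("    [" + i + "] " + ((X509Certificate) chain[i]).getSubjectX500Principal());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // 1) Reproduce the message offline with a key that is deliberately not a PrivateKey.
        //    The AES key is constructed for this demonstration only; it is unrelated to any real keystore.
        SecretKey notAPrivateKey = KeyGenerator.getInstance("AES").generateKey();
        System.out.println(copyIntoInMemoryJks(notAPrivateKey, null, "changeit".toCharArray()));

        // 2) Inspect a real keystore (assumed arguments): java KeystoreEntryCheck <file> <type> <password> [alias]
        if (args.length < 3) {
            return;
        }
        char[] password = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance(args[1]);
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        inspect(ks);
        if (args.length == 4) {
            String alias = args[3];
            // Tomcat reads the key with the key password, which defaults to the keystore password;
            // a key protected with a different password fails at this step instead.
            Key k = ks.getKey(alias, password);
            if (k == null) {
                System.out.println(alias + ": no key under this alias");
            } else {
                System.out.println(alias + ": key object " + k.getClass().getName()
                        + ", format " + k.getFormat() + ", PrivateKey? " + (k instanceof PrivateKey));
                System.out.println(copyIntoInMemoryJks(k, ks.getCertificateChain(alias), password));
            }
        }
    }
}
```

A trusted-certificate entry under the alias the connector points at, or a key entry with an empty chain, shows up in this listing before Tomcat is started. The p7b import Mark suggests has to land on the alias that already holds the private key (keytool -importcert with that alias, so keytool treats the file as the certificate reply for that key); imported under a new alias it becomes a separate trustedCertEntry and changes nothing for the listener.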



RE: SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

2019-09-26 Thread jonmcalexander
Sounds like you need to share your JAVA_OPTS or CATALINA_OPTS, not your 
connector.


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



From: Venkataraman Srinivasan 
Sent: Thursday, September 26, 2019 4:30 PM
To: users@tomcat.apache.org
Subject: SSL issue : java.security.KeyStoreException: Cannot store 
non-PrivateKeys


Hi,

I am getting below error while I am starting TOMCAT

Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at 
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:250)
at 
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
at org.apache.tomcat.util.net.jsse.
++

Environment :

Tomcat Version : 8.5.32
Certificate Issuer : Thawte
KeyStore created with : Key Algorithm RSA
CSR Requested with : < no key algorithm is passed >
Certificate Signature algorithm name: SHA1withRSA


Connector Entry in server.xml



<Connector
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  defaultSSLHostConfigName="https://blabla.bla.org:8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="200"
  enableLookups="false"
  clientAuth="false"
  acceptCount="10"
  SSLEnabled="true"
  connectionTimeout="6"
  
  <SSLHostConfig hostName="https://blabla.bla.org:8443" >

  sslProtocols="+TLS+TLSv1.2+TLSv1.3"
  
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
   
   


Thanks
Venkat




SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

2019-09-26 Thread Venkataraman Srinivasan

Hi,
 
I am getting below error while I am starting TOMCAT
 
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
at 
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at 
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:250)
at 
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
at org.apache.tomcat.util.net.jsse.
++
 
Environment :
 
Tomcat Version : 8.5.32
Certificate Issuer : Thawte
KeyStore created with : Key Algorithm RSA
CSR Requested with : < no key algorithm is passed >
Certificate Signature algorithm name: SHA1withRSA  
 
 
Connector Entry in server.xml
 


  
<Connector
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  defaultSSLHostConfigName="https://blabla.bla.org:8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="200"
  enableLookups="false"
  clientAuth="false"
  acceptCount="10"
  SSLEnabled="true"
  connectionTimeout="6"
  
  <SSLHostConfig hostName="https://blabla.bla.org:8443" >

  sslProtocols="+TLS+TLSv1.2+TLSv1.3"
  
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
   
   
 
 
Thanks
Venkat

 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Tomcat SSL issue

2017-10-11 Thread Terence M. Bandoian

On 10/10/2017 9:45 AM, John Ellis wrote:


John Ellis

405.285.2500 office


 


http://biz-e.io


-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Monday, October 9, 2017 4:49 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL issue

On 10/9/2017 10:01 AM, John Ellis wrote:

I posted questions about this a couple of weeks ago I think it was. I
have been trying to get Tomcat running on a secure port with a valid
SSL certificate. We finally got version 9.0.0.M20 set up successfully
on port 9443 and I can go to that IP:port and get a Tomcat webpage but
when I go through all the steps using the keytool commands to submit a
certificate (we use Cacert.org) and try to plug that certificate into
the mix it doesn't work. I still get an error message telling me that
I will have to create an exception to go to that IP address and port.
Last Friday I even deleted the certificate and all the keystore file,
etc. and got the same exact error. So it appears that Tomcat is not
seeing the certificate at all since I get the same error about having
to add an exception whether or not I have a valid certificate in place
on the server.

The lines we added to the server.xml file to get the secure port
working are-


keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
keystorePass="changeit" />

John Ellis

Thanks for the reply Terence. Yes I get the message about needing to create
a security exception when I first try to open the Tomcat webpage on the
secure port of 9443. I have deleted the certificate and supporting files off
of the server as I was going to start over with a new certificate. I believe
the error said something about not being able to verify the certificate. I
think the main issue is that this is just an internal server here in our
office running RHEL 6. It is not set up as a web server and it just has the
name of "cowboy" (given that name by my boss) so it is hard to figure out
what to call the "First and last name" part when I am creating the CSR to
send to Cacert.org. I can't just use the name "cowboy" as I don't have any
way to validate that. Have you ever run into situations like this? As I said
before I am not a programmer or developer or anything like that. My
background was in computer hardware for over 25 years until I took this
position after being laid off from what was formerly WebMD. We installed
systems in doctors' offices, etc. Any light you could shed on this would be
great!
Thanks

Hi, John-

Is it a browser that's displaying the error message and requesting that you
create an exception to continue?  If so, have you looked at the additional
information to determine what problems the browser has detected with the
certificate?

-Terence Bandoian
   http://www.tmbsw.com/



Hi, John-

I would check the error message presented by the browser carefully and 
test with multiple browsers (e.g. Firefox, Chrome, IE, etc.). If you can 
copy the exact error messages to the list, someone might be able to 
offer more assistance.


If you're able to establish an encrypted connection, I would guess that 
Tomcat is at least finding "something" for a certificate.  And, you 
should be able to at least change the error message by altering your 
configuration.  If you can't, then something is amiss in the 
configuration process.  Was Tomcat restarted after the configuration was 
modified?  Is Java using a default location for the keystore? Is the 
keystore you specify in your Tomcat configuration modified when you 
execute the keytool commands?  Can you list the contents of the keystore?


If the browser can't verify the certificate, I'd guess that either 
intermediate certificates aren't available or the browser doesn't trust 
the certificate authority or the wrong address is used to access the 
server from the browser.  Detailed error messages would be helpful.


Instructions to generate a CSR are available on the Internet.  They vary 
though so you may have to dig to find something that works in your 
case.  I've found it best to use the instructions provided by the 
certificate provider.  In some cases, the prompt for first and last name 
is actually a request for the domain name to be secured. Also, a domain 
name that is at least recognized on your intranet will likely be 
required if you want to use a valid certificate.


It's been a while since I've configured Tomcat for SSL so I'm going on 
memory and can't offer much additional help.  There are others on the 
list though that probably can.  Specific details, such as Tomcat 
version, Java version and OS version and exact configuration, commands 
utilized and error messages make receiving that help more likely and 
more likely to result in success.


Hope that gets you started!

-Terence





RE: Tomcat SSL issue

2017-10-10 Thread John Ellis



-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com] 
Sent: Monday, October 9, 2017 4:49 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL issue

On 10/9/2017 10:01 AM, John Ellis wrote:
>
> I posted questions about this a couple of weeks ago I think it was. I 
> have been trying to get Tomcat running on a secure port with a valid 
> SSL certificate. We finally got version 9.0.0.M20 setup successfully 
> on port 9443 and I can go to that IP:port and get a Tomcat webpage but 
> when I go through all the steps using the keytool commands to submit a 
> certificate (we use Cacert.org) and try to plug that certificate into 
> the mix it doesn’t work. I still get an error message telling me that 
> I will have to create an exception to go to that IP address and port.
> Last Friday I even deleted the certificate and all the keystore file, 
> etc. and got the same exact error. So it appears that Tomcat is not 
> seeing the certificate at all since I get the same error about having 
> to add an exception whether or not I have a valid certificate in place 
> on the server.
>
> The lines we added to the server.xml file to get the secure port 
> working are-
>
> 
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
> keystorePass="changeit" />
>
> John Ellis
>
Terence I have tried putting my name in where it asks for the "first and
last name" part of filling out the certificate info but when I do that the
Cacert.org website says I have to authenticate the actual internal IP
address of this server and there is no way to do that that I know of.
Thanks,

Hi, John-

Is it a browser that's displaying the error message and requesting that you
create an exception to continue?  If so, have you looked at the additional
information to determine what problems the browser has detected with the
certificate?

-Terence Bandoian
  http://www.tmbsw.com/





RE: Tomcat SSL issue

2017-10-10 Thread John Ellis



-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com] 
Sent: Monday, October 9, 2017 4:49 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL issue

On 10/9/2017 10:01 AM, John Ellis wrote:
>
> I posted questions about this a couple of weeks ago I think it was. I 
> have been trying to get Tomcat running on a secure port with a valid 
> SSL certificate. We finally got version 9.0.0.M20 setup successfully 
> on port 9443 and I can go to that IP:port and get a Tomcat webpage but 
> when I go through all the steps using the keytool commands to submit a 
> certificate (we use Cacert.org) and try to plug that certificate into 
> the mix it doesn’t work. I still get an error message telling me that 
> I will have to create an exception to go to that IP address and port.
> Last Friday I even deleted the certificate and all the keystore file, 
> etc. and got the same exact error. So it appears that Tomcat is not 
> seeing the certificate at all since I get the same error about having 
> to add an exception whether or not I have a valid certificate in place 
> on the server.
>
> The lines we added to the server.xml file to get the secure port 
> working are-
>
> 
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
> keystorePass="changeit" />
>
> John Ellis
>
Thanks for the reply Terence. Yes I get the message about needing to create
a security exception when I first try to open the Tomcat webpage on the
secure port of 9443. I have deleted the certificate and supporting files off
of the server as I was going to start over with a new certificate. I believe
the error said something about not being able to verify the certificate. I
think the main issue is that this is just an internal server here in our
office running RHEL 6. It is not set up as a web server and it just has the
name of "cowboy" (given that name by my boss) so it is hard to figure out
what to call the "First and last name" part when I am creating the CSR to
send to Cacert.org. I can't just use the name "cowboy" as I don't have any
way to validate that. Have you ever run into situations like this? As I said
before I am not a programmer or developer or anything like that. My
background was in computer hardware for over 25 years until I took this
position after being laid off from what was formerly WebMD. We installed
systems in doctors' offices, etc. Any light you could shed on this would be
great!
Thanks

Hi, John-

Is it a browser that's displaying the error message and requesting that you
create an exception to continue?  If so, have you looked at the additional
information to determine what problems the browser has detected with the
certificate?

-Terence Bandoian
  http://www.tmbsw.com/





Re: Tomcat SSL issue

2017-10-09 Thread Terence M. Bandoian

On 10/9/2017 10:01 AM, John Ellis wrote:


I posted questions about this a couple of weeks ago I think it was. I
have been trying to get Tomcat running on a secure port with a valid
SSL certificate. We finally got version 9.0.0.M20 set up successfully
on port 9443 and I can go to that IP:port and get a Tomcat webpage but
when I go through all the steps using the keytool commands to submit a
certificate (we use Cacert.org) and try to plug that certificate into
the mix it doesn't work. I still get an error message telling me that
I will have to create an exception to go to that IP address and port.
Last Friday I even deleted the certificate and all the keystore file,
etc. and got the same exact error. So it appears that Tomcat is not
seeing the certificate at all since I get the same error about having
to add an exception whether or not I have a valid certificate in place
on the server.


The lines we added to the server.xml file to get the secure port 
working are-




John Ellis




Hi, John-

Is it a browser that's displaying the error message and requesting that 
you create an exception to continue?  If so, have you looked at the 
additional information to determine what problems the browser has 
detected with the certificate?


-Terence Bandoian
 http://www.tmbsw.com/





Re: Tomcat SSL issue

2017-10-09 Thread Mark Thomas
On 09/10/17 18:48, John Ellis wrote:
> 
> 
> 
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Monday, October 9, 2017 12:33 PM
> To: Tomcat Users List 
> Subject: Re: Tomcat SSL issue
> 
> On 09/10/17 16:01, John Ellis wrote:
>> I posted questions about this a couple of weeks ago I think it was. I 
>> have been trying to get Tomcat running on a secure port with a valid 
>> SSL certificate. We finally got version 9.0.0.M20 setup successfully 
>> on port
>> 9443 and I can go to that IP:port and get a Tomcat webpage but when I 
>> go through all the steps using the keytool commands to submit a 
>> certificate (we use Cacert.org) and try to plug that certificate into 
>> the mix it doesn’t work. I still get an error message telling me that 
>> I will have to create an exception to go to that IP address and port. 
>> Last Friday I even deleted the certificate and all the keystore file, 
>> etc. and got the same exact error. So it appears that Tomcat is not 
>> seeing the certificate at all since I get the same error about having 
>> to add an exception whether or not I have a valid certificate in place on
> the server.
> 
> If you get that error then Tomcat has the certificate but the client doesn't
> trust it. You need to check if:
> 
> - Tomcat is supplying the full certificate chain
> - If the client trusts the issuing CA
> 
> Mark
> 
> OK Mark can you explain to me why we get the same exact error condition with
> no certificate in place at all as when we provide a certificate?

That isn't possible. If no certificate is provided, Tomcat won't even
open the port.

I think you are going to need to provide more details about exactly how
things are configured, how you are testing it and the log messages
Tomcat provides when started (note you have to restart Tomcat after
changing the connector configuration - or anything in server.xml)

Mark


> I'm not arguing, that just doesn't make any sense to me, but as I said before
> I am not a programmer or developer or anything like that.
> Thanks,
> John 
> 
>>
>> The lines we added to the server.xml file to get the secure port 
>> working
>> are-
>>
>>  
>>
>> >
>>   maxThreads="150" scheme="https" secure="true"
>>   clientAuth="false" sslProtocol="TLS"
>>   keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
>>   keystorePass="changeit" />
>>
>>  
>>
>> John Ellis
>>
>>  
>>
> 
> 
> 





RE: Tomcat SSL issue

2017-10-09 Thread John Ellis



-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Monday, October 9, 2017 12:33 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL issue

On 09/10/17 16:01, John Ellis wrote:
> I posted questions about this a couple of weeks ago I think it was. I 
> have been trying to get Tomcat running on a secure port with a valid 
> SSL certificate. We finally got version 9.0.0.M20 setup successfully 
> on port
> 9443 and I can go to that IP:port and get a Tomcat webpage but when I 
> go through all the steps using the keytool commands to submit a 
> certificate (we use Cacert.org) and try to plug that certificate into 
> the mix it doesn’t work. I still get an error message telling me that 
> I will have to create an exception to go to that IP address and port. 
> Last Friday I even deleted the certificate and all the keystore file, 
> etc. and got the same exact error. So it appears that Tomcat is not 
> seeing the certificate at all since I get the same error about having 
> to add an exception whether or not I have a valid certificate in place on
the server.

If you get that error then Tomcat has the certificate but the client doesn't
trust it. You need to check if:

- Tomcat is supplying the full certificate chain
- If the client trusts the issuing CA

Mark

OK Mark can you explain to me why we get the same exact error condition with
no certificate in place at all as when we provide a certificate?
I'm not arguing, that just doesn't make any sense to me, but as I said before
I am not a programmer or developer or anything like that.
Thanks,
John 

> 
> The lines we added to the server.xml file to get the secure port 
> working
> are-
> 
>  
> 
>  
>   maxThreads="150" scheme="https" secure="true"
>   clientAuth="false" sslProtocol="TLS"
>   keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
>   keystorePass="changeit" />
> 
>  
> 
> John Ellis
> 
>  
> 





Re: Tomcat SSL issue

2017-10-09 Thread Mark Thomas
On 09/10/17 16:01, John Ellis wrote:
> I posted questions about this a couple of weeks ago I think it was. I
> have been trying to get Tomcat running on a secure port with a valid SSL
> certificate. We finally got version 9.0.0.M20 setup successfully on port
> 9443 and I can go to that IP:port and get a Tomcat webpage but when I go
> through all the steps using the keytool commands to submit a certificate
> (we use Cacert.org) and try to plug that certificate into the mix it
> doesn’t work. I still get an error message telling me that I will have
> to create an exception to go to that IP address and port. Last Friday I
> even deleted the certificate and all the keystore file, etc. and got the
> same exact error. So it appears that Tomcat is not seeing the
> certificate at all since I get the same error about having to add an
> exception whether or not I have a valid certificate in place on the server.

If you get that error then Tomcat has the certificate but the client
doesn't trust it. You need to check if:

- Tomcat is supplying the full certificate chain
- If the client trusts the issuing CA

Mark


> 
> The lines we added to the server.xml file to get the secure port working
> are-
> 
>  
> 
>  
>   maxThreads="150" scheme="https" secure="true"
> 
>   clientAuth="false" sslProtocol="TLS"
> 
>    
> keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
> 
>     keystorePass="changeit" />
> 
>  
> 
> John Ellis
> 
>  
> 


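As an added, constructed example (not code from this thread, from Tomcat or from keytool): a throwaway PKI built with the openssl CLI that reproduces offline the two checks Mark lists above (is the full chain being sent, does the client trust the issuing CA), Terence's earlier note about missing intermediate certificates, and a check that a PKCS#12 keystore really holds a private key, the condition behind the "Cannot store non-PrivateKeys" trace at the top of the page. It assumes the openssl command line tool is installed; every name in it (Example Root CA, cowboy.example.internal, the passphrase) is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the list thread. Builds a constructed three-tier
# chain (root -> intermediate -> server) plus one self-signed server cert,
# then asks openssl the same question a browser or JVM asks during the
# handshake: given only the root CAs in my trust store, do I accept what
# the server sent? All names and files below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions: a CA cert MUST carry CA:TRUE or openssl verify rejects the
# chain with "invalid CA certificate"; a server (leaf) cert must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cowboy.example.internal\n' > leaf.ext

# make_csr NAME SUBJECT: private key plus CSR, the openssl equivalent of
# keytool -genkeypair followed by keytool -certreq.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
}

# build_pki: root CA -> intermediate CA -> server cert, plus a self-signed
# server cert (what keytool -genkeypair leaves you with before a CA signs it).
build_pki() {
    make_csr root "/CN=Example Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.pem 2>/dev/null
    make_csr inter "/CN=Example Intermediate CA"
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
    make_csr leaf "/CN=cowboy.example.internal"
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.pem \
        -days 1 -subj "/CN=cowboy" 2>/dev/null
}

# verify_as_client TRUSTSTORE LEAF [EXTRA_CHAIN]
# TRUSTSTORE plays the browser's or JVM's trust store (root CAs only);
# EXTRA_CHAIN plays the intermediates Tomcat sends along with the leaf.
# Returns 0 when a client would accept the certificate, non-zero otherwise.
verify_as_client() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# The four situations the thread keeps circling around.
leaf_sent_alone()             { verify_as_client root.pem leaf.pem; }            # rejected
leaf_sent_with_intermediate() { verify_as_client root.pem leaf.pem inter.pem; }  # accepted
self_signed_not_trusted()     { verify_as_client root.pem self.pem; }            # rejected
self_signed_imported()        { verify_as_client self.pem self.pem; }            # accepted

# make_keystore P12 PASS: PKCS#12 keystore holding key + leaf + intermediate,
# the layout a Tomcat keystoreFile needs so the connector sends the full chain.
make_keystore() {
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile inter.pem \
        -name tomcat -passout "pass:$2" -out "$1" 2>/dev/null
}

# keystore_has_private_key P12 PASS: the check to run before blaming Tomcat.
# A store that only holds certificates, or whose key cannot be opened with
# the store password, cannot back an SSL connector. Returns 0 if a key is found.
keystore_has_private_key() {
    n=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'PRIVATE KEY') || true
    [ "${n:-0}" -gt 0 ]
}

build_pki
make_keystore cowboy.p12 demo-only-passphrase

for check in leaf_sent_alone leaf_sent_with_intermediate \
             self_signed_not_trusted self_signed_imported; do
    if "$check"; then echo "$check: client accepts"; else echo "$check: client rejects"; fi
done
if keystore_has_private_key cowboy.p12 demo-only-passphrase; then
    echo "cowboy.p12: private key present"
fi
```

The first pair is the "full certificate chain" check: the same leaf, trusted by the same root, is rejected until the intermediate travels with it; the second pair is the "client trusts the issuing CA" check, which for a self-signed certificate means importing that very certificate into the client's trust store.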



RE: Tomcat SSL issue

2017-10-09 Thread John Ellis



-Original Message-
From: Jose María Zaragoza [mailto:demablo...@gmail.com] 
Sent: Monday, October 9, 2017 11:25 AM
To: Tomcat Users List 
Subject: Re: Tomcat SSL issue

2017-10-09 17:01 GMT+02:00 John Ellis :

> I posted questions about this a couple of weeks ago I think it was. I 
> have been trying to get Tomcat running on a secure port with a valid 
> SSL certificate. We finally got version 9.0.0.M20 setup successfully 
> on port
> 9443 and I can go to that IP:port and get a Tomcat webpage but when I 
> go through all the steps using the keytool commands to submit a 
> certificate (we use Cacert.org) and try to plug that certificate into 
> the mix it doesn’t work. I still get an error message telling me that 
> I will have to create an exception to go to that IP address and port. 
> Last Friday I even deleted the certificate and all the keystore file, 
> etc. and got the same exact error. So it appears that Tomcat is not 
> seeing the certificate at all since I get the same error about having 
> to add an exception whether or not I have a valid certificate in place on the 
> server.
>
> The lines we added to the server.xml file to get the secure port 
> working
> are-
>
>
>
> 
>   maxThreads="150" scheme="https" secure="true"
>   clientAuth="false" sslProtocol="TLS"
>   keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
>   keystorePass="changeit" />
>


Maybe you should use the <SSLHostConfig> element, do you ?

Read:
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

Each secure connector must define at least one *SSLHostConfig*


I thought that was only for version 9? However I believe we did try that and 
got the same result last week.




>
>
> John Ellis
>
>
>





Re: Tomcat SSL issue

2017-10-09 Thread Jose María Zaragoza
2017-10-09 17:01 GMT+02:00 John Ellis :

> I posted questions about this a couple of weeks ago I think it was. I have
> been trying to get Tomcat running on a secure port with a valid SSL
> certificate. We finally got version 9.0.0.M20 setup successfully on port
> 9443 and I can go to that IP:port and get a Tomcat webpage but when I go
> through all the steps using the keytool commands to submit a certificate
> (we use Cacert.org) and try to plug that certificate into the mix it
> doesn’t work. I still get an error message telling me that I will have to
> create an exception to go to that IP address and port. Last Friday I even
> deleted the certificate and all the keystore file, etc. and got the same
> exact error. So it appears that Tomcat is not seeing the certificate at all
> since I get the same error about having to add an exception whether or not
> I have a valid certificate in place on the server.
>
> The lines we added to the server.xml file to get the secure port working
> are-
>
>
>
> 
>   maxThreads="150" scheme="https" secure="true"
>   clientAuth="false" sslProtocol="TLS"
>   keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
>   keystorePass="changeit" />
>


Maybe you should use the <SSLHostConfig> element, do you ?

Read:
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

Each secure connector must define at least one *SSLHostConfig*





>
>
> John Ellis
>
>
>


Tomcat SSL issue

2017-10-09 Thread John Ellis
I posted questions about this a couple of weeks ago I think it was. I have
been trying to get Tomcat running on a secure port with a valid SSL
certificate. We finally got version 9.0.0.M20 set up successfully on port
9443 and I can go to that IP:port and get a Tomcat webpage but when I go
through all the steps using the keytool commands to submit a certificate (we
use Cacert.org) and try to plug that certificate into the mix it doesn't
work. I still get an error message telling me that I will have to create an
exception to go to that IP address and port. Last Friday I even deleted the
certificate and all the keystore file, etc. and got the same exact error. So
it appears that Tomcat is not seeing the certificate at all since I get the
same error about having to add an exception whether or not I have a valid
certificate in place on the server.

The lines we added to the server.xml file to get the secure port working
are-

maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jks"
keystorePass="changeit" />


John Ellis

 



Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-24 Thread William Boyd
On Thu, Nov 24, 2016 at 5:15 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> William,
>
> On 11/23/16 3:56 PM, William Boyd wrote:
> > On Tue, Nov 22, 2016 at 3:41 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > William,
> >
> > On 11/16/16 1:06 PM, William Boyd wrote:
>  On Tue, Nov 15, 2016 at 2:17 PM,
>   wrote:
> >
> > I haven't been following this super closely, but it sounds
> > like there is a lot of trial and error going on so let me
> > try to explain how the key stores and trust stores are
> > used.
> 
>  Will: Ultimately I am trying to determine why a configuration
>  that worked since Tomcat 5, stopped working in Tomcat 8.5.5
>  so I can explain the issue to operations.  We used to be able
>  to use the same keystore for both keystoreFile in the
>  Connector and the javax.net.ssl.trustStore system property
>  but that no longer works. The only variable is Tomcat.  This
>  will affect many TEST and PROD sites.
> 
> > The system properties affect things like outgoing
> > connections that use SSL, like https calls.
> > javax.net.ssl.trustStore would contain the certs for the
> > CAs that sign the backend server's cert.
> > javax.net.ssl.keyStore would come into play if the backend
> > uses mutual authentication/client authentication/2-way SSL.
> > If that's required by the backend, you would put your own
> > cert and private key in the key store.  I think you can
> > combine them all into one file, but usually they're kept
> > separate.
> >
> 
>  Will: Thanks, I think this explains our need for
>  javax.net.ssl.trustStore. The system I'm supporting is using
>  axis jaxrpc to communicate between WARs over HTTPS within
>  Tomcat. These connections in axis must be the reason we
>  require javax.net.ssl.trustStore.
> >
> > Exactly. I think one of the confusing things here has been the
> > confusion in my mind between exceptions you are getting on the
> > client and exceptions being thrown on the server (which, oddly
> > enough, is a client).
> >
> > In the absence of any specific Java-level calls to set the trust
> > store for a SOAP connection, Axis is going to use the system-wide
> > trust store which is in fact set using the javax.net.ssl.trustStore
> > system property.
> >
> > Nothing in Tomcat's configuration can set this for you.
> >
> > So why does the Tomcat upgrade seem to have broken something
> > that's been working? I can think of two possibilities:
> >
> > 1. The system property was set in CATALINA_HOME/bin/setenv.sh in
> > your old Tomcat installation, and nobody copied that file to the
> > new installation. Solution: use CATALINA_BASE/bin/setenv.sh instead
> > of CATALINA_HOME/bin/setenv.sh
> >
> > 2. The system property was set in
> > CATALINA_BASE/conf/catalina.properties in your old installation
> > and nobody copied that configuration to the new installation.
> > Solution: look at a diff between those two config files and fix the
> > differences as appropriate.
> >
> > The Tomcat connector parameters are for Tomcat's use when
> > serving https connections to clients.  I don't think they
> > have any impact on outgoing calls.  The key store would
> > contain Tomcat's cert and private key. Likewise the trust
> > store would contain the certs of the CA or CAs who sign
> > your client's certs if you have mutual auth enabled.  It
> > might also be required to form the chain linking the
> > server's cert to the CA.  In that case, though, I might be
> > inclined to putting the CA in the key store itself for
> > simplicity.  According to the docs, Tomcat will fall back
> > to the system properties if the connector doesn't
> > explicitly set them.
> >
> 
>  Will: Sorry I'm confused by the last bit here. Using
>  "keytool -genkeypair" I have a file containing a self-signed
>  certificate yet I now need to export, then import that cert
>  into a separate truststore in order for our servers to work.
>  If this is to spec and Tomcat is tightening up the rules I
>  could understand.
> >
> > I don't think anything really changed between Tomcat 8.5.4 and
> > 8.5.5... I think your configuration must have changed slightly.
> >
> > If you need a webapp in server A to contact server B using Axis,
> > then you'll need:
> >
> > serverA$ keytool -genkeypair -alias X -keystore serverA.jks
> > serverA$ keytool -exportcert -alias X -keystore serverA.jks > trusted.crt
> > serverA$ keytool -importcert -alias X -keystore truststore.jks < trusted.crt
> >
> > Tell Tomcat on server A to use serverA.jks as its keystore. No
> > other configuration is required. Specifically, setting
> > trustStoreFile on the <Connector> accomplishes nothing.
> >
> > Tell the JVM on server B to use truststore.jks as the trust store,

Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-24 Thread Christopher Schultz

William,

On 11/23/16 3:56 PM, William Boyd wrote:
> On Tue, Nov 22, 2016 at 3:41 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> William,
> 
> On 11/16/16 1:06 PM, William Boyd wrote:
 On Tue, Nov 15, 2016 at 2:17 PM,
  wrote:
> 
> I haven't been following this super closely, but it sounds
> like there is a lot of trial and error going on so let me
> try to explain how the key stores and trust stores are
> used.
 
 Will: Ultimately I am trying to determine why a configuration
 that worked since Tomcat 5, stopped working in Tomcat 8.5.5
 so I can explain the issue to operations.  We used to be able
 to use the same keystore for both keystoreFile in the
 Connector and the javax.net.ssl.trustStore system property
 but that no longer works. The only variable is Tomcat.  This
 will affect many TEST and PROD sites.
 
> The system properties affect things like outgoing
> connections that use SSL, like https calls.
> javax.net.ssl.trustStore would contain the certs for the
> CAs that sign the backend server's cert.
> javax.net.ssl.keyStore would come into play if the backend 
> uses mutual authentication/client authentication/2-way SSL.
> If that's required by the backend, you would put your own
> cert and private key in the key store.  I think you can
> combine them all into one file, but usually they're kept
> separate.
> 
 
 Will: Thanks, I think this explains our need for 
 javax.net.ssl.trustStore. The system I'm supporting is using
 axis jaxrpc to communicate between WARs over HTTPS within
 Tomcat. These connections in axis must be the reason we
 require javax.net.ssl.trustStore.
> 
> Exactly. I think one of the confusing things here has been the 
> confusion in my mind between exceptions you are getting on the
> client and exceptions being thrown on the server (which, oddly
> enough, is a client).
> 
> In the absence of any specific Java-level calls to set the trust
> store for a SOAP connection, Axis is going to use the system-wide
> trust store which is in fact set using the javax.net.ssl.trustStore
> system property.
> 
> Nothing in Tomcat's configuration can set this for you.
> 
> So why does the Tomcat upgrade seem to have broken something
> that's been working? I can think of two possibilities:
> 
> 1. The system property was set in CATALINA_HOME/bin/setenv.sh in
> your old Tomcat installation, and nobody copied that file to the
> new installation. Solution: use CATALINA_BASE/bin/setenv.sh instead
> of CATALINA_HOME/bin/setenv.sh
> 
> 2. The system property was set in 
> CATALINA_BASE/conf/catalina.properties in your old installation
> and nobody copied that configuration to the new installation.
> Solution: look at a diff between those two config files and fix the
> differences as appropriate.
> 
> The Tomcat connector parameters are for Tomcat's use when
> serving https connections to clients.  I don't think they
> have any impact on outgoing calls.  The key store would
> contain Tomcat's cert and private key. Likewise the trust
> store would contain the certs of the CA or CAs who sign
> your client's certs if you have mutual auth enabled.  It
> might also be required to form the chain linking the
> server's cert to the CA.  In that case, though, I might be
> inclined to put the CA in the key store itself for 
> simplicity.  According to the docs, Tomcat will fall back
> to the system properties if the connector doesn't
> explicitly set them.
> 
 
 Will: Sorry I'm confused by the last bit here. Using
 "keytool -genkeypair" I have a file containing a self-signed
 certificate yet I now need to export, then import that cert
 into a separate truststore in order for our servers to work.
 If this is to spec and Tomcat is tightening up the rules I
 could understand.
> 
> I don't think anything really changed between Tomcat 8.5.4 and 
> 8.5.5... I think your configuration must have changed slightly.
> 
> If you need a webapp in server A to contact server B using Axis,
> then you'll need:
> 
> serverA$ keytool -genkeypair -alias X -keystore serverA.jks
> serverA$ keytool -exportcert -alias X -keystore serverA.jks \
>  > trusted.crt
> serverA$ keytool -importcert -alias X -keystore truststore.jks \
>  < trusted.crt
> 
> Tell Tomcat on server A to use serverA.jks as its keystore. No
> other configuration is required. Specifically, setting
> trustStoreFile on the <Connector> accomplishes nothing.
> 
> Tell the JVM on server B to use truststore.jks as the trust store, 
> using a system property if absolutely necessary.
> 
> (I *really* don't like doing this, because it sets the trust store
> for the whole JVM and everything it might need to trust. I much
> prefer to explicitly-set the trust store for a particular
> connection. That might require 

Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-23 Thread William Boyd
On Tue, Nov 22, 2016 at 3:41 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> William,
>
> On 11/16/16 1:06 PM, William Boyd wrote:
> > On Tue, Nov 15, 2016 at 2:17 PM, 
> > wrote:
> >>
> >> I haven't been following this super closely, but it sounds like
> >> there is a lot of trial and error going on so let me try to
> >> explain how the key stores and trust stores are used.
> >
> > Will: Ultimately I am trying to determine why a configuration that
> > worked since Tomcat 5, stopped working in Tomcat 8.5.5 so I can
> > explain the issue to operations.  We used to be able to use the
> > same keystore for both keystoreFile in the Connector and the
> > javax.net.ssl.trustStore system property but that no longer works.
> > The only variable is Tomcat.  This will affect many TEST and PROD
> > sites.
> >
> >> The system properties affect things like outgoing connections
> >> that use SSL, like https calls.  javax.net.ssl.trustStore would
> >> contain the certs for the CAs that sign the backend server's
> >> cert.  javax.net.ssl.keyStore would come into play if the backend
> >> uses mutual authentication/client authentication/2-way SSL.  If
> >> that's required by the backend, you would put your own cert and
> >> private key in the key store.  I think you can combine them all
> >> into one file, but usually they're kept separate.
> >>
> >
> > Will: Thanks, I think this explains our need for
> > javax.net.ssl.trustStore. The system I'm supporting is using axis
> > jaxrpc to communicate between WARs over HTTPS within Tomcat. These
> > connections in axis must be the reason we require
> > javax.net.ssl.trustStore.
>
> Exactly. I think one of the confusing things here has been the
> confusion in my mind between exceptions you are getting on the client
> and exceptions being thrown on the server (which, oddly enough, is a
> client).
>
> In the absence of any specific Java-level calls to set the trust store
> for a SOAP connection, Axis is going to use the system-wide trust
> store which is in fact set using the javax.net.ssl.trustStore system
> property.
>
> Nothing in Tomcat's configuration can set this for you.
>
> So why does the Tomcat upgrade seem to have broken something that's
> been working? I can think of two possibilities:
>
> 1. The system property was set in CATALINA_HOME/bin/setenv.sh in your
> old Tomcat installation, and nobody copied that file to the new
> installation. Solution: use CATALINA_BASE/bin/setenv.sh instead of
> CATALINA_HOME/bin/setenv.sh
>
> 2. The system property was set in
> CATALINA_BASE/conf/catalina.properties in your old installation and
> nobody copied that configuration to the new installation. Solution:
> look at a diff between those two config files and fix the differences
> as appropriate.
>
> >> The Tomcat connector parameters are for Tomcat's use when serving
> >> https connections to clients.  I don't think they have any impact
> >> on outgoing calls.  The key store would contain Tomcat's cert and
> >> private key. Likewise the trust store would contain the certs of
> >> the CA or CAs who sign your client's certs if you have mutual
> >> auth enabled.  It might also be required to form the chain
> >> linking the server's cert to the CA.  In that case, though, I
> >> might be inclined to put the CA in the key store itself for
> >> simplicity.  According to the docs, Tomcat will fall back to the
> >> system properties if the connector doesn't explicitly set them.
> >>
> >
> > Will: Sorry I'm confused by the last bit here. Using "keytool
> > -genkeypair" I have a file containing a self-signed certificate yet
> > I now need to export, then import that cert into a separate
> > truststore in order for our servers to work.  If this is to spec
> > and Tomcat is tightening up the rules I could understand.
>
> I don't think anything really changed between Tomcat 8.5.4 and
> 8.5.5... I think your configuration must have changed slightly.
>
> If you need a webapp in server A to contact server B using Axis, then
> you'll need:
>
> serverA$ keytool -genkeypair -alias X -keystore serverA.jks
> serverA$ keytool -exportcert -alias X -keystore serverA.jks \
>  > trusted.crt
> serverA$ keytool -importcert -alias X -keystore truststore.jks \
>  < trusted.crt
>
> Tell Tomcat on server A to use serverA.jks as its keystore. No other
> configuration is required. Specifically, setting trustStoreFile on the
> <Connector> accomplishes nothing.
>
> Tell the JVM on server B to use truststore.jks as the trust store,
> using a system property if absolutely necessary.
>
> (I *really* don't like doing this, because it sets the trust store for
> the whole JVM and everything it might need to trust. I much prefer to
> explicitly-set the trust store for a particular connection. That might
> require re-writing code which is expensive and risky, but you are
> better-off in the long-run.)
>
> If you need a webapp in server B to contact serv

Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

William,

On 11/16/16 1:06 PM, William Boyd wrote:
> On Tue, Nov 15, 2016 at 2:17 PM, 
> wrote:
>> 
>> I haven't been following this super closely, but it sounds like
>> there is a lot of trial and error going on so let me try to
>> explain how the key stores and trust stores are used.
> 
> Will: Ultimately I am trying to determine why a configuration that
> worked since Tomcat 5, stopped working in Tomcat 8.5.5 so I can
> explain the issue to operations.  We used to be able to use the
> same keystore for both keystoreFile in the Connector and the
> javax.net.ssl.trustStore system property but that no longer works.
> The only variable is Tomcat.  This will affect many TEST and PROD
> sites.
> 
>> The system properties affect things like outgoing connections
>> that use SSL, like https calls.  javax.net.ssl.trustStore would
>> contain the certs for the CAs that sign the backend server's
>> cert.  javax.net.ssl.keyStore would come into play if the backend
>> uses mutual authentication/client authentication/2-way SSL.  If
>> that's required by the backend, you would put your own cert and
>> private key in the key store.  I think you can combine them all
>> into one file, but usually they're kept separate.
>> 
> 
> Will: Thanks, I think this explains our need for
> javax.net.ssl.trustStore. The system I'm supporting is using axis
> jaxrpc to communicate between WARs over HTTPS within Tomcat. These
> connections in axis must be the reason we require
> javax.net.ssl.trustStore.

Exactly. I think one of the confusing things here has been the
confusion in my mind between exceptions you are getting on the client
and exceptions being thrown on the server (which, oddly enough, is a
client).

In the absence of any specific Java-level calls to set the trust store
for a SOAP connection, Axis is going to use the system-wide trust
store which is in fact set using the javax.net.ssl.trustStore system
property.

Nothing in Tomcat's configuration can set this for you.

So why does the Tomcat upgrade seem to have broken something that's
been working? I can think of two possibilities:

1. The system property was set in CATALINA_HOME/bin/setenv.sh in your
old Tomcat installation, and nobody copied that file to the new
installation. Solution: use CATALINA_BASE/bin/setenv.sh instead of
CATALINA_HOME/bin/setenv.sh

2. The system property was set in
CATALINA_BASE/conf/catalina.properties in your old installation and
nobody copied that configuration to the new installation. Solution:
look at a diff between those two config files and fix the differences
as appropriate.

>> The Tomcat connector parameters are for Tomcat's use when serving
>> https connections to clients.  I don't think they have any impact
>> on outgoing calls.  The key store would contain Tomcat's cert and
>> private key. Likewise the trust store would contain the certs of
>> the CA or CAs who sign your client's certs if you have mutual
>> auth enabled.  It might also be required to form the chain
>> linking the server's cert to the CA.  In that case, though, I
>> might be inclined to put the CA in the key store itself for
>> simplicity.  According to the docs, Tomcat will fall back to the
>> system properties if the connector doesn't explicitly set them.
>> 
> 
> Will: Sorry I'm confused by the last bit here. Using "keytool
> -genkeypair" I have a file containing a self-signed certificate yet
> I now need to export, then import that cert into a separate
> truststore in order for our servers to work.  If this is to spec
> and Tomcat is tightening up the rules I could understand.

I don't think anything really changed between Tomcat 8.5.4 and
8.5.5... I think your configuration must have changed slightly.

If you need a webapp in server A to contact server B using Axis, then
you'll need:

serverA$ keytool -genkeypair -alias X -keystore serverA.jks
serverA$ keytool -exportcert -alias X -keystore serverA.jks \
 > trusted.crt
serverA$ keytool -importcert -alias X -keystore truststore.jks \
 < trusted.crt

Tell Tomcat on server A to use serverA.jks as its keystore. No other
configuration is required. Specifically, setting trustStoreFile on the
<Connector> accomplishes nothing.

Tell the JVM on server B to use truststore.jks as the trust store,
using a system property if absolutely necessary.

(I *really* don't like doing this, because it sets the trust store for
the whole JVM and everything it might need to trust. I much prefer to
explicitly-set the trust store for a particular connection. That might
require re-writing code which is expensive and risky, but you are
better-off in the long-run.)

If you need a webapp in server B to contact server A using Axis, then
you need to reverse the process above so that A trusts B's cert and B
trusts A's cert. If both servers are using the same cert, then both
servers only need to trust the single cert, of course.

> Will: I’m guessing it’s AXIS that can’t find the CA in the trust
> s
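An added diagnostic in Java (example code, not from this thread or from Tomcat itself), since both the connector and the Axis client run in the JVM: it classifies the entries of a keytool-made store into key entries (what keystoreFile needs) and trusted-certificate entries (what a trust store needs), reproduces the JDK trust-anchor check that rejects a store holding only the PrivateKeyEntry from keytool -genkeypair (the "trustAnchors parameter must be non-empty" startup error quoted further down this thread), and builds a trust store scoped to one outgoing HTTPS connection instead of the JVM-wide javax.net.ssl.trustStore property. The class name is made up, and the store path, password, store type and URL are arguments you supply.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not code from the Tomcat users thread or from Tomcat.
 * Usage (hypothetical): java TrustStoreCheck <store> <password> [JKS|PKCS12] [https-url]
 */
public final class TrustStoreCheck {

    /** What one store contains; pkixError is null when it is usable as a trust store. */
    public static final class Report {
        public final List<String> keyEntries = new ArrayList<>();
        public final List<String> trustedCertEntries = new ArrayList<>();
        public String pkixError;
    }

    /** keystore.jsk-style files made by keytool -genkeypair on Java 8 are JKS; .p12 files need "PKCS12". */
    public static KeyStore load(Path file, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    public static Report inspect(KeyStore ks) throws Exception {
        Report r = new Report();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                r.keyEntries.add(alias);           // private key plus its certificate chain
            } else if (ks.isCertificateEntry(alias)) {
                r.trustedCertEntries.add(alias);   // a trust anchor
            }
        }
        try {
            // PKIX parameters take only certificate entries as trust anchors, so a store
            // that holds nothing but a PrivateKeyEntry fails here with the same
            // "the trustAnchors parameter must be non-empty" message seen in this thread.
            new PKIXBuilderParameters(ks, new X509CertSelector());
        } catch (InvalidAlgorithmParameterException ex) {
            r.pkixError = ex.getMessage();
        }
        return r;
    }

    /** Trust managers built from an explicit store, so only this client is affected. */
    public static SSLContext clientContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path store = Paths.get(args[0]);
        char[] password = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : "JKS";
        KeyStore ks = load(store, password, type);
        Report r = inspect(ks);
        System.out.println("key entries (for keystoreFile):          " + r.keyEntries);
        System.out.println("trusted cert entries (for a trust store): " + r.trustedCertEntries);
        if (r.pkixError != null) {
            System.out.println("not usable as a trust store: " + r.pkixError);
            System.out.println("export the cert with keytool -exportcert and import it into a separate store");
            return;
        }
        if (args.length > 3) {
            // Per-connection trust store: no javax.net.ssl.trustStore, nothing else in the JVM changes.
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[3]).openConnection();
            conn.setSSLSocketFactory(clientContext(ks).getSocketFactory());
            System.out.println("HTTPS status from " + args[3] + ": " + conn.getResponseCode());
        }
    }
}
```

Run it against the keystore named in keystoreFile and against the file named in javax.net.ssl.trustStore before starting Tomcat; a store that reports a pkixError is the one that will fail at connector initialisation.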

Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-16 Thread William Boyd
On Tue, Nov 15, 2016 at 2:17 PM,  wrote:

>
>
> > -Original Message-
> > From: William Boyd [mailto:william.b...@gmail.com]
> > Sent: Tuesday, November 15, 2016 3:44 PM
> > To: Tomcat Users List
> > Subject: Re: 8.5.4 to 8.5.5 SSL Issue
> >
> > On Tue, Nov 15, 2016 at 10:50 AM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > >
> > > William,
> > >
> > > On 11/14/16 7:18 PM, William Boyd wrote:
> > > > First, I'd like to thank everyone for the help.
> > > >
> > > > Is it now safe to say that the behaviour we've been taking advantage
> > > > of is undocumented and will no longer be supported?
> > > >
> > > > Also, for those that hit this thread and need to get HTTPS working
> > > > with a *self-signed* certificate in a dev environment...
> > > >
> > > > Here's what worked for me: 1. Copy
> > > > %JAVA_HOME%\jre\lib\security\cacerts some place (say C:\keystore) 2.
> > > > Create a *self-signed* certificate with %JAVA_HOME%\bin\keytool
> > > > -genkeypair -keyalg RSA -alias myAlias -keystore
> > > > "C:\keystore\keystore.jsk" -storepass changeit -validity 360
> > > > -keysize 2048 -dname
> > > > CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country 3. Export
> > > > the myAlias certificate with %JAVA_HOME%\bin\keytool -export -alias
> > > > myAlias -keystore C:\keystore\keystore.jsk -rfc -file
> > > > C:\keystore\myAlias.cer 4. Import the myAlias certificate into your
> > > > copy of cacerts with: %JAVA_HOME%\bin\keytool -import -alias myAlias
> > > > -keystore C:\keystore\cacerts -file C:\keystore\myAlias.cer 5. Add
> > > > this to setclasspath.bat in tomcat:
> > > > set JAVA_OPTS=%JAVA_OPTS%
> > > > -Djavax.net.ssl.trustStore="C:\keystore\cacert" 6. In server.xml,
> > > > add these attributes to the Connector element
> > > > keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit"
> > > > keyAlias="myAlias" scheme="https" secure="true" SSLEnabled="true"
> > > > clientAuth="false" sslProtocol="TLS"
> > > >
> > > > Now you should be good to go with HTTPS in Tomcat 8.5.5 +
> > >
> > > This is exactly what I suggested, except that you set the trust store
> > > using a system property instead of using truststoreFile in the
> > > <Connector>. You do not need to duplicate the JRE's trust store. You
> > > only need your own single certificate in your local truststore.
> > >
> > > Can you use keystoreFile and truststoreFile separately pointing to
> > > those files and re-check that it works? Perhaps Tomcat chokes when
> > > using the same file for both. That's what I'd like to verify.
> > >
> > > - -chris
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> > Hi Christopher,
> >
> > Thanks, I'm glad to hear I'm heading in th

RE: 8.5.4 to 8.5.5 SSL Issue

2016-11-15 Thread John.E.Gregg


> -Original Message-
> From: William Boyd [mailto:william.b...@gmail.com]
> Sent: Tuesday, November 15, 2016 3:44 PM
> To: Tomcat Users List
> Subject: Re: 8.5.4 to 8.5.5 SSL Issue
> 
> On Tue, Nov 15, 2016 at 10:50 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > William,
> >
> > On 11/14/16 7:18 PM, William Boyd wrote:
> > > First, I'd like to thank everyone for the help.
> > >
> > > Is it now safe to say that the behaviour we've been taking advantage
> > > of is undocumented and will no longer be supported?
> > >
> > > Also, for those that hit this thread and need to get HTTPS working
> > > with a *self-signed* certificate in a dev environment...
> > >
> > > Here's what worked for me: 1. Copy
> > > %JAVA_HOME%\jre\lib\security\cacerts some place (say C:\keystore) 2.
> > > Create a *self-signed* certificate with %JAVA_HOME%\bin\keytool
> > > -genkeypair -keyalg RSA -alias myAlias -keystore
> > > "C:\keystore\keystore.jsk" -storepass changeit -validity 360
> > > -keysize 2048 -dname
> > > CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country 3. Export
> > > the myAlias certificate with %JAVA_HOME%\bin\keytool -export -alias
> > > myAlias -keystore C:\keystore\keystore.jsk -rfc -file
> > > C:\keystore\myAlias.cer 4. Import the myAlias certificate into your
> > > copy of cacerts with: %JAVA_HOME%\bin\keytool -import -alias myAlias
> > > -keystore C:\keystore\cacerts -file C:\keystore\myAlias.cer 5. Add
> > > this to setclasspath.bat in tomcat:
> > > set JAVA_OPTS=%JAVA_OPTS%
> > > -Djavax.net.ssl.trustStore="C:\keystore\cacert" 6. In server.xml,
> > > add these attributes to the Connector element
> > > keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit"
> > > keyAlias="myAlias" scheme="https" secure="true" SSLEnabled="true"
> > > clientAuth="false" sslProtocol="TLS"
> > >
> > > Now you should be good to go with HTTPS in Tomcat 8.5.5 +
> >
> > This is exactly what I suggested, except that you set the trust store
> > using a system property instead of using truststoreFile in the
> > <Connector>. You do not need to duplicate the JRE's trust store. You
> > only need your own single certificate in your local truststore.
> >
> > Can you use keystoreFile and truststoreFile separately pointing to
> > those files and re-check that it works? Perhaps Tomcat chokes when
> > using the same file for both. That's what I'd like to verify.
> >
> > - -chris
> Hi Christopher,
> 
> Thanks, I'm glad to hear I'm heading in the right direction. :)
> 
> I tested some more configuration.
> 
> Firstly, I removed the system property but retained these Connector attributes
> 
>keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit"
> keyAlias="myAlias"
>scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
> sslProtocol="TLS"
> 
> Then I tried the following:
> 
> 1. adding truststor

Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-15 Thread William Boyd
On Tue, Nov 15, 2016 at 10:50 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> William,
>
> On 11/14/16 7:18 PM, William Boyd wrote:
> > First, I'd like to thank everyone for the help.
> >
> > Is it now safe to say that the behaviour we've been taking
> > advantage of is undocumented and will no longer be supported?
> >
> > Also, for those that hit this thread and need to get HTTPS working
> > with a *self-signed* certificate in a dev environment...
> >
> > Here's what worked for me: 1. Copy
> > %JAVA_HOME%\jre\lib\security\cacerts some place (say C:\keystore)
> > 2. Create a *self-signed* certificate with %JAVA_HOME%\bin\keytool
> > -genkeypair -keyalg RSA -alias myAlias -keystore
> > "C:\keystore\keystore.jsk" -storepass changeit -validity 360
> > -keysize 2048 -dname
> > CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country 3. Export
> > the myAlias certificate with %JAVA_HOME%\bin\keytool -export -alias
> > myAlias -keystore C:\keystore\keystore.jsk -rfc -file
> > C:\keystore\myAlias.cer 4. Import the myAlias certificate into your
> > copy of cacerts with: %JAVA_HOME%\bin\keytool -import -alias
> > myAlias -keystore C:\keystore\cacerts -file
> > C:\keystore\myAlias.cer 5. Add this to setclasspath.bat in tomcat:
> > set JAVA_OPTS=%JAVA_OPTS%
> > -Djavax.net.ssl.trustStore="C:\keystore\cacert" 6. In server.xml,
> > add these attributes to the Connector element
> > keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit"
> > keyAlias="myAlias" scheme="https" secure="true" SSLEnabled="true"
> > clientAuth="false" sslProtocol="TLS"
> >
> > Now you should be good to go with HTTPS in Tomcat 8.5.5 +
>
> This is exactly what I suggested, except that you set the trust store
> using a system property instead of using truststoreFile in the
> <Connector>. You do not need to duplicate the JRE's trust store. You
> only need your own single certificate in your local truststore.
>
> Can you use keystoreFile and truststoreFile separately pointing to
> those files and re-check that it works? Perhaps Tomcat chokes when
> using the same file for both. That's what I'd like to verify.
>
> - -chris
>
Hi Christopher,

Thanks, I'm glad to hear I'm heading in the right direction. :)

I tested some more configuration.

Firstly, I removed the system property but retained these Connector
attributes

   keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit"
keyAlias="myAlias"
   scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
sslProtocol="TLS"

Then I tried the following:

1. adding truststoreFile="C:\keystore\cacerts" to my Connector and got the
following error in an IE11 browser
   Caught Exception (javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
   PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
   unable to find valid certification path to requested target): ;
   nested exception is: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
   PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
   unable to find valid certification path to requested target

2. adding truststoreFile="C:\keystore\myAlias.cer" to my Connector and got
the following error at startup
   15-Nov-2016 12:34:57.379 SEVERE [main]
org.apache.coyote.AbstractProtocol.init
   Failed to initialize end point associated with ProtocolHandler
["https-openssl-nio-8001"]
   java.lang.IllegalArgumentException: java.io.IOException: Invalid
keystore format
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
   :
   Caused by: java.io.IOException: Invalid keystore format
at
sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
at
sun.security.pr

Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-15 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

William,

On 11/14/16 7:18 PM, William Boyd wrote:
> First, I'd like to thank everyone for the help.
> 
> Is it now safe to say that the behaviour we've been taking
> advantage of is undocumented and will no longer be supported?
> 
> Also, for those that hit this thread and need to get HTTPS working
> with a *self-signed* certificate in a dev environment...
> 
> Here's what worked for me: 1. Copy
> %JAVA_HOME%\jre\lib\security\cacerts some place (say C:\keystore) 
> 2. Create a *self-signed* certificate with %JAVA_HOME%\bin\keytool
> -genkeypair -keyalg RSA -alias myAlias -keystore
> "C:\keystore\keystore.jsk" -storepass changeit -validity 360 
> -keysize 2048 -dname
> CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country 3. Export
> the myAlias certificate with %JAVA_HOME%\bin\keytool -export -alias
> myAlias -keystore C:\keystore\keystore.jsk -rfc -file
> C:\keystore\myAlias.cer 4. Import the myAlias certificate into your
> copy of cacerts with: %JAVA_HOME%\bin\keytool -import -alias
> myAlias -keystore C:\keystore\cacerts -file
> C:\keystore\myAlias.cer 5. Add this to setclasspath.bat in tomcat: 
> set JAVA_OPTS=%JAVA_OPTS% 
> -Djavax.net.ssl.trustStore="C:\keystore\cacert" 6. In server.xml,
> add these attributes to the Connector element 
> keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit" 
> keyAlias="myAlias" scheme="https" secure="true" SSLEnabled="true" 
> clientAuth="false" sslProtocol="TLS"
> 
> Now you should be good to go with HTTPS in Tomcat 8.5.5 +

This is exactly what I suggested, except that you set the trust store
using a system property instead of using truststoreFile in the
<Connector>. You do not need to duplicate the JRE's trust store. You
only need your own single certificate in your local truststore.

Can you use keystoreFile and truststoreFile separately pointing to
those files and re-check that it works? Perhaps Tomcat chokes when
using the same file for both. That's what I'd like to verify.

- -chris



Re: 8.5.4 to 8.5.5 SSL Issue

2016-11-14 Thread William Boyd
On Tue, Oct 25, 2016 at 2:08 AM, Kreuser, Peter 
wrote:

> Dear all,
>
> > On Sun, Oct 23, 2016 at 3:15 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > >
> > > William,
> > >
> > > On 10/21/16 6:08 PM, William Boyd wrote:
> > > > On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <
> > > > ch...@christopherschultz.net> wrote:
> > > >
> > > > William,
> > > >
> > > > On 10/21/16 4:37 PM, William Boyd wrote:
> > >  Hello,
> > > 
> > >  I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything
> > >  was working great until I enabled SSL with a self-signed
> > >  certificate. I am able to recreate the issue on 8.5.5. I
> > >  finally had to downgrade to 8.5.4 to get SSL working with
> > >  identical configuration and cert.
> > > 
> > >  I want to be sure that this is not a known issue and that I'm
> > >  not doing something wrong before I create a bug report.
> > > 
> > >  Server version:Apache Tomcat/8.5.5 64-bit OS Name:
> > >  Windows 7 JVM Version:   1.8.0_102-b14
> > > 
> > >  The cert was generated with this command: keytool
> > >  -genkeypair -keyalg RSA -alias tomcat -keystore
> > >  "C:/keys/keystore.jsk" -storepass changeit -validity 360
> > >  -keysize 2048 -dname
> > >  CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> > > 
> > >  Configuration includes adding
> > >  -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> > > >
> > > > I think this might be the problem. Tomcat doesn't use
> > > > javax.net.ssl.trustStore except as a backup in case you haven't
> > > > specified a trust store in your <Connector>. You have pointed that
> > > > system property at a keystore, not a trust store. Technically,
> > > > they are the same format, but they are used for different things.
> > > >
> > > > If you need that for making your own outgoing TLS connections then
> > > > leave it in there and we'll try to get it to work, otherwise it's
> > > > just confusing and might cause Tomcat to do weird things.
> > > >
> > >  and using this connector config
> > > 
> > >   > >  connectionTimeout="6" maxThreads="200"
> > >  minSpareThreads="4" enableLookups="false" compression="on"
> > >  server="Apache" scheme="https" secure="true"
> > >  SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk"
> > >  keystorePass="changeit" keyAlias="tomcat" clientAuth="false"
> > >  sslProtocol="TLS"/>
> > > >
> > > > Looks good so far.
> > > >
> > >  Here is the exception I get at startup
> > > 
> > >  13-Oct-2016 15:05:17.309 SEVERE [main]
> > >  org.apache.coyote.AbstractProtocol.init Failed to initialize
> > >  end point associated with ProtocolHandler
> > >  ["https-openssl-nio-8001"]
> > >  java.lang.IllegalArgumentException:
> > >  java.security.InvalidAlgorithmParameterException: the
> > >  trustAnchors parameter must be non-empty
> > >  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> > >  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> > >  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> > >  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> > >  at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> > >  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> > >  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> > >  at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> > >  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > >  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> > >  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > >  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> > >  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > >  at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> > >  at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > >  at sun.reflect.NativeMethodAcces

AW: 8.5.4 to 8.5.5 SSL Issue

2016-10-25 Thread Kreuser, Peter
Dear all,

> On Sun, Oct 23, 2016 at 3:15 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > William,
> >
> > On 10/21/16 6:08 PM, William Boyd wrote:
> > > On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > >
> > > William,
> > >
> > > On 10/21/16 4:37 PM, William Boyd wrote:
> >  Hello,
> > 
> >  I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything
> >  was working great until I enabled SSL with a self-signed
> >  certificate. I am able to recreate the issue on 8.5.5. I
> >  finally had to downgrade to 8.5.4 to get SSL working with
> >  identical configuration and cert.
> > 
> >  I want to be sure that this is not a known issue and that I'm
> >  not doing something wrong before I create a bug report.
> > 
> >  Server version:Apache Tomcat/8.5.5 64-bit OS Name:
> >  Windows 7 JVM Version:   1.8.0_102-b14
> > 
> >  The cert was generated with this command: keytool
> >  -genkeypair -keyalg RSA -alias tomcat -keystore
> >  "C:/keys/keystore.jsk" -storepass changeit -validity 360
> >  -keysize 2048 -dname
> >  CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> > 
> >  Configuration includes adding
> >  -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> > >
> > > I think this might be the problem. Tomcat doesn't use
> > > javax.net.ssl.trustStore except as a backup in case you haven't
> > > specified a trust store in your . You have pointed that
> > > system property at a keystore, not a trust store. Technically,
> > > they are the same format, but they are used for different things.
> > >
> > > If you need that for making your own outgoing TLS connections then
> > > leave it in there and we'll try to get it to work, otherwise it's
> > > just confusing and might cause Tomcat to do weird things.
> > >

Re: 8.5.4 to 8.5.5 SSL Issue

2016-10-24 Thread William Boyd
On Sun, Oct 23, 2016 at 3:15 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> William,
>
> On 10/21/16 6:08 PM, William Boyd wrote:
> > On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > William,
> >
> > On 10/21/16 4:37 PM, William Boyd wrote:
>  Hello,
> 
>  I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything
>  was working great until I enabled SSL with a self-signed
>  certificate. I am able to recreate the issue on 8.5.5. I
>  finally had to downgrade to 8.5.4 to get SSL working with
>  identical configuration and cert.
> 
>  I want to be sure that this is not a known issue and that I'm
>  not doing something wrong before I create a bug report.
> 
>  Server version:Apache Tomcat/8.5.5 64-bit OS Name:
>  Windows 7 JVM Version:   1.8.0_102-b14
> 
>  The cert was generated with this command: keytool
>  -genkeypair -keyalg RSA -alias tomcat -keystore
>  "C:/keys/keystore.jsk" -storepass changeit -validity 360
>  -keysize 2048 -dname
>  CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> 
>  Configuration includes adding
>  -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> >
> > I think this might be the problem. Tomcat doesn't use
> > javax.net.ssl.trustStore except as a backup in case you haven't
> > specified a trust store in your . You have pointed that
> > system property at a keystore, not a trust store. Technically,
> > they are the same format, but they are used for different things.
> >
> > If you need that for making your own outgoing TLS connections then
> > leave it in there and we'll try to get it to work, otherwise it's
> > just confusing and might cause Tomcat to do weird things.
> >
>  and using this connector config
> 
>    connectionTimeout="6" maxThreads="200"
>  minSpareThreads="4" enableLookups="false" compression="on"
>  server="Apache" scheme="https" secure="true"
>  SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk"
>  keystorePass="changeit" keyAlias="tomcat" clientAuth="false"
>  sslProtocol="TLS"/>
> >
> > Looks good so far.
> >
>  Here is the exception I get at startup
> 
>  13-Oct-2016 15:05:17.309 SEVERE [main]
>  org.apache.coyote.AbstractProtocol.init Failed to initialize
>  end point associated with ProtocolHandler
>  ["https-openssl-nio-8001"]
>  java.lang.IllegalArgumentException:
>  java.security.InvalidAlgorithmParameterException: the
>  trustAnchors parameter must be non-empty
>  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
>  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
>  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
>  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
>  at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
>  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
>  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
>  at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
>  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
>  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>  at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
>  at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  at java.lang.reflect.Method.invoke(Method.java:498)
>  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>  Caused by: java.security.InvalidAlgorithmParameterException:
>  the trustAnchors parameter must be non-empty
>  at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParamet

Re: 8.5.4 to 8.5.5 SSL Issue

2016-10-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

William,

On 10/21/16 6:08 PM, William Boyd wrote:
> On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> William,
> 
> On 10/21/16 4:37 PM, William Boyd wrote:
 Hello,
 
 I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything
 was working great until I enabled SSL with a self-signed
 certificate. I am able to recreate the issue on 8.5.5. I
 finally had to downgrade to 8.5.4 to get SSL working with
 identical configuration and cert.
 
 I want to be sure that this is not a known issue and that I'm
 not doing something wrong before I create a bug report.
 
 Server version:Apache Tomcat/8.5.5 64-bit OS Name: 
 Windows 7 JVM Version:   1.8.0_102-b14
 
 The cert was generated with this command: keytool
 -genkeypair -keyalg RSA -alias tomcat -keystore
 "C:/keys/keystore.jsk" -storepass changeit -validity 360
 -keysize 2048 -dname 
 CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
 
 Configuration includes adding 
 -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> 
> I think this might be the problem. Tomcat doesn't use 
> javax.net.ssl.trustStore except as a backup in case you haven't 
> specified a trust store in your . You have pointed that 
> system property at a keystore, not a trust store. Technically,
> they are the same format, but they are used for different things.
> 
> If you need that for making your own outgoing TLS connections then 
> leave it in there and we'll try to get it to work, otherwise it's
> just confusing and might cause Tomcat to do weird things.
> 
 and using this connector config
 
 >>> connectionTimeout="6" maxThreads="200"
 minSpareThreads="4" enableLookups="false" compression="on"
 server="Apache" scheme="https" secure="true"
 SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk"
 keystorePass="changeit" keyAlias="tomcat" clientAuth="false"
 sslProtocol="TLS"/>
> 
> Looks good so far.
> 
 Here is the exception I get at startup
 
 13-Oct-2016 15:05:17.309 SEVERE [main] 
 org.apache.coyote.AbstractProtocol.init Failed to initialize
 end point associated with ProtocolHandler
 ["https-openssl-nio-8001"] 
 java.lang.IllegalArgumentException: 
 java.security.InvalidAlgorithmParameterException: the
 trustAnchors parameter must be non-empty
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
 at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
 at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
 at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
 at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
 at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
 Caused by: java.security.InvalidAlgorithmParameterException:
 the trustAnchors parameter must be non-empty
 at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
 at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
 at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
 at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
 at org.apache.tomcat.util.net.jsse.JSSEUtil.ge

Re: 8.5.4 to 8.5.5 SSL Issue

2016-10-21 Thread William Boyd
On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> William,
>
> On 10/21/16 4:37 PM, William Boyd wrote:
> > Hello,
> >
> > I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was
> > working great until I enabled SSL with a self-signed certificate. I
> > am able to recreate the issue on 8.5.5. I finally had to
> > downgrade to 8.5.4 to get SSL working with identical configuration and
> > cert.
> >
> > I want to be sure that this is not a known issue and that I'm not
> > doing something wrong before I create a bug report.
> >
> > Server version:Apache Tomcat/8.5.5 64-bit OS Name:
> > Windows 7 JVM Version:   1.8.0_102-b14
> >
> > The cert was generated with this command: keytool -genkeypair
> > -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk"
> > -storepass changeit -validity 360 -keysize 2048 -dname
> > CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> >
> > Configuration includes adding
> > -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
>
> I think this might be the problem. Tomcat doesn't use
> javax.net.ssl.trustStore except as a backup in case you haven't
> specified a trust store in your . You have pointed that
> system property at a keystore, not a trust store. Technically, they
> are the same format, but they are used for different things.
>
> If you need that for making your own outgoing TLS connections then
> leave it in there and we'll try to get it to work, otherwise it's just
> confusing and might cause Tomcat to do weird things.
>
> > and using this connector config
> >
> >  > connectionTimeout="6" maxThreads="200" minSpareThreads="4"
> > enableLookups="false" compression="on" server="Apache"
> > scheme="https" secure="true" SSLEnabled="true"
> > keystoreFile="c:/keys/keystore.jsk" keystorePass="changeit"
> > keyAlias="tomcat" clientAuth="false" sslProtocol="TLS"/>
>
> Looks good so far.
>
> > Here is the exception I get at startup
> >
> > 13-Oct-2016 15:05:17.309 SEVERE [main]
> > org.apache.coyote.AbstractProtocol.init Failed to initialize end
> > point associated with ProtocolHandler ["https-openssl-nio-8001"]
> > java.lang.IllegalArgumentException:
> > java.security.InvalidAlgorithmParameterException: the trustAnchors
> > parameter must be non-empty
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> > at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > Caused by: java.security.InvalidAlgorithmParameterException: the
> > trustAnchors parameter must be non-empty
> > at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> > at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> > at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> > at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
> > at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
> > at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> > ... 20 more
>
> Tomcat is choking when trying to load the trust manage

Re: 8.5.4 to 8.5.5 SSL Issue

2016-10-21 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

William,

On 10/21/16 4:37 PM, William Boyd wrote:
> Hello,
> 
> I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was
> working great until I enabled SSL with a self-signed certificate. I
> am able to recreate the issue on 8.5.5. I finally had to
> downgrade to 8.5.4 to get SSL working with identical configuration and
> cert.
> 
> I want to be sure that this is not a known issue and that I'm not
> doing something wrong before I create a bug report.
> 
> Server version:Apache Tomcat/8.5.5 64-bit OS Name:
> Windows 7 JVM Version:   1.8.0_102-b14
> 
> The cert was generated with this command: keytool -genkeypair
> -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk"
> -storepass changeit -validity 360 -keysize 2048 -dname
> CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> 
> Configuration includes adding 
> -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS

I think this might be the problem. Tomcat doesn't use
javax.net.ssl.trustStore except as a backup in case you haven't
specified a trust store in your . You have pointed that
system property at a keystore, not a trust store. Technically, they
are the same format, but they are used for different things.

If you need that for making your own outgoing TLS connections then
leave it in there and we'll try to get it to work, otherwise it's just
confusing and might cause Tomcat to do weird things.

> and using this connector config
> 
>  connectionTimeout="6" maxThreads="200" minSpareThreads="4" 
> enableLookups="false" compression="on" server="Apache" 
> scheme="https" secure="true" SSLEnabled="true" 
> keystoreFile="c:/keys/keystore.jsk" keystorePass="changeit" 
> keyAlias="tomcat" clientAuth="false" sslProtocol="TLS"/>

Looks good so far.

> Here is the exception I get at startup
> 
> 13-Oct-2016 15:05:17.309 SEVERE [main] 
> org.apache.coyote.AbstractProtocol.init Failed to initialize end
> point associated with ProtocolHandler ["https-openssl-nio-8001"] 
> java.lang.IllegalArgumentException: 
> java.security.InvalidAlgorithmParameterException: the trustAnchors 
> parameter must be non-empty
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.security.InvalidAlgorithmParameterException: the
> trustAnchors parameter must be non-empty
> at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> ... 20 more

Tomcat is choking when trying to load the trust managers, which is
synonymous with loading the data from the "trust store". You don't
need a "trust store", otherwise you'd have specified it in the
.

Try just removing that system property and see what happens.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmai
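
The failure Chris describes can be reproduced outside Tomcat. What follows is an added diagnostic, not code from this thread or from the Tomcat project: it loads a keystore, lists which aliases are PrivateKeyEntry and which are trustedCertEntry, runs the same PKIXBuilderParameters constructor that appears in the stack trace, and then re-packages the server certificate as a trusted-certificate entry in an in-memory store to show that it is the entry type, not the certificate itself, that decides whether a file works as a trust store. The class name TrustAnchorCheck, the command-line arguments and the in-memory trust store are my own choices; nothing here is a Tomcat API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Enumeration;

/**
 * Reproduces, outside Tomcat, the check that fails in the thread above:
 * building PKIX parameters from a store that has no trusted-certificate entries.
 *
 * Usage: java TrustAnchorCheck <store-path> <store-password> [JKS|PKCS12]
 * e.g.   java TrustAnchorCheck c:/keys/keystore.jsk changeit
 */
public class TrustAnchorCheck {

    /** Load a store from disk; the type defaults to JKS, pass PKCS12 for a .p12 file. */
    static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Print every entry and return how many are TrustedCertificateEntry.
     * Only those become PKIX trust anchors; a PrivateKeyEntry never does,
     * even though it carries the same certificate.
     */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                System.out.println("trustedCertEntry: " + alias);
                anchors++;
            } else if (ks.isKeyEntry(alias)) {
                System.out.println("PrivateKeyEntry : " + alias + "  (not a trust anchor)");
            }
        }
        return anchors;
    }

    /**
     * The same constructor the JDK runs when a PKIX trust manager is built from a
     * store (PKIXBuilderParameters.<init> in the trace). With zero trusted-certificate
     * entries it throws "the trustAnchors parameter must be non-empty".
     */
    static boolean usableAsTrustStore(KeyStore ks) throws Exception {
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            return true;
        } catch (InvalidAlgorithmParameterException ex) {
            System.out.println("rejected as trust store: " + ex.getMessage());
            return false;
        }
    }

    /**
     * Re-package one key entry's certificate the way a trust store holds it:
     * certificate only, as a TrustedCertificateEntry, no private key.
     * Built in memory here; keytool -exportcert / -importcert does the same on disk.
     */
    static KeyStore trustStoreFor(KeyStore keyStore, String keyAlias) throws Exception {
        Certificate cert = keyStore.getCertificate(keyAlias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate under alias " + keyAlias);
        }
        KeyStore trust = KeyStore.getInstance(keyStore.getType());
        trust.load(null, null);                     // start from an empty store
        trust.setCertificateEntry(keyAlias, cert);
        return trust;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] password = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : "JKS";

        KeyStore ks = load(path, password, type);
        System.out.println("trust anchors in " + path + ": " + countTrustAnchors(ks));
        System.out.println("usable as javax.net.ssl.trustStore: " + usableAsTrustStore(ks));

        // The certificate itself is fine: stored as a trusted entry it is accepted.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                KeyStore trust = trustStoreFor(ks, alias);
                System.out.println("same certificate as trustedCertEntry accepted: "
                        + usableAsTrustStore(trust));
                break;
            }
        }
    }
}
```

Run against the store from the thread with `java TrustAnchorCheck c:/keys/keystore.jsk changeit`. A store produced by `keytool -genkeypair` alone holds a single PrivateKeyEntry, so the first check reports zero anchors and prints the exact message from the trace, while the re-packaged copy is accepted. The same split is visible in `keytool -list -v`, which prints `Entry type: PrivateKeyEntry` or `Entry type: trustedCertEntry` for each alias. Whether Tomcat should be handed a trust store at all is a separate question: with clientAuth="false" it has no client certificates to verify, which is why dropping the system property is the first thing to try.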

8.5.4 to 8.5.5 SSL Issue

2016-10-21 Thread William Boyd
Hello,

I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was working
great until I enabled SSL with a self-signed certificate. I am able to
recreate the issue on 8.5.5. I finally had to downgrade to 8.5.4 to get
SSL working with identical configuration and cert.

I want to be sure that this is not a known issue and that I'm not doing
something wrong before I create a bug report.

Server version:Apache Tomcat/8.5.5 64-bit
OS Name:   Windows 7
JVM Version:   1.8.0_102-b14

The cert was generated with this command:
keytool -genkeypair -keyalg RSA -alias tomcat -keystore
"C:/keys/keystore.jsk" -storepass changeit -validity 360 -keysize 2048
-dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA

Configuration includes adding
-Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS and using this
connector config



Here is the exception I get at startup

13-Oct-2016 15:05:17.309 SEVERE [main]
org.apache.coyote.AbstractProtocol.init Failed to initialize end point
associated with ProtocolHandler ["https-openssl-nio-8001"]
 java.lang.IllegalArgumentException:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
 at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
 at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
 at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
 at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
 at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
 at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
 at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
 at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
 at
java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
 at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
 at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
 at
org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
 at
org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
 at
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
 at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
 ... 20 more


Thanks in advance


Will


Re: 8.5.3 to 8.5.4 SSL Issue

2016-08-22 Thread Chuck Syperski
Great, I'm not crazy!  Thanks so much for the help and quick responses!

On Mon, Aug 22, 2016 at 1:39 PM, Mark Thomas  wrote:

> On 22/08/2016 13:40, Chuck Syperski wrote:
> > Hello,
> >
> > I am having issues when upgrading from 8.5.3 to 8.5.4 with SSL.  It seems
> > that my config from 8.5.3 is not working with 8.5.4 when using the same
> > exact file.   The majority of the server.xml is stock, but here what I
> > manually have changed and it is where I am encountering my problem
>
> Known issue. Already fixed for 8.5.5:
>
> http://svn.us.apache.org/repos/asf/tomcat/tc8.5.x/
> trunk/webapps/docs/changelog.xml
>
> Mark
>
>
> > 
> >  >scheme="https" secure="true" maxThreads="750"
> > SSLEnabled="true">
> > 
> >  > certificateFile="/opt/ssl/cert.pem"
> > certificateChainFile="/opt/ssl/chain.pem"
> > certificateKeyFile="/opt/ssl/privkey.pem"
> > type="RSA" />
> > 
> > 
> > 
> > This worked fine with 8.5.3, but I get the following errors in
> catalina.out
> > on 8.5.4
> >
> > 22-Aug-2016 12:16:21.139 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["https-jsse-nio-8443"]
> > 22-Aug-2016 12:16:22.119 SEVERE [main]
> > org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore
> > type [JKS] with path [/home/tomcat8/.keystore] due to
> > [/home/tomcat8/.keystore (No such file or directory)]
> >  java.io.FileNotFoundException: /home/tomcat8/.keystore (No such file or
> > directory)
> > at java.io.FileInputStream.open0(Native Method)
> > at java.io.FileInputStream.open(FileInputStream.java:195)
> > at java.io.FileInputStream.<init>(FileInputStream.java:138)
> > at java.io.FileInputStream.<init>(FileInputStream.java:93)
> > at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
> > at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
> > at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:96)
> > at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:129)
> > at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
> > at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:189)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
> > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
> > at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> >
> > 22-Aug-2016 12:16:22.123 SEVERE [main]
> > org.apache.coyote.AbstractProtocol.init Failed to initialize end point
> > associated with ProtocolHandler ["https-jsse-nio-8443"]
> >  java.lang.IllegalArgumentException: java.io.FileNotFoundException:
> > /home/tomcat8/.keystore (No such file or directory)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
> > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
> > at org.apache.coyote.http11.AbstractHttp11Protoc

Re: 8.5.3 to 8.5.4 SSL Issue

2016-08-22 Thread Mark Thomas
On 22/08/2016 13:40, Chuck Syperski wrote:
> Hello,
> 
> I am having issues when upgrading from 8.5.3 to 8.5.4 with SSL.  It seems
> that my config from 8.5.3 is not working with 8.5.4 when using the same
> exact file.   The majority of the server.xml is stock, but here what I
> manually have changed and it is where I am encountering my problem

Known issue. Already fixed for 8.5.5:

http://svn.us.apache.org/repos/asf/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Mark


> 
> scheme="https" secure="true" maxThreads="750"
> SSLEnabled="true">
> 
>  certificateFile="/opt/ssl/cert.pem"
> certificateChainFile="/opt/ssl/chain.pem"
> certificateKeyFile="/opt/ssl/privkey.pem"
> type="RSA" />
> 
> 
> 
> This worked fine with 8.5.3, but I get the following errors in catalina.out
> on 8.5.4
> 
> 22-Aug-2016 12:16:21.139 INFO [main]
> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> ["https-jsse-nio-8443"]
> 22-Aug-2016 12:16:22.119 SEVERE [main]
> org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore
> type [JKS] with path [/home/tomcat8/.keystore] due to
> [/home/tomcat8/.keystore (No such file or directory)]
>  java.io.FileNotFoundException: /home/tomcat8/.keystore (No such file or
> directory)
> at java.io.FileInputStream.open0(Native Method)
> at java.io.FileInputStream.open(FileInputStream.java:195)
> at java.io.FileInputStream.<init>(FileInputStream.java:138)
> at java.io.FileInputStream.<init>(FileInputStream.java:93)
> at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
> at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
> at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:96)
> at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:129)
> at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:189)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> 
> 22-Aug-2016 12:16:22.123 SEVERE [main]
> org.apache.coyote.AbstractProtocol.init Failed to initialize end point
> associated with ProtocolHandler ["https-jsse-nio-8443"]
>  java.lang.IllegalArgumentException: java.io.FileNotFoundException:
> /home/tomcat8/.keystore (No such file or directory)
> at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
> at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at
> org.apache.catalina.core.Sta

Re: 8.5.3 to 8.5.4 SSL Issue

2016-08-22 Thread Chuck Syperski
I was under the impression that as of 8.5.3 you could do JSSE with OpenSSL
from this page:

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File

Excerpt:
"Tomcat can use three different implementations of SSL:

JSSE implementation provided as part of the Java runtime
JSSE implementation that uses OpenSSL
APR implementation, which uses the OpenSSL engine by default"

I originally attempted using OpenSSL directly after viewing this post and
this is what my configuration is based off of:

https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/39

If it isn't supported, it is just odd that it did work with 8.5.3.




On Mon, Aug 22, 2016 at 1:08 PM, Kreuser, Peter 
wrote:

> Chuck,
> >
> > Hello,
> >
> > I am having issues when upgrading from 8.5.3 to 8.5.4 with SSL.  It seems
> > that my config from 8.5.3 is not working with 8.5.4 when using the same
> > exact file.   The majority of the server.xml is stock, but here is what I
> > have manually changed, and it is where I am encountering my problem:
> > 
> >  >scheme="https" secure="true" maxThreads="750"
> > SSLEnabled="true">
> > 
> >  > certificateFile="/opt/ssl/cert.pem"
> > certificateChainFile="/opt/ssl/chain.pem"
> > certificateKeyFile="/opt/ssl/privkey.pem"
> > type="RSA" />
> > 
> > 
> > 
> > This worked fine with 8.5.3, but I get the following errors in
> catalina.out
> > on 8.5.4
> >
> > 22-Aug-2016 12:16:21.139 INFO [main]
> > org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> > ["https-jsse-nio-8443"]
> > 22-Aug-2016 12:16:22.119 SEVERE [main]
> > org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore
> > type [JKS] with path [/home/tomcat8/.keystore] due to
> > [/home/tomcat8/.keystore (No such file or directory)]
> >  java.io.FileNotFoundException: /home/tomcat8/.keystore (No such file or
> > directory)
> 
> >
> > I am attempting to use Let's Encrypt certs on Ubuntu 16.04.  My setup is
> > pretty simple and the thing I am changing is a sym link between the
> > 8.5.3 directory and 8.5.4; with 8.5.3 the ssl connector starts, but with
> > 8.5.4 I get no ssl, with the above error in my logs.  Am I missing
> > something?  Any pointers or help would be greatly appreciated!
> >
>
> It seems to me that tomcat requests JKS certificates but you give openssl
> options (certificateFile, certificateChainFile, certificateKeyFile).
>
> Documentation says:
> " If the installation uses APR - i.e. you have installed the Tomcat native
> library - then it will use the JSSE OpenSSL implementation, otherwise it
> will use the Java JSSE implementation." Or
> " Note: If tomcat-native is installed, the configuration will use JSSE
> with an OpenSSL implementation, which supports either this configuration or
> the APR configuration example given below.
>
> The APR connector uses different attributes for many SSL settings,
> particularly keys and certificates. An example of an APR configuration is:"
>
> So are you using TC Native?
>
> Best regards
>
> Peter
>
>
>
>
>


AW: 8.5.3 to 8.5.4 SSL Issue

2016-08-22 Thread Kreuser, Peter
Chuck,
> 
> Hello,
> 
> I am having issues when upgrading from 8.5.3 to 8.5.4 with SSL.  It seems
> that my config from 8.5.3 is not working with 8.5.4 when using the same
> exact file.   The majority of the server.xml is stock, but here is what I
> have manually changed, and it is where I am encountering my problem:
> 
> scheme="https" secure="true" maxThreads="750"
> SSLEnabled="true">
> 
>  certificateFile="/opt/ssl/cert.pem"
> certificateChainFile="/opt/ssl/chain.pem"
> certificateKeyFile="/opt/ssl/privkey.pem"
> type="RSA" />
> 
> 
> 
> This worked fine with 8.5.3, but I get the following errors in catalina.out
> on 8.5.4
> 
> 22-Aug-2016 12:16:21.139 INFO [main]
> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> ["https-jsse-nio-8443"]
> 22-Aug-2016 12:16:22.119 SEVERE [main]
> org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore
> type [JKS] with path [/home/tomcat8/.keystore] due to
> [/home/tomcat8/.keystore (No such file or directory)]
>  java.io.FileNotFoundException: /home/tomcat8/.keystore (No such file or
> directory)
 
> 
> I am attempting to use Let's Encrypt certs on Ubuntu 16.04.  My setup is
> pretty simple and the thing I am changing is a sym link between the 8.5.3
> directory and 8.5.4; with 8.5.3 the ssl connector starts, but with 8.5.4 I
> get no ssl, with the above error in my logs.  Am I missing something?  Any
> pointers or help would be greatly appreciated!
>

It seems to me that tomcat requests JKS certificates but you give openssl
options (certificateFile, certificateChainFile, certificateKeyFile).

Documentation says:
" If the installation uses APR - i.e. you have installed the Tomcat native 
library - then it will use the JSSE OpenSSL implementation, otherwise it will 
use the Java JSSE implementation." Or
" Note: If tomcat-native is installed, the configuration will use JSSE with an 
OpenSSL implementation, which supports either this configuration or the APR 
configuration example given below.

The APR connector uses different attributes for many SSL settings, particularly 
keys and certificates. An example of an APR configuration is:"

So are you using TC Native?

Best regards

Peter
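
A preflight check of the kind this thread calls for, written here as an added example; it is not Tomcat's code and not from anyone on the list. It parses a constructed server.xml that holds Chuck's PEM-style connector beside a keystore-style one and an SSLEnabled connector with no certificate at all, reports for each which certificate source is configured, and checks that every referenced file exists, so the "No such file or directory" shows up before a restart. Whether a PEM-configured connector actually works on a given 8.5.x build without tomcat-native is the version question this thread is about and is not something the script decides. The extra connectors, the /opt/ssl paths, the keystore name and the injectable `exists` hook are assumptions made for the example.

```python
"""Preflight audit of the TLS connectors in a Tomcat 8.5 server.xml.

Added example for this thread; it is not Tomcat's own code. For each
<Connector SSLEnabled="true"> it reports which certificate source is
configured: PEM files on a <Certificate> element (certificateFile,
certificateKeyFile, certificateChainFile), a keystore on a <Certificate>
element (certificateKeystoreFile), or the legacy keystoreFile attribute on
the <Connector> itself. It then checks that every referenced file exists, so
a "No such file or directory" surfaces before Tomcat is restarted.
"""
import os
import xml.etree.ElementTree as ET

PEM_ATTRS = ("certificateFile", "certificateKeyFile", "certificateChainFile")

# Where JSSE looks when no keystore is configured at all; the thread's log
# shows exactly this path (/home/tomcat8/.keystore) being opened.
DEFAULT_KEYSTORE = os.path.join(os.path.expanduser("~"), ".keystore")


def audit_ssl_connectors(xml_text, exists=os.path.exists):
    """Return one finding dict per SSLEnabled connector.

    `exists` is injectable (an assumption of this example) so the audit can
    run against a constructed configuration without the files being present.
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        sources, missing = [], []
        # Tomcat 8.5 style: <SSLHostConfig><Certificate .../></SSLHostConfig>
        for cert in conn.iter("Certificate"):
            pem = [cert.get(a) for a in PEM_ATTRS if cert.get(a)]
            if pem:
                sources.append("pem:" + cert.get("type", "UNDEFINED"))
                missing += [p for p in pem if not exists(p)]
            keystore = cert.get("certificateKeystoreFile")
            if keystore:
                sources.append("keystore:" + cert.get("certificateKeystoreType", "JKS"))
                if not exists(keystore):
                    missing.append(keystore)
        # Legacy style (still accepted in 8.5): keystoreFile on the <Connector>
        legacy = conn.get("keystoreFile")
        if legacy:
            sources.append("legacy-keystore:" + conn.get("keystoreType", "JKS"))
            if not exists(legacy):
                missing.append(legacy)
        finding = {"port": conn.get("port"), "sources": sources,
                   "missing": sorted(set(missing))}
        if not sources:
            finding["note"] = "no certificate source; JSSE will try " + DEFAULT_KEYSTORE
        findings.append(finding)
    return findings


# Constructed sample: the PEM connector from the thread, a keystore connector,
# and an SSLEnabled connector with no certificate configured at all.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" maxThreads="750" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateFile="/opt/ssl/cert.pem"
                     certificateChainFile="/opt/ssl/chain.pem"
                     certificateKeyFile="/opt/ssl/privkey.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="/opt/ssl/tomcat.p12"
                     certificateKeystoreType="PKCS12" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Run against the constructed sample; on a real host drop the `exists`
    # argument so the check runs against the filesystem.
    present = {"/opt/ssl/cert.pem", "/opt/ssl/chain.pem"}
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML, exists=present.__contains__):
        print(finding)
```

On a real host, run it against `$CATALINA_BASE/conf/server.xml` as the Tomcat user, since a file that exists but is unreadable to that account fails in the same way as a missing one.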






8.5.3 to 8.5.4 SSL Issue

2016-08-22 Thread Chuck Syperski
Hello,

I am having issues when upgrading from 8.5.3 to 8.5.4 with SSL.  It seems
that my config from 8.5.3 is not working with 8.5.4 when using the same
exact file.   The majority of the server.xml is stock, but here is what I
have manually changed, and it is where I am encountering my problem:







This worked fine with 8.5.3, but I get the following errors in catalina.out
on 8.5.4

22-Aug-2016 12:16:21.139 INFO [main]
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
["https-jsse-nio-8443"]
22-Aug-2016 12:16:22.119 SEVERE [main]
org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore
type [JKS] with path [/home/tomcat8/.keystore] due to
[/home/tomcat8/.keystore (No such file or directory)]
 java.io.FileNotFoundException: /home/tomcat8/.keystore (No such file or
directory)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.(FileInputStream.java:138)
at java.io.FileInputStream.(FileInputStream.java:93)
at
sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
at
sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
at
org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:96)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:129)
at
org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
at
org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:189)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)

22-Aug-2016 12:16:22.123 SEVERE [main]
org.apache.coyote.AbstractProtocol.init Failed to initialize end point
associated with ProtocolHandler ["https-jsse-nio-8443"]
 java.lang.IllegalArgumentException: java.io.FileNotFoundException:
/home/tomcat8/.keystore (No such file or directory)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at

Re: tomcat 7/modcluster ssl issue

2016-02-16 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Qadeer,

On 2/14/16 1:50 PM, Qadeer Khan wrote:
> 
> Hello,
> 
> I am trying to hook up an ssl connection between mod_Cluster load
> balancer and tomcat 7 and seem to be following everything, but when
> I start the tomcat server, I am getting the following error in my
> catalina.out. My password for the keystore is "tomcat". I have
> checked and rechecked. Any thoughts???
> 
> java.lang.IllegalStateException: java.io.IOException: Keystore was
> tampered with, or password was incorrect
> at org.jboss.modcluster.mcmp.impl.JSSESocketFactory.(JSSESocketFactory.java:113)
> at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler$Proxy.(DefaultMCMPHandler.java:790)
> at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.add(DefaultMCMPHandler.java:196)
> at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.init(DefaultMCMPHandler.java:143)
> at org.jboss.modcluster.ModClusterService.init(ModClusterService.java:142)
> at org.jboss.modcluster.container.catalina.CatalinaEventHandlerAdapter.init(CatalinaEventHandlerAdapter.java:272)
> at org.jboss.modcluster.container.catalina.CatalinaEventHandlerAdapter.lifecycleEvent(CatalinaEventHandlerAdapter.java:210)
> at org.jboss.modcluster.container.catalina.standalone.ModClusterListener.lifecycleEvent(ModClusterListener.java:136)
> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
> at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
> 
> 
> Here is relevant info from my server.xml
> 
>  className="org.jboss.modcluster.container.catalina.standalone.ModClust
erListener"
> stickySession="true" stickySessionForce="false"
> stickySessionRemove="true" advertise="false"
> proxyList="localhost:" ssl="true" sslKeyStorePass="tomcat" 
> sslKeyStore="keystore/keystore.jks" sslKeyStoreType="JKS" 
> sslProtocol="TLS"
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="true" keystoreFile="keystore/keystore.jks" 
> keystorePass="tomcat" keystoreType="JKS" sslProtocol="TLS" />

This looks like it might be a JBoss issue, since everything involved
is provided by JBoss.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlbDl5cACgkQ9CaO5/Lv0PBGsQCfd7lU3g6rr4XvIFDM/EI4z2CM
taUAn1GUWU4hREoeScVgJyMvbJZ7Cy8q
=cYRw
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



tomcat 7/modcluster ssl issue

2016-02-14 Thread Qadeer Khan

Hello,

I am trying to hook up an ssl connection between mod_Cluster load balancer and 
tomcat 7 and seem to be following everything, but when I start the tomcat server, I 
am getting the following error in my catalina.out. My password for the 
keystore is "tomcat". I have checked and rechecked. Any thoughts???

java.lang.IllegalStateException: java.io.IOException: Keystore was tampered 
with, or password was incorrect
at 
org.jboss.modcluster.mcmp.impl.JSSESocketFactory.(JSSESocketFactory.java:113)
at 
org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler$Proxy.(DefaultMCMPHandler.java:790)
at 
org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.add(DefaultMCMPHandler.java:196)
at 
org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.init(DefaultMCMPHandler.java:143)
at 
org.jboss.modcluster.ModClusterService.init(ModClusterService.java:142)
at 
org.jboss.modcluster.container.catalina.CatalinaEventHandlerAdapter.init(CatalinaEventHandlerAdapter.java:272)
at 
org.jboss.modcluster.container.catalina.CatalinaEventHandlerAdapter.lifecycleEvent(CatalinaEventHandlerAdapter.java:210)
at 
org.jboss.modcluster.container.catalina.standalone.ModClusterListener.lifecycleEvent(ModClusterListener.java:136)
at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at 
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:110)
at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)


Here is relevant info from my server.xml








Re: Parse and SSL issue

2015-07-20 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Uzair,

On 7/19/15 4:52 PM, uzair rashid wrote:
> Konstantin:
> 
> Thank you for your information. Could you please comment on the
> parse error as well?
> 
> You helped a lot in understanding all other errors. I really
> appreciate it.
> 
> To remind of the error:
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
> Jul 16, 2015 3:54:02 PM org.apache.catalina.core.StandardService startInternal
> INFO: Starting service Catalina
> Jul 16, 2015 3:54:02 PM org.apache.catalina.core.StandardEngine startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/7.0.57
> Jul 16, 2015 3:54:02 PM org.apache.tomcat.util.digester.Digester fatalError
> SEVERE: Parse Fatal Error at line 36 column 4: XML document structures
> must start and end within the same entity.
> org.xml.sax.SAXParseException: XML document structures must start
> and end within the same entity.

The error is clear (your XML is broken), but it's not entirely clear
which XML document is broken unless you are experienced at reading the
stack traces from Tomcat:

> at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
> at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:174)
> at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:388)
> at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1427)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.endEntity(XMLDocumentFragmentScannerImpl.java:905)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.endEntity(XMLDocumentScannerImpl.java:604)
> at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.endEntity(XMLEntityManager.java:1420)
> at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.load(XMLEntityScanner.java:1769)
> at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.peekChar(XMLEntityScanner.java:493)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2688)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
> at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:817)
> at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
> at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
> at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
> at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
> at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1580)
> at org.apache.catalina.users.MemoryUserDatabase.open(MemoryUserDatabase.java:432)


This is coming from the "MemoryUserDatabase" component, which is
likely reading a file called conf/tomcat-users.xml. Check that file to
see if it's not valid XML.

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-
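
To act on the suggestion above to check conf/tomcat-users.xml, here is an added example (not Tomcat code and not from anyone on the list) that goes one step beyond what the Digester reports: a missing end tag is only detected at the end of the file, so the line and column in the SEVERE message point at the end of the document rather than at the fault. Walking the document with expat while keeping a stack of open elements lets the report name the element that was left open and the line where it was opened. The tomcat-users.xml content is constructed for the example.

```python
"""Name the unclosed element behind a fatal XML parse error.

Added example for this thread, not Tomcat code. Tomcat's Digester reports
only the line and column where Xerces gave up ("line 36 column 4" in the
thread), which for a missing end tag is simply the end of the file. Walking
the document with expat and tracking open elements lets the report say which
element was never closed and on which line it was opened.
"""
import xml.parsers.expat


def find_unclosed(xml_text):
    """Return (ok, message, open_elements).

    open_elements is a list of (element name, line opened) for every element
    still open when the parser stopped; it is empty for a well-formed document.
    """
    parser = xml.parsers.expat.ParserCreate()
    stack = []

    def on_start(name, attrs):
        # CurrentLineNumber is 1-based and refers to the event being reported
        stack.append((name, parser.CurrentLineNumber))

    def on_end(name):
        stack.pop()

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_text, True)  # True: this is the whole document
    except xml.parsers.expat.ExpatError as err:
        detail = "; still open: " + ", ".join(
            "<%s> from line %d" % (name, line) for name, line in stack
        ) if stack else ""
        return False, str(err) + detail, list(stack)
    return True, "well-formed", []


# Constructed sample: a tomcat-users.xml whose root element is never closed,
# the shape of file that produces the error quoted in the thread.
BROKEN_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-gui"/>
"""

GOOD_TOMCAT_USERS = BROKEN_TOMCAT_USERS + "</tomcat-users>\n"

if __name__ == "__main__":
    # On a real host: find_unclosed(open("conf/tomcat-users.xml").read())
    for label, doc in (("broken", BROKEN_TOMCAT_USERS), ("good", GOOD_TOMCAT_USERS)):
        ok, message, _ = find_unclosed(doc)
        print("%s: %s" % (label, message))
```

A mismatched closing tag (for example `</tomcat-users>` while a `<user>` is still open) stops the parser at the offending tag with both elements still on the stack, so the same report covers that case too.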




Re: Parse and SSL issue

2015-07-20 Thread Konstantin Kolinko
2015-07-20 0:52 GMT+03:00 uzair rashid :
> Konstantin:
>
> Thank you for your information. Could you please comment on the parse error
> as well?
>
> You helped a lot in understanding all other errors. I really appreciate it.
>
> To remind of the error:
>  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
> Jul 16, 2015 3:54:02 PM org.apache.catalina.core.StandardService
> startInternal
> INFO: Starting service Catalina
> Jul 16, 2015 3:54:02 PM org.apache.catalina.core.StandardEngine
> startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/7.0.57
> Jul 16, 2015 3:54:02 PM org.apache.tomcat.util.digester.Digester fatalError
> SEVERE: Parse Fatal Error at line 36 column 4: XML document structures must
> start and end within the same entity.
> org.xml.sax.SAXParseException: XML document structures must start and end
> within the same entity.
>  at
> com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)


https://en.wikipedia.org/wiki/XML#Well-formedness_and_error-handling




Re: Parse and SSL issue

2015-07-19 Thread uzair rashid
Konstantin:

Thank you for your information. Could you please comment on the parse error
as well?

You helped a lot in understanding all other errors. I really appreciate it.

To remind of the error:
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Jul 16, 2015 3:54:02 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jul 16, 2015 3:54:02 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.57
Jul 16, 2015 3:54:02 PM org.apache.tomcat.util.digester.Digester fatalError
SEVERE: Parse Fatal Error at line 36 column 4: XML document structures must
start and end within the same entity.
org.xml.sax.SAXParseException: XML document structures must start and end
within the same entity.
 at
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:195)
 at
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:174)
 at
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:388)
 at
com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1427)
 at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.endEntity(XMLDocumentFragmentScannerImpl.java:905)
 at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.endEntity(XMLDocumentScannerImpl.java:604)
 at
com.sun.org.apache.xerces.internal.impl.XMLEntityManager.endEntity(XMLEntityManager.java:1420)
 at
com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.load(XMLEntityScanner.java:1769)
 at
com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.peekChar(XMLEntityScanner.java:493)
 at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2688)
 at
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:647)
 at
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
 at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:817)
 at
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
 at
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
 at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
 at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
 at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1580)
 at
org.apache.catalina.users.MemoryUserDatabase.open(MemoryUserDatabase.java:432)
 at
org.apache.catalina.users.MemoryUserDatabaseFactory.getObjectInstance(MemoryUserDatabaseFactory.java:102)
 at
org.apache.naming.factory.ResourceFactory.getObjectInstance(ResourceFactory.java:141)
 at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
 at org.apache.naming.NamingContext.lookup(NamingContext.java:842)
 at org.apache.naming.NamingContext.lookup(NamingContext.java:167)
 at
org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:253)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at
org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:201)
 at
org.apache.catalina.realm.LockOutRealm.startInternal(LockOutRealm.java:120)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1109)
 at
org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:300)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at
org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:739)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Jul 16, 2015 3:54:02 PM org.apache.naming.NamingContext lookup
WARNING: Unexpected exception resolving reference
org.xml.sax.SAXParseException: XML document structures must start and end
within the same entity.
 at
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1231)
 at
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAX

Re: Parse and SSL issue

2015-07-18 Thread Konstantin Kolinko
2015-07-17 21:19 GMT+03:00 uzair rashid :
> Hello:
>
> I am having an issue with tomcat version: Apache Tomcat 7.0.57 . Windows
> Server 2008 R2 Enterprise.
>
> I am using mssql and bobj as well.
>
> I am having a few issues. One seems to be related to ssl/apr... maybe my
> sslcipher should just be ciphers? And the second issue I'm having is a saxparse
> issue. Here is my stderr.log:
>
> 2015-07-17 09:56:43 Commons Daemon procrun stderr initialized
> Jul 17, 2015 9:56:48 AM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'maxSpareThreads' to '75' did not find a matching property.
> Jul 17, 2015 9:56:48 AM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'debug' to '0' did not find a matching property.

Note the above warnings.  There are no such configuration options in
your version of Tomcat.

If you used some obsolete documentation, throw it away.


> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Server version:Apache Tomcat/7.0.57
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Server built:  Nov 3 2014 08:39:16 UTC
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Server number: 7.0.57.0
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: OS Name:   Windows Server 2008 R2
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: OS Version:6.1
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Architecture:  amd64
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: JAVA_HOME: d:\SAP BusinessObjects\SAP BusinessObjects
> Enterprise XI 4.0\win64_x64\sapjvm\jre
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: JVM Version:   6.1.044
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: JVM Vendor:SAP AG
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: CATALINA_BASE: d:\SAP BusinessObjects\tomcat\
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: CATALINA_HOME: d:\SAP BusinessObjects\tomcat\
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Djava.library.path=C:\Windows\SysWOW64\;d:\SAP
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: BusinessObjects\SAP
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: BusinessObjects
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: Enterprise
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: XI
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: 4.0\win64_x64\
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Dcatalina.base=d:\SAP
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: BusinessObjects\tomcat\
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Dcatalina.home=d:\SAP
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: BusinessObjects\tomcat\
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Djava.endorsed.dirs=d:\SAP
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: BusinessObjects\tomcat\common\endorsed\
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: -Dbobj.enterprise.home=d:\SAP
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: BusinessObjects\SAP
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: BusinessObjects
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: Enterprise
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: XI
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> log
> INFO: Command line argument: 4.0\
> Jul 17, 2015 9:56:49 AM org.apache.catalina.startup.VersionLoggerListener
> l

Re: SSL Issue on the 443 port on tomcat7

2015-03-19 Thread Vijay Karthick
Thanks Akbar,

It worked.

Regards,

Vijay S

On Thu, Mar 19, 2015 at 10:31 PM, Akbar Thanakalacheruvu <
akb...@sumtotalsystems.com> wrote:

>
> -Original Message-
> From: Vijay Karthick [mailto:vijaykarthic...@gmail.com]
> Sent: Thursday, March 19, 2015 12:11 PM
> To: users@tomcat.apache.org
> Subject: Fwd: SSL Issue on the 443 port on tomcat7
>
> Hi,
>
> In the SAP BO environment, SSL has been enabled in the Tomcat 7 version.
> However, Tomcat is not initializing. It reports a password error.
> I've recreated the keystore file. However, we're unable to fix it. Please
> refer to the log in the Tomcat folder.
>
>
>
> Server.xml :
>
>
> <Connector ... maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            maxHttpHeaderSize="65536"
>            keystore="D:\SAP BusinessObjects\Tomcat6\conf\.keystore" keypass="Password" />
>
>
> The tomcat logs folder file "stderr" files give the below log,
>
>
>
> 2015-03-18 23:10:01 Commons Daemon procrun stderr initialized
>
> Mar 18, 2015 11:10:02 PM org.apache.catalina.core.AprLifecycleListener init
>
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: C:\Windows\SysWOW64\;D:\SAP BusinessObjects\SAP
> BusinessObjects Enterprise XI 4.0\win64_x64\
>
> Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'keystore' to 'D:\SAP BusinessObjects\tomcat\conf\.keystore' did not find a
> matching property.
>
> Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'keypass' to 'Password' did not find a matching property.
>
> Mar 18, 2015 11:10:02 PM org.apache.coyote.AbstractProtocol init
>
> INFO: Initializing ProtocolHandler ["http-bio-443"]
>
> Mar 18, 2015 11:10:03 PM org.apache.coyote.AbstractProtocol init
>
> SEVERE: Failed to initialize end point associated with ProtocolHandler
> ["http-bio-443"]
>
> java.io.IOException: Keystore was tampered with, or password was incorrect
>
>   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
>
>   at
> sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
>
>   at java.security.KeyStore.load(KeyStore.java:1183)
>
>   at
>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
>
>   at
>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
>
>   at
>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
>
>   at
>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
>
>   at
>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
>
>   at
>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
>
>   at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393)
>
>   at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)
>
>   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)
>
>   at
>
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>
>   at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
>
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>
>   at
>
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>
>   at
>
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
>
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
>
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:658)
>
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>   at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>
>   at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>
>   at java.lang.reflect.Method.invoke(Method.java:597)
>
>   at org.apache.catalina.startup.Bootstrap.l

Re: Fwd: SSL Issue on the 443 port on tomcat7

2015-03-19 Thread Christopher Schultz

Vijay,

On 3/19/15 12:11 PM, Vijay Karthick wrote:
> In SAP BO environment, the SSL has been enabled in the Tomcat7
> version. However, the Tomcat is not initializing. Its states that
> password error. I've recreated the keystore file. However, we're
> unable to fix it. Please refer the Log on the Tomcat folder.

If you have recreated your keystore, you have likely lost the original
private key you were intending to use. Don't throw out the old
keystore file!

And, as others have said, you misspelled your configuration directive.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: SSL Issue on the 443 port on tomcat7

2015-03-19 Thread Akbar Thanakalacheruvu

-Original Message-
From: Vijay Karthick [mailto:vijaykarthic...@gmail.com]
Sent: Thursday, March 19, 2015 12:11 PM
To: users@tomcat.apache.org
Subject: Fwd: SSL Issue on the 443 port on tomcat7

Hi,

In the SAP BO environment, SSL has been enabled in the Tomcat 7 version.
However, Tomcat is not initializing. It reports a password error.
I've recreated the keystore file. However, we're unable to fix it. Please refer
to the log in the Tomcat folder.



Server.xml :





The tomcat logs folder file "stderr" files give the below log,



2015-03-18 23:10:01 Commons Daemon procrun stderr initialized

Mar 18, 2015 11:10:02 PM org.apache.catalina.core.AprLifecycleListener init

INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the
java.library.path: C:\Windows\SysWOW64\;D:\SAP BusinessObjects\SAP 
BusinessObjects Enterprise XI 4.0\win64_x64\

Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
begin

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'keystore' to 'D:\SAP BusinessObjects\tomcat\conf\.keystore' did not find a 
matching property.

Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
begin

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'keypass' to 'Password' did not find a matching property.

Mar 18, 2015 11:10:02 PM org.apache.coyote.AbstractProtocol init

INFO: Initializing ProtocolHandler ["http-bio-443"]

Mar 18, 2015 11:10:03 PM org.apache.coyote.AbstractProtocol init

SEVERE: Failed to initialize end point associated with ProtocolHandler 
["http-bio-443"]

java.io.IOException: Keystore was tampered with, or password was incorrect

  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)

  at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)

  at java.security.KeyStore.load(KeyStore.java:1183)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)

  at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393)

  at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)

  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)

  at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)

  at
org.apache.catalina.connector.Connector.initInternal(Connector.java:981)

  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

  at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)

  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

  at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)

  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

  at org.apache.catalina.startup.Catalina.load(Catalina.java:633)

  at org.apache.catalina.startup.Catalina.load(Catalina.java:658)

  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

  at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

  at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

  at java.lang.reflect.Method.invoke(Method.java:597)

  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)

  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)

Caused by: java.security.UnrecoverableKeyException: Password verification failed

  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)

  ... 26 more

--



Vijay

The attributes that you mentioned in the server.xml file should be corrected as 
follows

keystore with keystoreFile
keypass with keyPass  (P is Capital here)

-Akbar






RE: SSL Issue on the 443 port on tomcat7

2015-03-19 Thread Jeffrey Janner
> -Original Message-
> From: Vijay Karthick [mailto:vijaykarthic...@gmail.com]
> Sent: Thursday, March 19, 2015 11:11 AM
> To: users@tomcat.apache.org
> Subject: Fwd: SSL Issue on the 443 port on tomcat7
> 
> Hi,
> 
> In the SAP BO environment, SSL has been enabled in the Tomcat 7 version.
> However, Tomcat is not initializing. It reports a password error.
> I've recreated the keystore file. However, we're unable to fix it.
> Please
> refer to the log in the Tomcat folder.
> 
> 
> 
> Server.xml :
> 
> 
> <Connector ... maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            maxHttpHeaderSize="65536"
>            keystore="D:\SAP BusinessObjects\Tomcat6\conf\.keystore" keypass="Password" />
> 
 
Please review the documentation on proper <Connector> configuration.
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

> 
> The tomcat logs folder file "stderr" files give the below log,
> 
> 
> 
> 2015-03-18 23:10:01 Commons Daemon procrun stderr initialized
> 
> Mar 18, 2015 11:10:02 PM org.apache.catalina.core.AprLifecycleListener
> init
> 
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: C:\Windows\SysWOW64\;D:\SAP BusinessObjects\SAP
> BusinessObjects Enterprise XI 4.0\win64_x64\
> 
> Mar 18, 2015 11:10:02 PM
> org.apache.catalina.startup.SetAllPropertiesRule
> begin
> 
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property
> 'keystore' to 'D:\SAP BusinessObjects\tomcat\conf\.keystore' did not
> find a
> matching property.
> 
> Mar 18, 2015 11:10:02 PM
> org.apache.catalina.startup.SetAllPropertiesRule
> begin
> 
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property
> 'keypass' to 'Password' did not find a matching property.
> 
> Mar 18, 2015 11:10:02 PM org.apache.coyote.AbstractProtocol init
> 
> INFO: Initializing ProtocolHandler ["http-bio-443"]
> 
> Mar 18, 2015 11:10:03 PM org.apache.coyote.AbstractProtocol init
> 
> SEVERE: Failed to initialize end point associated with ProtocolHandler
> ["http-bio-443"]
> 
> java.io.IOException: Keystore was tampered with, or password was
> incorrect
> 
>   at
> sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
> 
>   at
> sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
> 
>   at java.security.KeyStore.load(KeyStore.java:1183)
> 
>   at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFac
> tory.java:407)
> 
>   at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocket
> Factory.java:306)
> 
>   at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESoc
> ketFactory.java:565)
> 
>   at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESoc
> ketFactory.java:505)
> 
>   at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory
> .java:449)
> 
>   at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocke
> tFactory.java:158)
> 
>   at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393)
> 
>   at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:6
> 10)
> 
>   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)
> 
>   at
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11J
> sseProtocol.java:119)
> 
>   at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:981)
> 
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> 
>   at
> org.apache.catalina.core.StandardService.initInternal(StandardService.ja
> va:559)
> 
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> 
>   at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java
> :814)
> 
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> 
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
> 
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:658)
> 
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 
>   at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
> a:39)
> 
>   at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
> Impl.java:25)
> 
>   at java.lang.reflect.Method.invoke(Method.java:597)
> 
>   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
> 
>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)
> 
> Caused by: java.security.UnrecoverableKeyException: Password
> verification
> failed
> 
>   at
> sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
> 
>   ... 26 more
> 
> --
> *Regards,*
> Vijay Karthick S
> +91-9597957874


Re: Fwd: SSL Issue on the 443 port on tomcat7

2015-03-19 Thread David kerber

On 3/19/2015 12:11 PM, Vijay Karthick wrote:

Hi,

In the SAP BO environment, SSL has been enabled in the Tomcat 7 version.
However, Tomcat is not initializing. It reports a password error.
I've recreated the keystore file. However, we're unable to fix it. Please
refer to the log in the Tomcat folder.



Server.xml :





The tomcat logs folder file "stderr" files give the below log,



2015-03-18 23:10:01 Commons Daemon procrun stderr initialized

Mar 18, 2015 11:10:02 PM org.apache.catalina.core.AprLifecycleListener init

INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path: C:\Windows\SysWOW64\;D:\SAP BusinessObjects\SAP
BusinessObjects Enterprise XI 4.0\win64_x64\

Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
begin

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'keystore' to 'D:\SAP BusinessObjects\tomcat\conf\.keystore' did not find a
matching property.


"did not find a matching property." is the important point here.  That 
means it doesn't know what to do with the property called 'keystore'.  I 
believe these property names are case-sensitive...





Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
begin

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'keypass' to 'Password' did not find a matching property.

Mar 18, 2015 11:10:02 PM org.apache.coyote.AbstractProtocol init

INFO: Initializing ProtocolHandler ["http-bio-443"]

Mar 18, 2015 11:10:03 PM org.apache.coyote.AbstractProtocol init

SEVERE: Failed to initialize end point associated with ProtocolHandler
["http-bio-443"]

java.io.IOException: Keystore was tampered with, or password was incorrect

   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)

   at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)

   at java.security.KeyStore.load(KeyStore.java:1183)

   at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)

   at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)

   at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)

   at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)

   at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)

   at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)

   at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393)

   at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)

   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)

   at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)

   at
org.apache.catalina.connector.Connector.initInternal(Connector.java:981)

   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

   at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)

   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

   at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)

   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

   at org.apache.catalina.startup.Catalina.load(Catalina.java:633)

   at org.apache.catalina.startup.Catalina.load(Catalina.java:658)

   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

   at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

   at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

   at java.lang.reflect.Method.invoke(Method.java:597)

   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)

   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)

Caused by: java.security.UnrecoverableKeyException: Password verification
failed

   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)

   ... 26 more




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
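Both failures on this page (the maxSpareThreads/debug warnings quoted at the top, and the keystore/keypass warnings in Vijay's log) announce themselves the same way: Tomcat's SetAllPropertiesRule logs "did not find a matching property" and then silently drops the attribute, so the connector starts with no keystore path and no password and dies with "Keystore was tampered with, or password was incorrect". Two things a practitioner should take from that log besides the attribute names. First, the Tomcat 7 HTTP connector distinguishes keystorePass (the keystore password, which is what keypass was meant to be here) from keyPass (a separate password on the private key entry, only needed when one was set). Second, the warning echoes the rejected value verbatim, so the keystore password went into stderr.log in clear text and then onto a public mailing list; once that has happened, rotate it. The Go program below is an added example, not code from the Tomcat project or from anyone in the thread. It scans a startup log for these warnings, maps the attribute names that old Tomcat 5.x/6.x documentation still circulates onto their Tomcat 7 names (the mapping table is my reading of the Tomcat 7 connector reference, so check it against the version you run), and flags any dropped value that looks like a credential. The log excerpt inside it is constructed, in the single-line form Tomcat actually writes rather than the mail-client-wrapped form quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Tomcat's SetAllPropertiesRule logs one of these for every attribute it cannot
// map onto a setter of the element; the attribute is silently dropped afterwards.
var unknownProp = regexp.MustCompile(
	`\[SetAllPropertiesRule\]\{([^}]+)\} Setting property '([^']+)' to '([^']*)' did not find a matching property`)

// Finding is one dropped attribute plus what to do about it.
type Finding struct {
	Element   string // element path from the warning, e.g. Server/Service/Connector
	Attribute string // attribute name exactly as written in server.xml
	Value     string // value Tomcat echoed into the log
	Advice    string // replacement attribute, or why there is none
	Secret    bool   // the dropped value looks like a credential and now sits in a log file
}

// suggestions maps lower-cased attribute names from obsolete documentation to their
// Tomcat 7 HTTP connector equivalents. Assumption: taken from the Tomcat 7 connector
// reference; extend it for whatever your own server.xml carries.
var suggestions = map[string]string{
	"keystore":        "use keystoreFile",
	"keypass":         "use keystorePass for the keystore password; keyPass only if the private key entry has its own password",
	"truststore":      "use truststoreFile",
	"maxsparethreads": "removed in Tomcat 7; delete it (tune maxThreads/minSpareThreads instead)",
	"debug":           "removed in Tomcat 7; delete it and configure logging.properties instead",
}

// ScanStartupLog extracts every dropped attribute from a catalina/stderr log.
func ScanStartupLog(log string) []Finding {
	var out []Finding
	for _, m := range unknownProp.FindAllStringSubmatch(log, -1) {
		elem, attr, val := m[1], m[2], m[3]
		advice, known := suggestions[strings.ToLower(attr)]
		if !known {
			advice = "not an attribute of this element in Tomcat 7; check the configuration reference"
		}
		out = append(out, Finding{
			Element: elem, Attribute: attr, Value: val, Advice: advice,
			Secret: looksLikeSecret(attr),
		})
	}
	return out
}

// looksLikeSecret flags attribute names that normally carry a password, because
// the warning prints the rejected value in clear text.
func looksLikeSecret(attr string) bool {
	a := strings.ToLower(attr)
	return strings.Contains(a, "pass") || strings.Contains(a, "secret") || strings.Contains(a, "credential")
}

// SampleLog is a constructed excerpt in the single-line form Tomcat writes.
const SampleLog = `Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystore' to 'D:\SAP BusinessObjects\tomcat\conf\.keystore' did not find a matching property.
Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keypass' to 'Password' did not find a matching property.
Jul 17, 2015 9:56:48 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
Mar 18, 2015 11:10:02 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-443"]
`

func main() {
	for _, f := range ScanStartupLog(SampleLog) {
		fmt.Printf("%s: attribute %q dropped -> %s\n", f.Element, f.Attribute, f.Advice)
		if f.Secret {
			fmt.Printf("  NOTE: value %q was written to the log; treat it as disclosed and rotate it\n", f.Value)
		}
	}
}
```

Run it against a real catalina.out or stderr.log by replacing SampleLog with the file contents; anything it reports is an attribute Tomcat ignored, which is why the connector then behaves as if the keystore settings were never there.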



Fwd: SSL Issue on the 443 port on tomcat7

2015-03-19 Thread Vijay Karthick
Hi,

In the SAP BO environment, SSL has been enabled in the Tomcat 7 version.
However, Tomcat is not initializing. It reports a password error.
I've recreated the keystore file. However, we're unable to fix it. Please
refer to the log in the Tomcat folder.



Server.xml :





The tomcat logs folder file "stderr" files give the below log,



2015-03-18 23:10:01 Commons Daemon procrun stderr initialized

Mar 18, 2015 11:10:02 PM org.apache.catalina.core.AprLifecycleListener init

INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path: C:\Windows\SysWOW64\;D:\SAP BusinessObjects\SAP
BusinessObjects Enterprise XI 4.0\win64_x64\

Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
begin

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'keystore' to 'D:\SAP BusinessObjects\tomcat\conf\.keystore' did not find a
matching property.

Mar 18, 2015 11:10:02 PM org.apache.catalina.startup.SetAllPropertiesRule
begin

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'keypass' to 'Password' did not find a matching property.

Mar 18, 2015 11:10:02 PM org.apache.coyote.AbstractProtocol init

INFO: Initializing ProtocolHandler ["http-bio-443"]

Mar 18, 2015 11:10:03 PM org.apache.coyote.AbstractProtocol init

SEVERE: Failed to initialize end point associated with ProtocolHandler
["http-bio-443"]

java.io.IOException: Keystore was tampered with, or password was incorrect

  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)

  at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)

  at java.security.KeyStore.load(KeyStore.java:1183)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)

  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)

  at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393)

  at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:610)

  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:429)

  at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)

  at
org.apache.catalina.connector.Connector.initInternal(Connector.java:981)

  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

  at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)

  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

  at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)

  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

  at org.apache.catalina.startup.Catalina.load(Catalina.java:633)

  at org.apache.catalina.startup.Catalina.load(Catalina.java:658)

  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

  at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

  at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

  at java.lang.reflect.Method.invoke(Method.java:597)

  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)

  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:450)

Caused by: java.security.UnrecoverableKeyException: Password verification
failed

  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)

  ... 26 more

-- 
*Regards,*
Vijay Karthick S
+91-9597957874


Re: SSL issue in tomcat

2015-02-02 Thread Christopher Schultz

Jason,

On 2/2/15 4:46 AM, Jason Y wrote:
> Thanks for your reply, Chris.
> 
> I am providing solr search service on Linux server. My java version
> is 1.7_67(64bit) and tomcat version is 7.0.55 and tomcat Connector
> is:  protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="500"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" keystoreFile="/path/**.keystore"
> keystorePass="password" /> In my service I provide both REST and
> WSDL services to call solr search over https. Everything worked well
> until one day (around Nov 2014) we found we could not open the wsdl
> URL in any browser, while our clients' code that calls solr search
> kept working fine.
> 
> In the coming days, two clients' developers(.NET) raised some
> tickets complaining that they could not call solr service on their
> local machines(while their code on PROD running well and never
> failed). They said they could not even load wsdl in Visual Studio.
> At this time I realized that I should test it by myself so I
> tested(with java code) to call the service both by REST and by
> WSDL, and both worked fine.
> 
> *My code to call WSDL is:*
> System.setProperty("javax.net.ssl.trustStore", certificationPath);
> Service service = new Service();
>  port = service.getPort();
> // start add soap header
> Binding binding = ((BindingProvider) port).getBinding();
> List handlerList = binding.getHandlerChain();
> if (handlerList == null)
> handlerList = new ArrayList();
>
> handlerList.add(new SecurityHandler(username, password));
> binding.setHandlerChain(handlerList);
> String query = "q=Id:123456";
> long offset = 0;
> long limit = 100;
> Holder numFound = new Holder();
> Holder start = new Holder();
> Holder> doc=new Holder>();
>
> port.search(query,offset,limit,numFound,start,doc);
> System.out.println(doc.value.size());
>
> *My code to call REST service is:*
> SolrQuery query = new SolrQuery();
> query.setQuery("*:*");
> System.setProperty("javax.net.ssl.trustStore", certificationPath);
> HttpSolrServer server = new HttpSolrServer("https://server_ip:8443/solr/solr_test");
> query.setHighlight(true).setStart(1);
> query.setRows(15);
> ModifiableSolrParams paramsDemo = new ModifiableSolrParams();
> paramsDemo.add("wt", "json");
> paramsDemo.add("indent", "true");
> paramsDemo.add("q", "Id:123456");
> query.add(paramsDemo);
> QueryResponse queryResponse = server.query(query);
> 
> Then I tried to disable SSL 3.0 on server by adding ​ 
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the Connector in
> server.xml. After a restart, my service was running OK and my test
> code running OK and https wsdl URLs OK to open in browsers. But,
> about one hour later, all above test failed.
> 
> *Error message when calling wsdl:*
> Exception in thread "main" javax.xml.ws.WebServiceException: Failed to
> access the WSDL at: https://server_ip:8443/solr_test_name?wsdl. It failed
> with: Received fatal alert: handshake_failure.
> at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:151)
> at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:133)
> at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:254)
> at com.sun.xml.internal.ws.client.WSServiceDelegate.(WSServiceDelegate.java:217)
> at com.sun.xml.internal.ws.client.WSServiceDelegate.(WSServiceDelegate.java:165)
> at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:93)
> at javax.xml.ws.Service.(Service.java:56)
> at com..webservice.Service.(Service.java:42)
> at com..client.Test.main(Test.java:30)
> Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert:
> handshake_failure
> 
> *​Error message then calling REST:* ​IOException occured when
> talking to server at: [MY_REST_SERVICE_ADDRESS]
> 
> *Error message when trying to open WSDL URL in browser:* SSL
> connection errorUnable to make a secure connection to the server.
> This may be a problem with the server, or it may be requiring a
> client authentication certificate that you don't have. Error code:
> ERR_SSL_PROTOCOL_ERROR ​My question is, after adding ​
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the *Connector *in
> server.xml, is there anything else that I need to do? Such as: i)
> on server side JDK settings with "-D ="; ii) on client side
> with System.setProperties("","")? iii) or anything else?

You should not have to do anything else.

The one thing I can think of is that some clients are trying to use an
SSLv2hello handshake and you are not supporting one. I would imagine
that most modern clients would try SSLv2hello and then switch to TLS
if that didn't work (or, better yet, the other way around). Your Java
1.7 client will certainly be able to connect to either. I'm not sure
about .NET clients, but they are probably smar
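The mechanism behind Chris's suspicion, as an added example that is not from the original thread or from the Tomcat project: once a Connector's sslEnabledProtocols no longer lists a protocol a client depends on, the server answers that client's ClientHello with a fatal alert and the client logs it as a handshake failure, while clients that fit inside the allowed set keep working, which is exactly the "some clients fail, others don't" pattern Jason describes. The Go program below stands up a loopback TLS listener restricted to TLS 1.2 and 1.3 and runs two clients against it, one modern and one capped at TLS 1.1. Go's crypto/tls has no SSLv2Hello or SSLv3 support, so the legacy client here is a TLS 1.0/1.1-only client and the block demonstrates the general version-range mismatch rather than the SSLv2Hello case itself. The certificate is generated in memory for the example, the function names StartServer and TryHandshake are mine, and InsecureSkipVerify is set only because the certificate is self-signed; do not carry that into real client code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway P-256 certificate for 127.0.0.1 in memory
// (constructed for this example; a real Connector reads its key from keystoreFile).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-connector"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer is the stand-in for a Connector whose sslEnabledProtocols only
// allows versions in [lo, hi]. It accepts connections in the background until closed.
func StartServer(lo, hi uint16) (net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   lo,
		MaxVersion:   hi,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake so the peer receives either a completed
				// handshake or the fatal protocol_version alert.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln, nil
}

// TryHandshake connects as a client that can only speak versions in [lo, hi]
// and returns the negotiated version, or the error such a client would log.
func TryHandshake(addr string, lo, hi uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // self-signed test cert only; never in real clients
		MinVersion:         lo,
		MaxVersion:         hi,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	ln, err := StartServer(tls.VersionTLS12, tls.VersionTLS13)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	clients := []struct {
		name   string
		lo, hi uint16
	}{
		{"modern client, TLS 1.2-1.3", tls.VersionTLS12, tls.VersionTLS13},
		{"legacy client, TLS 1.0-1.1", tls.VersionTLS10, tls.VersionTLS11},
	}
	for _, c := range clients {
		v, err := TryHandshake(ln.Addr().String(), c.lo, c.hi)
		if err != nil {
			fmt.Printf("%s: handshake failed: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s: negotiated version 0x%04x\n", c.name, v)
	}
}
```

The practical check this suggests for Jason's situation is to capture a failing client's ClientHello (or run the failing client against a test listener like this one) and compare the versions it offers with the Connector's sslEnabledProtocols, rather than changing JDK system properties on either side, which is consistent with Chris's "you should not have to do anything else".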

Re: SSL issue in tomcat

2015-02-02 Thread Jason Y
Thanks for your reply, Chris.

I am providing solr search service on Linux server. My java version is
1.7_67(64bit) and tomcat version is 7.0.55 and tomcat Connector is:

In my service I provide both REST and WSDL services to call solr search over
https. Everything worked well until one day (around Nov 2014) we found we
could not open the wsdl URL in any browser, while our clients' code that calls
solr search kept working fine.

In the coming days, two clients' developers(.NET) raised some tickets
complaining that they could not call solr service on their local
machines(while their code on PROD running well and never failed). They said
they could not even load wsdl in Visual Studio. At this time I realized
that I should test it by myself so I tested(with java code) to call the
service both by REST and by WSDL, and both worked fine.

*My code to call WSDL is:*
System.setProperty("javax.net.ssl.trustStore", certificationPath);
Service service = new Service();
// The port type was lost from the archived message; the generated JAX-WS port interface goes here.
port = service.getPort();
// start add soap header
Binding binding = ((BindingProvider) port).getBinding();
List<Handler> handlerList = binding.getHandlerChain();
if (handlerList == null)
    handlerList = new ArrayList<Handler>();

handlerList.add(new SecurityHandler(username, password));
binding.setHandlerChain(handlerList);
String query = "q=Id:123456";
long offset = 0;
long limit = 100;
// The generic type parameters of the Holders were stripped by the archive; raw types shown.
Holder numFound = new Holder();
Holder start = new Holder();
Holder doc = new Holder();

port.search(query, offset, limit, numFound, start, doc);
System.out.println(doc.value.size());
*My code to call REST service is:*
SolrQuery query = new SolrQuery();
query.setQuery("*:*");
System.setProperty("javax.net.ssl.trustStore", certificationPath);
HttpSolrServer server = new HttpSolrServer("https://server_ip:8443/solr/solr_test");
query.setHighlight(true).setStart(1);
query.setRows(15);
ModifiableSolrParams paramsDemo = new ModifiableSolrParams();
paramsDemo.add("wt", "json");
paramsDemo.add("indent", "true");
paramsDemo.add("q", "Id:123456");
query.add(paramsDemo);
QueryResponse queryResponse = server.query(query);

Then I tried to disable SSL 3.0 on the server by adding
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the Connector in server.xml.
After a restart, my service was running OK, my test code was running OK and
https wsdl URLs were OK to open in browsers. But, about one hour later, all
the above tests failed.

*Error message when calling wsdl:*
Exception in thread "main" javax.xml.ws.WebServiceException: Failed to
access the WSDL at: https://server_ip:8443/solr_test_name?wsdl. It failed
with:
Received fatal alert: handshake_failure.
at
com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:151)
at
com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:133)
at
com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:254)
at
com.sun.xml.internal.ws.client.WSServiceDelegate.(WSServiceDelegate.java:217)
at
com.sun.xml.internal.ws.client.WSServiceDelegate.(WSServiceDelegate.java:165)
at
com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:93)
at javax.xml.ws.Service.(Service.java:56)
at com..webservice.Service.(Service.java:42)
at com..client.Test.main(Test.java:30)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure

*Error message when calling REST:*
IOException occurred when talking to server at: [MY_REST_SERVICE_ADDRESS]

*Error message when trying to open WSDL URL in browser:*
SSL connection error
Unable to make a secure connection to the server. This may be a problem with
the server, or it may be requiring a client authentication certificate that
you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
My question is, after adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
to the *Connector* in server.xml, is there anything else that I need to do?
Such as:
i) on server side JDK settings with "-D =";
ii) on client side with System.setProperties("","")?
iii) or anything else?


Re: SSL issue in tomcat

2015-01-23 Thread Christopher Schultz

Jason,

On 1/23/15 3:27 AM, Jason Y wrote:
> Thank you Chris for your reply.
> 
> I think I was misled by this error. My services--both REST and
> SOAP--are hosted by tomcat and used by downstream users with HTTPS.
> They have been running well for a long time until some day one of the
> downstream developers reported that the WSDL URL could not be
> accessed by his browsers or his code either.

Now accessible .. how? 404 response? Unexpected content in response?
Infinite timeout? Connection refused?

> At first I thought it was due to openSSL HeartBleed issue 
> <https://wiki.apache.org/tomcat/Security/Heartbleed> or POODLE
> issue <http://wiki.apache.org/tomcat/Security/POODLE>.

You have misunderstood the nature of those vulnerabilities.

> So I made respective changes to server.xml and then restarted my 
> service. I added the highlighted part as below:
> 
> protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx" 
> keystorePass="xxx" />
> 
> It ran well after the restart, but not for long. Soon, the developer
> reported that he could not access the service again. It was NOT fixed
> and I am so confused.

Was it ever working, or had this "developer" even checked the service
after the restart?

> Yesterday, I was thinking why and how the user couldn't access the
> service? Why not test it by myself? So I rolled back all my changes
> and wrote code to call the service via REST and WSDL and both were
> running OK!

Sounds like WORKSFORME.

> (Still I cannot open WSDL URL in my browsers, I think it is SSL 
> issue.)

What happens when you try to open that WSDL URL in your browser?

> Also, there is never a production user reporting this issue. So I
> think it might be something wrong with the developer's code (it is
> .NET code on which I have 0 knowledge), I will keep on watching
> this.

.NET can certainly call-up a web server and request a resource. You
need more details from this person. Direct them here if you'd rather
not be a go-between.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL issue in tomcat

2015-01-23 Thread Jason Y
Thank you Chris for your reply.

I think I was misled by this error. My services--both REST and SOAP--are
hosted by tomcat and used by downstream users with HTTPS. They have been running
well for a long time until some day one of the downstream developers reported
that the WSDL URL could not be accessed by his browsers or his code either.

At first I thought it was due to the openSSL HeartBleed issue
<https://wiki.apache.org/tomcat/Security/Heartbleed> or the POODLE issue
<http://wiki.apache.org/tomcat/Security/POODLE>. So I made respective
changes to server.xml and then restarted my service. I added the highlighted
part as below:


It ran well after the restart, but not for long. Soon, the developer
reported that he could not access the service again. It was NOT fixed and I
am so confused.

Yesterday, I was thinking why and how the user couldn't access the service?
Why not test it by myself? So I rolled back all my changes and wrote code
to call the service via REST and WSDL and both were running OK! (Still I
cannot open the WSDL URL in my browsers; I think it is an SSL issue.)

Also, there has never been a production user reporting this issue. So I think it
might be something wrong with the developer's code (it is .NET code on which
I have 0 knowledge); I will keep on watching this.



On Thu, Jan 22, 2015 at 11:01 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Jason,
>
> On 1/22/15 1:26 AM, Jason Y wrote:
> > What I changed in server.xml is adding
> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".
>
> If you want to be able to handle SSL handshakes (and not just TLS ones
> like some older clients might require), you'll need to enable
> SSLv2hello along with all the TLS versions you have specified above.
>
> > BUT I noticed that I am using JSSE instead of APR, so I removed
> > the listener  > className="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="on" />
> >
> > is this causing my error?
>
> No. Using the AprLifecycleListener won't hurt anything; you'll just
> get a warning on startup that the native library isn't available.
>
> I'm not quite convinced this is an SSL problem, since most clients can
> handle a TLS handshake these days.
>
> Back to the original problem: how long does your application work
> before it "doesn't". When it "doesn't work", what happens when you try
> to connect? Long timeout? Immediate connection refusal? Failed handshake?
>
> You need to provide more information. Can you summarize the problem
> again and give specifics?
>
> - -chris
>
> > On Wed, Jan 21, 2015 at 11:39 PM, Jason Y 
> > wrote:
> >
> >> You mean here maxThreads="150"?
> >>
> >> But is no respective log message for this. And, I didn't find
> >> much request to the service. Currently there are no changed
> >> settings(firewall/network, etc.).
> >>
> >> On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner <
> >> jeffrey.jan...@polydyne.com> wrote:
> >>
> >>>> -Original Message- From: Jason Y
> >>>> [mailto:day...@gmail.com] Sent: Wednesday, January 21, 2015
> >>>> 12:44 AM To: Tomcat Users List Subject: Re: SSL issue in
> >>>> tomcat
> >>>>
> >>>> Got another issue...Tomcat is working fine after restart but
> >>>> it cannot last long. Now I cannot access https pages with any
> >>>> browsers. I didn't find anything useful in logs. After a
> >>>> restart, it works well again.
> >>>>
> >>>>  >>>> protocol="HTTP/1.1" connectionTimeout="2"
> >>>> redirectPort="8443" />  >>>> protocol="org.apache.coyote.http11.Http11Protocol"
> >>>> maxThreads="150" SSLEnabled="true" scheme="https"
> >>>> secure="true" clientAuth="false" sslProtocol="TLS"
> >>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> >>>> keystoreFile="lib/cert/.keystore" keystorePass="" />
> >>>>   >>>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
> >>>>
> >>>
> >>> Just a thought, but since it works for a while and then stops
> >>> responding, could it be that the OP is running out of
> >>> processing threads, i.e. a thread or connection pool leak?
> >>>
> >>>
> >>>>

Re: SSL issue in tomcat

2015-01-22 Thread Christopher Schultz
Jason,

On 1/22/15 1:26 AM, Jason Y wrote:
> What I changed in server.xml is adding 
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".

If you want to be able to handle SSL handshakes (and not just TLS ones
like some older clients might require), you'll need to enable
SSLv2hello along with all the TLS versions you have specified above.

> BUT I noticed that I am using JSSE instead of APR, so I removed
> the listener  className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
> 
> is this causing my error?

No. Using the AprLifecycleListener won't hurt anything; you'll just
get a warning on startup that the native library isn't available.

I'm not quite convinced this is an SSL problem, since most clients can
handle a TLS handshake these days.

Back to the original problem: how long does your application work
before it "doesn't". When it "doesn't work", what happens when you try
to connect? Long timeout? Immediate connection refusal? Failed handshake?

You need to provide more information. Can you summarize the problem
again and give specifics?

- -chris

> On Wed, Jan 21, 2015 at 11:39 PM, Jason Y 
> wrote:
> 
>> You mean here maxThreads="150"?
>> 
>> But is no respective log message for this. And, I didn't find
>> much request to the service. Currently there are no changed
>> settings(firewall/network, etc.).
>> 
>> On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner < 
>> jeffrey.jan...@polydyne.com> wrote:
>> 
>>>> -Original Message- From: Jason Y
>>>> [mailto:day...@gmail.com] Sent: Wednesday, January 21, 2015
>>>> 12:44 AM To: Tomcat Users List Subject: Re: SSL issue in
>>>> tomcat
>>>> 
>>>> Got another issue...Tomcat is working fine after restart but
>>>> it cannot last long. Now I cannot access https pages with any
>>>> browsers. I didn't find anything useful in logs. After a
>>>> restart, it works well again.
>>>> 
>>>> >>> protocol="HTTP/1.1" connectionTimeout="2" 
>>>> redirectPort="8443" /> >>> protocol="org.apache.coyote.http11.Http11Protocol" 
>>>> maxThreads="150" SSLEnabled="true" scheme="https" 
>>>> secure="true" clientAuth="false" sslProtocol="TLS" 
>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 
>>>> keystoreFile="lib/cert/.keystore" keystorePass="" /> 
>>>>  >>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>> 
>>> 
>>> Just a thought, but since it works for a while and then stops
>>> responding, could it be that the OP is running out of
>>> processing threads, i.e. a thread or connection pool leak?
>>> 
>>> 
>>>> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah
>>>>  wrote:
>>>> 
>>>>> its not necessary to have ciphers properties but if you
>>>>> want to
>>>> restrict
>>>>> the ciphers then you can use this property.
>>>>> 
>>>>> On Wed, Jan 21, 2015 at 6:53 AM, Jason Y 
>>>>> wrote:
>>>>> 
>>>>>> Thank you all. Now it is working fine.
>>>>>> 
>>>>>> >>> protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>> maxThreads="150" SSLEnabled="true" scheme="https" 
>>>>>> secure="true" clientAuth="false" sslProtocol="TLS" 
>>>>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 
>>>>>> keystoreFile="lib/cert/.keystore"
>>>>>> keystorePass="" 
>>>>>> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, 
>>>>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>>>>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
>>>> />
>>>>>> 
>>>>>> By the way, do I need "ciphers" properties here?
>>>>>> 
>>>>>> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz < 
>>>>>> ch...@christopherschultz.net> wrote:
>>>>>> 
> Jason,
> 
> On 1/20/15 4:17 AM, Jason Y wrote:
>>>>>>>>> Recently my application cannot be accessible in
>>>>>>>>> browser wi

Re: SSL issue in tomcat

2015-01-21 Thread Jason Y
What I changed in server.xml is adding
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".
BUT I noticed that I am using JSSE instead of APR, so I removed the
listener 

is this causing my error?

On Wed, Jan 21, 2015 at 11:39 PM, Jason Y  wrote:

> You mean here maxThreads="150"?
>
> But there is no respective log message for this. And, I didn't find many requests
> to the service. Currently there are no changed settings (firewall/network,
> etc.).
>
> On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner <
> jeffrey.jan...@polydyne.com> wrote:
>
>> > -Original Message-
>> > From: Jason Y [mailto:day...@gmail.com]
>> > Sent: Wednesday, January 21, 2015 12:44 AM
>> > To: Tomcat Users List
>> > Subject: Re: SSL issue in tomcat
>> >
>> > Got another issue...Tomcat is working fine after restart but it cannot
>> > last
>> > long.
>> > Now I cannot access https pages with any browsers. I didn't find
>> > anything
>> > useful in logs.
>> > After a restart, it works well again.
>> >
>> > > >port="8080" protocol="HTTP/1.1"
>> >connectionTimeout="2"
>> >redirectPort="8443" />
>> > > > protocol="org.apache.coyote.http11.Http11Protocol"
>> >maxThreads="150" SSLEnabled="true" scheme="https"
>> > secure="true"
>> >clientAuth="false" sslProtocol="TLS"
>> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>> > keystoreFile="lib/cert/.keystore"
>> > keystorePass="" />
>> > 
>> > 
>> >
>>
>> Just a thought, but since it works for a while and then stops responding,
>> could it be that the OP is running out of processing threads, i.e. a thread
>> or connection pool leak?
>>
>>
>> > On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah 
>> > wrote:
>> >
>> > > It's not necessary to have the ciphers property, but if you want to
>> > > restrict the ciphers then you can use this property.
>> > >
>> > > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y  wrote:
>> > >
>> > > > Thank you all. Now it is working fine.
>> > > >
>> > > > > > protocol="org.apache.coyote.http11.Http11Protocol"
>> > > >maxThreads="150" SSLEnabled="true" scheme="https"
>> > > > secure="true"
>> > > >clientAuth="false" sslProtocol="TLS"
>> > > > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>> > > > keystoreFile="lib/cert/.keystore" keystorePass=""
>> > > > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
>> > > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
>> > />
>> > > >
>> > > > By the way, do I need "ciphers" properties here?
>> > > >
>> > > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
>> > > > ch...@christopherschultz.net> wrote:
>> > > >
>> > > > >
>> > > > > Jason,
>> > > > >
>> > > > > On 1/20/15 4:17 AM, Jason Y wrote:
>> > > > > > Recently my application cannot be accessible in browser with
>> > https
>> > > > > > version. I think it is due to vulnerability in ssl 3.0 issue.
>> > > > > >
>> > > > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
>> > > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
>> > > > > > 3.0.
>> > > > > >
>> > > > > > > > > > > > connectionTimeout="2" redirectPort="8443" /> > > > > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>> > > > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>> > > > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>> > > > > &g

Re: SSL issue in tomcat

2015-01-21 Thread Jason Y
You mean here maxThreads="150"?

But there is no respective log message for this. And, I didn't find many requests
to the service. Currently there are no changed settings (firewall/network,
etc.).

On Wed, Jan 21, 2015 at 11:28 PM, Jeffrey Janner <
jeffrey.jan...@polydyne.com> wrote:

> > -Original Message-
> > From: Jason Y [mailto:day...@gmail.com]
> > Sent: Wednesday, January 21, 2015 12:44 AM
> > To: Tomcat Users List
> > Subject: Re: SSL issue in tomcat
> >
> > Got another issue...Tomcat is working fine after restart but it cannot
> > last
> > long.
> > Now I cannot access https pages with any browsers. I didn't find
> > anything
> > useful in logs.
> > After a restart, it works well again.
> >
> >  >port="8080" protocol="HTTP/1.1"
> >connectionTimeout="2"
> >redirectPort="8443" />
> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> >maxThreads="150" SSLEnabled="true" scheme="https"
> > secure="true"
> >clientAuth="false" sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > keystoreFile="lib/cert/.keystore"
> > keystorePass="" />
> > 
> > 
> >
>
> Just a thought, but since it works for a while and then stops responding,
> could it be that the OP is running out of processing threads, i.e. a thread
> or connection pool leak?
>
>
> > On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah 
> > wrote:
> >
> > > It's not necessary to have the ciphers property, but if you want to
> > > restrict the ciphers then you can use this property.
> > >
> > > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y  wrote:
> > >
> > > > Thank you all. Now it is working fine.
> > > >
> > > >  > protocol="org.apache.coyote.http11.Http11Protocol"
> > > >maxThreads="150" SSLEnabled="true" scheme="https"
> > > > secure="true"
> > > >clientAuth="false" sslProtocol="TLS"
> > > > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > > > keystoreFile="lib/cert/.keystore" keystorePass=""
> > > > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> > > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
> > />
> > > >
> > > > By the way, do I need "ciphers" properties here?
> > > >
> > > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> > > > ch...@christopherschultz.net> wrote:
> > > >
> > > > >
> > > > > Jason,
> > > > >
> > > > > On 1/20/15 4:17 AM, Jason Y wrote:
> > > > > > Recently my application cannot be accessible in browser with
> > https
> > > > > > version. I think it is due to vulnerability in ssl 3.0 issue.
> > > > > >
> > > > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > > > > 3.0.
> > > > > >
> > > > > >  > > > > > connectionTimeout="2" redirectPort="8443" />  > > > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > > > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > > > > > keystoreFile="xxx" keystorePass="xxx" />  > > > > > protocol="AJP/1.3" redirectPort="8443" />
> > > > >
> > > > > None of the responses you have gotten thus far are useful in any
> > way.
> > > > >
> > > > > Your configuration looks fine to me: sslEnabledProtocols is the
> > way to
> > > > > go, although in recent versions of Tomcat the default is NOT to
> > > > > include any "SSL" protocols and only use the "T

RE: SSL issue in tomcat

2015-01-21 Thread Jeffrey Janner
> -Original Message-
> From: Jason Y [mailto:day...@gmail.com]
> Sent: Wednesday, January 21, 2015 12:44 AM
> To: Tomcat Users List
> Subject: Re: SSL issue in tomcat
> 
> Got another issue...Tomcat is working fine after restart but it cannot
> last
> long.
> Now I cannot access https pages with any browsers. I didn't find
> anything
> useful in logs.
> After a restart, it works well again.
> 
> port="8080" protocol="HTTP/1.1"
>connectionTimeout="2"
>redirectPort="8443" />
>  protocol="org.apache.coyote.http11.Http11Protocol"
>maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
>clientAuth="false" sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> keystoreFile="lib/cert/.keystore"
> keystorePass="" />
> 
> 
> 

Just a thought, but since it works for a while and then stops responding, could 
it be that the OP is running out of processing threads, i.e. a thread or 
connection pool leak?


> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah 
> wrote:
> 
> > It's not necessary to have the ciphers property, but if you want to
> > restrict the ciphers then you can use this property.
> >
> > On Wed, Jan 21, 2015 at 6:53 AM, Jason Y  wrote:
> >
> > > Thank you all. Now it is working fine.
> > >
> > >  protocol="org.apache.coyote.http11.Http11Protocol"
> > >maxThreads="150" SSLEnabled="true" scheme="https"
> > > secure="true"
> > >clientAuth="false" sslProtocol="TLS"
> > > sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> > > keystoreFile="lib/cert/.keystore" keystorePass=""
> > > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
> />
> > >
> > > By the way, do I need "ciphers" properties here?
> > >
> > > On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
> > > ch...@christopherschultz.net> wrote:
> > >
> > > >
> > > > Jason,
> > > >
> > > > On 1/20/15 4:17 AM, Jason Y wrote:
> > > > > Recently my application cannot be accessible in browser with
> https
> > > > > version. I think it is due to vulnerability in ssl 3.0 issue.
> > > > >
> > > > > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > > > > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > > > > 3.0.
> > > > >
> > > > >  > > > > connectionTimeout="2" redirectPort="8443" />  > > > > port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > > > > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > > > > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > > > > keystoreFile="xxx" keystorePass="xxx" />  > > > > protocol="AJP/1.3" redirectPort="8443" />
> > > >
> > > > None of the responses you have gotten thus far are useful in any
> way.
> > > >
> > > > Your configuration looks fine to me: sslEnabledProtocols is the
> way to
> > > > go, although in recent versions of Tomcat the default is NOT to
> > > > include any "SSL" protocols and only use the "TLS" ones, so if you
> are
> > > > running something recent, you should be okay.
> > > >
> > > > > Then I can open my application https link in browser. BUT, good
> > > > > time never lasts too long, after several hours, I failed to
> access
> > > > > my https link again.
> > > >
> > > > What kinds of errors do you get? What do the logs say? What are
> the
> > > > URLs you are using?
> > > >
> > > > > Anyone has any ideas about this? please share your
> suggestions...My
> > > > > tomcat version is 7.0.55
> > > >
> > > > Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
> you

Re: SSL issue in tomcat

2015-01-21 Thread Christopher Schultz

Jason,

On 1/21/15 4:29 AM, Jason Y wrote:
> Here is what I get with openssl s_client command:
> 
> Loading 'screen' into random state - done
> CONNECTED(01E8)
> write to 0x2103650 [0x2103698] (124 bytes => 124 (0x7C))
>  - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .zQ... ..9..
> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
> 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../...
> 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00
> 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
> 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2   + ..
> 0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83   .u.g...~.7..
> 0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30   fF..~Fr0
> read from 0x2103650 [0x2108bf8] (7 bytes => 7 (0x7))
>  - 15 03 01 00 02 02 28  ..(
> 13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:.\ssl\s23_clnt.c:596:

Use this:

$ openssl s_client -tls1 -connect host:port

If you want to be able to handle SSL2/3 handshakes, then you will want
to enable SSLv2hello using the "sslProtocolsEnabled" attribute, like this:



- -chris

> On Wed, Jan 21, 2015 at 4:49 PM, Sanaullah 
> wrote:
> 
>> then maybe it's not an issue of tomcat. You can check your
>> firewall? Maybe your firewall is dropping the connection after some
>> time.
>> 
>> Try to connect to the server from localhost using " openssl s_client
>> -connect hostname:8443 -debug "; maybe you will find something
>> useful.
>> 
>> On Wed, Jan 21, 2015 at 11:43 AM, Jason Y 
>> wrote:
>> 
>>> Got another issue...Tomcat is working fine after restart but it
>>> cannot
>> last
>>> long. Now I cannot access https pages with any browsers. I
>>> didn't find anything useful in logs. After a restart, it works
>>> well again.
>>> 
>>> >> protocol="HTTP/1.1" connectionTimeout="2" 
>>> redirectPort="8443" /> >> protocol="org.apache.coyote.http11.Http11Protocol" 
>>> maxThreads="150" SSLEnabled="true" scheme="https" 
>>> secure="true" clientAuth="false" sslProtocol="TLS" 
>>> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 
>>> keystoreFile="lib/cert/.keystore" keystorePass="" /> 
>>>  >> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>> 
>>> On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah
>>> 
>> wrote:
>>> 
 its not necessary to have ciphers properties but if you want
 to
>> restrict
 the ciphers then you can use this property.
 
 On Wed, Jan 21, 2015 at 6:53 AM, Jason Y 
 wrote:
 
> Thank you all. Now it is working fine.
> 
> >> protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" 
> secure="true" clientAuth="false" sslProtocol="TLS" 
> sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 
> keystoreFile="lib/cert/.keystore" keystorePass="" 
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
>> />
> 
> By the way, do I need "ciphers" properties here?
> 
> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Jason,
> 
> On 1/20/15 4:17 AM, Jason Y wrote:
 Recently my application cannot be accessible in
 browser with
>>> https
 version. I think it is due to vulnerability in ssl
 3.0 issue.
 
 I checked my tomcat configuration and replaced
 sslProtocol="TLS" with
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to
 disable SSL 3.0.
 
 >>> connectionTimeout="2" redirectPort="8443" />
 >>> protocol="org.apache.coyote.http11.Http11Protocol" 
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false"
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
 keystoreFile="xxx" keystorePass="xxx" /> >>> port="8009" protocol="AJP/1.3" redirectPort="8443"
 />
> 
> None of the responses you have gotten thus far are useful in any
>>> way.
> 
> Your configuration looks fine to me: sslEnabledProtocols is the
> way
 to
> go, although in recent versions of Tomcat the default is NOT to 
> include any "SSL" protocols and only use the "TLS" ones, so if you
 are
> running something recent, you should be okay.
> 
 Then I can open my application https link in browser.
 BUT, good time never lasts too long, after several
 hours, I failed to
>>> access
 my https link again.
> 
> What kinds of errors do you get? What do the logs say? What are
> the URLs you are using?
> 
 Anyone has any ideas about this? please share your
>>> suggestions...My
 tomcat version is 7.0.55
> 
> Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
>>> you
> should definitely keep your 

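The diagnosis above (a version-flexible SSL23 hello answered with "sslv3 alert handshake failure", then retrying with an explicit `-tls1`) can be scripted. This is an added example, not code from the thread: it builds the per-version `openssl s_client` probe commands and classifies captured output. The two transcripts inside are constructed to have the shape of real s_client output; `server_ip` and `8443` reuse the thread's own placeholders.

```python
"""Interpret 'openssl s_client' probe results for a TLS connector.

Added example, not part of the mailing-list thread. It builds one probe
command per protocol version and classifies captured s_client output so a
per-version support matrix can be assembled. Both transcripts below are
constructed; they were not captured from the server discussed in the thread.
"""
import re

# Flags accepted by openssl s_client to force a single protocol version.
PROBE_FLAGS = {
    "SSLv3": "-ssl3",
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
}

# Failure line, e.g. 'error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:...'
ALERT_RE = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:(?P<func>\w+):(?P<reason>[^:]+):")
# Session summary lines printed only after a successful handshake.
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)


def probe_commands(host, port):
    """Return one s_client command per protocol version for the given endpoint."""
    return {name: f"openssl s_client {flag} -connect {host}:{port}"
            for name, flag in PROBE_FLAGS.items()}


def classify(output):
    """Summarise a captured s_client transcript as a small dict."""
    if "CONNECTED(" not in output:
        # No TCP connection at all: firewall, wrong port, or the connector is down.
        return {"status": "no_tcp_connection"}
    alert = ALERT_RE.search(output)
    if alert:
        result = {"status": "handshake_failed",
                  "reason": alert["reason"].strip(),
                  "where": alert["func"]}
        if alert["func"].startswith("SSL23_"):
            # The version-flexible hello was rejected; probe each version
            # explicitly to learn which ones the server actually accepts.
            result["hint"] = "retry with an explicit version flag (-tls1, -tls1_1, -tls1_2)"
        return result
    proto = PROTO_RE.search(output)
    cipher = CIPHER_RE.search(output)
    if proto and cipher and cipher.group(1) != "(NONE)":
        return {"status": "handshake_ok",
                "protocol": proto.group(1),
                "cipher": cipher.group(1)}
    return {"status": "unknown"}


# Constructed transcript modelled on the failure shown in the thread.
FAILED_PROBE = """CONNECTED(000001E8)
write to 0x2103650 [0x2103698] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
read from 0x2103650 [0x2108bf8] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\\ssl\\s23_clnt.c:596:
"""

# Constructed transcript of a successful 'openssl s_client -tls1_2' probe.
OK_PROBE = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---
"""

if __name__ == "__main__":
    for name, cmd in probe_commands("server_ip", 8443).items():
        print(f"{name:8} {cmd}")
    print(classify(FAILED_PROBE))
    print(classify(OK_PROBE))
```

Run each command from `probe_commands` against the connector and feed the captured output to `classify`; a `handshake_failed` result from the SSL23 path means the version-flexible hello was rejected, not necessarily that every TLS version is.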
Re: SSL issue in tomcat

2015-01-21 Thread Christopher Schultz

Jason,

On 1/20/15 8:53 PM, Jason Y wrote:
> Thank you all. Now it is working fine.
> 
>  protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 
> keystoreFile="lib/cert/.keystore" keystorePass="" 
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
> />
> 
> By the way, do I need "ciphers" properties here?

Usually, no. Your JRE has a set of supported ciphers and a subset of
those are enabled by default. Tomcat will remove a subset of ciphers
known to always be a bad idea (e.g. NULL).

Tomcat 8 and trunk since about 6 months ago have had support for
OpenSSL-style "ciphers" definitions, where you don't have to specify
the exact set of ciphers you want. Instead, you can describe those
ciphers which you do and do not want, and let those filters run
against the ciphers supported by the JVM.

- -chris

> 
> On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Jason,
> 
> On 1/20/15 4:17 AM, Jason Y wrote:
 Recently my application cannot be accessible in browser with
 https version. I think it is due to vulnerability in ssl 3.0
 issue.
 
 I checked my tomcat configuration and replaced
 sslProtocol="TLS" with
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 
 3.0.
 
 >>> connectionTimeout="2" redirectPort="8443" /> >>> port="8443"
 protocol="org.apache.coyote.http11.Http11Protocol" 
 maxThreads="150" SSLEnabled="true" scheme="https"
 secure="true" clientAuth="false"
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
 keystoreFile="xxx" keystorePass="xxx" /> >>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
> 
> None of the responses you have gotten thus far are useful in any
> way.
> 
> Your configuration looks fine to me: sslEnabledProtocols is the way
> to go, although in recent versions of Tomcat the default is NOT to 
> include any "SSL" protocols and only use the "TLS" ones, so if you
> are running something recent, you should be okay.
> 
 Then I can open my application https link in browser. BUT,
 good time never lasts too long, after several hours, I failed
 to access my https link again.
> 
> What kinds of errors do you get? What do the logs say? What are
> the URLs you are using?
> 
 Anyone has any ideas about this? please share your
 suggestions...My tomcat version is 7.0.55
> 
> Those SSL/TLS defaults I mentioned above were done in 7.0.57, so
> you should definitely keep your above configuration. There is no
> need to add a trust store or cipher specification to that.
> 
> -chris



Re: SSL issue in tomcat

2015-01-21 Thread Jason Y
Here is what I get with openssl s_client command:

Loading 'screen' into random state - done
CONNECTED(01E8)
write to 0x2103650 [0x2103698] (124 bytes => 124 (0x7C))
 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .zQ... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../...
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2   + ..
0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83   .u.g...~.7..
0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30   fF..~Fr0
read from 0x2103650 [0x2108bf8] (7 bytes => 7 (0x7))
 - 15 03 01 00 02 02 28  ..(
13756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:596:



On Wed, Jan 21, 2015 at 4:49 PM, Sanaullah  wrote:

> Then maybe it's not the issue of Tomcat. Can you check your firewall? Maybe
> your firewall is dropping the connection after some time.
>
> Try to connect to the server from localhost using " openssl s_client -connect
> hostname:8443 -debug "; maybe you will find something useful.
>
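The s_client -debug output above contains two records: the 124 bytes the client wrote and the 7 bytes the server answered. The decoder below is an added example, not code from the thread; it parses that dump (the hex lines are copied from the post and embedded as constructed input) using the SSLv2 CLIENT-HELLO and TLS record/alert layouts, so the reader can see what each side actually said.

```python
import re

# Constructed sample input: the two hex dumps copied from the
# `openssl s_client -debug` output quoted in the post above.
WRITE_DUMP = """\
 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .zQ... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../...
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 2b 20 ff a2   + ..
0060 - dc 75 81 67 91 ff 8a 7e-8e 37 ed ac f6 97 0e 83   .u.g...~.7..
0070 - 66 46 8c 87 b8 1c b3 0a-7e 46 72 30   fF..~Fr0
"""
READ_DUMP = " - 15 03 01 00 02 02 28  ..(\n"

# A leading run of hex byte pairs, each followed by one space or by the '-'
# openssl prints between bytes 7 and 8. The ASCII column is set off by more
# than one space, so the run stops before it.
_HEX_RUN = re.compile(r"^((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                23: "application_data"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}


def parse_debug_dump(text):
    """Reassemble the raw bytes from an `openssl s_client -debug` hex dump."""
    out = bytearray()
    for line in text.splitlines():
        if " - " not in line:          # not a dump line
            continue
        rest = line.partition(" - ")[2].strip()   # offset column may be missing
        match = _HEX_RUN.match(rest)
        if match:
            pairs = re.split(r"[ -]", match.group(1))[:16]   # 16 bytes per line
            out.extend(int(p, 16) for p in pairs)
    return bytes(out)


def version_name(major, minor):
    return {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1",
            (3, 3): "TLSv1.2"}.get((major, minor), "%d.%d" % (major, minor))


def decode_v2_client_hello(data):
    """Decode an SSLv2-compatible CLIENT-HELLO (2-byte header, high bit set)."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2-format record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    if length + 2 != len(data):
        raise ValueError("header length %d does not match %d data bytes"
                         % (length, len(data) - 2))
    if data[2] != 0x01:
        raise ValueError("SSLv2 message type %#x is not CLIENT-HELLO" % data[2])
    cipher_len = int.from_bytes(data[5:7], "big")
    sid_len = int.from_bytes(data[7:9], "big")
    chal_len = int.from_bytes(data[9:11], "big")
    if cipher_len % 3 or 11 + cipher_len + sid_len + chal_len != len(data):
        raise ValueError("inconsistent CLIENT-HELLO field lengths")
    specs = [data[i:i + 3] for i in range(11, 11 + cipher_len, 3)]
    return {
        "format": "SSLv2-compatible ClientHello",
        "version": version_name(data[3], data[4]),
        # A three-byte spec starting with 0x00 carries an SSLv3/TLS cipher id;
        # any other first byte denotes an SSLv2-only cipher kind.
        "tls_ciphers": ["0x%02x%02x" % (s[1], s[2]) for s in specs if s[0] == 0],
        "sslv2_ciphers": [s.hex() for s in specs if s[0] != 0],
        "challenge_len": chal_len,
    }


def decode_tls_record(data):
    """Decode a TLS record header; for a 2-byte alert, also level and description."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, length = data[0], int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than the header says")
    rec = {"type": RECORD_TYPES.get(ctype, str(ctype)),
           "version": version_name(data[1], data[2]), "length": length}
    if ctype == 21 and length == 2:
        rec["level"] = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
        rec["description"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
    return rec


def explain_exchange(write_dump=WRITE_DUMP, read_dump=READ_DUMP):
    """Pair what s_client wrote with what the server answered."""
    return {"sent": decode_v2_client_hello(parse_debug_dump(write_dump)),
            "received": decode_tls_record(parse_debug_dump(read_dump))}
```

Decoded, the client sent an SSLv2-compatible ClientHello advertising TLSv1 and received a fatal handshake_failure alert. JSSE accepts that hello format only when the SSLv2Hello pseudo-protocol is among the enabled protocols, which an explicit sslEnabledProtocols list like the ones in this thread leaves out.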

Re: SSL issue in tomcat

2015-01-21 Thread Sanaullah
Then maybe it's not the issue of Tomcat. Can you check your firewall? Maybe
your firewall is dropping the connection after some time.

Try to connect to the server from localhost using " openssl s_client -connect
hostname:8443 -debug "; maybe you will find something useful.

On Wed, Jan 21, 2015 at 11:43 AM, Jason Y  wrote:

> Got another issue...Tomcat is working fine after restart but it cannot last
> long.
> Now I cannot access https pages with any browsers. I didn't find anything
> useful in logs.
> After a restart, it works well again.
>
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="2"
>            redirectPort="8443" />
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https"
>            secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>            keystoreFile="lib/cert/.keystore"
>            keystorePass="" />
> 
> 
>

Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Got another issue...Tomcat is working fine after restart but it cannot last
long.
Now I cannot access https pages with any browsers. I didn't find anything
useful in logs.
After a restart, it works well again.

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="2"
           redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="lib/cert/.keystore"
           keystorePass="" />

On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah  wrote:

> It's not necessary to have the ciphers property, but if you want to restrict
> the ciphers then you can use this property.
>


Re: SSL issue in tomcat

2015-01-20 Thread Sanaullah
It's not necessary to have the ciphers property, but if you want to restrict
the ciphers then you can use this property.

On Wed, Jan 21, 2015 at 6:53 AM, Jason Y  wrote:

> Thank you all. Now it is working fine.
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https"
>            secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>            keystoreFile="lib/cert/.keystore" keystorePass=""
>            ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
>            TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
>
> By the way, do I need "ciphers" properties here?
>


Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Thank you all. Now it is working fine.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https"
           secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="lib/cert/.keystore" keystorePass=""
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
           TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

By the way, do I need "ciphers" properties here?

On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Jason,
>
> On 1/20/15 4:17 AM, Jason Y wrote:
> > Recently my application cannot be accessible in browser with https
> > version. I think it is due to vulnerability in ssl 3.0 issue.
> >
> > I checked my tomcat configuration and replaced sslProtocol="TLS"
> > with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> > 3.0.
> >
> > <Connector port="8080" protocol="HTTP/1.1"
> > connectionTimeout="2" redirectPort="8443" /> <Connector
> > port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009"
> > protocol="AJP/1.3" redirectPort="8443" />
>
> None of the responses you have gotten thus far are useful in any way.
>
> Your configuration looks fine to me: sslEnabledProtocols is the way to
> go, although in recent versions of Tomcat the default is NOT to
> include any "SSL" protocols and only use the "TLS" ones, so if you are
> running something recent, you should be okay.
>
> > Then I can open my application https link in browser. BUT, good
> > time never lasts too long, after several hours, I failed to access
> > my https link again.
>
> What kinds of errors do you get? What do the logs say? What are the
> URLs you are using?
>
> > Anyone has any ideas about this? please share your suggestions...My
> > tomcat version is 7.0.55
>
> Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
> should definitely keep your above configuration. There is no need to
> add a trust store or cipher specification to that.
>
> - -chris
>


Re: SSL issue in tomcat

2015-01-20 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jason,

On 1/20/15 4:17 AM, Jason Y wrote:
> Recently my application cannot be accessible in browser with https
> version. I think it is due to vulnerability in ssl 3.0 issue.
> 
> I checked my tomcat configuration and replaced sslProtocol="TLS"
> with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
> 3.0.
> 
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="2" redirectPort="8443" /> <Connector
> port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009"
> protocol="AJP/1.3" redirectPort="8443" />

None of the responses you have gotten thus far are useful in any way.

Your configuration looks fine to me: sslEnabledProtocols is the way to
go, although in recent versions of Tomcat the default is NOT to
include any "SSL" protocols and only use the "TLS" ones, so if you are
running something recent, you should be okay.

> Then I can open my application https link in browser. BUT, good
> time never lasts too long, after several hours, I failed to access
> my https link again.

What kinds of errors do you get? What do the logs say? What are the
URLs you are using?

> Anyone has any ideas about this? please share your suggestions...My
> tomcat version is 7.0.55

Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
should definitely keep your above configuration. There is no need to
add a trust store or cipher specification to that.

- -chris




Re: SSL issue in tomcat

2015-01-20 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Rajesh,

On 1/20/15 4:27 AM, Rajesh Biswas wrote:
> Please keep SSLEnabled="true" along with your existing
> configuration
> 
>  acceptCount="100"  maxThreads="200" SSLEnabled="true"
> scheme="https" secure="true" clientAuth="false" sslProtocols =
> "TLSv1,TLSv1.1,TLSv1.2" />

There is no "sslProtocols" configuration directive.

- -chris





Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Thanks, Raj, Sanaullah and Dave.

I am not sure if it is the POODLE issue (
http://wiki.apache.org/tomcat/Security/POODLE); this solution is the same
as Raj's suggestion.

I will try, thanks.

On Tue, Jan 20, 2015 at 5:43 PM, Utkarsh Dave 
wrote:

> I don't think you will achieve what you want via disabling the SSL protocol
> using sslEnabledProtocols.
> The vulnerability "I think it is due to vulnerability in ssl 3.0 issue."
> will not stop access to the application.
> You may want to revert your changes, and check the firewall settings
> or anything that can block the ports 8443, 8080 etc...
> Is there any exception in catalina.out?
>
> -Utkarsh
>


Re: SSL issue in tomcat

2015-01-20 Thread Utkarsh Dave
I don't think you will achieve what you want via disabling the SSL protocol
using sslEnabledProtocols.
The vulnerability "I think it is due to vulnerability in ssl 3.0 issue."
will not stop access to the application.
You may want to revert your changes, and check the firewall settings
or anything that can block the ports 8443, 8080 etc...
Is there any exception in catalina.out?

-Utkarsh

On Tue, Jan 20, 2015 at 2:47 PM, Jason Y  wrote:

> Hi folks,
>
> Recently my application cannot be accessible in browser with https version.
> I think it is due to vulnerability in ssl 3.0 issue.
>
> I checked my tomcat configuration and replaced sslProtocol="TLS" with
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.
>
> > <Connector port="8080" protocol="HTTP/1.1"
> >            connectionTimeout="2"
> >            redirectPort="8443" />
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https"
> >            secure="true"
> >            clientAuth="false"
> >            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
> >            keystorePass="xxx" />
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
>
> Then I can open my application https link in browser. BUT, good time never
> lasts too long, after several hours, I failed to access my https link
> again.
>
> Anyone has any ideas about this? please share your suggestions...My tomcat
> version is 7.0.55
>
> Thank you all very much.
>


Re: SSL issue in tomcat

2015-01-20 Thread Sanaullah
Please follow the Apache document for the connector configuration.

Here is the sample connector configuration

 

[1] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

On Tue, Jan 20, 2015 at 2:17 PM, Jason Y  wrote:

> Hi folks,
>
> Recently my application cannot be accessible in browser with https version.
> I think it is due to vulnerability in ssl 3.0 issue.
>
> I checked my tomcat configuration and replaced sslProtocol="TLS" with
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.
>
> > <Connector port="8080" protocol="HTTP/1.1"
> >            connectionTimeout="2"
> >            redirectPort="8443" />
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https"
> >            secure="true"
> >            clientAuth="false"
> >            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
> >            keystorePass="xxx" />
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
>
> Then I can open my application https link in browser. BUT, good time never
> lasts too long, after several hours, I failed to access my https link
> again.
>
> Anyone has any ideas about this? please share your suggestions...My tomcat
> version is 7.0.55
>
> Thank you all very much.
>


Re: SSL issue in tomcat

2015-01-20 Thread Rajesh Biswas
Hello,

Please keep SSLEnabled="true" along with your existing configuration



Rajesh

On Tue, Jan 20, 2015 at 2:47 PM, Jason Y  wrote:

> Hi folks,
>
> Recently my application cannot be accessed in the browser via the https version.
> I think it is due to the SSL 3.0 vulnerability issue.
>
> I checked my tomcat configuration and replaced sslProtocol="TLS" with
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.
>
>  >connectionTimeout="2"
> >redirectPort="8443" />
> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> >maxThreads="150" SSLEnabled="true" scheme="https"
> > secure="true"
> >clientAuth="false"
> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
> > keystorePass="xxx" />
> > 
>
>
> Then I can open my application's https link in the browser. BUT good times never
> last too long: after several hours, I failed to access my https link
> again.
>
> Does anyone have any ideas about this? Please share your suggestions... My Tomcat
> version is 7.0.55.
>
> Thank you all very much.
>


Re: SSL issue in tomcat

2015-01-20 Thread Jason Y
Hi folks,

Recently my application cannot be accessed in the browser via the https version.
I think it is due to the SSL 3.0 vulnerability issue.

I checked my tomcat configuration and replaced sslProtocol="TLS" with
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

connectionTimeout="2"
>redirectPort="8443" />
>  protocol="org.apache.coyote.http11.Http11Protocol"
>maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
>clientAuth="false"
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
> keystorePass="xxx" />
> 


Then I can open my application's https link in the browser. BUT good times never
last too long: after several hours, I failed to access my https link
again.

Does anyone have any ideas about this? Please share your suggestions... My Tomcat
version is 7.0.55.

Thank you all very much.



RE: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-22 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] 
> Subject: RE: Help with Apache Tomcat/7.0.53 SSL issue

> Is 2g a valid value for -Xmx?

Yes, at least with the Sun/Oracle JVM.  However, on 32-bit systems, that large 
a heap size will usually fail.

 - Chuck




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-22 Thread Jeffrey Janner
> -Original Message-
> From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
> Sent: Tuesday, October 07, 2014 1:36 PM
> To: Tomcat Users List
> Subject: RE: Help with Apache Tomcat/7.0.53 SSL issue
> 
> To all,
> 
> 
> Oh...  Here is the entry in our server.xml  (probably the most important part)
> 
>  SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
> clientAuth="false"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_
> DHE_RSA_WITH_3DES_EDE_CBC_SHA" keyAlias=""
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
> keystorePass="" />
> 
>  protocol="org.apache.coyote.http11.Http11Protocol" maxthreads="150"
> scheme="https" SSLEnabled="true" secure="true" clientAuth="want"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_
> DHE_RSA_WITH_3DES_EDE_CBC_SHA" keyAlias=""
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
> keystorePass="" />
> 
> Users connect directly to the first listed connection. The second SSL port is
> not currently used.
> 
> Thanks,
> Lee
> 
> From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
> Sent: Tuesday, October 07, 2014 1:31 PM
> To: users@tomcat.apache.org
> Subject: Help with Apache Tomcat/7.0.53 SSL issue
> 
> To all,
> 
> I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with
> SSL.  I am currently running three environments (Dev, UAT, and Prod). Prod
> comprises 4 VMs (uname states the version as "2.6.32-431.11.2.el6.x86_x86_64
> GNU/Linux") with each containing a local version of Java [ Java(TM) SE
> Runtime Environment (build 1.7.0_55-b13)  Java HotSpot(TM) 64-Bit Server
> VM (build 24.55-b03, mixed mode) ].  As well, Tomcat and Java are owned by
> the user running the app.  The VMs are load balanced over two pairs of LTMs
> (LTM1 balances node 1 and node 2; LTM2 balances node 3 and node 4).  The
> test environment is scaled down to just one LTM with two nodes and
> development is just a single VM.
> 
> Now, when I deployed dev and test I did not have any issues with SSL;
> everything went as planned.  When I deployed into production, I started to
> get complaints about timeouts to the service.  After much troubleshooting,
> we were able to discern, using curl, that in production the LTM was not
> getting a response back from the application (using TCPDUMP)
> intermittently.  Our LTMs are configured to serve as an SSL proxy.  On the
> VM, TCPDUMP shows that traffic is being presented to the socket but there
> is no response.  As far as I can tell the three environments (TOMCAT and
> JAVA) are the same.  I find nothing in the logs from both access and
> catalina.out.  When I restart the servers the problem goes away for about
> one hour, then it comes back rapidly.  Using top and sar I do not see any
> issues with operating system performance.  Also, by going down to one node
> the problem persists.  As well, here are the options that are in setenv.sh
> 
> export JAVA_OPTS="$JAVA_OPTS\
> -verbosegc\
> -Xms256m\
> -XX:+DisableExplicitGC\
> -Xmx2g"
> 
> 
> Here is the error that I see from curl
> 
> curl: (52) SSL read: error::lib(0):func(0):reason(0), errno 104
> 
> Help,
> Lee Brewer

Lee, you say you checked the access & catalina logs, but did you check the 
stdout & stderr logs?
Since the problem goes away for about an hour after you restart, could you be 
having memory issues?  Those are usually reported in the stderr log.
Is 2g a valid value for -Xmx?  I've always specified it in terms of Megs, that 
is -Xmx2048m.
Jeff




Re: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-22 Thread Christopher Schultz

Edward,

On 10/7/14 2:35 PM, Brewer, Edward L wrote:
> Oh... Here is the entry in our server.xml (probably the most 
> important part)
> 
>  protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
> scheme="https" secure="true" clientAuth="false"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
> keyAlias=""
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
> keystorePass="" />

So you are using JSSE and haven't specified an sslProtocol, so you are
getting the default which is TLS (which, for Java, really means SSLv3,
TLSv1, TLSv1.1, and TLSv1.2).

You are specifying a very small number of cipher suites (only 3) so
perhaps that's the problem. Note that all your cipher suites start
with SSL_* and none with TLS_*. That's not in itself a problem, but
you are restricting your server to using old cipher suites and not
allowing new ones. You can find code in the archives to pull the list
of supported and enabled-by-default cipher suites for your JVM.

What happens if you lift the restriction on the ciphers list so that
JSSE will use its default set?

> Here is the error that I see from curl
> 
> curl: (52) SSL read: error::lib(0):func(0):reason(0), errno
> 104

Try using "openssl s_client" -- it gives much more information about
the connection.

- -chris

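The check Chris mentions above, pulling the JVM's supported and enabled-by-default protocols and cipher suites, as an added example that is not code from the thread or from Tomcat: it opens a server-mode SSLEngine on the default JSSE context and reports where each of the three SSL_* suites from the quoted server.xml stands. The class name and the CONFIGURED list are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not code from the thread; the class name and the CONFIGURED
// list (the three suites from the quoted server.xml) are assumptions.
public class JsseCipherAudit {
    static final String[] CONFIGURED = {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
    };
    // Algorithm names that mark a suite as weak by current standards.
    static final String WEAK = ".*(RC4|3DES|MD5|NULL|anon|EXPORT).*";

    public static void main(String[] args) throws Exception {
        // A server-mode engine on the default context reflects what a Tomcat
        // JSSE connector gets when sslProtocol is left at its default ("TLS").
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        System.out.println("Protocols enabled by default: "
                + Arrays.toString(engine.getEnabledProtocols()));

        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(engine.getEnabledCipherSuites()));
        System.out.println(enabled.size() + " of " + supported.size()
                + " supported suites are enabled by default");

        // A configured suite the JVM does not support can never be negotiated;
        // if none of them survive, every TLS handshake fails.
        int usable = 0;
        for (String suite : CONFIGURED) {
            String status;
            if (!supported.contains(suite)) {
                status = "NOT supported by this JVM";
            } else {
                usable++;
                status = enabled.contains(suite) ? "enabled by default"
                                                 : "supported, disabled by default";
            }
            if (suite.matches(WEAK)) status += " (weak; prefer a TLS_*_AES_* suite)";
            System.out.printf("%-36s %s%n", suite, status);
        }
        System.out.println(usable == 0 ? "No usable suite configured: handshakes would fail"
                                       : usable + " usable suite(s) configured");
    }
}
```

Run it with the same JVM that starts Tomcat, since both lists depend on the JVM version and its security providers.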



Re: Tomcat 6 APR SSL Issue

2014-10-17 Thread Christopher Schultz

James,

On 10/14/14 2:16 PM, James Drews wrote:
> Hi, I have a question that may be a bug, or I'm just not doing
> something right (I'll happily believe either).
> 
> Configuration: Tomcat 6.0 running on Windows Server The
> tcnative-1.dll is the latest from the download site 
> http://tomcat.apache.org/download-native.cgi
> 
> Item #1
> 
> In our tomcat server.xml config, we have:
> 
>  className="org.apache.catalina.core.AprLifecycleListener" 
> SSLEngine="on" />  protocol="org.apache.coyote.http11.Http11AprProtocol" 
> maxHttpHeaderSize="8192" scheme="https" secure="true" 
> SSLEnabled="true" SSLDisableCompression="true" 
> SSLHonorCipherOrder="true" SSLProtocol="TLSv1+SSLv3" 
> SSLCertificateFile="certificate.crt" 
> SSLCertificateKeyFile="certificate.key" 
> SSLCertificateChainFile="chain.crt" 
> SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH+AES256:kEDH+AES256+AESGCM:kEDH+AES256:kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:kECDH:kDH:HIGH:-ADH:-MD5:-RC4:-CAMELLIA128:-3DES:-MEDIUM:-LOW:-EXP:-aNULL:-eNULL"
>
>  />
> 
> The issue here is tomcat is only binding to the IPv4 (0.0.0.0)
> address, and not binding to the IPv6 on the box.  If I add a 
> address="0.0.0.0"
> 
> and then duplicate this connector and replace the address option
> with: address="::"
> 
> It binds to both IPv4 and IPv6 as expected. However, tomcat will
> no longer stop when you try to stop the windows service. I have to
> kill the process to get it to stop.  If I only have one or the
> other of the two connectors present, it will stop as expected.
> 
> Also of note, if I used: 
> protocol="org.apache.coyote.http11.Http11Protocol"
> 
> instead, it would bind to both IPv4 and IPv6 as expected when no
> address option is specified (but that method won't take some of the
> options we want to have set).

Check the archives; I seem to recall some oddities when it comes to
APR's use of network interfaces.

> Issue #2
> 
> We would like to have it use: SSLProtocol="TLSv1" but when you have
> just that as the option, it will only talk TLS v1.0, not TLSv1.1 or
> TLSv1.2. Looking briefly at the source code, it looks like you only
> have the option to specify a combination of TLSv1, SSLv2 and SSLv3.
> If we use the option as specified above (TLSv1+SSLv3), it will do
> all three TLS versions and SSLv3.
> 
> Is there a way to get it to do TLS and all three versions of it?

https://issues.apache.org/bugzilla/show_bug.cgi?id=53952

Unfortunately, TLSv1.1 and TLSv1.2 will not be supported until you
have both tcnative 1.1.32 and a Tomcat version that supports the
changes. There is not yet a patch for Tomcat 6 for this, while patches
have been committed for Tomcat 7 and Tomcat 8.

I'm working on a Tomcat 6 patch.

> Also, with SSLv2 not specified, it will still accept that
> protocol, but in the end will fail because no encryption methods
> for it are enabled. Is there a way to have it refuse to talk SSLv2
> from the start?

Usually, SSLv2Hello is used to allow an SSLv2 connection to be
established. This is generally safe (well, until we all decided that
SSLv3 was rubbish).

Once the above updates are released, you will be able to select the
exact set of protocols you want. You should be able to specify
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" and get all the TLSs and no SSLs.
(Also, the definition for "all" has been updated to be "all TLSs and
no SSLs" so you could use that, too).

- -chris



