Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
2009/10/2 Nada O'Neal nco2...@columbia.edu:
> Hey everyone - I'm stuck on Tomcat 5.5.26 to support a specific application. This is a Solaris 9 server with no Apache - tomcat is handling its own webserving.
>
> We're hoping to upgrade the JDK. I can use JDK-1.5.0_21 successfully. When I start tomcat with JDK-1.6.0_16, I get one specific issue... Firefox, but not Safari or IE, will report on https connections:
>
>   Secure Connection Error
>   An error occurred during a connection to mysite.com:8443.
>   Peer reports it experienced an internal error.
>   (Error code: ssl_error_internal_error_alert)
>
> Weirdly, there is no error in any error log when this happens.

I found the following threads in the archives that may be relevant to this issue:

[1] How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols, in org.apache.tomcat.users list
http://markmail.org/thread/meymo5jjzwmctuql

[2] FireFox v3.0.1 of Windows uses SSLv2 Record Layer even when SSLv2 is disabled, in firefox-security-dev
http://www.nabble.com/FireFox-v3.0.1-of-Windows-uses-SSLv2-Record-Layer-even-when-SSLv2-is-disabled-td19239646.html

[3] Internal error upon seeing the Camellia cipher suites in the SSL handshake message, in org.apache.harmony.dev
http://markmail.org/thread/x6d77hsmklm3d3uh

[1] is regarding Firefox 3.0.1 that was trying to use an SSLv2 handshake. One of the responses contains a link to the Tomcat SSL Howto page. [2] explains what happened on the Firefox 3.0.1 side in that case. Finally, [3] is the Apache Harmony JRE side of the issue, and the one that was actually solved in that case.

That was an SSL handshake issue that happened and was resolved about a year ago. While the current issue might be different, those threads show how that one was hunted down and solved.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Does this issue depend on Firefox version? (Which version are you using?) Is it reproducible on different client PCs running the same Firefox version? Maybe different Firefox settings? Is TLS protocol enabled in Firefox (usually it is)?

From the description, this issue is not dependent on your application. Can you reproduce it with the default applications that Tomcat comes with, on the latest Tomcat 5.5.28 or 6.0.20, even if you cannot run your application on those versions?

Is it reproducible with self-signed certificates?

Is it reproducible on other operating systems?

The set of ciphers in JDK 1.5 and JDK 1.6 might be different. That is, the browser and the server might not agree on what cipher to use. (Though why is there the internal_error alert?)

Best regards,
Konstantin Kolinko
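To make that cipher-agreement hypothesis concrete, here is an added example (not code from the thread, Tomcat or the JDK) that decodes the TLS alert behind Firefox's ssl_error_internal_error_alert and checks whether the suites offered in a ClientHello overlap a server's enabled list. The suite lists in it are constructed samples, not the real Firefox or JDK 1.5/1.6 sets.

```python
# Added example (not code from the thread): decode the alert Firefox reported
# and check cipher-suite overlap between a ClientHello and a server's list.
import struct
# Cipher suite ids from RFC 5246 / RFC 4132 with their IANA names
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
}
ALERTS = {40: "handshake_failure", 46: "certificate_unknown", 80: "internal_error"}

def parse_alert(record: bytes):
    """Decode a TLS alert record (content type 21). Firefox's
    ssl_error_internal_error_alert means it received fatal(2)/internal_error(80)."""
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 21 or length != 2 or len(record) < 7:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning", ALERTS.get(desc, "unknown(%d)" % desc))

def build_client_hello(suites):
    """Minimal TLS 1.0 ClientHello record: zeroed random, empty session id,
    null compression, no extensions; only the suite list matters here."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_suites(record: bytes):
    """Return the cipher suites offered in a ClientHello record, in client order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                 # skip record header (5) + handshake header (4)
    pos = 2 + 32                      # client_version + random
    pos += 1 + body[pos]              # session id length + session id
    count = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, count, 2)]

def negotiate(client_suites, server_suites):
    """Server-preference pick. None means no common suite, which a server
    should answer with handshake_failure(40), not internal_error(80)."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered), None)

if __name__ == "__main__":
    # Constructed lists, not the real Firefox or JDK 1.5/1.6 suite sets
    browser = [0x0041, 0x0084, 0x002F, 0x0035, 0x0005]
    server = [0x002F, 0x0035, 0x000A, 0x0005]
    chosen = negotiate(client_hello_suites(build_client_hello(browser)), server)
    print(SUITES[chosen], parse_alert(b"\x15\x03\x01\x00\x02\x02\x50"))
```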
Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Nada,

On 10/6/2009 4:51 PM, Nada O'Neal wrote:
> I don't have an EV cert, it's just a standard cert signed by Equifax. I have similar certs working on other servers. Again, it's the upgrade from one java to another that seems to cause the problem - running java 1.5, I don't have this issue.

If you've recently upgraded, then any changes you made to the system keystore may have been lost (which I think is a foolish thing to do, but it looks like each version of the JRE gets its own keystore, and upgrades don't merge or anything like that).

> $ keytool -list -keystore /path/to/keystore
> Enter keystore password:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Sep 29, 2009, trustedCertEntry,
> Certificate fingerprint (MD5): [...]
> tomcat, Sep 29, 2009, PrivateKeyEntry,
> Certificate fingerprint (MD5): [...]
>
> ... is this wrong?

I'm not sure. That depends on if this is /your/ keystore or the JRE's keystore. It also depends on what the details of those certs are: do any of them have to do with Equifax?

All you really need is:

1. Equifax CA cert in your keystore
2. Any Equifax intermediate certificates in your keystore
3. Your own certificate in your keystore
4. The web browser has to trust either #1 or #2

I'm not altogether clear if it all has to be the same keystore: I think that the JCE reads the system one no matter what, which should include anything Equifax has at the top level. You may have to import their intermediate cert into your own keystore (or into the system one, again, if you upgraded).

There's nothing you can do about #4 above, except that if the browser trusts, say, #1, but you aren't providing the certificate chain between #3 and #1 (via #2), then you'll get this error from the client.

I hope that helps,
-chris
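One way to check points #2 through #4 from the client side, as an added example that is not Chris's or Tomcat's code: it parses the "Certificate chain" block that `openssl s_client -connect host:8443 -showcerts` prints and walks the chain the way a browser would. The two chain samples and the CA names in them are constructed, not captured from mysite.com or Equifax.

```python
# Added example (not from the thread): check the certificate chain a server
# presents against the four points above. Input is the "Certificate chain"
# block that `openssl s_client -connect host:8443 -showcerts` prints (subject
# "s:" and issuer "i:" lines); both samples and the CA names are constructed.

SERVER_SENDS_INTERMEDIATE = """\
Certificate chain
 0 s:/C=US/O=Example Site/CN=mysite.com
   i:/C=US/O=Example CA Inc/OU=Example Intermediate CA
 1 s:/C=US/O=Example CA Inc/OU=Example Intermediate CA
   i:/C=US/O=Example CA Inc/OU=Example Root CA
---
"""

SERVER_OMITS_INTERMEDIATE = """\
Certificate chain
 0 s:/C=US/O=Example Site/CN=mysite.com
   i:/C=US/O=Example CA Inc/OU=Example Intermediate CA
---
"""

# Roots the client trusts (point #4): browsers ship their own store, so only
# the root is assumed here; the intermediate has to come from the server.
CLIENT_TRUSTED_ROOTS = {"/C=US/O=Example CA Inc/OU=Example Root CA"}

def parse_chain(showcerts_output: str):
    """Return the presented certs, leaf first, as {'subject', 'issuer'} dicts."""
    certs = []
    for line in showcerts_output.splitlines():
        line = line.strip()
        if line[:1].isdigit() and " s:" in line:
            certs.append({"subject": line.split(" s:", 1)[1]})
        elif line.startswith("i:") and certs:
            certs[-1]["issuer"] = line[2:]
    return certs

def check_chain(certs, trusted_roots):
    """(ok, reason): each cert's issuer must be the next cert's subject
    (points #2 and #3), and the top issuer must be a trusted root (#1/#4)."""
    if not certs:
        return False, "no certificate presented"
    for lower, upper in zip(certs, certs[1:]):
        if lower["issuer"] != upper["subject"]:
            return False, "chain broken after " + lower["subject"]
    top = certs[-1]
    if top["issuer"] in trusted_roots or top["subject"] in trusted_roots:
        return True, "chain reaches trusted root " + top["issuer"]
    return False, "chain ends at untrusted " + top["issuer"] + " (intermediate missing?)"

if __name__ == "__main__":
    for sample in (SERVER_SENDS_INTERMEDIATE, SERVER_OMITS_INTERMEDIATE):
        print(check_chain(parse_chain(sample), CLIENT_TRUSTED_ROOTS))
```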
Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Thanks for your continuing endeavors to help me, Chris.

I'm pointing tomcat to a safe keystore file, not the system keystore or any particular keystore. So, I don't have to worry about the keystore getting overwritten when I upgrade. Also, just by changing JAVA_HOME, I can start up tomcat with Java 1.5 and watch everything work, then shut it down and start it up in 1.6 and see this niggling issue in Firefox.

I also tried, btw, regenerating the keystore from the private key and the certificate using the 1.6 version keytool. This new keystore works with 1.5 java but has the same problem with Firefox when I start up Tomcat with Java 1.6.

shrug
Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Nada,

On 10/7/2009 5:28 PM, Nada O'Neal wrote:
> I'm pointing tomcat to a safe keystore file, not the system keystore or any particular keystore. So, I don't have to worry about the keystore getting overwritten when I upgrade. Also, just by changing JAVA_HOME, I can start up tomcat with Java 1.5 and watch everything work, then shut it down and start it up in 1.6 and see this niggling issue in Firefox.

Okay, I would do a verbose dump of both system keystores and look for the Equifax entries for each. Perhaps there's a missing Equifax cert in the 1.6 keystore that you just have to import. I would import this certificate into your safe keystore if and when you identify which one it is.

You could also try contacting Equifax's SSL technical support. They might have some suggestions.

Hope that helps,
-chris
Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Nada,

On 10/1/2009 4:36 PM, Nada O'Neal wrote:
> I'm stuck on Tomcat 5.5.26 to support a specific application. This is a Solaris 9 server with no Apache - tomcat is handling its own webserving.
>
> We're hoping to upgrade the JDK. I can use JDK-1.5.0_21 successfully. When I start tomcat with JDK-1.6.0_16, I get one specific issue... Firefox, but not Safari or IE, will report on https connections:
>
>   Secure Connection Error
>   An error occurred during a connection to mysite.com:8443.
>   Peer reports it experienced an internal error.
>   (Error code: ssl_error_internal_error_alert)

What kind of certificate is it? Self-signed? Signed by a real CA? One of those new-fangled EV certs?

If it's an EV cert, then you need not one but /two/ intermediate certs to be installed in your keystore and provided to the client during the SSL handshake.

-chris
Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Hi Chris,

Thanks for responding to my question!

I don't have an EV cert, it's just a standard cert signed by Equifax. I have similar certs working on other servers. Again, it's the upgrade from one java to another that seems to cause the problem - running java 1.5, I don't have this issue. But, this may be a case of me getting away with something under 1.5 that I wouldn't be able to get away with under 1.6.

The two keys in the keystore currently look like:

$ keytool -list -keystore /path/to/keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Sep 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): [...]
tomcat, Sep 29, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): [...]

... is this wrong?

Thanks again for writing back, I really appreciate it.

Christopher Schultz ch...@christopherschultz.net wrote:
>> Firefox, but not Safari or IE, will report on https connections:
>>
>>   Secure Connection Error
>>   An error occurred during a connection to mysite.com:8443.
>>   Peer reports it experienced an internal error.
>>   (Error code: ssl_error_internal_error_alert)
>
> What kind of certificate is it? Self-Signed? Signed by a real CA? One of those new-fangled EV certs?
>
> If it's an EV cert, then you need not one but /two/ intermediate certs to be installed in your keystore and provided to the client during the SSL handshake.
ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Hey everyone -

I'm stuck on Tomcat 5.5.26 to support a specific application. This is a Solaris 9 server with no Apache - tomcat is handling its own webserving.

We're hoping to upgrade the JDK. I can use JDK-1.5.0_21 successfully. When I start tomcat with JDK-1.6.0_16, I get one specific issue... Firefox, but not Safari or IE, will report on https connections:

  Secure Connection Error
  An error occurred during a connection to mysite.com:8443.
  Peer reports it experienced an internal error.
  (Error code: ssl_error_internal_error_alert)

Weirdly, there is no error in any error log when this happens.

I think this might be a configuration error on my part. Here's our SSL conf stanza:

  <Connector port="8443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/path/to/my/keystore"
             keystorePass="somePass" />

...

I notice that in other people's configs, they have a specific reference to a TrustStore. I have the CA certs imported into the keystore, though, and I'm using this config on other servers, with other versions of tomcat, other versions of the JDK, etc. (However, those are all linux servers.)

I'm especially suspicious about this possibility because lately there have been other Firefox https bugs (like the Flash uploader bug) that ultimately have to do with verifying the certificate authority. Adding in a truststore doesn't seem to help, but maybe i r doin it wrong.

Thanks for any references or wild speculation you can provide.

- Nada

(p.s. if you're curious about the Flash uploader bug, see e.g.:
http://bugs.adobe.com/jira/browse/FP-201
http://bugs.adobe.com/jira/browse/FP-226
https://bugs.adobe.com/jira/browse/SDK-13196
http://swfupload.org/forum/generaldiscussion/347
)