detailed APR/SSL logging

2014-01-07 Thread Sanaullah
Hi,

Does anyone know how I can get detailed APR/SSL debug logs? I need to
know where my SSL session is getting broken; there is nothing in the
catalina.out log.

usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [
-nonaming ]  { -help | start | stop }
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.1.
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 696 ms
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 935 ms


--
The server starts up properly with OpenSSL and the certs, but when I try to
connect to it with openssl s_client I get an error
--
root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
127.0.0.1:8443 -tls1_2 -debug
CONNECTED(0003)
write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   :...6..R...E
0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57   ...&oX?W
0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30   ...I-R.0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&...=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ./.+.'.#
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   ...<./...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f   ...o
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   
0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03   .#.". ..
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   
0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01  ...
read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
 - 15 03 03 00 02.
read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
 - 02 28 .(
3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1256:SSL alert number 40
3074095420:error:1409E0E5:
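
As an added example (not code from the original post or from Tomcat), the following decodes the `openssl s_client -debug` dump quoted above: it turns the hex columns back into bytes, walks the TLS record layer and the ClientHello, and decodes the server's reply. It shows that the client offered TLS 1.2 with ECDHE-ECDSA suites, secp256r1 and ECDSA signature algorithms, and that the server answered with a fatal alert 40 (handshake_failure) instead of a ServerHello, so the failure is decided inside OpenSSL's handshake before anything reaches Tomcat's Java side.

```python
import re
import struct

# Transcribed from the post above (constructed test input for this example);
# the archive dropped the "0000" offset of the first line, which is tolerated.
CLIENT_DUMP = """\
 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   :...6..R...E
0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57   ...&oX?W
0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30   ...I-R.0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&...=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ./.+.'.#
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   ...<./...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f   ...o
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11
0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03   .#.". ..
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02
0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01  ...
"""
SERVER_DUMP = """\
 - 15 03 03 00 02.
 - 02 28 .(
"""

# One dump line: optional 4-digit offset, " - ", up to 16 hex bytes separated by
# spaces (a dash after the 8th), then an ASCII column that is ignored.
HEX_LINE = re.compile(r"^\s*(?:[0-9a-f]{4})?\s*-\s*((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")


def dump_to_bytes(dump: str) -> bytes:
    """Turn the hex columns of an s_client -debug dump back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)


def split_records(data: bytes) -> list:
    """Split a byte stream into (content_type, (major, minor), payload) records."""
    records, pos = [], 0
    while pos < len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, (major, minor), payload))
        pos += 5 + length
    return records


def u16_list(data: bytes) -> list:
    """Decode a 2-byte-length-prefixed list of 2-byte ids (curves, sigalgs)."""
    n = int.from_bytes(data[:2], "big")
    return [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + n, 2)]


def parse_client_hello(hs: bytes) -> dict:
    """Parse a ClientHello handshake message (RFC 5246, 7.4.1.2)."""
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    end, p = 4 + int.from_bytes(hs[1:4], "big"), 4
    version = (hs[p], hs[p + 1])
    p += 2 + 32                 # protocol version, then the 32-byte client random
    p += 1 + hs[p]              # session id (length-prefixed)
    cs_len = int.from_bytes(hs[p:p + 2], "big")
    suites = [int.from_bytes(hs[i:i + 2], "big") for i in range(p + 2, p + 2 + cs_len, 2)]
    p += 2 + cs_len
    p += 1 + hs[p]              # compression methods (length-prefixed)
    exts = {}
    if p < end:                 # the extensions block is optional
        p += 2                  # skip its total length; walk to the message end
        while p < end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            exts[etype] = hs[p + 4:p + 4 + elen]
            p += 4 + elen
    return {"version": version, "cipher_suites": suites, "extensions": exts}


def summarize(client_dump: str, server_dump: str) -> dict:
    """What the client offered and what the server sent back."""
    hello = parse_client_hello(split_records(dump_to_bytes(client_dump))[0][2])
    curves = u16_list(hello["extensions"].get(0x000A, b"\x00\x00"))
    sigalgs = u16_list(hello["extensions"].get(0x000D, b"\x00\x00"))
    stype, sver, spayload = split_records(dump_to_bytes(server_dump))[0]
    return {
        "client_version": hello["version"],                 # (3, 3) is TLS 1.2
        "cipher_suite_count": len(hello["cipher_suites"]),
        "offers_ecdsa_suite": 0xC02C in hello["cipher_suites"],  # ECDHE-ECDSA-AES256-GCM-SHA384
        "offers_secp256r1": 23 in curves,
        "offers_ecdsa_sigalg": any(sa & 0xFF == 3 for sa in sigalgs),
        "server_record_type": stype,                        # 21 = alert, 22 = handshake
        "server_version": sver,
        # alert payload is (level, description): 2 = fatal, 40 = handshake_failure
        "alert": tuple(spayload) if stype == 21 else None,
    }
```

Running `summarize(CLIENT_DUMP, SERVER_DUMP)` reports 79 offered cipher suites and the server's `(2, 40)` alert, the same "SSL alert number 40" that s_client prints at the end of the dump.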

Re: Packet misses in Tomcat

2014-01-07 Thread André Warnier

Divyaprakash Y wrote:

Issue: A few packets do not reach the application servlet but Tomcat receives
them. The missing packets reach the HTTP layer and thereafter they disappear.

This issue is not frequent but occasionally consistent. For the POSTs of the
missing packets I am not able to find an entry in localhost_access_log.
How do you know that the packet reaches tomcat if there is no matching entry in 
localhost_access.log? Does all other access appear in this file?

I could see the packet in the Wireshark capture and it has reached the HTTP layer,
so I thought it has reached Tomcat; I may be wrong here. Also, as far as I have
observed, every hit to the application URLs was getting logged in the local
access log.


And is there anything in the Tomcat error logs ?
(Or the Windows Event logs)

An HTTP request might be discarded by Tomcat for various reasons (*)
before it is ever mapped to an application.
In such a case, there is probably also no log of the request in the Access log.
But I would expect some error message in the Tomcat error logs.

(*) Invalid HTTP request, incomplete request, etc.
If there are really packets being lost somewhere, then for POST
requests the request size would not match the Content-Length header, and that
may be one of these cases.

I must say that the "packets lost" hypothesis sounds a bit iffy to me.
This is TCP, which should detect missing packets and cause a client
connection abort if that was the case. The invalid HTTP request being rejected
by Tomcat sounds more probable to me.
I could not find anything (Exception) in the Tomcat std error log file or any file
in the log folder. But I have not checked the Windows event logs. Will do that.

Regarding the content length, there is no mismatch, as I have validated using
Wireshark, and also the same packets (in terms of structure) have reached the
application previously.

W.r.t. the last point, I could see the TCP ACK for the received packet in
Wireshark, and the packet has reached the HTTP layer, where it goes missing thereafter.




What do you mean exactly by "the packet has reached HTTP layer" ?


Are you using the word "packet" in the TCP/IP sense here, or do you mean "HTTP 
request"
(composed of one or more TCP/IP packets) ?
Does one complete HTTP POST request (headers and body) fit into one TCP packet ?

And how exactly do you recognise that some particular packet (or HTTP request) 
has not been processed by the application ?
Do these disappearing requests have some special characteristic that allows you 
to distinguish them from other requests to the same application ?
Or is it so that all the requests for that same application "disappear" ?
Do all the ones that disappear have something in common, that other requests 
(which do not
disappear) do not have ?


Suggestion : paste the content of your Tomcat's "server.xml" file in your next 
message, after removing any private information such as host name or IP, passwords etc.
(Do not send it as attachment, this list often removes them).

Actually, I meant "HTTP request has reached HTTP Layer".

I could recognise the miss because some noticeable activity happens in the
application upon reception of the request, which makes it easy to identify the
misses in this case when compared to other requests.

For the query regarding "All requests", not all requests disappear. More
importantly, sometimes all requests reach the application when I POST the same set of
requests. To give a rough picture, 1-2 requests fail in a set of 45-50 requests and this
behaviour varies [the request which failed in one test cycle succeeds in another
cycle].

I could see this in Tomcat 7.0 and Tomcat 7.0.42.

Here is the server.xml details:





  
  
  
  


  
  
  
  
  
  

  
  


  

  
  






 















  
  

  
  


  

  







  

  




Hi.
There is nothing in the above server.xml that strikes me as particularly 
remarkable or wrong.

I do not pretend to know your system, nor your application, nor that the following is a
definite explanation. But on the basis of the currently available data, I would say:
- it is quite unlikely that Tomcat 7 is randomly "dropping requests". If it was, then I
would imagine that this list would be overflowing with cries for help.
There is quite a bit of traffic on this list related to Tomcat 7, but I don't recall 
seeing any significant number of issues mentioning "dropped requests".
- it also doesn't seem, from your wireshark-related observations, that the requests are 
being lost outside of Tomcat.
- so I would say at this point, that the most likely place for requests to disappear is in 
your own application.


I am far from being an expert in that area, but I remember seeing multiple threads in this 
list that tended to indicate that this kind of thing can happen if you keep improper 
references to Request/Respons

RE: Packet misses in Tomcat

2014-01-07 Thread Divyaprakash Y
> Here is the server.xml details:
>
> 
> 
>   port="8105" shutdown="SHUTDOWN">
>   
>   
>   
>SSLEngine="on" />
>
>
>   
>   
>   
>className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
> />
>
>   
>   
> 
>type="org.apache.catalina.UserDatabase"
>   description="User database that can be updated and saved"
>   factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>   pathname="conf/tomcat-users.xml" />
>   
>
>   
>   
>
> 
> 
>
>
> 
>  
> connectionTimeout="2"
>redirectPort="8443" allowTrace="true"/>
>
>
> 
> 
>
> 
> 
>
>
> 
>
> 
> 
>
>   
>   
>
>   
>   
> 
> resourceName="UserDatabase"/>
>   
>
>unpackWARs="false" autoDeploy="true">
>
> 
> 
>
> 
>  directory="logs"
>   

RE: detailed APR/SSL logging

2014-01-07 Thread Martin Gainty

Re: detailed APR/SSL logging

2014-01-07 Thread Sanaullah
Here is my configuration. I am using openssl. I haven't installed any
certificate to JVM truststore.

Re: detailed APR/SSL logging

2014-01-07 Thread Sanaullah
This issue is only with my ECC certificates. The whole configuration works
pretty well with TLS1.2 when I am using the RSA certs. OpenSSL self-signed
ECC certs are also working.


On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah  wrote:

> Here is my configuration. I am using openssl. I haven't installed any
> certificate to JVM truststore.
>
>  port="8443"
> SSLEnabled="true"
>maxThreads="150" scheme="https" secure="true"
>clientAuth="false"
>SSLProtocol="All"
>
> SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
>SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>
> SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>

Re: Packet misses in Tomcat

2014-01-07 Thread Christopher Schultz

André,

On 1/7/14, 5:09 AM, André Warnier wrote:
> I do not pretend to know your system, nor your application, nor
> that the following is a definite explanation.  But on the base of
> the currently available data, I would say : - it is quite unlikely
> that Tomcat 7 is randomly "dropping requests". If it was, then I
> would imagine that this list would be overflowing with cries for
> help. There is quite a bit of traffic on this list related to
> Tomcat 7, but I don't recall seeing any significant number of
> issues mentioning "dropped requests". - it also doesn't seem, from
> your wireshark-related observations, that the requests are being
> lost outside of Tomcat. - so I would say at this point, that the
> most likely place for requests to disappear is in your own
> application.

It seems that Tomcat is not logging the request in its access log, so
it's more likely that the request is either malformed to such an
extent that Tomcat rejects the request altogether or that the request
never reaches Tomcat.

Divyaprakash, can you describe your deployment? Are you accessing
Tomcat directly via HTTP? What networking components are between your
test client(s) and Tomcat?

- -chris
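
As an added example (not code from any of the posters) that applies André's and Chris's suggestion, the following correlates the requests seen in a capture with Tomcat's localhost_access_log: a request that is on the wire but has no matching access-log line within a small time window is the candidate for "rejected before it was mapped to an application, or never reached Tomcat", and the Content-Length check André mentions is applied to each such request. The log excerpt and the captured requests are constructed; the access-log format is Tomcat's default AccessLogValve pattern `%h %l %u %t "%r" %s %b`.

```python
import re
from datetime import datetime, timedelta, timezone

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed localhost_access_log excerpt.
ACCESS_LOG = """\
10.0.0.5 - - [07/Jan/2014:10:15:32 +0530] "POST /app/notify HTTP/1.1" 200 17
10.0.0.5 - - [07/Jan/2014:10:15:33 +0530] "POST /app/notify HTTP/1.1" 200 17
10.0.0.5 - - [07/Jan/2014:10:15:35 +0530] "GET /app/status HTTP/1.1" 200 412
"""

IST = timezone(timedelta(hours=5, minutes=30))

# Constructed requests as reassembled from a capture: (time, client ip, method,
# path, Content-Length header or None, body bytes actually seen on the wire).
WIRE_REQUESTS = [
    (datetime(2014, 1, 7, 10, 15, 32, tzinfo=IST), "10.0.0.5", "POST", "/app/notify", 42, b"x" * 42),
    (datetime(2014, 1, 7, 10, 15, 33, tzinfo=IST), "10.0.0.5", "POST", "/app/notify", 42, b"x" * 42),
    # declares 42 bytes but only 30 arrived: the kind of request Tomcat discards
    # before mapping it to an application, leaving no access-log entry
    (datetime(2014, 1, 7, 10, 15, 34, tzinfo=IST), "10.0.0.5", "POST", "/app/notify", 42, b"x" * 30),
    (datetime(2014, 1, 7, 10, 15, 35, tzinfo=IST), "10.0.0.5", "GET", "/app/status", None, b""),
]


def parse_access_log(text: str) -> list:
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            entries.append({
                "host": m["host"], "method": m["method"], "path": m["path"],
                "status": int(m["status"]),
                "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            })
    return entries


def find_unlogged(wire: list, log_entries: list,
                  window: timedelta = timedelta(seconds=2)) -> list:
    """Return the wire requests that have no access-log entry within the window.

    Each log entry is consumed once, nearest in time first, so two identical
    POSTs one second apart cannot both be matched to the same log line.
    """
    unused = list(log_entries)
    missing = []
    for when, host, method, path, declared_len, body in wire:
        candidates = [e for e in unused
                      if e["host"] == host and e["method"] == method
                      and e["path"] == path and abs(e["time"] - when) <= window]
        if candidates:
            unused.remove(min(candidates, key=lambda e: abs(e["time"] - when)))
        else:
            missing.append({
                "time": when, "host": host, "method": method, "path": path,
                # André's point: a body shorter than Content-Length is one way a
                # request gets rejected before it is mapped to an application
                "content_length_mismatch": (declared_len is not None
                                            and declared_len != len(body)),
            })
    return missing


if __name__ == "__main__":
    for r in find_unlogged(WIRE_REQUESTS, parse_access_log(ACCESS_LOG)):
        print(f"{r['time']:%H:%M:%S} {r['method']} {r['path']} seen on the wire but not "
              f"in the access log (Content-Length mismatch: {r['content_length_mismatch']})")
```

On the constructed input only the 10:15:34 POST is reported, and it is flagged for the Content-Length mismatch; a request reported without a mismatch would point at the other explanations in the thread (never reached Tomcat, or malformed in some other way).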

Re: detailed APR/SSL logging

2014-01-07 Thread Christopher Schultz

Sanaullah,

On 1/7/14, 8:06 AM, Sanaullah wrote:
> This issue is only with my ECC certificates. The whole
> configuration works pretty well with TLS1.2 when I am using the RSA
> certs. OpenSSL self-signed ECC certs are also working.
> 
> 
> On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah 
> wrote:
> 
>> Here is my configuration. I am using openssl. I haven't installed
>> any certificate to JVM truststore.
>> 
>> > maxThreads="150" scheme="https" secure="true" clientAuth="false" 
>> SSLProtocol="All"
>> 
>> SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem" 
>> SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>> 
>> SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>> 
>> 
>> 
>> 
>> 
>> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty
>>  wrote:
>> 
>>> 
>>> 
>>> 
>>> 
>>> 
 Date: Tue, 7 Jan 2014 14:51:21 +0500 Subject: detailed
 APR/SSL logging From: sanaulla...@gmail.com To:
 users@tomcat.apache.org
 
 Hi,
 
 Anyone knows, how do i can get the detailed APR/SSL debug
 logs. i need
>>> to
 know where my SSL session is getting broken? there is nothing
 in the catalina.out log.
 
 usage: java org.apache.catalina.startup.Catalina [ -config
 {pathname} ]
>>> [
 -nonaming ] { -help | start | stop } Jan 07, 2014 1:43:12 AM
 org.apache.catalina.core.AprLifecycleListener
>>> init
 INFO: Loaded APR based Apache Tomcat Native library 1.1.29
 using APR version 1.5.1. Jan 07, 2014 1:43:12 AM
 org.apache.catalina.core.AprLifecycleListener
>>> init
 INFO: APR capabilities: IPv6 [true], sendfile [true], accept
 filters [false], random [true]. Jan 07, 2014 1:43:12 AM
 org.apache.catalina.core.AprLifecycleListener initializeSSL 
 INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb
 2013) Jan 07, 2014 1:43:12 AM
 org.apache.coyote.AbstractProtocol init INFO: Initializing
 ProtocolHandler ["http-apr-8080"] Jan 07, 2014 1:43:12 AM
 org.apache.coyote.AbstractProtocol init INFO: Initializing
 ProtocolHandler ["http-apr-0.0.0.0-8443"] Jan 07, 2014
 1:43:12 AM org.apache.catalina.startup.Catalina load INFO:
 Initialization processed in 696 ms Jan 07, 2014 1:43:12 AM
 org.apache.catalina.core.StandardService startInternal INFO:
 Starting service Catalina Jan 07, 2014 1:43:12 AM
 org.apache.catalina.core.StandardEngine startInternal INFO:
 Starting Servlet Engine: Apache Tomcat/7.0.47 Jan 07, 2014
 1:43:12 AM org.apache.catalina.startup.HostConfig 
 deployDirectory INFO: Deploying web application directory 
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs

 
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory INFO: Deploying web application directory 
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager

 
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory INFO: Deploying web application directory 
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT

 
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory INFO: Deploying web application directory 
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager

 
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
 deployDirectory INFO: Deploying web application directory 
 /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples

 
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
 INFO: Starting ProtocolHandler ["http-apr-8080"] Jan 07, 2014
 1:43:13 AM org.apache.coyote.AbstractProtocol start INFO:
 Starting ProtocolHandler ["http-apr-0.0.0.0-8443"] Jan 07,
 2014 1:43:13 AM org.apache.catalina.startup.Catalina start 
 INFO: Server startup in 935 ms
 
 
 
>>> --

>>> 
Server looks up properly with OpenSSL and certs but when I try to
>>> connect
 it with openssl s_client it's getting an error
 
>>> --

>>> 
root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
 127.0.0.1:8443 -tls1_2 -debug CONNECTED(0003) write to
 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))  - 16 03
 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45 :...6..R...E 
 0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57
 ...&oX?W 0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00
 00 9e c0 30 ...I-R.0 0030 - c0 2c c0 28 c0 24 c0
 14-c0 0a c0 22 c0 21 00 a3 .,.(.$.".!.. 0040 - 00 9f 00
 6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.2 0050
 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35
 ...*.&...=.5 0060 -
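The bytes that `openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug` printed above are the client's ClientHello, and the question in the thread (does the handshake fail because no suite fits the ECC certificate?) can be answered from them. The following decoder is an added example, not code from the thread or from Tomcat or OpenSSL; it assumes the `0000` row label that the archive dropped, and its suite-name table covers only the codes visible in this dump.

```python
"""Decode the start of a TLS ClientHello from an `openssl s_client -debug` dump
and group the offered cipher suites by the server-authentication algorithm."""
import re

# Constructed input: the ClientHello rows printed in the thread above. The
# archive lost the "0000" row label (restored here, an assumption) and the dump
# stops at offset 0x60, so only part of the cipher-suite list is present.
S_CLIENT_DEBUG_DUMP = """\
0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   :...6..R...E
0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57   ...&oX?W
0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30   ...I-R.0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&...=.5
"""

# IANA names for the suite codes that occur in this dump (not a full registry).
SUITE_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC022: "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
    0xC021: "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
    0x00A3: "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x006A: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0xC032: "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
    0xC02E: "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02A: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
    0xC026: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC00F: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# One `-debug` row: offset, " - ", up to 16 hex bytes ('-' after the 8th), ASCII column ignored.
HEX_ROW = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]){0,15}[0-9a-f]{2})")

def hex_dump_to_bytes(dump):
    """Collect the byte columns of every hex row; other lines are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if m:
            out.extend(int(h, 16) for h in re.split(r"[ -]", m.group(1)))
    return bytes(out)

def parse_client_hello(data):
    """Parse headers, version, random, session id and as many suites as the bytes contain."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    record_len = int.from_bytes(data[3:5], "big")
    if int.from_bytes(data[6:9], "big") + 4 != record_len:
        raise ValueError("handshake length does not fit the record length")
    client_random, pos = data[11:43], 43
    sid_len, pos = data[pos], pos + 1
    session_id, pos = data[pos:pos + sid_len], pos + sid_len
    if pos + 2 > len(data):
        raise ValueError("dump ends before the cipher-suite list")
    suites_len, pos = int.from_bytes(data[pos:pos + 2], "big"), pos + 2
    suite_bytes = data[pos:pos + suites_len]   # shorter than suites_len if the dump was cut
    suites = [int.from_bytes(suite_bytes[i:i + 2], "big")
              for i in range(0, len(suite_bytes) - 1, 2)]
    return {
        "record_version": (data[1], data[2]),
        "record_length": record_len,
        "client_version": (data[9], data[10]),
        "gmt_unix_time": int.from_bytes(client_random[:4], "big"),
        "session_id": session_id,
        "suites_declared": suites_len // 2,
        "suites": suites,
        "truncated": len(suite_bytes) < suites_len,
    }

def suites_by_auth(suites):
    """Group suite codes by the authentication algorithm named in the suite
    (TLS_<kx>_<auth>_WITH_...); ECDSA suites need an ECC server certificate."""
    groups = {}
    for code in suites:
        name = SUITE_NAMES.get(code)
        auth = name.split("_WITH_")[0].split("_")[-1] if name else "unknown"
        groups.setdefault(auth, []).append(code)
    return groups

def analyse(dump):
    hello = parse_client_hello(hex_dump_to_bytes(dump))
    hello["by_auth"] = suites_by_auth(hello["suites"])
    return hello
```

`analyse(S_CLIENT_DEBUG_DUMP)` reports a TLS 1.2 ClientHello (record version 3.1, client version 3.3) declaring 79 suites, of which 25 are visible before the dump was cut, including six ECDSA suites; the `gmt_unix_time` in the client random decodes to 7 Jan 2014 09:50 UTC, which matches the time of the mail, a quick check that the dump belongs to the session being debugged. With an ECC certificate on the connector the server can only finish the handshake with a suite whose authentication algorithm is ECDSA, so the two things to confirm are that the client offers such suites (it does) and that the connector's cipher configuration allows at least one of them; `openssl s_client -msg` and `-state` show the handshake messages and state transitions at a higher level than `-debug`, and the alert the server sends in that output usually says where the session breaks.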

Re: rc-10 bug?

2014-01-07 Thread Konstantin Kolinko
2014/1/6 Peter :
> Thanks to an email from Martin, I had a strong indicator of where to look. I
> checked out Tomcat 8 from trunk and validated in Eclipse in debug mode. (FYI,
> build.properties.default is broken due to missing commons-pool; had to tweak it
> a bit.)
>
> From the WebappClassLoader.java snippet below (line 737), jars[] does not only
> contain jars, but also any other resources. I added a howTo.txt file in
> WEB-INF/lib, which results in jars.length NEVER equalling
> jarModificationTimes.size().
>
> Fix is simple - just filter out the non-jar, non-executable elements before
> comparing. Workaround is equally trivial - remove said elements from the
> lib folder.
> Hope this helps,
> Peter
>
>
>
> // Check if JARs have been added or removed
> WebResource[] jars = resources.listResources("/WEB-INF/lib");
>
> if (jars.length > jarModificationTimes.size()) {
> log.info(sm.getString("webappClassLoader.jarsAdded",
> resources.getContext().getName()));
> return true;
> } else if (jars.length < jarModificationTimes.size()){
> log.info(sm.getString("webappClassLoader.jarsRemoved",
> resources.getContext().getName()));
> return true;
> }
>
> for (WebResource jar : jars) {
> if (jar.getName().endsWith(".jar") && jar.isFile() && 
> jar.canRead()) {

Thank you.
I filed this into Bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55970

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problem configuring SSL

2014-01-07 Thread Alex Kogan
Gentlemen, thanks a lot for your help. I figured out what the problem was.
It was not related to Tomcat configuration, but to my keystore. The reason
is that once you import a client certificate under the same alias as the
private pair, they both get merged under the same alias inside the keystore.
Using the keytool -delete command, meant to remove the certificate only,
deletes the private pair as well. I noticed that once I dumped the keystore
content for my keystore and a keystore on one of my other servers. Luckily,
I had a backup of the keystore I made right after it was created. Importing
the certificates into that keystore resolved the issue.


On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Alex,
>
> On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > I have a strange problem configuring SSL to work with Tomcat.
> > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> >
> > It's a new Tomcat installation. All keystore operations were done
> > with keytool. I imported CA root/intermediate certificate and
> > client certificate, configured SSL connector in server.xml. I have
> > this same setup on another server that works fine. Connecting to
> > this server via http works.
> >
> > 1. If I try to connect this address via https in Chrome I get:
> > "This Webpage is not available." In Firefox: "Error code:
> > ssl_error_no_cypher_overlap"
>
> Sounds familiar.
>
> Please post your <Connector> configuration(s) from your server.xml
> file. Remember to remove any sensitive information from the configuration.
>
> Also please post all of the startup messages from Tomcat's
> logs/catalina.out file: we need to see the versions of various things
> and what components (if any) suffer problems starting up.
>
> > 3. Here's a list of enabled ciphers using SSLInfo:
> >
> > #java -showversion SSLInfo
>
> Nice to see someone is getting some use out of that. ;)
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS
> JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ
> +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC
> f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6
> bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8
> m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE
> /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD
> SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB
> Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu
> RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH
> 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+
> VCpWYwQ3I2qGEm5RBvbh
> =9FS1
> -END PGP SIGNATURE-
>
>
>


-- 
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University

a-ko...@northwestern.edu


Re: detailed APR/SSL logging

2014-01-07 Thread Sanaullah
I still stick to my opinion.
The patches needed to be applied for TLS 1.2 SSL/APR. Everything is working
after applying the patch except for this ECC cert chain. I am just looking
around for where to get the detailed logs.




On Tue, Jan 7, 2014 at 11:11 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Sanaullah,
>
> On 1/7/14, 8:06 AM, Sanaullah wrote:
> > This issue is only with my ECC certificates. The whole
> > configuration works pretty well with TLS 1.2 when I am using the RSA
> > certs. OpenSSL self-signed ECC certs are also working.
> >
> >
> > On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah 
> > wrote:
> >
> >> Here is my configuration. I am using OpenSSL. I haven't installed
> >> any certificate into the JVM truststore.
> >>
> >>  >> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> >> SSLProtocol="All"
> >>
> >> SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> >> SSLCertificateFile="/home/san/certs/pay-test/test.pem"
> >>
> >> SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
> >>
> >>
> >>
> >>
> >>
> >> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty
> >>  wrote:
> >>
> >>>
> >>>
> >>>
> >>>
> >>>
>  Date: Tue, 7 Jan 2014 14:51:21 +0500 Subject: detailed
>  APR/SSL logging From: sanaulla...@gmail.com To:
>  users@tomcat.apache.org
> 
>  Hi,
> 
>  Does anyone know how I can get the detailed APR/SSL debug
>  logs? I need to
>  know where my SSL session is getting broken; there is nothing
>  in the catalina.out log.
> 
>  usage: java org.apache.catalina.startup.Catalina [ -config
>  {pathname} ]
> >>> [
>  -nonaming ] { -help | start | stop } Jan 07, 2014 1:43:12 AM
>  org.apache.catalina.core.AprLifecycleListener
> >>> init
>  INFO: Loaded APR based Apache Tomcat Native library 1.1.29
>  using APR version 1.5.1. Jan 07, 2014 1:43:12 AM
>  org.apache.catalina.core.AprLifecycleListener
> >>> init
>  INFO: APR capabilities: IPv6 [true], sendfile [true], accept
>  filters [false], random [true]. Jan 07, 2014 1:43:12 AM
>  org.apache.catalina.core.AprLifecycleListener initializeSSL
>  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb
>  2013) Jan 07, 2014 1:43:12 AM
>  org.apache.coyote.AbstractProtocol init INFO: Initializing
>  ProtocolHandler ["http-apr-8080"] Jan 07, 2014 1:43:12 AM
>  org.apache.coyote.AbstractProtocol init INFO: Initializing
>  ProtocolHandler ["http-apr-0.0.0.0-8443"] Jan 07, 2014
>  1:43:12 AM org.apache.catalina.startup.Catalina load INFO:
>  Initialization processed in 696 ms Jan 07, 2014 1:43:12 AM
>  org.apache.catalina.core.StandardService startInternal INFO:
>  Starting service Catalina Jan 07, 2014 1:43:12 AM
>  org.apache.catalina.core.StandardEngine startInternal INFO:
>  Starting Servlet Engine: Apache Tomcat/7.0.47 Jan 07, 2014
>  1:43:12 AM org.apache.catalina.startup.HostConfig
>  deployDirectory INFO: Deploying web application directory
>  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
> 
> 
> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>  deployDirectory INFO: Deploying web application directory
>  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
> 
> 
> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>  deployDirectory INFO: Deploying web application directory
>  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
> 
> 
> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>  deployDirectory INFO: Deploying web application directory
>  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
> 
> 
> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>  deployDirectory INFO: Deploying web application directory
>  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
> 
> 
> Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
>  INFO: Starting ProtocolHandler ["http-apr-8080"] Jan 07, 2014
>  1:43:13 AM org.apache.coyote.AbstractProtocol start INFO:
>  Starting ProtocolHandler ["http-apr-0.0.0.0-8443"] Jan 07,
>  2014 1:43:13 AM org.apache.catalina.startup.Catalina start
>  INFO: Server startup in 935 ms
> 
> 
> 
> >>>
> --
> 
> >>>
> Server looks up properly with OpenSSL and certs but when I try to
> >>> connect
>  it with openssl s_client it's getting an error
> 
> >>>
> --
> 
> >>>
> root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
>  127.0.0.1:8443 -tls1_2 -debug CONNECTED(0003) write to
>  0x8a03258

Re: Problem configuring SSL

2014-01-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alex,

On 1/7/14, 2:41 PM, Alex Kogan wrote:
> Gentlemen, thanks a lot for your help. I figured out what the
> problem was. It was not related to Tomcat configuration, but to my
> keystore. The reason is that once you import a client certificate
> under the same alias as the private pair, they both get merged
> under the same alias inside the keystore. Using the keytool -delete
> command, meant to remove the certificate only, deletes the private
> pair as well. I noticed that once I dumped the keystore content for my
> keystore and a keystore on one of my other servers. Luckily, I had
> a backup of the keystore I made right after it was created.
> Importing the certificates into that keystore resolved the issue.

Java keystores are a nightmare. I try to avoid them whenever possible.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSzFt/AAoJEBzwKT+lPKRYKRwQALT9qv2bOPss+nT1uGQ8WoMY
KC6GvvO5RuoHa8ggd/pu7YS6G6czwZnFOYvldOh7BjvKpwppTr/e8uj6FCUv2n4v
592RykM82+tXWFrWEyT7TTwoWPdYDrnIIYFnemndj3trXWXfgR1LIZhtYUIJMofr
+h5biqeRRBrldvlZFXJU874Pg2IrwcTyJ4YfT8/XC5/Q196MXHOh0MiDMVJJ91l8
d3c/D6TQ8NWFZTu84ES6aPCh9FwOSxJhHEAllZqcOzRvLuXFhBOw9II9Q/Tto7wM
ZKlKRZ8sPJGi42WWYgTvHGlSZ+8kk0HijgbL6uGhHYQ8yIXPL2Jwu0igDFSzUGrU
MXe2Pevg1bP2gI3idnmnW+jWjaMujxb5EKW7+N44BqPk2zl/OTZ5hVf/t1E1SCGo
BPsulhuQvgXWhlF6GxBdwj0bWLCj8bIqIaAbHd8egT+s5smtKjoNpcVfMNE4xTwO
vdM7/MOKBIxLZyRjSw1bQFaxKXYJVnIwQlQSM74SRxNop1qcQhca7EdPMNB0+ojx
yM0m3zJNCaVsxg8RQ39Yb11YdfvVjkODV7S4D2uolezmJ6vOLCvgrdnpEtRp5QGt
MnQTEH1WLb1kX2p9HboCeTLsGh+XTX9joDqfTObSyFOPyN9ESPcVLgzWdaykHwXE
og/LPVC23d0adUNMV0Fz
=Qkfm
-END PGP SIGNATURE-




Re: Packet misses in Tomcat

2014-01-07 Thread André Warnier

Christopher,

Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

André,

On 1/7/14, 5:09 AM, André Warnier wrote:

I do not pretend to know your system, nor your application, nor
that the following is a definite explanation. But on the basis of
the currently available data, I would say:
- it is quite unlikely that Tomcat 7 is randomly "dropping requests".
If it was, then I would imagine that this list would be overflowing
with cries for help. There is quite a bit of traffic on this list
related to Tomcat 7, but I don't recall seeing any significant
number of issues mentioning "dropped requests".
- it also doesn't seem, from your Wireshark-related observations,
that the requests are being lost outside of Tomcat.
- so I would say at this point that the most likely place for
requests to disappear is in your own application.


It seems that Tomcat is not logging the request in its access log, so
it's more likely that the request is either malformed to such an
extent that Tomcat rejects the request altogether or that the request
never reaches Tomcat.


...
Hi. Of course I am going essentially by what the OP provided earlier as information, and
he has not provided many details on the "disappearing" requests themselves, or on the
channel through which these requests were reaching Tomcat.
But one thing that he did mention is that these requests are similar - and even in
general the same - as other requests which do get processed normally.

As per his own words:

"For the query regarding "All requests", all requests do not disappear. More importantly, 
sometimes all requests  reach the application when I POST same set of requests. To give a 
rough picture, 1-2 requests fail in a set of 45-50 requests and this behaviour varies [The 
request which failed in my one test cycle succeeds in another cycle]."


If we take this at face value, then it should not be the case that these requests are so
malformed that Tomcat discards them without further ado.
Also - but maybe I'm wrong there - I would expect, if Tomcat discards a request for being
malformed, that something would appear in the Tomcat error log. But according to the OP
it doesn't.
Finally - and there is a bit of an assumption on my part here - I assume that when the OP
says that he sees the request with Wireshark (prior to it "disappearing" in Tomcat), he
was running Wireshark on the Tomcat host itself. That would make it unlikely that another
external component is at play.


All of the above led me to suspect that something in the application itself may be playing 
a role here.


Of course, that all does not necessarily prove that some other component than Tomcat is 
not dropping some packets/requests.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
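The reasoning in the exchange above turns on one comparison: a request that is visible on the wire at the Tomcat host but has no access-log line either never reached Tomcat's connector or was rejected before the AccessLogValve ran, while one that was logged did reach the application. The script below performs that comparison; it is an added example, not code from the thread or from Tomcat. The access-log lines and the captured requests are constructed sample data, the log format assumed is the AccessLogValve "common" pattern, and the capture export format (time, client, method, URI per line) is an assumption about how the capture was exported.

```python
"""Correlate HTTP requests captured on the Tomcat host with the AccessLogValve
log, to separate 'never logged by Tomcat' from 'reached the application'."""
import re
from datetime import datetime, timedelta

# Constructed sample (not from the thread): AccessLogValve "common" pattern
# lines. The valve writes a line when the response completes, so its timestamp
# (whole seconds only) is at or after the moment the request hit the wire.
ACCESS_LOG = """\
192.168.1.20 - - [07/Jan/2014:10:15:32 +0100] "POST /app/submit HTTP/1.1" 200 512
192.168.1.20 - - [07/Jan/2014:10:15:33 +0100] "POST /app/submit HTTP/1.1" 200 498
192.168.1.20 - - [07/Jan/2014:10:15:35 +0100] "GET /app/status HTTP/1.1" 200 77
192.168.1.21 - - [07/Jan/2014:10:15:36 +0100] "POST /app/submit HTTP/1.1" 200 503
"""

# Constructed sample: requests exported from a capture taken on the Tomcat host
# itself (e.g. Wireshark, display filter http.request) as time,client,method,uri.
WIRE_REQUESTS = """\
2014-01-07T10:15:32.110+01:00,192.168.1.20,POST,/app/submit
2014-01-07T10:15:32.940+01:00,192.168.1.20,POST,/app/submit
2014-01-07T10:15:34.010+01:00,192.168.1.20,POST,/app/submit
2014-01-07T10:15:34.800+01:00,192.168.1.20,GET,/app/status
2014-01-07T10:15:36.200+01:00,192.168.1.21,POST,/app/submit
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse_access_log(text):
    """Return one dict per well-formed access-log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, when, method, uri, status, _ = m.groups()
        entries.append({"time": datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"),
                        "client": client, "method": method, "uri": uri,
                        "status": int(status)})
    return entries

def parse_wire(text):
    """Parse the constructed capture export (ISO time with offset, client, method, uri)."""
    reqs = []
    for line in text.splitlines():
        if line.strip():
            when, client, method, uri = line.split(",", 3)
            reqs.append({"time": datetime.fromisoformat(when), "client": client,
                         "method": method, "uri": uri})
    return reqs

def find_unlogged(wire_text, log_text, max_processing=timedelta(seconds=5)):
    """Return wire requests that have no matching access-log line.

    A log line matches when client, method and URI agree and its time lies
    between the wire time minus one second (the valve logs whole seconds) and
    the wire time plus max_processing. Each log line is consumed at most once,
    so repeated identical requests are matched one-to-one, which is what
    exposes a single lost request among many equal ones.
    """
    unmatched_log = sorted(parse_access_log(log_text), key=lambda e: e["time"])
    missing = []
    for req in sorted(parse_wire(wire_text), key=lambda r: r["time"]):
        key = (req["client"], req["method"], req["uri"])
        lo, hi = req["time"] - timedelta(seconds=1), req["time"] + max_processing
        for i, entry in enumerate(unmatched_log):
            if (entry["client"], entry["method"], entry["uri"]) == key and lo <= entry["time"] <= hi:
                del unmatched_log[i]
                break
        else:
            missing.append(req)
    return missing

if __name__ == "__main__":
    for req in find_unlogged(WIRE_REQUESTS, ACCESS_LOG):
        print("on the wire but never logged: %s %s %s from %s"
              % (req["time"].isoformat(), req["method"], req["uri"], req["client"]))
```

On the constructed data the third POST from 192.168.1.20 (10:15:34.010) is reported as seen on the wire but never logged, while the two identical requests around it are matched to their log lines. The capture has to be taken on the Tomcat host itself, as André assumes above, otherwise a request dropped by an intermediary between the capture point and Tomcat would be charged to Tomcat; a request in this list is worth checking next against the connector's error output, while a request that does have a log line belongs to the application.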



RE: Problem configuring SSL

2014-01-07 Thread Martin Gainty
  


> Date: Tue, 7 Jan 2014 14:41:15 -0500
> Subject: Re: Problem configuring SSL
> From: a-ko...@northwestern.edu
> To: users@tomcat.apache.org
> 
> Gentlemen, thanks a lot for your help. I figured out what the problem was.
> It was not related to Tomcat configuration, but to my keystore. The reason
> is that once you import a client certificate under the same alias as the
> private pair, they both get merged under the same alias inside the keystore.
> Using the keytool -delete command, meant to remove the certificate only,
> deletes the private pair as well. I noticed that once I dumped the keystore
> content for my keystore and a keystore on one of my other servers. Luckily,
> I had a backup of the keystore I made right after it was created. Importing
> the certificates into that keystore resolved the issue.

MG>I *hope* you enabled at least ONE cipher for the SSL Connector
MG>Usually the big players (Verisign/Thawte) will provide a valid CA cert/valid 
key in the supplied pfx
MG>glad to hear that worked for you
 
> 
> On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Alex,
> >
> > On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > > I have a strange problem configuring SSL to work with Tomcat.
> > > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> > >
> > > It's a new Tomcat installation. All keystore operations were done
> > > with keytool. I imported CA root/intermediate certificate and
> > > client certificate, configured SSL connector in server.xml. I have
> > > this same setup on another server that works fine. Connecting to
> > > this server via http works.
> > >
> > > 1. If I try to connect this address via https in Chrome I get:
> > > "This Webpage is not available." In Firefox: "Error code:
> > > ssl_error_no_cypher_overlap"
> >
> > Sounds familiar.
> >
> > Please post your <Connector> configuration(s) from your server.xml
> > file. Remember to remove any sensitive information from the configuration.
> >
> > Also please post all of the startup messages from Tomcat's
> > logs/catalina.out file: we need to see the versions of various things
> > and what components (if any) suffer problems starting up.
> >
> > > 3. Here's a list of enabled ciphers using SSLInfo:
> > >
> > > #java -showversion SSLInfo
> >
> > Nice to see someone is getting some use out of that. ;)
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v1
> > Comment: GPGTools - http://gpgtools.org
> > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >
> > iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS
> > JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ
> > +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC
> > f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6
> > bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8
> > m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE
> > /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD
> > SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB
> > Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu
> > RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH
> > 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+
> > VCpWYwQ3I2qGEm5RBvbh
> > =9FS1
> > -END PGP SIGNATURE-
> >
> >
> >
> 
> 
> -- 
> Software Engineer
> Department of Psychiatry and Behavioral Sciences
> Northwestern University
> 
> a-ko...@northwestern.edu