detailed APR/SSL logging
Hi,

Does anyone know how I can get the detailed APR/SSL debug logs? I need to know where my SSL session is getting broken. There is nothing in the catalina.out log.

usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 696 ms
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 935 ms

--
Server looks up properly with openssl and certs, but when I try to connect to it with openssl s_client it's getting an error
--

root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
CONNECTED(0003)
write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45 :...6..R...E
0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57 ...&oX?W
0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30 ...I-R.0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3 .,.(.$.".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35 ...*.&...=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09 ./.+.'.#
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32 .g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25 .E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11 ...<./...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f ...o
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e ...4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11
0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03 .#.". ..
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02
0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01 ...
read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02 .
read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
0000 - 02 28 .(
3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
3074095420:error:1409E0E5:
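Added example, not part of the original posts: a small Python decoder for the `openssl s_client -debug` output quoted above, which reassembles TLS records from the read/write dumps and names the alert the server sent back. The sample embeds only the first row of the ClientHello dump and the two short reads from that output; all function names are this example's own.

```python
import re

# Names from the TLS record layer and alert protocol (RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 14: "server_hello_done"}

DIRECTION_RE = re.compile(r"^(read from|write to) 0x[0-9a-f]+ ", re.I)
# One dump row: offset, " - ", then hex bytes separated by a space or a '-'.
HEX_ROW_RE = re.compile(r"^[0-9a-f]{4} - ([0-9a-f]{2}(?:[ -][0-9a-f]{2})*)", re.I)

# Abridged from the s_client output in the post above (only the first row of
# the 319-byte ClientHello dump is kept, so that record parses as truncated).
SAMPLE = """\
write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   ....:...6..R...E
read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
"""


def streams_from_debug(text):
    """Collect the dumped bytes into one byte stream per direction.

    s_client reads the 5-byte record header and the record body in separate
    calls, so consecutive reads have to be joined before parsing.
    """
    streams = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = DIRECTION_RE.match(line)
        if m:
            wrote = m.group(1).lower() == "write to"
            current = "client->server" if wrote else "server->client"
            streams.setdefault(current, bytearray())
            continue
        m = HEX_ROW_RE.match(line)
        if m and current:
            streams[current] += bytes.fromhex(m.group(1).replace("-", " "))
    return streams


def parse_records(direction, data):
    """Split a byte stream into TLS records and decode what is in the clear."""
    records = []
    pos = 0
    while len(data) - pos >= 5:
        ctype = data[pos]
        version = int.from_bytes(data[pos + 1:pos + 3], "big")
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = bytes(data[pos + 5:pos + 5 + length])
        rec = {
            "direction": direction,
            "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "record_version": VERSIONS.get(version, hex(version)),
            "length": length,
            "truncated": len(body) < length,
        }
        # A plaintext alert is exactly two bytes; a longer one is encrypted.
        if ctype == 21 and length == 2 and len(body) == 2:
            rec["level"] = ALERT_LEVELS.get(body[0], str(body[0]))
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], f"alert {body[1]}")
        elif ctype == 22 and len(body) >= 4:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], f"type {body[0]}")
            if body[0] == 1 and len(body) >= 6:
                hello = int.from_bytes(body[4:6], "big")
                rec["hello_version"] = VERSIONS.get(hello, hex(hello))
        records.append(rec)
        pos += 5 + length
    return records


def decode(text):
    """Return every TLS record found in an `s_client -debug` transcript."""
    records = []
    for direction, data in streams_from_debug(text).items():
        records.extend(parse_records(direction, data))
    return records


if __name__ == "__main__":
    for record in decode(SAMPLE):
        print(record)
```

The record-layer version on the ClientHello (TLS 1.0) is only a compatibility value; the version the client offers is the one inside the hello (TLS 1.2). The server's reply decodes as a fatal alert 40, matching the `SSL alert number 40` in the error line.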
Re: Packet misses in Tomcat
Divyaprakash Y wrote:

Issue: Few packets do not reach the application servlet but tomcat receives them. The missing packets reach the HTTP layer and thereafter they disappear. This issue is not frequent but occasionally consistent. For the POSTs of missing packet I am not able to find the entry in localhost_access_log.

How do you know that the packet reaches tomcat if there is no matching entry in localhost_access.log? Does all other access appear in this file?

I could see the packet in the wireshark capture and it has reached HTTP layer so I thought it has reached Tomcat; I may be wrong here. Also, as far as my observation, every hit to the application URLs was getting logged in local access log.

And is there anything in the Tomcat error logs ? (Or the Windows Event logs)

A HTTP request might be discarded by Tomcat for various reasons (*) before it is ever mapped to an application. In such a case, there is probably also no log of the request in the Access log. But I would expect some error message in the Tomcat error logs.

(*) Invalid HTTP request, incomplete request, etc.. If there are really packets being lost somewhere, then for POST requests the request size would not match the Content-length header, and that may be one of these cases.

I must say that the "packets lost" hypothesis sound a bit iffy to me. This is TCP, which should detect missing packets and cause a client connection abort if it was the case. The invalid HTTP request being rejected by Tomcat sounds more probable to me.

I could not find anything (Exception) in tomcat std error log file or any file in the log folder. But I have not checked the Windows event logs. Will do that.

Regarding the content length, there is no mismatch as I have validated using Wireshark and also the same packets(In terms of structure) have reached the application previously.

W.r.t. the last point, I could see TCP ACK for the received packet in the wireshark and the packet has reached HTTP layer which goes missing thereafter.

What do you mean exactly by "the packet has reached HTTP layer" ? Are you using the word "packet" in the TCP/IP sense here, or do you mean "HTTP request" (composed of one or more TCP/IP packets) ? Does one complete HTTP POST request (headers and body) fit into one TCP packet ?

And how exactly do you recognise that some particular packet (or HTTP request) has not been processed by the application ? Do these disappearing requests have some special characteristic that allows you to distinguish them from other requests to the same application ? Or is it so that all the requests for that same application "disappear" ? Do all the ones that disappear have something in common, that other requests (which do not disappear) do not have ?

Suggestion : paste the content of your Tomcat's "server.xml" file in your next message, after removing any private information such as host name or IP, passwords etc. (Do not send it as attachment, this list often removes them).

Actually, I meant "HTTP request has reached HTTP Layer".

I could recognise the miss as some noticeable activity will happen upon the reception of the request in the application because of which it is easy to identify the misses in this case when compared to other requests.

For the query regarding "All requests", all requests do not disappear. More importantly, sometimes all requests reach the application when I POST same set of requests. To give a rough picture, 1-2 requests fail in a set of 45-50 requests and this behaviour varies [The request which failed in my one test cycle succeeds in another cycle].

I could see this in Tomcat 7.0 and Tomcat 7.0.42.

Here is the server.xml details:

Hi.

There is nothing in the above server.xml that strikes me as particularly remarkable or wrong.

I do not pretend to know your system, nor your application, nor that the following is a definite explanation. But on the base of the currently available data, I would say :
- it is quite unlikely that Tomcat 7 is randomly "dropping requests". If it was, then I would imagine that this list would be overflowing with cries for help. There is quite a bit of traffic on this list related to Tomcat 7, but I don't recall seeing any significant number of issues mentioning "dropped requests".
- it also doesn't seem, from your wireshark-related observations, that the requests are being lost outside of Tomcat.
- so I would say at this point, that the most likely place for requests to disappear is in your own application. I am far from being an expert in that area, but I remember seeing multiple threads in this list that tended to indicate that this kind of thing can happen if you keep improper references to Request/Respons
RE: Packet misses in Tomcat
Issue: Few packets do not reach the application servlet but tomcat receives them. The missing packets reach the HTTP layer and thereafter they disappear. This issue is not frequent but occasionally consistent. For the POSTs of missing packet I am not able to find the entry in localhost_access_log.

How do you know that the packet reaches tomcat if there is no matching entry in localhost_access.log? Does all other access appear in this file?

>>> I could see the packet in the wireshark capture and it has reached HTTP
>>> layer so I thought it has reached Tomcat; I may be wrong here. Also, as far
>>> as my observation, every hit to the application URLs was getting logged in
>>> local access log.
>>>
>> And is there anything in the Tomcat error logs ?
>> (Or the Windows Event logs)
>>
>> A HTTP request might be discarded by Tomcat for various reasons (*)
>> before it is ever mapped to an application.
>> In such a case, there is probably also no log of the request in the Access
>> log.
>> But I would expect some error message in the Tomcat error logs.
>>
>> (*) Invalid HTTP request, incomplete request, etc..
>> If there are really packets being lost somewhere, then for POST
>> requests the request size would not match the Content-length header, and
>> that may be one of these cases.
>>
>> I must say that the "packets lost" hypothesis sound a bit iffy to me.
>> This is TCP, which should detect missing packets and cause a client
>> connection abort if it was the case. The invalid HTTP request being
>> rejected by Tomcat sounds more probable to me.
>>
>> I could not find anything (Exception) in tomcat std error log file or any
>> file in the log folder. But I have not checked the Windows event logs. Will
>> do that.
>>
>> Regarding the content length, there is no mismatch as I have validated using
>> Wireshark and also the same packets(In terms of structure) have reached the
>> application previously.
>>
>> W.r.t. the last point, I could see TCP ACK for the received packet in the
>> wireshark and the packet has reached HTTP layer which goes missing
>> thereafter.
>>
> What do you mean exactly by "the packet has reached HTTP layer" ?
>
> Are you using the word "packet" in the TCP/IP sense here, or do you mean
> "HTTP request"
> (composed of one or more TCP/IP packets) ?
> Does one complete HTTP POST request (headers and body) fit into one TCP
> packet ?
>
> And how exactly do you recognise that some particular packet (or HTTP
> request) has not been processed by the application ?
> Do these disappearing requests have some special characteristic that allows
> you to distinguish them from other requests to the same application ?
> Or is it so that all the requests for that same application "disappear" ?
> Do all the ones that disappear have something in common, that other
> requests (which do not
> disappear) do not have ?
>
> Suggestion : paste the content of your Tomcat's "server.xml" file in your
> next message, after removing any private information such as host name or IP,
> passwords etc.
> (Do not send it as attachment, this list often removes them).
>
> Actually, I meant "HTTP request has reached HTTP Layer".
>
> I could recognise the miss as some noticeable activity will happen upon the
> reception of the request in the application because of which it is easy to
> identify the misses in this case when compared to other requests.
>
> For the query regarding "All requests", all requests do not disappear. More
> importantly, sometimes all requests reach the application when I POST same
> set of requests. To give a rough picture, 1-2 requests fail in a set of 45-50
> requests and this behaviour varies [The request which failed in my one test
> cycle succeeds in another cycle].
>
> I could see this in Tomcat 7.0 and Tomcat 7.0.42.
>
> Here is the server.xml details:
>
> port="8105" shutdown="SHUTDOWN">
> SSLEngine="on" />
> className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
> type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> pathname="conf/tomcat-users.xml" />
> connectionTimeout="2"
> redirectPort="8443" allowTrace="true"/>
> resourceName="UserDatabase"/>
> unpackWARs="false" autoDeploy="true">
> directory="logs"
RE: detailed APR/SSL logging
> Date: Tue, 7 Jan 2014 14:51:21 +0500
> Subject: detailed APR/SSL logging
> From: sanaulla...@gmail.com
> To: users@tomcat.apache.org
Re: detailed APR/SSL logging
Here is my configuration. I am using openssl. I haven't installed any certificate to JVM truststore.

On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty wrote:

> > Date: Tue, 7 Jan 2014 14:51:21 +0500
> > Subject: detailed APR/SSL logging
> > From: sanaulla...@gmail.com
> > To: users@tomcat.apache.org
Re: detailed APR/SSL logging
This issue is only with my ECC certificates. The whole configuration works pretty good with TLS1.2 when I am using the RSA certs. openssl self-signed ECC certs are also working.

On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah wrote:

> Here is my configuration. I am using openssl. I haven't installed any
> certificate to JVM truststore.
>
> port="8443" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false"
> SSLProtocol="All"
> SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> SSLCertificateFile="/home/san/certs/pay-test/test.pem"
> SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>
> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty wrote:
>
>> > Date: Tue, 7 Jan 2014 14:51:21 +0500
>> > Subject: detailed APR/SSL logging
>> > From: sanaulla...@gmail.com
>> > To: users@tomcat.apache.org
>> >
>> > Hi,
>> >
>> > Does anyone know how I can get the detailed APR/SSL debug logs? I need to
>> > know where my SSL session is getting broken. There is nothing in the
>> > catalina.out log.
>> >
>> > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>> > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Re: Packet misses in Tomcat
André,

On 1/7/14, 5:09 AM, André Warnier wrote:
> I do not pretend to know your system, nor your application, nor
> that the following is a definite explanation. But on the base of
> the currently available data, I would say :
> - it is quite unlikely that Tomcat 7 is randomly "dropping requests".
>   If it was, then I would imagine that this list would be overflowing
>   with cries for help. There is quite a bit of traffic on this list
>   related to Tomcat 7, but I don't recall seeing any significant
>   number of issues mentioning "dropped requests".
> - it also doesn't seem, from your wireshark-related observations,
>   that the requests are being lost outside of Tomcat.
> - so I would say at this point, that the most likely place for
>   requests to disappear is in your own application.

It seems that Tomcat is not logging the request in its access log, so it's more likely that the request is either malformed to such an extent that Tomcat rejects the request altogether or that the request never reaches Tomcat.

Divyaprakash, can you describe your deployment? Are you accessing Tomcat directly via HTTP? What networking components are between your test client(s) and Tomcat?
-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: detailed APR/SSL logging
Sanaullah,

On 1/7/14, 8:06 AM, Sanaullah wrote:
> This issue is only with my ECC certificates. The whole
> configuration works pretty good with TLS1.2 when I am using the RSA
> certs. openssl self-signed ECC certs are also working.
>
> On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah wrote:
>
>> Here is my configuration. I am using openssl. I haven't installed
>> any certificate to JVM truststore.
>>
>> maxThreads="150" scheme="https" secure="true" clientAuth="false"
>> SSLProtocol="All"
>> SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
>> SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>> SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>>
>> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty wrote:
>>
>>> Date: Tue, 7 Jan 2014 14:51:21 +0500
>>> Subject: detailed APR/SSL logging
>>> From: sanaulla...@gmail.com
>>> To: users@tomcat.apache.org
>>>
>>> Hi,
>>>
>>> Does anyone know how I can get the detailed APR/SSL debug logs? I need
>>> to know where my SSL session is getting broken. There is nothing in the
>>> catalina.out log.
>>>
>>> usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Re: rc-10 bug?
2014/1/6 Peter:
> Thanks to an email from Martin, I had a strong indicator of where to look. I
> checked out tomcat 8 from trunk and validated in eclipse in debug mode. (FYI
> build.properties.default is broken due to missing commons pool, had to tweak
> a bit).
>
> From webappclassloader.java snippet below (line 737), jars[] does not only
> contain jars, but also any other resources. I added a howTo.txt file in
> WEB-INF/lib, which results in jars.length will NEVER equal
> jarModificationTimes.size().
>
> Fix is simple - just filter out the non-jar, non-executable elements before
> comparing. Workaround is equally trivial - remove said elements from the
> lib folder.
> Hope this helps,
> Peter
>
> // Check if JARs have been added or removed
> WebResource[] jars = resources.listResources("/WEB-INF/lib");
>
> if (jars.length > jarModificationTimes.size()) {
>     log.info(sm.getString("webappClassLoader.jarsAdded",
>             resources.getContext().getName()));
>     return true;
> } else if (jars.length < jarModificationTimes.size()){
>     log.info(sm.getString("webappClassLoader.jarsRemoved",
>             resources.getContext().getName()));
>     return true;
> }
>
> for (WebResource jar : jars) {
>     if (jar.getName().endsWith(".jar") && jar.isFile() &&
>             jar.canRead()) {

Thank you. I filed this into Bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55970

Best regards,
Konstantin Kolinko
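The count comparison Peter describes in the message above, reduced to a self-contained sketch (an added example, not Tomcat's code and not part of the original thread). `Resource` is a hypothetical stand-in for `WebResource`, and the snapshot is assumed to record only entries that pass the same `.jar`/file/readable filter the quoted loop applies.

```java
import java.util.*;
import java.util.stream.*;

// Added illustration, not Tomcat source. Requires Java 16+ (records, Stream.toList).
public class JarChangeCheck {

    // Hypothetical stand-in for Tomcat's WebResource.
    record Resource(String name, boolean file, boolean readable, long lastModified) {
        boolean isTrackedJar() {
            return name.endsWith(".jar") && file && readable;
        }
    }

    // Assumption: the modification-time snapshot holds only readable *.jar files.
    static Map<String, Long> snapshot(List<Resource> lib) {
        return lib.stream().filter(Resource::isTrackedJar)
                .collect(Collectors.toMap(Resource::name, Resource::lastModified));
    }

    // Shape of the quoted check: the raw listing size is compared with the
    // jar-only snapshot, so one extra text file reads as "JARs added".
    static boolean modifiedUnfiltered(List<Resource> lib, Map<String, Long> times) {
        if (lib.size() != times.size()) {
            return true;
        }
        return anyJarChanged(lib, times);
    }

    // The fix suggested in the message: drop non-jar entries before comparing counts.
    static boolean modifiedFiltered(List<Resource> lib, Map<String, Long> times) {
        List<Resource> jars = lib.stream().filter(Resource::isTrackedJar).toList();
        if (jars.size() != times.size()) {
            return true;
        }
        return anyJarChanged(jars, times);
    }

    private static boolean anyJarChanged(List<Resource> lib, Map<String, Long> times) {
        for (Resource r : lib) {
            if (!r.isTrackedJar()) {
                continue;
            }
            Long recorded = times.get(r.name());
            if (recorded == null || recorded != r.lastModified()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample listing of WEB-INF/lib: two jars and a text file.
        List<Resource> lib = List.of(
                new Resource("a.jar", true, true, 1000L),
                new Resource("b.jar", true, true, 2000L),
                new Resource("howTo.txt", true, true, 3000L));
        Map<String, Long> times = snapshot(lib);

        System.out.println("unchanged, unfiltered check: " + modifiedUnfiltered(lib, times));
        System.out.println("unchanged, filtered check:   " + modifiedFiltered(lib, times));

        // A real change (b.jar rebuilt) must still be detected after filtering.
        List<Resource> rebuilt = List.of(lib.get(0),
                new Resource("b.jar", true, true, 2500L), lib.get(2));
        System.out.println("b.jar touched, filtered:     " + modifiedFiltered(rebuilt, times));
    }
}
```

Run it with `java JarChangeCheck.java`; the unfiltered check reports a modification on an unchanged directory because of `howTo.txt`, while the filtered check only fires once `b.jar` really changes.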
Re: Problem configuring SSL
Gentlemen, thanks a lot for your help. I figured out what the problem was.
It was not related to tomcat configuration, but to my keystore. The reason
is that once you import a client certificate under the same alias as the
private pair, they both get merged under the same alias inside keystore.
Using keytool -delete command, meant to remove the certificate only,
deletes the private pair as well. I noticed that once I dumped keystore
content for my keystore and a keystore on one of my other servers. Luckily,
I had a backup of the keystore I made right after it was created. Importing
the certificates into that keystore resolved the issue.

On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Alex,
>
> On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > I have a strange problem configuring SSL to work with Tomcat.
> > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> >
> > It's a new Tomcat installation. All keystore operations were done
> > with keytool. I imported CA root/intermediate certificate and
> > client certificate, configured SSL connector in server.xml. I have
> > this same setup on another server that works fine. Connecting to
> > this server via http works.
> >
> > 1. If I try to connect this address via https in Chrome I get:
> > "This Webpage is not available." In Firefox: "Error code:
> > ssl_error_no_cypher_overlap"
>
> Sounds familiar.
>
> Please post your configuration(s) from your server.xml
> file. Remember to remove any sensitive information from the configuration.
>
> Also please post all of the startup messages from Tomcat's
> logs/catalina.out file: we need to see the versions of various things
> and what components (if any) suffer problems starting up.
>
> > 3. Here's a list of enabled ciphers using SSLInfo:
> >
> > #java -showversion SSLInfo
>
> Nice to see someone is getting some use out of that. ;)
>
> -chris

--
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University
a-ko...@northwestern.edu
Re: detailed APR/SSL logging
I am still sticking to my opinion: the patches needed to be applied for TLS 1.2
SSL/APR. Everything is working after applying the patch, just not with these chain
ECC certs. I am just looking around where to get the detailed logs.

On Tue, Jan 7, 2014 at 11:11 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Sanaullah,
>
> On 1/7/14, 8:06 AM, Sanaullah wrote:
> > This issue is only with my ECC certificates. The whole
> > configuration works pretty good with TLS1.2 when I am using the RSA
> > certs. openssl self-signed ECC certs are also working.
> >
> > On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah wrote:
> >
> >> Here is my configuration. I am using openssl. I haven't installed
> >> any certificate to JVM truststore.
> >>
> >> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> >> SSLProtocol="All"
> >> SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> >> SSLCertificateFile="/home/san/certs/pay-test/test.pem"
> >> SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
Re: Problem configuring SSL
Alex,

On 1/7/14, 2:41 PM, Alex Kogan wrote:
> Gentlemen, thanks a lot for your help. I figured out what the
> problem was. It was not related to tomcat configuration, but to my
> keystore. The reason is that once you import a client certificate
> under the same alias as the private pair, they both get merged
> under the same alias inside keystore. Using keytool -delete
> command, meant to remove the certificate only, deletes the private
> pair as well. I noticed that once I dumped keystore content for my
> keystore and a keystore on one of my other servers. Luckily, I had
> a backup of the keystore I made right after it was created.
> Importing the certificates into that keystore resolved the issue.

Java keystores are a nightmare. I try to avoid them whenever possible.

-chris
Re: Packet misses in Tomcat
Christopher,

Christopher Schultz wrote:
> André,
>
> On 1/7/14, 5:09 AM, André Warnier wrote:
>> I do not pretend to know your system, nor your application, nor that
>> the following is a definite explanation. But on the base of the
>> currently available data, I would say :
>> - it is quite unlikely that Tomcat 7 is randomly "dropping requests".
>> If it was, then I would imagine that this list would be overflowing
>> with cries for help. There is quite a bit of traffic on this list
>> related to Tomcat 7, but I don't recall seeing any significant number
>> of issues mentioning "dropped requests".
>> - it also doesn't seem, from your wireshark-related observations, that
>> the requests are being lost outside of Tomcat.
>> - so I would say at this point, that the most likely place for requests
>> to disappear is in your own application.
>
> It seems that Tomcat is not logging the request in its access log, so
> it's more likely that the request is either malformed to such an extent
> that Tomcat rejects the request altogether or that the request never
> reaches Tomcat.
...

Hi.
Of course I am going essentially by what the OP provided earlier as information, and he has not provided much details on the "disappearing" requests themselves, or on the channel through which these requests were reaching Tomcat.

But one thing that he did mention, is that these requests are similar - and even in general the same - as other requests which do get processed normally. As per his own words :

"For the query regarding "All requests", all requests do not disappear. More importantly, sometimes all requests reach the application when I POST same set of requests. To give a rough picture, 1-2 requests fail in a set of 45-50 requests and this behaviour varies [The request which failed in my one test cycle succeeds in another cycle]."

If we take this at face value, then it should not be so that these requests are so malformed that Tomcat discards them without further ado.

Also - but maybe I'm wrong there - I would expect, if Tomcat discards a request for being malformed - that something would appear in the Tomcat error log. But according to the OP it doesn't.

Finally - and there is a bit of an assumption on my part here - I assume that when the OP says that he sees the request with Wireshark (prior to it "disappearing" in Tomcat), he was running Wireshark on the Tomcat host itself. That would make it unlikely that another external component is at play.

All of the above led me to suspect that something in the application itself may be playing a role here.

Of course, that all does not necessarily prove that some other component than Tomcat is not dropping some packets/requests.
RE: Problem configuring SSL
> Date: Tue, 7 Jan 2014 14:41:15 -0500
> Subject: Re: Problem configuring SSL
> From: a-ko...@northwestern.edu
> To: users@tomcat.apache.org
>
> Gentlemen, thanks a lot for your help. I figured out what the problem was.
> It was not related to tomcat configuration, but to my keystore. The reason
> is that once you import a client certificate under the same alias as the
> private pair, they both get merged under the same alias inside keystore.
> Using keytool -delete command, meant to remove the certificate only,
> deletes the private pair as well. I noticed that once I dumped keystore
> content for my keystore and a keystore on one of my other servers. Luckily,
> I had a backup of the keystore I made right after it was created. Importing
> the certificates into that keystore resolved the issue.

MG>I *hope* you enabled at least ONE cipher for SSL Connector
MG>Usually the big players (Verisign/Thawte) will provide valid CA cert/valid key in the supplied pfx
MG>glad to hear that worked for you