detailed APR/SSL logging
Hi, does anyone know how I can get the detailed APR/SSL debug logs? I need to know where my SSL session is getting broken. There is nothing in the catalina.out log.

usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-0.0.0.0-8443]
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 696 ms
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-0.0.0.0-8443]
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 935 ms

-- Server looks up properly with openssl and certs, but when I try to connect to it with openssl s_client it is getting an error --

root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
CONNECTED(0003)
write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02
read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
0000 - 02 28
3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
3074095420:error:1409E0E5:SSL
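
Added example, not part of the original post: the two reads at the end of the s_client -debug output above (15 03 03 00 02, then 02 28) are a TLS record header and a two-byte alert body, which is where "SSL alert number 40" comes from. The Python below decodes such bytes; the function names are hypothetical, the alert names follow RFC 5246, and the second and third inputs in the demo are constructed.

```python
import struct

CONTENT_TYPE_ALERT = 21  # 0x15, first byte of the record header
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions defined in RFC 5246, section 7.2
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}


def parse_hex(octets):
    """Convert a row of s_client-style hex octets ('15 03 03 00 02') to bytes."""
    return bytes.fromhex(octets.replace("-", " "))


def split_records(data):
    """Split a byte stream into (content_type, (major, minor), body) records.

    Raises ValueError when a header or body is cut short, so a partial
    capture is reported instead of being silently mis-decoded.
    """
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError(
                f"record at offset {offset} declares {length} bytes, "
                f"only {len(body)} present")
        records.append((ctype, (major, minor), body))
        offset += 5 + length
    return records


def decode_alerts(data):
    """Return one dict per alert record found in the stream."""
    alerts = []
    for ctype, version, body in split_records(data):
        if ctype != CONTENT_TYPE_ALERT:
            continue
        entry = {"version": VERSIONS.get(version, "unknown %d.%d" % version)}
        if len(body) == 2:
            # Plaintext alert: one byte of level, one byte of description.
            level, code = body
            entry.update(
                level=ALERT_LEVELS.get(level, f"unknown({level})"),
                code=code,
                description=ALERT_DESCRIPTIONS.get(code, f"unknown({code})"))
        else:
            # After ChangeCipherSpec the alert body is encrypted and longer.
            entry.update(level="encrypted", code=None,
                         description="encrypted alert, cannot decode")
        alerts.append(entry)
    return alerts


if __name__ == "__main__":
    # Bytes taken from the two "read from" lines in the post.
    from_post = parse_hex("15 03 03 00 02") + parse_hex("02 28")
    print(decode_alerts(from_post))
    # Constructed input: a 1-byte handshake record, then a warning alert.
    constructed = parse_hex("16 03 03 00 01 00 15 03 01 00 02 01 00")
    print(decode_alerts(constructed))
    # Constructed input: alert record whose body is cut short.
    try:
        decode_alerts(parse_hex("15 03 03 00 02 02"))
    except ValueError as exc:
        print("rejected:", exc)
```

RFC 5246 defines handshake_failure as the sender being unable to negotiate an acceptable set of security parameters given the options available, so the alert narrows the failure to negotiation on the server side rather than to the transport.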
Re: Packet misses in Tomcat
Divyaprakash Y wrote:

Issue: Few packets do not reach the application servlet but tomcat receives them. The missing packets reach the HTTP layer and thereafter they disappear. This issue is not frequent but occasionally consistent. For the POSTs of missing packet I am not able to find the entry in localhost_access_log.

How do you know that the packet reaches tomcat if there is no matching entry in localhost_access.log? Does all other access appear in this file?

I could see the packet in the wireshark capture and it has reached HTTP layer so I thought it has reached Tomcat; I may be wrong here. Also, as far as my observation, every hit to the application URLs was getting logged in local access log.

And is there anything in the Tomcat error logs? (Or the Windows Event logs)

A HTTP request might be discarded by Tomcat for various reasons (*) before it is ever mapped to an application. In such a case, there is probably also no log of the request in the Access log. But I would expect some error message in the Tomcat error logs.

(*) Invalid HTTP request, incomplete request, etc. If there are really packets being lost somewhere, then for POST requests the request size would not match the Content-length header, and that may be one of these cases.

I must say that the packets lost hypothesis sounds a bit iffy to me. This is TCP, which should detect missing packets and cause a client connection abort if it was the case. The invalid HTTP request being rejected by Tomcat sounds more probable to me.

I could not find anything (Exception) in tomcat std error log file or any file in the log folder. But I have not checked the Windows event logs. Will do that. Regarding the content length, there is no mismatch as I have validated using Wireshark and also the same packets (in terms of structure) have reached the application previously. W.r.t. the last point, I could see TCP ACK for the received packet in the wireshark and the packet has reached HTTP layer which goes missing thereafter.

What do you mean exactly by the packet has reached HTTP layer? Are you using the word packet in the TCP/IP sense here, or do you mean HTTP request (composed of one or more TCP/IP packets)? Does one complete HTTP POST request (headers and body) fit into one TCP packet?

And how exactly do you recognise that some particular packet (or HTTP request) has not been processed by the application? Do these disappearing requests have some special characteristic that allows you to distinguish them from other requests to the same application? Or is it so that all the requests for that same application disappear? Do all the ones that disappear have something in common, that other requests (which do not disappear) do not have?

Suggestion: paste the content of your Tomcat's server.xml file in your next message, after removing any private information such as host name or IP, passwords etc. (Do not send it as attachment, this list often removes them).

Actually, I meant HTTP request has reached HTTP Layer. I could recognise the miss as some noticeable activity will happen upon the reception of the request in the application because of which it is easy to identify the misses in this case when compared to other requests.

For the query regarding All requests, all requests do not disappear. More importantly, sometimes all requests reach the application when I POST same set of requests. To give a rough picture, 1-2 requests fail in a set of 45-50 requests and this behaviour varies [The request which failed in my one test cycle succeeds in another cycle]. I could see this in Tomcat 7.0 and Tomcat 7.0.42.

Here is the server.xml details:

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8105" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  ! Listener
RE: detailed APR/SSL logging
Date: Tue, 7 Jan 2014 14:51:21 +0500
Subject: detailed APR/SSL logging
From: sanaulla...@gmail.com
To: users@tomcat.apache.org
Re: detailed APR/SSL logging
Here is my configuration. I am using openssl. I haven't installed any certificate to JVM truststore.

<Connector address="0.0.0.0" port="8443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" SSLProtocol="All"
           SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
           SSLCertificateFile="/home/san/certs/pay-test/test.pem"
           SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>

On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty mgai...@hotmail.com wrote:
> Date: Tue, 7 Jan 2014 14:51:21 +0500
> Subject: detailed APR/SSL logging
> From: sanaulla...@gmail.com
> To: users@tomcat.apache.org
>
> Hi, does anyone know how I can get the detailed APR/SSL debug logs? I need to know where my SSL session is getting broken. There is nothing in the catalina.out log.
>
> usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Re: detailed APR/SSL logging
This issue is only with my ECC certificates. The whole configuration works pretty good with TLS1.2 when I am using the RSA certs. OpenSSL self-signed ECC certs are also working.

On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah sanaulla...@gmail.com wrote:
> Here is my configuration. I am using openssl. I haven't installed any certificate to JVM truststore.
>
> <Connector address="0.0.0.0" port="8443" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" SSLProtocol="All"
>            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
>            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>
> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty mgai...@hotmail.com wrote:
> > Date: Tue, 7 Jan 2014 14:51:21 +0500
> > Subject: detailed APR/SSL logging
> > From: sanaulla...@gmail.com
> > To: users@tomcat.apache.org
> >
> > Hi, does anyone know how I can get the detailed APR/SSL debug logs? I need to know where my SSL session is getting broken. There is nothing in the catalina.out log.
> >
> > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Re: Packet misses in Tomcat
André,

On 1/7/14, 5:09 AM, André Warnier wrote:

I do not pretend to know your system, nor your application, nor that the following is a definite explanation. But on the base of the currently available data, I would say:

- it is quite unlikely that Tomcat 7 is randomly dropping requests. If it was, then I would imagine that this list would be overflowing with cries for help. There is quite a bit of traffic on this list related to Tomcat 7, but I don't recall seeing any significant number of issues mentioning dropped requests.
- it also doesn't seem, from your wireshark-related observations, that the requests are being lost outside of Tomcat.
- so I would say at this point, that the most likely place for requests to disappear is in your own application.

It seems that Tomcat is not logging the request in its access log, so it's more likely that the request is either malformed to such an extent that Tomcat rejects the request altogether or that the request never reaches Tomcat.

Divyaprakash, can you describe your deployment? Are you accessing Tomcat directly via HTTP? What networking components are between your test client(s) and Tomcat?
-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: detailed APR/SSL logging
Sanaullah,

On 1/7/14, 8:06 AM, Sanaullah wrote:
> This issue is only with my ECC certificates. The whole configuration works pretty good with TLS1.2 when I am using the RSA certs. OpenSSL self-signed ECC certs are also working.
>
> On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah sanaulla...@gmail.com wrote:
> > Here is my configuration. I am using openssl. I haven't installed any certificate to JVM truststore.
> >
> > <Connector address="0.0.0.0" port="8443" SSLEnabled="true"
> >            maxThreads="150" scheme="https" secure="true"
> >            clientAuth="false" SSLProtocol="All"
> >            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> >            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
> >            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
> >
> > On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty mgai...@hotmail.com wrote:
> > > Date: Tue, 7 Jan 2014 14:51:21 +0500
> > > Subject: detailed APR/SSL logging
> > > From: sanaulla...@gmail.com
> > > To: users@tomcat.apache.org
> > >
> > > Hi, does anyone know how I can get the detailed APR/SSL debug logs? I need to know where my SSL session is getting broken. There is nothing in the catalina.out log.
> > >
> > > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Re: rc-10 bug?
2014/1/6 Peter peterdni...@yahoo.com:
> Thanks to an email from Martin, I had a strong indicator of where to look.
>
> I checked out tomcat 8 from trunk and validated in eclipse in debug mode. (FYI build.properties.default is broken due to missing commons pool, had to tweak a bit).
>
> From webappclassloader.java snippet below (line 737), jars[] does not only contain jars, but also any other resources. I added a howTo.txt file in WEB-INF/lib, which results in jars.length will NEVER equal jarModificationTimes.size().
>
> Fix is simple - just filter out the non-jar, non-executable elements before comparing.
> Workaround is equally trivial - remove said elements from the lib folder.
>
> Hope this helps,
> Peter
>
>     // Check if JARs have been added or removed
>     WebResource[] jars = resources.listResources("/WEB-INF/lib");
>     if (jars.length > jarModificationTimes.size()) {
>         log.info(sm.getString("webappClassLoader.jarsAdded",
>                 resources.getContext().getName()));
>         return true;
>     } else if (jars.length < jarModificationTimes.size()){
>         log.info(sm.getString("webappClassLoader.jarsRemoved",
>                 resources.getContext().getName()));
>         return true;
>     }
>
>     for (WebResource jar : jars) {
>         if (jar.getName().endsWith(".jar") && jar.isFile() && jar.canRead()) {

Thank you. I filed this into Bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55970

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
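The count mismatch Peter describes, as an added example (this is not Tomcat's code and not code from the post). `LibEntry`, `isTrackedJar` and the sample JAR names are hypothetical, and the example assumes that modification times are recorded only for entries that pass the `.jar` check in the quoted loop.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class JarCountCheck {
    // Hypothetical stand-in for the WebResource entries listed under /WEB-INF/lib.
    static final class LibEntry {
        final String name;
        final boolean file;
        final boolean readable;
        LibEntry(String name, boolean file, boolean readable) {
            this.name = name;
            this.file = file;
            this.readable = readable;
        }
    }

    // Same predicate the loop in the quoted snippet applies to each entry.
    static boolean isTrackedJar(LibEntry e) {
        return e.name.endsWith(".jar") && e.file && e.readable;
    }

    // Comparison as in the quoted snippet: every listed entry is counted.
    static boolean changedUnfiltered(List<LibEntry> listed, Map<String, Long> tracked) {
        return listed.size() != tracked.size();
    }

    // Comparison after filtering out non-JAR entries, as the post suggests.
    static boolean changedFiltered(List<LibEntry> listed, Map<String, Long> tracked) {
        int jarCount = 0;
        for (LibEntry e : listed) {
            if (isTrackedJar(e)) {
                jarCount++;
            }
        }
        return jarCount != tracked.size();
    }

    public static void main(String[] args) {
        // Constructed sample: two JARs plus the howTo.txt file mentioned in the post.
        List<LibEntry> listed = new ArrayList<>();
        listed.add(new LibEntry("app.jar", true, true));
        listed.add(new LibEntry("util.jar", true, true));
        listed.add(new LibEntry("howTo.txt", true, true));

        // Assumption: only entries passing the predicate get a recorded timestamp.
        Map<String, Long> tracked = new HashMap<>();
        for (LibEntry e : listed) {
            if (isTrackedJar(e)) {
                tracked.put(e.name, 1389052800000L);
            }
        }

        // Nothing changed on disk, yet the unfiltered count reports a change every time.
        System.out.println("unfiltered reports change: " + changedUnfiltered(listed, tracked));
        System.out.println("filtered reports change:   " + changedFiltered(listed, tracked));
    }
}
```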
Re: Problem configuring SSL
Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to tomcat configuration, but to my keystore.

The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside keystore. Using keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped keystore content for my keystore and a keystore on one of my other servers.

Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue.

On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Alex,
>
> On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > I have a strange problem configuring SSL to work with Tomcat.
> >
> > Environment:
> > Tomcat 7.0.42
> > CentOS 5.10
> > Java 1.7.0_45
> >
> > It's a new Tomcat installation. All keystore operations were done with keytool. I imported CA root/intermediate certificate and client certificate, configured SSL connector in server.xml. I have this same setup on another server that works fine. Connecting to this server via http works.
> >
> > 1. If I try to connect this address via https in Chrome I get: This Webpage is not available. In Firefox: Error code: ssl_error_no_cypher_overlap
>
> Sounds familiar.
>
> Please post your Connector configuration(s) from your server.xml file. Remember to remove any sensitive information from the configuration.
>
> Also please post all of the startup messages from Tomcat's logs/catalina.out file: we need to see the versions of various things and what components (if any) suffer problems starting up.
>
> > 3. Here's a list of enabled ciphers using SSLInfo:
> > #java -showversion SSLInfo
>
> Nice to see someone is getting some use out of that. ;)
>
> -chris

--
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University
a-ko...@northwestern.edu
Re: detailed APR/SSL logging
I still stick to my opinion: the patches needed to be applied for TLS 1.2 SSL/APR. Everything is working after applying the patch, just this chain ECC certs. I am just looking around where to get the detailed logs.

On Tue, Jan 7, 2014 at 11:11 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> Sanaullah,
>
> On 1/7/14, 8:06 AM, Sanaullah wrote:
> > This issue is only with my ECC certificates. The whole configuration works pretty good with TLS1.2 when I am using the RSA certs. openssl self-signed ECC certs are also working.
> >
> > On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah sanaulla...@gmail.com wrote:
> > > Here is my configuration. I am using openssl. I haven't installed any certificate to JVM truststore.
> > >
> > > <Connector address="0.0.0.0" port="8443" SSLEnabled="true"
> > >            maxThreads="150" scheme="https" secure="true"
> > >            clientAuth="false" SSLProtocol="All"
> > >            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> > >            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
> > >            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
> > >
> > > On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty mgai...@hotmail.com wrote:
> > > > Date: Tue, 7 Jan 2014 14:51:21 +0500
> > > > Subject: detailed APR/SSL logging
> > > > From: sanaulla...@gmail.com
> > > > To: users@tomcat.apache.org
> > > >
> > > > Hi,
> > > >
> > > > Anyone knows, how do I can get the detailed APR/SSL debug logs. I need to know where my SSL session is getting broken? There is nothing in the catalina.out log.
> > > >
> > > > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> > > > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
> > > > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> > > > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > > > INFO: Initializing ProtocolHandler [http-apr-8080]
> > > > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> > > > INFO: Initializing ProtocolHandler [http-apr-0.0.0.0-8443]
> > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
> > > > INFO: Initialization processed in 696 ms
> > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
> > > > INFO: Starting service Catalina
> > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
> > > > INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
> > > > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
> > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
> > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
> > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
> > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> > > > INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
> > > > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> > > > INFO: Starting ProtocolHandler [http-apr-8080]
> > > > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> > > > INFO: Starting ProtocolHandler [http-apr-0.0.0.0-8443]
> > > > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
> > > > INFO: Server startup in 935 ms
> > > >
> > > > Server looks up properly with openssl and certs but when I try to connect to it with openssl s_client it's getting an error:
> > > >
> > > > root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
> > > > CONNECTED(0003)
> > > > write to 0x8a03258 [0x8a0cfe3] (319 bytes = 319 (0x13F))
Re: Problem configuring SSL
Alex,

On 1/7/14, 2:41 PM, Alex Kogan wrote:
> Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to tomcat configuration, but to my keystore.
>
> The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside keystore. Using keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped keystore content for my keystore and a keystore on one of my other servers.
>
> Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue.

Java keystores are a nightmare. I try to avoid them whenever possible.

-chris
Re: Packet misses in Tomcat
Christopher,

Christopher Schultz wrote:
> André,
>
> On 1/7/14, 5:09 AM, André Warnier wrote:
> > I do not pretend to know your system, nor your application, nor that the following is a definite explanation. But on the base of the currently available data, I would say :
> >
> > - it is quite unlikely that Tomcat 7 is randomly dropping requests. If it was, then I would imagine that this list would be overflowing with cries for help. There is quite a bit of traffic on this list related to Tomcat 7, but I don't recall seeing any significant number of issues mentioning dropped requests.
> > - it also doesn't seem, from your wireshark-related observations, that the requests are being lost outside of Tomcat.
> > - so I would say at this point, that the most likely place for requests to disappear is in your own application.
>
> It seems that Tomcat is not logging the request in its access log, so it's more likely that the request is either malformed to such an extent that Tomcat rejects the request altogether or that the request never reaches Tomcat.
> ...

Hi.

Of course I am going essentially by what the OP provided earlier as information, and he has not provided much details on the disappearing requests themselves, or on the channel through which these requests were reaching Tomcat.

But one thing that he did mention, is that these requests are similar - and even in general the same - as other requests which do get processed normally. As per his own words :

> For the query regarding All requests, all requests do not disappear. More importantly, sometimes all requests reach the application when I POST same set of requests. To give a rough picture, 1-2 requests fail in a set of 45-50 requests and this behaviour varies [The request which failed in my one test cycle succeeds in another cycle].

If we take this at face value, then it should not be so that these requests are so malformed that Tomcat discards them without further ado.

Also - but maybe I'm wrong there - I would expect, if Tomcat discards a request for being malformed - that something would appear in the Tomcat error log. But according to the OP it doesn't.

Finally - and there is a bit of an assumption on my part here - I assume that when the OP says that he sees the request with Wireshark (prior to it disappearing in Tomcat), he was running Wireshark on the Tomcat host itself. That would make it unlikely that another external component is at play.

All of the above led me to suspect that something in the application itself may be playing a role here.

Of course, that all does not necessarily prove that some other component than Tomcat is not dropping some packets/requests.
RE: Problem configuring SSL
> Date: Tue, 7 Jan 2014 14:41:15 -0500
> Subject: Re: Problem configuring SSL
> From: a-ko...@northwestern.edu
> To: users@tomcat.apache.org
>
> Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to tomcat configuration, but to my keystore.
>
> The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside keystore. Using keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped keystore content for my keystore and a keystore on one of my other servers.
>
> Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue.

MG>I *hope* you enabled at least ONE cipher for SSL Connector
MG>Usually the big players (Verisign/Thawte) will provide valid CA cert/valid key in the supplied pfx
MG>glad to hear that worked for you

> On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz ch...@christopherschultz.net wrote:
> > Alex,
> >
> > On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > > I have a strange problem configuring SSL to work with Tomcat.
> > >
> > > Environment:
> > > Tomcat 7.0.42
> > > CentOS 5.10
> > > Java 1.7.0_45
> > >
> > > It's a new Tomcat installation. All keystore operations were done with keytool. I imported CA root/intermediate certificate and client certificate, configured SSL connector in server.xml. I have this same setup on another server that works fine. Connecting to this server via http works.
> > >
> > > 1. If I try to connect this address via https in Chrome I get: This Webpage is not available. In Firefox: Error code: ssl_error_no_cypher_overlap
> >
> > Sounds familiar.
> >
> > Please post your Connector configuration(s) from your server.xml file. Remember to remove any sensitive information from the configuration.
> >
> > Also please post all of the startup messages from Tomcat's logs/catalina.out file: we need to see the versions of various things and what components (if any) suffer problems starting up.
> >
> > > 3. Here's a list of enabled ciphers using SSLInfo:
> > > #java -showversion SSLInfo
> >
> > Nice to see someone is getting some use out of that. ;)
> >
> > -chris
>
> --
> Software Engineer
> Department of Psychiatry and Behavioral Sciences
> Northwestern University
> a-ko...@northwestern.edu