Re: JSVC error
I'm able to build the jsvc successfully from the "commons-daemon-1.0.15-native-src" file. Thanks for suggesting that. I've configured the below in my Tomcat startup script, and with this I am able to start my Tomcat without any segmentation error.

I need this JSVC setup in order to start/stop the Tomcat instance from the PSI PROBE application (http://code.google.com/p/psi-probe/).

The problem now is that my Tomcat is getting started properly with the below script, but even then on the PROBE screen I'm seeing the below message.

++ PROBE Message on Wrapper Control link +++
this JVM is not controlled by Java Service Wrapper
+++

I was under the impression that with JSVC I'd be able to start/stop the JVM via PROBE, but it's not happening; please suggest what I'm doing wrong.

Startup script:

    CATALINA_BASE=/root/test/tomcattest
    CATALINA_HOME=/root/test/apache-tomcat-7.0.39
    cd $CATALINA_BASE
    ./bin/jsvc \
      -cp $CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/tomcat-juli.jar \
      -outfile $CATALINA_BASE/logs/catalina.out \
      -errfile $CATALINA_BASE/logs/catalina.err \
      -Dcatalina.home=$CATALINA_HOME \
      -pidfile "/root/test/tomcattest/pid" \
      -Dcatalina.base=$CATALINA_BASE \
      -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
      -Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties \
      org.apache.catalina.startup.Bootstrap start

From: vicky
To: Tomcat Users List; Tomcat Users List
Sent: Saturday, 4 January 2014 9:37 AM
Subject: Re: JSVC error

Thanks everybody for sharing your thoughts. Can you also please suggest which of the following files I need to download for my Linux machine, as I'm not sure which one to select?

Download link ==> http://www.apache.org/dist/commons/daemon/source/

    commons-daemon-1.0.15-native-src.tar.gz        2013-04-02 14:03   200K  GZIP compressed document
    commons-daemon-1.0.15-native-src.tar.gz.asc    2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-native-src.tar.gz.md5    2013-04-02 14:03     74  MD5 checksum file
    commons-daemon-1.0.15-native-src.tar.gz.sha1   2013-04-02 14:03     82  SHA1 checksum file
    commons-daemon-1.0.15-native-src.zip           2013-04-02 14:03   255K  ZIP compressed archive
    commons-daemon-1.0.15-native-src.zip.asc       2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-native-src.zip.md5       2013-04-02 14:03     71  MD5 checksum file
    commons-daemon-1.0.15-native-src.zip.sha1      2013-04-02 14:03     79  SHA1 checksum file
    commons-daemon-1.0.15-src.tar.gz               2013-04-02 14:03   284K  GZIP compressed document
    commons-daemon-1.0.15-src.tar.gz.asc           2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-src.tar.gz.md5           2013-04-02 14:03     67  MD5 checksum file
    commons-daemon-1.0.15-src.tar.gz.sha1          2013-04-02 14:03     75  SHA1 checksum file
    commons-daemon-1.0.15-src.zip                  2013-04-02 14:03   377K  ZIP compressed archive
    commons-daemon-1.0.15-src.zip.asc              2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-src.zip.md5              2013-04-02 14:03     64  MD5 checksum file
    commons-daemon-1.0.15-src.zip.sha1             2013-04-02 14:03     72  SHA1 checksum file

Thanks
Vicky

From: André Warnier
To: Tomcat Users List
Sent: Friday, 3 January 2014 3:18 AM
Subject: Re: JSVC error

Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> André,
>
> On 12/31/13, 10:04 AM, André Warnier wrote:
>> vicky wrote:
>>> Even after defining the $CATALINA_PID & $JAVA_HOME variable,
>>> I'm still getting the segmentation error (detailed error mentioned
>>> below)
>>>
>> In my experience, a "segmentation fault" often occurs when the
>> *binary* that you are trying to run is not made for the platform
>> on which you are trying to run it.
>
> Nah, you get way weirder errors when that happens. jsvc is probably
> somewhat fragile when it gets unexpected input. While that should
> probably be fixed, the problem here is very likely to be
> configuration-related.
>

I was only talking about my experience. I don't usually do weird things. Your mileage may be different.

The OP never told us what "file jsvc" is telling him though.

For example, on one of our systems:

    # uname -a
    Linux server.company.com 2.6.26-2-amd64 #1 SMP Tue Jan 25 05:59:43 UTC 2011 x86_64 GNU/Linux
    # find / -name jsvc -exec file {} \;
    /usr/share/doc/jsvc: directory
    /usr/bin/jsvc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, stripped

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h..
Re: JSVC error
Thanks everybody for sharing your thoughts. Can you also please suggest which of the following files I need to download for my Linux machine, as I'm not sure which one to select?

Download link ==> http://www.apache.org/dist/commons/daemon/source/

    commons-daemon-1.0.15-native-src.tar.gz        2013-04-02 14:03   200K  GZIP compressed document
    commons-daemon-1.0.15-native-src.tar.gz.asc    2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-native-src.tar.gz.md5    2013-04-02 14:03     74  MD5 checksum file
    commons-daemon-1.0.15-native-src.tar.gz.sha1   2013-04-02 14:03     82  SHA1 checksum file
    commons-daemon-1.0.15-native-src.zip           2013-04-02 14:03   255K  ZIP compressed archive
    commons-daemon-1.0.15-native-src.zip.asc       2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-native-src.zip.md5       2013-04-02 14:03     71  MD5 checksum file
    commons-daemon-1.0.15-native-src.zip.sha1      2013-04-02 14:03     79  SHA1 checksum file
    commons-daemon-1.0.15-src.tar.gz               2013-04-02 14:03   284K  GZIP compressed document
    commons-daemon-1.0.15-src.tar.gz.asc           2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-src.tar.gz.md5           2013-04-02 14:03     67  MD5 checksum file
    commons-daemon-1.0.15-src.tar.gz.sha1          2013-04-02 14:03     75  SHA1 checksum file
    commons-daemon-1.0.15-src.zip                  2013-04-02 14:03   377K  ZIP compressed archive
    commons-daemon-1.0.15-src.zip.asc              2013-04-02 14:03    230  OpenPGP ASCII armored signature
    commons-daemon-1.0.15-src.zip.md5              2013-04-02 14:03     64  MD5 checksum file
    commons-daemon-1.0.15-src.zip.sha1             2013-04-02 14:03     72  SHA1 checksum file

Thanks
Vicky

From: André Warnier
To: Tomcat Users List
Sent: Friday, 3 January 2014 3:18 AM
Subject: Re: JSVC error

Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> André,
>
> On 12/31/13, 10:04 AM, André Warnier wrote:
>> vicky wrote:
>>> Even after defining the $CATALINA_PID & $JAVA_HOME variable,
>>> I'm still getting the segmentation error (detailed error mentioned
>>> below)
>>>
>> In my experience, a "segmentation fault" often occurs when the
>> *binary* that you are trying to run is not made for the platform
>> on which you are trying to run it.
>
> Nah, you get way weirder errors when that happens. jsvc is probably
> somewhat fragile when it gets unexpected input. While that should
> probably be fixed, the problem here is very likely to be
> configuration-related.
>

I was only talking about my experience. I don't usually do weird things. Your mileage may be different.

The OP never told us what "file jsvc" is telling him though.

For example, on one of our systems:

    # uname -a
    Linux server.company.com 2.6.26-2-amd64 #1 SMP Tue Jan 25 05:59:43 UTC 2011 x86_64 GNU/Linux
    # find / -name jsvc -exec file {} \;
    /usr/share/doc/jsvc: directory
    /usr/bin/jsvc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, stripped
Re: Symantec SSL cert in tomcat 6
Martin,

On 4.1.2014 0:27, Martin Gainty wrote:
> With JKS keystore you must keep private key and certificates in the same keystore.
> MG>Since a pfx that Verisign provides contains key and cert
> MG>"Windows servers use .pfx files to contain the public key files (your SSL Certificate files, provided by DigiCert) and
> MG>the associated private key file (generated by your server as part of the CSR)."
> MG>perhaps you are referring to the key/certificate combination in pfx?

No, not really. We are talking about Tomcat and JKS, not Windows servers and pfx.

-Ognjen
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>
> The only evidence you have provided is that your single chosen cipher is not implemented by the version of Firefox you're using - which has nothing to do with Tomcat. The TCP capture you provided is just text rather than a useful .pcap file, and no one's going to waste their time digging through raw bits when any decent protocol analyzer would do the job automatically.
>
> - Chuck
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

It's been years (more than I care to count) since I've read raw packet data, but at first glance I do not see the browser (172.16.50.10) initiating a TLSv1.2 Client Hello.

I'm looking at the following line:

    0030  c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05  .9.8

I expect to see something like:

    16 03 01

starting at octet 36. Instead, I see:

    00 87 00

I don't know if that's because the information is encrypted, or what. However, it doesn't look like what I see when I aim Firefox 26.0 at an HTTPS site.

I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or CentOS). If so, get that and look for the TLSv1.2 Client Hello coming from your browser. If it's not coming from your browser, then something else is wrong.

Are you addressing example.com with https://example.com:8443/ in your browser?

As has been pointed out, this is an all-volunteer list (taking a break from writing an RFP here). Making it difficult to answer questions (incorrect, incomplete, or difficult to parse information) will not encourage volunteers to step forth.

. . . . Friday night RFP response writing
/mde/
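An added example (mine, not from any poster in this thread) that does programmatically what the message above does by eye: it parses a TLS ClientHello record, reports the client's version and offered cipher suites, and checks them against the server's single configured suite, which is the "no common encryption algorithm(s)" condition Firefox reports. The ClientHello bytes are constructed here; the sample suite list reuses the eight 16-bit code points visible in the quoted "0030" hex line, and the suite names come from the IANA TLS cipher suite registry.

```python
import struct

# Cipher suite code points from the IANA TLS registry. 0xC023 is the one the
# Tomcat connector in this thread is pinned to (OpenSSL name ECDHE-ECDSA-AES128-SHA256).
SUITE_NAMES = {
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0xC00F: "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
}
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# Server side: the single suite that SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256" allows.
SERVER_SUITES = {0xC023}


def build_client_hello(client_version, suites):
    """Assemble a minimal ClientHello record (constructed test input; no extensions)."""
    body = bytes(client_version)       # client_version, e.g. (3, 3) for TLS 1.2
    body += bytes(32)                  # client random; zeros are fine for a parser test
    body += b"\x00"                    # session_id length 0
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    # Record header: content type 0x16, record version 3.1, length -> the "16 03 01" bytes.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, offered_suites); raise ValueError if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record (content type must be 0x16)")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello (handshake type 0x01)")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1 + 2:
        raise ValueError("truncated ClientHello body")
    client_version = (body[0], body[1])
    pos = 2 + 32 + 1 + body[34]        # skip version, random and session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    offered = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return client_version, offered


def is_client_hello(record):
    """Yes/no form for code that scans captured records."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


def common_suites(offered, server_suites):
    """Suites both sides accept, in the client's preference order."""
    return [s for s in offered if s in server_suites]


def diagnose(record, server_suites=SERVER_SUITES):
    """Summarise a ClientHello like a protocol analyser would, plus the overlap verdict."""
    version, offered = parse_client_hello(record)
    overlap = common_suites(offered, server_suites)

    def name(s):
        return SUITE_NAMES.get(s, "0x%04X" % s)

    return {
        "client_version": VERSION_NAMES.get(version, "unknown %r" % (version,)),
        "offered": [name(s) for s in offered],
        "overlap": [name(s) for s in overlap],
        "handshake_can_succeed": bool(overlap),
    }


# Constructed sample: a TLS 1.2 ClientHello offering the eight suites whose code
# points appear in the "0030 c0 0a c0 14 ..." hex line quoted in the thread.
FIREFOX_LIKE_SUITES = [0xC00A, 0xC014, 0x0088, 0x0087, 0x0039, 0x0038, 0xC00F, 0xC005]
SAMPLE_HELLO = build_client_hello((3, 3), FIREFOX_LIKE_SUITES)

if __name__ == "__main__":
    report = diagnose(SAMPLE_HELLO)
    print("client offers", report["client_version"], "with suites:", report["offered"])
    print("overlap with server:", report["overlap"] or "none -> ssl_error_no_cypher_overlap")
    # Allowing a suite the client offers as well (here ECDHE-RSA-AES256-SHA) restores overlap.
    print("after widening SSLCipherSuite:", diagnose(SAMPLE_HELLO, {0xC023, 0xC014})["overlap"])
```

With a real capture, feed the first handshake record the client sends (the bytes starting at the 16 03 01 header) to diagnose(); an empty overlap list is the server-side view of the Firefox error.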
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 5:27 PM, Mudassir Aftab wrote:
> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

I wouldn't be too sure of that. It might be that Firefox doesn't implement your chosen cipher.

> On Jan 4, 2014 3:16 AM, "Caldarale, Charles R" wrote:
>> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>> > Did you get wireshark filtered output ?
>>
>> Everybody on this list is a volunteer, with their own real jobs to take care of. If you want immediate attention, you bloody well need to pay for it.
>>
>> - Chuck
RE: Symantec SSL cert in tomcat 6
MG>Ognjen

> Gene,
>
> On 3.1.2014 14:55, Gene Matthews wrote:
> > The Symantec instructions say to ensure the alias for the ssl cert has an
> > Entry Type of PrivateKeyEntry. Mine DOES NOT. Instructions say if it does
> > not, to please import the certificate in the "Private Key" alias.
>
> With JKS keystore you must keep private key and certificates in the same
> keystore.
MG>Since a pfx that Verisign provides contains key and cert
MG>"Windows servers use .pfx files to contain the public key files (your SSL Certificate files, provided by DigiCert) and
MG>the associated private key file (generated by your server as part of the CSR)."
MG>perhaps you are referring to the key/certificate combination in pfx?

> Therefore, you shouldn't import server certificate and inter.
> certificates into brand new keystore, but into the "old" keystore -- the
> one you used to create key pair, and to generate CSR.
MG>CSR is the request to the CA authority (Verisign) to sign (digitally identify) this certificate
MG>A certificate signing request (also CSR or certification request) is a message sent from an applicant to a
MG>certificate authority in order to apply for a digital identity certificate. The most common format for CSRs is the
MG>PKCS#10 specification
MG>
>
> I find it strange that Symantec/Verisign didn't mention that explicitly
> in their documentation.
MG>agreed

>
> > It also says to ensure the Certificate chain length is 4.
>
> Once you import certificates into the right keystore, check that again.
>
> > PS: How does one search the archives of this list? When I browse the
> > archive site I don't see a search field anywhere. So I've been googling
> > without coming up with a solution. It is probably out there but I don't
> > know enough to recognize it :-(
>
> http://tomcat.apache.org/lists.html
>
> Search for "Archives".
>
> -Ognjen
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

The only evidence you have provided is that your single chosen cipher is not implemented by the version of Firefox you're using - which has nothing to do with Tomcat. The TCP capture you provided is just text rather than a useful .pcap file, and no one's going to waste their time digging through raw bits when any decent protocol analyzer would do the job automatically.

- Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

On Jan 4, 2014 3:16 AM, "Caldarale, Charles R" wrote:
> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> > Did you get wireshark filtered output ?
>
> Everybody on this list is a volunteer, with their own real jobs to take
> care of. If you want immediate attention, you bloody well need to pay for
> it.
>
> - Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Did you get wireshark filtered output ?

Everybody on this list is a volunteer, with their own real jobs to take care of. If you want immediate attention, you bloody well need to pay for it.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Did you get wireshark filtered output?

Mudassir

On Sat, Jan 4, 2014 at 2:50 AM, Mudassir Aftab wrote:
> Please find attached wireshark file.
>
> On Sat, Jan 4, 2014 at 1:59 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>> > Also attached TCP dump logs
>>
>> Actually, you only attached the TCP headers, not the full capture. The
>> headers can't tell us anything.
>>
>> > I am again getting following error on FF26 with TLS 1.2 support
>> > Cannot communicate securely with peer: no common encryption algorithm(s).
>> > (Error code: ssl_error_no_cypher_overlap)
>>
>> Which would again indicate that the client (FF26) does not implement your
>> chosen cipher.
>>
>> - Chuck
Re: Symantec SSL cert in tomcat 6
Gene,

On 3.1.2014 14:55, Gene Matthews wrote:
> The Symantec instructions say to ensure the alias for the ssl cert has an
> Entry Type of PrivateKeyEntry. Mine DOES NOT. Instructions say if it does
> not, to please import the certificate in the "Private Key" alias.

With a JKS keystore you must keep the private key and certificates in the same keystore. Therefore, you shouldn't import the server certificate and inter. certificates into a brand new keystore, but into the "old" keystore -- the one you used to create the key pair and to generate the CSR.

I find it strange that Symantec/Verisign didn't mention that explicitly in their documentation.

> It also says to ensure the Certificate chain length is 4.

Once you import certificates into the right keystore, check that again.

> PS: How does one search the archives of this list? When I browse the
> archive site I don't see a search field anywhere. So I've been googling
> without coming up with a solution. It is probably out there but I don't
> know enough to recognize it :-(

http://tomcat.apache.org/lists.html

Search for "Archives".

-Ognjen
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Also attached TCP dump logs

Actually, you only attached the TCP headers, not the full capture. The headers can't tell us anything.

> I am again getting following error on FF26 with TLS 1.2 support
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)

Which would again indicate that the client (FF26) does not implement your chosen cipher.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

I have compiled tomcat-native-1.1.29-src.tar.gz with 1.0.1e-3ubuntu1 and tested it with a fresh apache-tomcat-7.0.47.tar.gz, and with the following connector settings:

Tomcat Logs:

    Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
    Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
    INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
    Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["http-apr-8443"]
    Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["http-apr-8080"]
    Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
    Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 3189 ms
    Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardService startInternal
    INFO: Starting service Catalina
    Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardEngine startInternal
    INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
    Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
    Jan 03, 2014 8:25:55 PM org.apache.catalina.util.SessionIdGenerator createSecureRandom
    INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [19,247] milliseconds.
    Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/docs
    Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/manager
    Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
    Jan 03, 2014 8:25:56 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/examples
    Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["http-apr-8443"]
    Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["http-apr-8080"]
    Jan 03, 2014 8:25:58 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["ajp-apr-8009"]

Also attached TCP dump logs. I am again getting the following error on FF26 with TLS 1.2 support:

Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

I am getting the following error while compiling tomcat-native-1.1.29-src with 1.0.1e-3ubuntu1; shall I ignore this?

    src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_make':
    src/sslcontext.c:77:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_client_method());
                     ^
    In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                     from src/sslcontext.c:30:
    /usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
     SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
              ^
    src/sslcontext.c:79:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_server_method());
                     ^
    In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                     from src/sslcontext.c:30:
    /usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
     SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
              ^
    src/sslcontext.c:81:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_method());
                     ^
    In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                     from src/sslcontext.c:30:
    /usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
     SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Sanaullah [mailto:sanaulla...@gmail.com]
> Subject: Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> The document which you were referring to,
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
> clearly states that only SSLv2, SSLv3, TLSv1 are supported by the SSLProtocol
> attribute.

TLSv1.1 and TLSv1.2 are included in TLSv1, when using the appropriate ciphers.

> TLSv1.1 and TLSV1.2 supported ciphers can't be invoked until TLSv1.1 and
> TLSv1.2 are enabled. See the supported cipher list for TLSV1.2 at the openssl link.
> http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

That's backwards; TLSv1.1 and TLSv1.2 are used automatically if TLSv1 is enabled and the client and server support v1.1 or v1.2 ciphers.

> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   ECDH-ECDSA-AES128-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   ECDH-ECDSA-AES256-SHA384
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   ECDH-ECDSA-AES128-GCM-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   ECDH-ECDSA-AES256-GCM-SHA384

Those all appear to be supported in OpenSSL 1.0.1e.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi, I just bolded it from GMAIL :)
RE: rc-10 bug?
> From: Peter [mailto:peterdni...@yahoo.com]
> Subject: rc-10 bug?

> In RC-10, testcase 2 seems to work, but every few seconds the container
> restarts with the following message:

> Jan 03, 2014 12:39:16 PM org.apache.catalina.loader.WebappClassLoader modified
> INFO: One of more JARs have been added to the web application
> [/Cssp3FactorySample]

Any chance that the timestamps on the various JARs are in the future? (Judging from the timestamp on the log entry, the system clock appears to be ok.)

- Chuck
rc-10 bug?
I have 2 integration scenarios, both of which work in all earlier Tomcat 6, 7, and 8.0.0.rc5:

1) tomcat.zip, unzipped, deployed ServletSample.war
2) tomcat.zip, unzipped, Spring jars added to tomcat lib, SpringSample.war deployed

In RC-10, testcase 2 seems to work, but every few seconds the container restarts with the following message:

    Jan 03, 2014 12:39:16 PM org.apache.catalina.loader.WebappClassLoader modified
    INFO: One of more JARs have been added to the web application [/Cssp3FactorySample]
    Jan 03, 2014 12:39:16 PM org.apache.catalina.core.StandardContext reload
    INFO: Reloading Context with name [/Cssp3FactorySample] has started

Just a heads up - if there are any suggestions to enable specific logging, I am willing to try.

Thanks,
- Peter
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="200"
> clientAuth="false"
> *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*

Why are there asterisks on that config line? Remove them if they're actually present. Don't try to get cute with formatting tricks like bolding text, since this is a plaintext mailing list.

> Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)

You need to update the OpenSSL version to 1.0.1e, which contains fixes for TLS 1.1 and 1.2 negotiation. Once that's installed (and tcnative rebuilt), verify that the desired cipher is available with the "openssl ciphers" command.

You also need to confirm that your client is capable of TLSv1.2 using the above cipher. As stated before, getting a Wireshark or tcpdump trace of the negotiation would show what the client allows.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 12:14 PM, Mudassir Aftab wrote:
> *Connector Settings:*

Do you really have the asterisks around this in your config?

>            scheme="https" secure="true" SSLEnabled="true"
>            SSLCertificateFile="/home/mudassir/pay/p.pem"
>            SSLCertificateKeyFile="/home/mudassir/p-key.pem"
>            SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
>
> *Tomcat Logs:*
>
> *Firefox Error: Version 26*
>
> Secure Connection Failed
>
> An error occurred during a connection to pay.upaga.net:8443.
>
> Cannot communicate securely with peer: no common encryption algorithm(s).
>
> (Error code: ssl_error_no_cypher_overlap)

Does firefox support "ECDHE-ECDSA-AES128-SHA256"? I don't know...
RE: What if my database is unavailable at startup?
> -Original Message- > From: Jose María Zaragoza [mailto:demablo...@gmail.com] > Sent: Friday, December 13, 2013 2:33 PM > To: Tomcat Users List > Subject: Re: What if my database is unavailable at startup? > > 2013/12/13 Dames, Kristopher J : > >> With testOnBorrow="true" ( I think that is the default value in Tomcat > >> 6 ) + validationQuery="SELECT 1 FROM DUAL" , that should work > >> > > > > So you are saying my configuration should work as-is to allow Tomcat to > create a database connection pool to a database that was unavailable when > Tomcat was started? > > > Yes , I do it and it works > But I dont use some parameters like maxOpenPreparedStatements , > accessToUnderlyingConnectionAllowed > Furthermore, I use default values for testOnXXX > The others , at first sight, are similar > Tomcat appears to be working properly. Another webapp in the same Tomcat instance does recover once the database becomes available. The one that does not is using an older Oracle driver. In addition, both are JRuby on Rails webapps and the non-working one is using an older version of Rails. So the issue seems to be with the webapp instead of with Tomcat itself. Thank you all for the input and direction! -- Kris Dames > >> I've never used > >> > >> maxOpenPreparedStatements="0" > >> accessToUnderlyingConnectionAllowed="false" > >> > >> what are they for ? > >> > > > > maxOpenPreparedStatements: The maximum number of open statements that can be > allocated from the statement pool at the same time > > accessToUnderlyingConnectionAllowed: Allows the raw physical connection to > the database to be accessed by the webapp > > > > This email contains information which may be PROPRIETARY IN NATURE OR > OTHERWISE PROTECTED BY LAW FROM DISCLOSURE and is intended only for the use of > the addresses(s) named above. If you have received this email in error, > please contact the sender immediately. 
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
*Connector Settings:*

*Tomcat Logs:*

Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 5:09:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2757 ms
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 5:09:51 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 5:09:54 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]

*Firefox Error: Version 26*

Secure Connection Failed
An error occurred during a connection to pay.upaga.net:8443.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 11:18 AM, Mudassir Aftab wrote:

> then what could be the working config !!! , can you edit and send it to me ?
>
> Regards,
> Mudassir Aftab

Go back and read this thread carefully. There have been several errors pointed out to you which you haven't yet fixed. Fix them (proofreading carefully!), test it, and if it still doesn't work, post your full config.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
then what could be the working config !!! , can you edit and send it to me ?

Regards,
Mudassir Aftab
Re: Define static html page or servlet if war is missing
2014/1/3 Beutel, Stephan :
> Hello,
>
> I want to display a static html page to the user if he wants to access a
> missing application.
> The goal is to display this page while updating (redeploy) the application to
> Tomcat.
> If the application is available, the user must access the application.
>
> Is there a possibility to do this?

Thread "Context Path for a subdirectory", December 2012
http://markmail.org/message/enzvids3wjm2jydl

Best regards,
Konstantin Kolinko
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: David kerber [mailto:dcker...@verizon.net]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> > Sorry for asking u same thing again and again, i have tried many things
> > from above document, but nothing works for me, also no errors in the log
> >
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > maxThreads="200"
> > clientAuth="false"
> > ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
> > scheme="https" secure="true" SSLEnabled="true"
> > SSLCertificateFile="/home/mudassir/pay/p.pem"
> > SSLCertificateKeyFile="/home/mudassir/p-key.pem"
> > SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
> >
> > SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
>
> If what you list here is what is really in your config file, you're not
> proofreading your configuration entries very well. You have
> SSLCipherSuite misspelled (two missing letters), and it's not inside the
> connector configuration entry.

Not to mention still having the ciphers attribute, which is not used with APR.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
also following setting is working for TLS v1 but not with TLS v1.2, so its a bug !!!

On Fri, Jan 3, 2014 at 6:56 PM, Mudassir Aftab wrote:
> HI,
>
> That was just typo error but on system it is fine and i am keep checking
> logs, no warning in it
>
> also what about following post
>
> I just also took interest to dig this issue.
>
> The Document which you were referring
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
> is clearly stated that only SSLv2, SSLv3, TLSv1 is support by SSLProtocol
> Attribute.
>
> SSLCipherSuite will only be supported cipher available in SSLv2,SSLv3,
> TLSV1.
>
> TLSv1.1 and TLSV1.2 supported Cipher can't be invoked until TLSv1.1 and
> TLSv1.2 is enabled. see the supported Cipher list on TLSV1.2 on openssl
> link. http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites
>
> I am happy to see if someone enabled below ciphers without enabling the
> TLSv1.2
>
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384
>
> On Fri, Jan 3, 2014 at 6:00 PM, David kerber wrote:
> > On 1/3/2014 3:28 AM, Mudassir Aftab wrote:
> > > Hi,
> > >
> > > Sorry for asking u same thing again and again, i have tried many things
> > > from above document, but nothing works for me, also no errors in the log
> > >
> > > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > > maxThreads="200"
> > > clientAuth="false"
> > > ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
> > > scheme="https" secure="true" SSLEnabled="true"
> > > SSLCertificateFile="/home/mudassir/pay/p.pem"
> > > SSLCertificateKeyFile="/home/mudassir/p-key.pem"
> > > SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
> > >
> > > SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
> > >
> > > I really appreciate your help
> >
> > If what you list here is what is really in your config file, you're not
> > proofreading your configuration entries very well. You have SSLCipherSuite
> > misspelled (two missing letters), and it's not inside the connector
> > configuration entry.
Define static html page or servlet if war is missing
Hello, I want to display a static html page to the user if he wants to access a missing application. The goal is to display this page while updating (redeploy) the application to Tomcat. If the application is available, the user must access the application. Is there a possibility to do this? Thanks for help. Stephan
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
HI,

That was just typo error but on system it is fine and i am keep checking logs, no warning in it

also what about following post

I just also took interest to dig this issue.

The Document which you were referring
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
is clearly stated that only SSLv2, SSLv3, TLSv1 is support by SSLProtocol Attribute.

SSLCipherSuite will only be supported cipher available in SSLv2,SSLv3, TLSV1.

TLSv1.1 and TLSV1.2 supported Cipher can't be invoked until TLSv1.1 and TLSv1.2 is enabled. see the supported Cipher list on TLSV1.2 on openssl link. http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I am happy to see if someone enabled below ciphers without enabling the TLSv1.2

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

On Fri, Jan 3, 2014 at 6:00 PM, David kerber wrote:
> On 1/3/2014 3:28 AM, Mudassir Aftab wrote:
> > Hi,
> >
> > Sorry for asking u same thing again and again, i have tried many things
> > from above document, but nothing works for me, also no errors in the log
> >
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > maxThreads="200"
> > clientAuth="false"
> > ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
> > scheme="https" secure="true" SSLEnabled="true"
> > SSLCertificateFile="/home/mudassir/pay/p.pem"
> > SSLCertificateKeyFile="/home/mudassir/p-key.pem"
> > SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
> >
> > SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
> >
> > I really appreciate your help
>
> If what you list here is what is really in your config file, you're not
> proofreading your configuration entries very well. You have SSLCipherSuite
> misspelled (two missing letters), and it's not inside the connector
> configuration entry.
Symantec SSL cert in tomcat 6
Hi,

We have a working tomcat 6 installation with a self-signed cert. We have received a certificate from Symantec (x509) and are trying to get it working in our tomcat 6 installation. So far, I’ve had no luck.

What I have done so far:

1) Followed instructions from https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=AR124

- downloaded primary & secondary intermediate CA from Symantec
- imported into a brand new keystore using

keytool -import -trustcacerts -alias primaryIntermediate -keystore geneKeystore -file primary_inter.cer
keytool -import -trustcacerts -alias secondaryIntermediate -keystore geneKeystore -file secondary_inter.cer

keystore didn’t exist prior to the first import above but it seemed to create it ok and prompt for passwords.

- install the SSL cert from Symantec

keytool -import -trustcacerts -alias myalias -keystore geneKeystore -file ssl_cert.cer

- verify contents of keystore

keytool -list -v -keystore geneKeystore

The Symantec instructions say to ensure the alias for the ssl cert has an Entry Type of PrivateKeyEntry. Mine DOES NOT. Instructions say if it does not, to please import the certificate in the “Private Key” alias. I’m not sure what that means. I’m assuming it does not mean to import the cert using the alias of ‘PrivateKey’ as I believe the alias has to match what was in the CSR??

It also says to ensure the Certificate chain length is 4. The Symantec example shows sample output of the above command with the “Certificate chain length: 4” in the output but I don’t get that in mine. My keystore type is JKS and provider is SUN as in their example though. I do see four extensions listed under the ‘myalias’ alias; not sure if that would imply a chain length of four. As you can already guess, I’m no SSL expert (or even tomcat expert for that matter). Since I wasn’t sure what to do here I left this alone and moved on.

2) edit server.xml

3) restart tomcat
- verified tomcat is running
- verified something listening on port 8443 (netstat -an |grep 8443)
- catalina.out contents below:

Jan 03, 2014 8:43:43 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: :/usr/share/tomcat6/lib:/usr/share/tomcat6/lib:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'minSpareThreads' to '25' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
Jan 03, 2014 8:43:43 AM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:44 AM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Jan 03, 2014 8:43:44 AM org.apache.coyote.http11.Http11NioProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:44 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1217 ms
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 03, 2014 8:43:44 AM org.apache.catalina.core.StandardEngine start
...
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jan 03, 2014 8:43:53 AM org.apache.coyote.http11.Http11NioProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Jan 03, 2014 8:43:53 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Jan 03, 2014 8:43:53 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/49 config=null
Jan 03, 2014 8:43:53 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 9583 ms

I’m not doing something correctly but I’m not sure what that is. If anyone can point me in the right direction I would appreciate it.

Thanks,
Gene

PS: How does one search the archives of this list? When I browse the archive site I don’t see a search field anywhere. So I’ve been googling without coming up with a solution. It is probably out there but I don’t know enough to recognize it :-(
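What the Symantec note means by importing into the "Private Key" alias: keytool only attaches a certificate to a private key (Entry type: PrivateKeyEntry, with a chain) when the certificate is imported into the keystore that already holds the key pair the CSR was generated from, under that key pair's alias. Imported into a freshly created keystore, or under any other alias, it is stored as a trustedCertEntry with no chain, which is the listing described above. The script below is an added example, not code from the post or from Symantec's instructions. It assumes a hypothetical alias `tomcat` for the key pair, keeps the file names from the post, runs the three imports in the order given, and parses `keytool -list -v` output to confirm the entry type and chain length; the listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the post or Symantec): install a CA chain for Tomcat
# and verify the result.  The server certificate must be imported under the
# SAME alias as the key pair the CSR was generated from; only then does keytool
# attach it to the private key (PrivateKeyEntry) and record the chain.
KEYSTORE="geneKeystore"   # keystore name from the post
KEY_ALIAS="tomcat"        # ASSUMPTION: hypothetical alias used for -genkeypair/-certreq

# import_chain: intermediates first (trusted entries), then the server cert
# into the key-pair alias.  Run it against the keystore that already holds
# the private key, not a new one.
import_chain() {
    keytool -import -trustcacerts -alias primaryIntermediate \
        -keystore "$KEYSTORE" -file primary_inter.cer
    keytool -import -trustcacerts -alias secondaryIntermediate \
        -keystore "$KEYSTORE" -file secondary_inter.cer
    keytool -import -trustcacerts -alias "$KEY_ALIAS" \
        -keystore "$KEYSTORE" -file ssl_cert.cer
}

# check_listing ALIAS [CHAIN_LEN]  < "keytool -list -v" output
# Succeeds only if ALIAS is a PrivateKeyEntry whose chain has CHAIN_LEN
# certificates (Symantec's instructions expect 4: server, two intermediates,
# root).  Single-word aliases only; keytool prints "Alias name: <alias>".
check_listing() {
    alias_name=$1
    want_len=${2:-4}
    awk -v a="$alias_name" -v want="$want_len" '
        /^Alias name:/               { cur = $3 }
        /^Entry type:/               { if (cur == a) type = $3 }
        /^Certificate chain length:/ { if (cur == a) len = $4 }
        END {
            if (type == "PrivateKeyEntry" && len == want) exit 0
            print "alias " a ": entry type \"" type "\", chain length \"" len "\"" > "/dev/stderr"
            exit 1
        }
    '
}

# verify_keystore: list the keystore and apply the check
verify_keystore() {
    keytool -list -v -keystore "$KEYSTORE" | check_listing "$KEY_ALIAS" 4
}
```

From an interactive shell, `import_chain && verify_keystore` does the import and the check in one go (keytool prompts for the keystore password). On the constructed listing `Alias name: myalias` / `Entry type: trustedCertEntry` with no chain line, `check_listing myalias 4` fails and prints the entry type it found; on `Alias name: tomcat` / `Entry type: PrivateKeyEntry` / `Certificate chain length: 4` it succeeds.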
Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi Chuck.

I just also took interest to dig this issue.

The Document which you were referring
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
is clearly stated that only SSLv2, SSLv3, TLSv1 is support by SSLProtocol Attribute.

SSLCipherSuite will only be supported cipher available in SSLv2,SSLv3, TLSV1.

TLSv1.1 and TLSV1.2 supported Cipher can't be invoked until TLSv1.1 and TLSv1.2 is enabled. see the supported Cipher list on TLSV1.2 on openssl link. http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I am happy to see if someone enabled below ciphers without enabling the TLSv1.2

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

Regards,
San

On Fri, Jan 3, 2014 at 12:59 PM, Mudassir Aftab wrote:
>
> ---------- Forwarded message ----------
> From: Caldarale, Charles R
> Date: Fri, Jan 3, 2014 at 10:45 AM
> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> To: Tomcat Users List
>
> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> >
> > Should i use following APR connector attribute ?
> >
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > maxThreads="200"
> > sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
> > clientAuth="false"
> > ciphers="AES256-SHA256"
> > scheme="https" secure="true" SSLEnabled="true"
> > SSLCertificateFile="p.pem"
> > SSLCertificateKeyFile="key.pem"
> > SSLCACertificateFile="AdminCA1.pem" />
>
> For the third time, the APR has no sslProtocol nor
> sslEnabledProtocols attributes; the proper ones for specifying the protocol
> and encryption algorithms are SSLProtocol and SSLCipherSuite, respectively.
>
> For the last time, read the doc:
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> (If you don't start paying attention to the responses you're getting, you
> will end up just being ignored.)
>
> - Chuck
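The point San and Chuck make above (a suite that exists only in TLS 1.2 cannot be negotiated unless TLS 1.2 itself is enabled, and with the APR connector the attributes are SSLProtocol and SSLCipherSuite, not sslEnabledProtocols and ciphers) can be checked from the shell before restarting Tomcat. The script below is an added example, not code from the thread or from Tomcat. It passes an OpenSSL cipher string to `openssl ciphers -v`, whose second column is the lowest protocol version each suite needs, and keeps only the suites usable at the highest protocol the connector enables; an empty result is the condition Firefox reports as ssl_error_no_cypher_overlap. The sample listing in the usage note is constructed. Two caveats the thread does not spell out: the ECDH-ECDSA suites it lists additionally require an EC (ECDSA) server certificate, so with an RSA certificate they are never selectable whatever the protocol, and Firefox 26 does not enable TLS 1.2 by default (that came with Firefox 27), so a TLS 1.2-only server would have to be tested against a client that offers it.

```shell
#!/bin/sh
# Added example (not from the thread or Tomcat): check whether the suites
# named by an OpenSSL cipher string are usable at the protocol a Tomcat APR
# connector enables with SSLProtocol.  The protocol column printed by
# "openssl ciphers -v" is the minimum version each suite needs.

# filter_usable PROTO  < "openssl ciphers -v" output
# Prints the names of the suites negotiable when PROTO is the highest version
# the server enables; exits 1 if none remain (no cipher overlap), 2 on a
# protocol name it does not know.
filter_usable() {
    proto=$1
    case $proto in
        SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
        *) echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    awk -v proto="$proto" '
        BEGIN {
            rank["SSLv3"] = 0; rank["TLSv1"] = 1; rank["TLSv1.1"] = 2
            rank["TLSv1.2"] = 3; rank["TLSv1.3"] = 4
        }
        # $1 = suite name, $2 = minimum protocol; keep suites at or below PROTO
        NF >= 2 && ($2 in rank) && rank[$2] <= rank[proto] { print $1; n++ }
        END { if (n > 0) exit 0; exit 1 }
    '
}

# usable_ciphers PROTO CIPHERSTRING
# Expands CIPHERSTRING with the local OpenSSL (the library the APR connector
# links against) and filters it for PROTO.  A cipher string OpenSSL does not
# recognise produces no listing, so this also fails with "no overlap".
usable_ciphers() {
    openssl ciphers -v "$2" | filter_usable "$1"
}

# Typical use, with the SSLProtocol and SSLCipherSuite values from server.xml:
#   usable_ciphers TLSv1   ECDH-ECDSA-AES128-GCM-SHA256 || echo "no overlap at TLSv1"
#   usable_ciphers TLSv1.2 ECDH-ECDSA-AES128-GCM-SHA256
```

Fed a constructed listing of `ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 ...`, `AES256-SHA256 TLSv1.2 ...` and `AES128-SHA SSLv3 ...`, `filter_usable TLSv1` keeps only AES128-SHA and `filter_usable TLSv1.2` keeps all three; with only the two TLSv1.2 lines and PROTO set to TLSv1 it prints nothing and exits 1, which is the server-side view of the Firefox error in this thread. Newer OpenSSL builds also print the TLS 1.3 suites at the top of every listing; the rank table drops them unless PROTO is TLSv1.3.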
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 3:28 AM, Mudassir Aftab wrote:
> Hi,
>
> Sorry for asking u same thing again and again, i have tried many things
> from above document, but nothing works for me, also no errors in the log
>
> SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
>
> I really appreciate your help

If what you list here is what is really in your config file, you're not proofreading your configuration entries very well. You have SSLCipherSuite misspelled (two missing letters), and it's not inside the connector configuration entry.
Session Replication across common base domain
Hi,

I am using Tomcat 7.0.47 on windows 7 with JDK 1.7. I want to achieve session replication on multiple subdomains. If I have domains such as xyz.example.com and abc.example.com, then I would like to store the session cookie on "example.com" and hence be able to access the same session on both domains. By default the session cookie is set on the whole domain: if I access xyz.example.com then the session cookie will be set on this domain.

I went through the documentation for Tomcat 7 and found that in the element type I can add an attribute like "sessionCookieDomain". I can easily set this attribute to a base domain like ".example.com" and this works like a charm.

But my requirement is slightly different. I have a single tomcat serving multiple domains. They all have different base domains as well. So hardcoding would not help me out here. So I tried the following.

In the docs I found this link, http://tomcat.apache.org/tomcat-7.0-doc/config/context.html. It says that the className attribute can be set for a context. So I wrote my own class MyStandardContext which extends org.apache.catalina.core.StandardContext. I overrode the public String getSessionCookieDomain() method. I want to return the base domain of the URL from this method so that tomcat will set the cookie on this domain. But to my surprise I do not have access to the Request URI. If I could get access to this URI somehow then I would be able to extract the base domain. It is not possible, is it?

I also tried adding multiple hosts in conf/server.xml under . This loads the context multiple times, which I do not wish.

My question is: is there any way I can get access to the request URI in MyStandardContext? Or is there any configuration which forces tomcat to set the cookie on the base domain instead of the full domain?
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

Sorry for asking you the same thing again and again, i have tried many things from the above document, but nothing works for me, also no errors in the log

SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"

I really appreciate your help