Re: Tomcat 7, no_cypher_overlap error, no solutions working, please help.
On 30 September 2015 16:13:38 BST, Kernel freak wrote:
>Hi guys,
>
>I am trying to setup https on tomcat, but not having much luck since 5 hours. I am always getting no_cypher_overlap error.
>The certificate is not self-signed, but issued. The crt file I am importing for both root and tomcat alias.
>
>These are the files I have domainname.ca-bundle, .crt, .csr, .key, .p12, domainname.jks,
>
>This is the command I gave :
>
>keytool -import -trustcacerts -alias root -file domainname.crt -keyalg RSA -keystore domainaname.jks
>
>Connector looks like this :
>
> maxThreads="200" compression="force"
> compressionMinSize="1024" scheme="https" secure="true"
> clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
> sslProtocol="TLS" URIEncoding="utf-8"
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/x-javascript,application/javascript"
> keystoreFile="domain.jks" keystorePass="pass" />
>
>Still it is not working, there are so many users out there, who have the same problem, and still there is no good solution for this.
>
>I have also posted it on Stackoverflow (Link below), no help there too. If anyone knows what I can do, kindly let me know. This is messed up to configure https for 5 hours with issued certificate. Thanks.
>
>http://stackoverflow.com/questions/32866528/apache-tomcat-importing-already-existing-certificates-into-keystore
>
>Regards,
>Kernel

ssllabs is your friend.

Mark
Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS
Hello Good People -

We currently have multiple Tomcat instances deployed on RHEL in production with no issues but I am getting asked why we shouldn't migrate everything to run on Windows 2008 R2 Server instead. My stomach churns at the thought but I am looking for more concrete information about why this could be problematic vs. running Tomcat on RHEL/CentOS. My gut says far more Tomcat deployments in production are done on top of Linux based OS's vs. Windows.

Any thoughts on making an argument for one OS vs another in deploying Tomcat 8?

Thanks for your thoughts,

Jason
Re: Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS
On 30.09.2015 22:23, Jason Britton wrote:
> Hello Good People -
> We currently have multiple Tomcat instances deployed on RHEL in production with no issues but I am getting asked why we shouldn't migrate everything to run on Windows 2008 R2 Server instead. My stomach churns at the thought but I am looking for more concrete information about why this could be problematic vs. running Tomcat on RHEL/CentOS. My gut says far more Tomcat deployments in production are done on top of Linux based OS's vs. Windows.
> Any thoughts on making an argument for one OS vs another in deploying Tomcat 8? Thanks for your thoughts,

This looks like the ideal start for some holy war.

Maybe you (not me) could argue that Tomcat being an Open-Source, free software, would undoubtedly feel more comfortable and cushy living inside a platform that is like him, open-source and free ? (Whilst being perfectly able to run under Windows and other platforms, for being a versatile multi-platform Java application, it may nevertheless always feel a bit like a not-so-well integrated immigrant there).

More seriously (and considering that you seem to express a slight personal preference for the one vs the other) :

The main difference for Tomcat itself is probably going to be in
- what kind of hardware would Tomcat be running on in either case ?
- how stable is the Java JVM which actually runs the Tomcat java code, in either case ?

But you may also want to give a thought to everything else, apart from Tomcat and around it, which is currently installed and running on your current platform, and whether the equivalent exists on the other platform. It may well be for example, that some auxiliary product of which you are currently using the open-source and free version, is not available on the other platform, or available only in a different and/or non-free version.

You may also want to consider how you are currently supporting/maintaining your Tomcat and its applications. If you are using Linux/shell-based tools, that may be more difficult under Windows, and/or require other tools.

If that system is remote with reference to the people supporting/maintaining it, you may also want to investigate what kind of access tools you would have to a Windows platform. In my experience for instance, accessing these platforms via SSH/SCP/SFTP requires some serious non-standard setup. Also an access via Remote Desktop (almost the standard when talking about a Windows server), will require a VPN for working correctly, and even then any file transfers are likely to be much more of a hassle than with a Linux platform. For example, the file drag-and-drop feature via Remote Desktop, is kind of neat graphically, but in the principle often turns out to be abysmally slow. (And of course that works only if your own station is Windows).

You may also want to give a thought to who else (apart from yourself presumably) is going to provide the support for the platform in question and its OS, and its integration in the big scheme of things. Quite often in my experience, the teams in charge of each kind of platform are different. Quite often also, they have a different focus and different sets of skills.

You may also be interested in finding out what kind of global security and other policies apply to this other platform. Who for example enjoys admin rights to it, and/or how easy it is to obtain such rights when needed for installation-support-maintenance purposes ? There may also be global policies regarding allowed and/or mandatory software updates and patches, different per platform type. And there might be policies regarding mandatory usage of auxiliary things, such as virus scanners and the like.

Enough yet ?

P.S. In my line of business, we install and support our applications remotely on both kinds of platforms, and occasionally we move ditto applications from the one to the other at the customer's request. (In the IT world, there are also fashions, which come and go). Such moves are never to be considered lightly, even when you might think at first that being purely Tomcat and purely Java, it should not be an issue. It usually is an issue, for the simple fact that over time, you have probably gotten used to the one platform and its tools and quirks, and you have probably accumulated a lot of peripheral stuff that is not really multi-platform hanging around, which you initially forget about because you have gotten so used to it.

So whatever you end up having to do (many times you don't get to choose), make sure that you and whoever else is concerned, at least have realistic expectations about the time and effort it takes to move. It is not that the one platform is necessarily better or worse than the other. It is the fact that they are *different*, and because of that a lot of things around them are different too.
Re: Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS
On 30 September 2015 21:23:14 BST, Jason Britton wrote:
>Hello Good People -
>We currently have multiple Tomcat instances deployed on RHEL in production with no issues but I am getting asked why we shouldn't migrate everything to run on Windows 2008 R2 Server instead. My stomach churns at the thought but I am looking for more concrete information about why this could be problematic vs. running Tomcat on RHEL/CentOS. My gut says far more Tomcat deployments in production are done on top of Linux based OS's vs. Windows.
>Any thoughts on making an argument for one OS vs another in deploying Tomcat 8? Thanks for your thoughts,
>
>Jason

Generally, you should be fine running on any OS that has a suitable JRE available. Each OS has its eccentricities but as long as you have sys admins that know how to manage the OS you'll be fine.

Mark
Re: logjam attacks in tomcat 7
Configuration like mentioned below should be able to resolve your issue:

Srikanth Hugar
www.gharki.com

On Thu, Oct 1, 2015 at 10:22 AM, Rahul Singh wrote:

> Dear Tomcat Support Team,
> Thanks for your continuous support.
> In our Application Tomcat V 7.0.54 is used. We are facing the problem of
> "Server has a weak, ephemeral Diffie-Hellman public key
> ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY"
> in Chrome browser.
> Tomcat server.xml has the following configuration, which does not contain cipher, it means it used default cipher.
> port="8585" minSpareThreads="5" enableLookups="true"
> redirectPort="8282" acceptCount="32"
> connectionTimeout="6"/> SSLEnabled="true" enableLookups="true"
> acceptCount="32" scheme="https" secure="true"
> clientAuth="false" sslEnabledProtocols="TLSv1.2"
>
> algorithm="SunX509"/>
> Underlying Java is : OpenJDK Runtime Environment (rhel-2.5.5.3.el6-x86_64 u79-b14)
> So could you please assist me to understand the following things.
> 1- What value of default cipher is used in my application.
> 2- Does it require to update for working with latest browser Chrome and fixing the "Diffie-Hellman" security issue.
> Regards,
> Rahul kumar Singh
logjam attacks in tomcat 7
Dear Tomcat Support Team,

Thanks for your continuous support.

In our Application Tomcat V 7.0.54 is used. We are facing the problem of "Server has a weak, ephemeral Diffie-Hellman public key ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY" in Chrome browser.

Tomcat server.xml has the following configuration, which does not contain cipher, it means it used default cipher.

Underlying Java is : OpenJDK Runtime Environment (rhel-2.5.5.3.el6-x86_64 u79-b14)

So could you please assist me to understand the following things.
1- What value of default cipher is used in my application.
2- Does it require to update for working with latest browser Chrome and fixing the "Diffie-Hellman" security issue.

Regards,
Rahul kumar Singh
RE: logjam attacks in tomcat 7
Yes, I know this fix, I just want to know what is the default cipher detail; in my existing server.xml no cipher parameter value is mentioned. So please help me to understand the same.

> Date: Thu, 1 Oct 2015 10:26:43 +0530
> Subject: Re: logjam attacks in tomcat 7
> From: srikanth.hu...@gmail.com
> To: users@tomcat.apache.org
>
> Configuration like mentioned below should be able to resolve your issue:
>
> protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> keystoreType="JKS" keystoreFile="{{path_to_keystore}}"
> keystorePass="{{ keystore_password }}"
> clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />
>
> Srikanth Hugar
> www.gharki.com
>
> On Thu, Oct 1, 2015 at 10:22 AM, Rahul Singh wrote:
>
> > Dear Tomcat Support Team,
> > Thanks for your continuous support.
> > In our Application Tomcat V 7.0.54 is used. We are facing the problem of
> > "Server has a weak, ephemeral Diffie-Hellman public key
> > ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY"
> > in Chrome browser.
> > Tomcat server.xml has the following configuration, which does not contain cipher, it means it used default cipher.
> > port="8585" minSpareThreads="5" enableLookups="true"
> > redirectPort="8282" acceptCount="32"
> > connectionTimeout="6"/> SSLEnabled="true" enableLookups="true"
> > acceptCount="32" scheme="https" secure="true"
> > clientAuth="false" sslEnabledProtocols="TLSv1.2"
> >
> > algorithm="SunX509"/>
> > Underlying Java is : OpenJDK Runtime Environment (rhel-2.5.5.3.el6-x86_64 u79-b14)
> > So could you please assist me to understand the following things.
> > 1- What value of default cipher is used in my application.
> > 2- Does it require to update for working with latest browser Chrome and fixing the "Diffie-Hellman" security issue.
> > Regards,
> > Rahul kumar Singh
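
An added example, not part of the thread and not Tomcat code: a small Python audit of server.xml that reports, for each TLS connector, whether the ciphers attribute is absent (so the JVM default suites apply, as in the original configuration above) and which listed suites use finite-field DHE, the key exchange the Chrome error refers to, or RC4. The sample XML, port 8443 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the connectors quoted in the thread. Port
# 8443 is a made-up value; the cipher list is a subset of the suggested one.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8585" redirectPort="8282" enableLookups="true"/>
  <Connector port="8282" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslEnabledProtocols="TLSv1.2"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                      TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>
"""


def classify_suite(suite):
    """Return a finding for one JSSE suite name, or None if nothing to flag."""
    if "_DHE_" in suite:        # TLS_DHE_* / SSL_DHE_*; ECDHE does not match
        return "finite-field DHE suite (check DH group size): " + suite
    if "_RC4_" in suite:
        return "RC4 suite (prohibited by RFC 7465): " + suite
    return None


def audit_connectors(xml_text):
    """Map port -> list of findings for every Connector with SSLEnabled=true."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue                      # plain HTTP/AJP connector, skip
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings = ["no ciphers attribute: JVM default suites apply"]
        else:
            names = [s.strip() for s in ciphers.split(",") if s.strip()]
            findings = [f for f in map(classify_suite, names) if f]
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["nothing flagged"])
```

The script only reads the configuration; which suites a given JVM enables by default has to be checked on that JVM.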
Tomcat 7, no_cypher_overlap error, no solutions working, please help.
Hi guys,

I am trying to setup https on tomcat, but not having much luck since 5 hours. I am always getting no_cypher_overlap error.
The certificate is not self-signed, but issued. The crt file I am importing for both root and tomcat alias.

These are the files I have domainname.ca-bundle, .crt, .csr, .key, .p12, domainname.jks,

This is the command I gave :

keytool -import -trustcacerts -alias root -file domainname.crt -keyalg RSA -keystore domainaname.jks

Connector looks like this :

Still it is not working, there are so many users out there, who have the same problem, and still there is no good solution for this.

I have also posted it on Stackoverflow (Link below), no help there too. If anyone knows what I can do, kindly let me know. This is messed up to configure https for 5 hours with issued certificate. Thanks.

http://stackoverflow.com/questions/32866528/apache-tomcat-importing-already-existing-certificates-into-keystore

Regards,
Kernel
Re: Tomcat 7, no_cypher_overlap error, no solutions working, please help.
On 9/30/2015 11:13 AM, Kernel freak wrote:
> Hi guys,
> I am trying to setup https on tomcat, but not having much luck since 5 hours. I am always getting no_cypher_overlap error.

This error means that your server and the client browser don't have any cyphers in common (there are none that they can both work with).

> The certificate is not self-signed, but issued. The crt file I am importing for both root and tomcat alias.
>
> These are the files I have domainname.ca-bundle, .crt, .csr, .key, .p12, domainname.jks,
>
> This is the command I gave :
>
> keytool -import -trustcacerts -alias root -file domainname.crt -keyalg RSA -keystore domainaname.jks
>
> Connector looks like this :
>
> Still it is not working, there are so many users out there, who have the same problem, and still there is no good solution for this.
>
> I have also posted it on Stackoverflow (Link below), no help there too. If anyone knows what I can do, kindly let me know. This is messed up to configure https for 5 hours with issued certificate. Thanks.
>
> http://stackoverflow.com/questions/32866528/apache-tomcat-importing-already-existing-certificates-into-keystore
>
> Regards,
> Kernel

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org