Re: Tomcat 7, no_cypher_overlap error, no solutions working, please help.

2015-09-30 Thread Mark Thomas
On 30 September 2015 16:13:38 BST, Kernel freak  wrote:
>Hi guys,
>
>I am trying to setup https on tomcat, but not having much luck since 5
>hours. I am always getting no_cypher_overlap error.
>The certificate is not self-signed, but issued. The crt file I am
>importing
>for both root and tomcat alias.
>
>These are the files I have domainname.ca-bundle, .crt, .csr, .key,
>.p12,
>domainname.jks,
>
>This is the command I gave :
>
>keytool -import -trustcacerts -alias root -file domainname.crt -keyalg
>RSA
>-keystore domainaname.jks
>
>Connector looks like this :
>
> maxThreads="200" compression="force"
>  compressionMinSize="1024" scheme="https" secure="true"
>clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>sslProtocol="TLS" URIEncoding="utf-8"
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/
>javascript,application/x-javascript,application/javascript"
>   keystoreFile="domain.jks" keystorePass="pass" />
>
>Still it is not working, there are so many users out there, who have the
>same problem, and still there is no good solution for this.
>
>I have also posted it on Stackoverflow (link below), no help there too. If
>anyone knows what I can do, kindly let me know. This is messed up to
>configure https for 5 hours with issued certificate. Thanks.
>
>http://stackoverflow.com/questions/32866528/apache-tomcat-importing-already-existing-certificates-into-keystore
>
>Regards,
>Kernel

ssllabs is your friend.

Mark

Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS

2015-09-30 Thread Jason Britton
Hello Good People -
We currently have multiple Tomcat instances deployed on RHEL in production
with no issues but I am getting asked why we shouldn't migrate everything
to run on Windows 2008 R2 Server instead.  My stomach churns at the thought
but I am looking for more concrete information about why this could be
problematic vs. running Tomcat on RHEL/CentOS.  My gut says far more Tomcat
deployments in production are done on top of Linux based OS's vs. Windows.
Any thoughts on making an argument for one OS vs another in deploying
Tomcat 8?  Thanks for your thoughts,

Jason


Re: Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS

2015-09-30 Thread tomcat

On 30.09.2015 22:23, Jason Britton wrote:

Hello Good People -
We currently have multiple Tomcat instances deployed on RHEL in production
with no issues but I am getting asked why we shouldn't migrate everything
to run on Windows 2008 R2 Server instead.  My stomach churns at the thought
but I am looking for more concrete information about why this could be
problematic vs. running Tomcat on RHEL/CentOS.  My gut says far more Tomcat
deployments in production are done on top of Linux based OS's vs. Windows.
Any thoughts on making an argument for one OS vs another in deploying
Tomcat 8?  Thanks for your thoughts,



This looks like the ideal start for some holy war.

Maybe you (not me) could argue that Tomcat being an Open-Source, free software, would 
undoubtedly feel more comfortable and cushy living inside a platform that is like him, 
open-source and free ?
(Whilst being perfectly able to run under Windows and other platforms, for being a 
versatile multi-platform Java application, it may nevertheless always feel a bit like a 
not-so-well integrated immigrant there).


More seriously (and considering that you seem to express a slight personal preference for 
the one vs the other) :

The main difference for Tomcat itself is probably going to be in
- what kind of hardware would Tomcat be running on in either case ?
- how stable is the Java JVM which actually runs the Tomcat java code, in 
either case ?

But you may also want to give a thought to everything else, apart from Tomcat and around 
it, which is currently installed and running on your current platform, and whether the 
equivalent exists on the other platform. It may well be for example, that some auxiliary 
product of which you are currently using the open-source and free version, is not 
available on the other platform, or available only in a different and/or non-free version.


You may also want to consider how you are currently supporting/maintaining your Tomcat and 
its applications.  If you are using Linux/shell-based tools, that may be more difficult 
under Windows, and/or require other tools.


If that system is remote with reference to the people supporting/maintaining it, you may 
also want to investigate what kind of access tools you would have to a Windows platform.
In my experience for instance, accessing these platforms via SSH/SCP/SFTP requires some 
serious non-standard setup.  Also an access via Remote Desktop (almost the standard when 
talking about a Windows server), will require a VPN for working correctly, and even then 
any file transfers are likely to be much more of a hassle than with a Linux platform.
For example, the file drag-and-drop feature via Remote Desktop, is kind of neat 
graphically, but in the principle often turns out to be abysmally slow.

(And of course that works only if your own station is Windows).

You may also want to give a thought to who else (apart from yourself presumably) is going 
to provide the support for the platform in question and its OS, and its integration in the 
big scheme of things. Quite often in my experience, the teams in charge of each kind of 
platform are different.  Quite often also, they have a different focus and different sets 
of skills.


You may also be interested in finding out what kind of global security and other policies 
apply to this other platform.  Who for example enjoys admin rights to it, and/or how easy 
it is to obtain such rights when needed for installation-support-maintenance purposes ?
There may also be global policies regarding allowed and/or mandatory software updates and 
patches, different per platform type.  And there might be policies regarding mandatory 
usage of auxiliary things, such as virus scanners and the like.


Enough yet ?

P.S. In my line of business, we install and support our applications remotely on both 
kinds of platforms, and occasionally we move ditto applications from the one to the other 
at the customer's request.

(In the IT world, there are also fashions, which come and go).
Such moves are never to be considered lightly, even when you might think at first that 
being purely Tomcat and purely Java, it should not be an issue.  It usually is an issue, 
for the simple fact that over time, you have probably gotten used to the one platform and 
its tools and quirks, and you have probably accumulated a lot of peripheral stuff that is 
not really multi-platform hanging around, which you initially forget about because you 
have gotten so used to it.
So whatever you end up having to do (many times you don't get to choose), make sure that 
you and whoever else is concerned, at least have realistic expectations about the time and 
effort it takes to move.
It is not that the one platform is necessarily better or worse than the other.  It is the 
fact that they are *different*, and because of that a lot of things around them are 
different too.




-
To unsubscribe, e-mail: 

Re: Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS

2015-09-30 Thread Mark Thomas
On 30 September 2015 21:23:14 BST, Jason Britton  wrote:
>Hello Good People -
>We currently have multiple Tomcat instances deployed on RHEL in
>production
>with no issues but I am getting asked why we shouldn't migrate
>everything
>to run on Windows 2008 R2 Server instead.  My stomach churns at the
>thought
>but I am looking for more concrete information about why this could be
>problematic vs. running Tomcat on RHEL/CentOS.  My gut says far more
>Tomcat
>deployments in production are done on top of Linux based OS's vs.
>Windows.
>Any thoughts on making an argument for one OS vs another in deploying
>Tomcat 8?  Thanks for your thoughts,
>
>Jason

Generally, you should be fine running on any OS that has a suitable JRE 
available. Each OS has its eccentricities but as long as you have sys admins 
that know how to manage the OS you'll be fine.

Mark

Re: logjam attacks in tomcat 7

2015-09-30 Thread Srikanth Hugar
Configuration like mentioned below should be able to resolve your issue:



Srikanth Hugar
www.gharki.com



On Thu, Oct 1, 2015 at 10:22 AM, Rahul Singh  wrote:

> Dear Tomcat Support Team, Thanks for your continuous support.
> In our Application Tomcat V 7.0.54 is used. We are facing the problem of
> "Server has a weak, ephemeral Diffie-Hellman public key
> ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY"
> In chrome browser.
> Tomcat server.xml has the following configuration, which does not contain
> cipher, it means it used default cipher.
>  port="8585" minSpareThreads="5"enableLookups="true"
> redirectPort="8282"acceptCount="32"
> connectionTimeout="6"/>  SSLEnabled="true"enableLookups="true"
>   acceptCount="32"  scheme="https" secure="true"
> clientAuth="false" sslEnabledProtocols="TLSv1.2"
>  
> algorithm="SunX509"/>
> Underlying JAVA is : OpenJDK Runtime Environment (rhel-2.5.5.3.el6-x86_64
> u79-b14)
> So could you please assist me to understand the following things.
> 1- What value of default cipher is using in My application.
> 2- Does it require to update for working with latest Browser chrome and fixing the
> "Diffie-Hellman" security issue.
> Regards, Rahul kumar Singh


logjam attacks in tomcat 7

2015-09-30 Thread Rahul Singh
Dear Tomcat Support Team, Thanks for your continuous support.
In our Application Tomcat V 7.0.54 is used. We are facing the problem of 
"Server has a weak, ephemeral Diffie-Hellman public key 
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY"
In chrome browser.
Tomcat server.xml has the following configuration, which does not contain 
cipher, it means it used default cipher.
 
Underlying JAVA is : OpenJDK Runtime Environment (rhel-2.5.5.3.el6-x86_64 
u79-b14)
So could you please assist me to understand the following things.
1- What value of default cipher is using in My application.
2- Does it require to update for working with latest Browser chrome and fixing the "Diffie-Hellman" 
security issue.
Regards, Rahul kumar Singh 

RE: logjam attacks in tomcat 7

2015-09-30 Thread Rahul Singh
Yes I know this fix,
I just want to know, what is default cipher detail, in my existing server.xml 
no cipher parameter value is mentioned. So please help me to understand the same.




> Date: Thu, 1 Oct 2015 10:26:43 +0530
> Subject: Re: logjam attacks in tomcat 7
> From: srikanth.hu...@gmail.com
> To: users@tomcat.apache.org
> 
> Configuration like mentioned below should be able to resolve your issue:
> 
>  protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
>maxThreads="150" scheme="https" secure="true"
>keystoreType="JKS" keystoreFile="{{path_to_keystore}}"
> keystorePass="{{ keystore_password }}"
>clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1,
> TLSv1.2"
>  
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>  
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>  
> TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
>  TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />
> 
> Srikanth Hugar
> www.gharki.com
> 
> 
> 
> On Thu, Oct 1, 2015 at 10:22 AM, Rahul Singh  wrote:
> 
> > Dear Tomcat Support Team, Thanks for your continuous support.
> > In our Application Tomcat V 7.0.54 is used. We are facing the problem of
> > "Server has a weak, ephemeral Diffie-Hellman public key
> > ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY"
> > In chrome browser.
> > Tomcat server.xml has the following configuration, which does not contain
> > cipher, it means it used default cipher.
> >  > port="8585" minSpareThreads="5"enableLookups="true"
> > redirectPort="8282"acceptCount="32"
> > connectionTimeout="6"/>  > SSLEnabled="true"enableLookups="true"
> >   acceptCount="32"  scheme="https" secure="true"
> > clientAuth="false" sslEnabledProtocols="TLSv1.2"
> >  
> > algorithm="SunX509"/>
> > Underlying JAVA is : OpenJDK Runtime Environment (rhel-2.5.5.3.el6-x86_64
> > u79-b14)
> > So could you please assist me to understand the following things.
> > 1- What value of default cipher is using in My application.
> > 2- Does it require to update for working with latest Browser chrome and fixing the
> > "Diffie-Hellman" security issue.
> > Regards, Rahul kumar Singh
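The reply above restricts the connector to ECDHE and plain-RSA suites, and the follow-up question asks what is in force when the `ciphers` attribute is absent. The script below is an added example for this thread, not code from the thread, from Tomcat or from either poster. It parses a constructed server.xml fragment, reports for each SSLEnabled Connector whether `ciphers` is set (when it is not, the JVM's default enabled suites apply; on a JDK 7 build such as the one named in the thread those defaults include DHE_RSA suites, whose strength rests on the server's DH group size), and flags DHE, anonymous, RC4, DES/3DES, NULL and export suites as well as SSLv2/SSLv3 in `sslEnabledProtocols`. Connector 8444 carries the cipher list from the reply; the ports, keystore path, password and the DHE connector on 8445 are made up for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for this example; ports, keystore path and
# password are made up. Connector 8443 mirrors the thread: SSLEnabled with
# no "ciphers" attribute. Connector 8444 carries the cipher list from the
# reply above. Connector 8445 is a made-up connector that keeps a DHE suite.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/example.jks" keystorePass="changeit"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                 TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
                 TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1.2"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  </Service>
</Server>
"""

# JSSE suite names look like TLS_<key exchange>_WITH_<cipher and MAC>.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")


def classify_suite(name):
    """Return (key_exchange, cipher_part, [problems]) for one JSSE suite name."""
    m = SUITE_RE.match(name)
    if not m:
        return ("unknown", name, ["unrecognised suite name"])
    kx, cipher = m.group("kx"), m.group("cipher")
    problems = []
    if kx.startswith(("DHE_", "DH_")):
        problems.append("finite-field DH key exchange: security rests on the "
                        "server's DH group size (Logjam class of weakness)")
    if "anon" in kx:
        problems.append("anonymous key exchange: no server authentication")
    if "RC4" in cipher:
        problems.append("RC4 stream cipher is broken")
    if cipher.startswith(("DES_", "3DES_")):
        problems.append("64-bit block cipher (DES/3DES)")
    if "NULL" in cipher:
        problems.append("NULL cipher: no confidentiality")
    if "EXPORT" in name:
        problems.append("export-grade suite")
    return (kx, cipher, problems)


def audit_connectors(server_xml):
    """Audit every SSLEnabled Connector in a server.xml string.

    Returns a list of dicts with port, protocols, ciphers (None when the
    attribute is absent) and a list of human-readable findings.
    """
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        entry = {"port": conn.get("port"), "protocols": protocols, "ciphers": None, "findings": []}
        raw = conn.get("ciphers")
        if raw is None:
            # Tomcat then enables whatever the JVM's JSSE provider enables by default.
            entry["findings"].append(
                "no ciphers attribute: the JVM's default enabled suites apply; "
                "server.xml cannot tell you what they are, ask the JSSE provider")
        else:
            entry["ciphers"] = [c.strip() for c in raw.split(",") if c.strip()]
            for suite in entry["ciphers"]:
                _, _, problems = classify_suite(suite)
                entry["findings"].extend("%s: %s" % (suite, p) for p in problems)
        for proto in protocols:
            if proto in ("SSLv2", "SSLv3"):
                entry["findings"].append("%s enabled: obsolete protocol version" % proto)
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in audit_connectors(SAMPLE_SERVER_XML):
        print("Connector %s protocols=%s ciphers=%s" % (
            entry["port"], entry["protocols"],
            "JVM default" if entry["ciphers"] is None else len(entry["ciphers"])))
        for finding in entry["findings"]:
            print("  - " + finding)
```

Run against a real file with `audit_connectors(open("conf/server.xml").read())`. The audit answers the question in the thread only negatively: when `ciphers` is absent the effective list lives in the JVM, not in server.xml, so pinning an explicit list as the reply does is what makes the configuration reviewable.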
  

Tomcat 7, no_cypher_overlap error, no solutions working, please help.

2015-09-30 Thread Kernel freak
Hi guys,

I am trying to setup https on tomcat, but not having much luck since 5
hours. I am always getting no_cypher_overlap error.
The certificate is not self-signed, but issued. The crt file I am importing
for both root and tomcat alias.

These are the files I have domainname.ca-bundle, .crt, .csr, .key, .p12,
domainname.jks,

This is the command I gave :

keytool -import -trustcacerts -alias root -file domainname.crt -keyalg RSA
-keystore domainaname.jks

Connector looks like this :

 

Still it is not working, there are so many users out there, who have the
same problem, and still there is no good solution for this.

I have also posted it on Stackoverflow (link below), no help there too. If
anyone knows what I can do, kindly let me know. This is messed up to
configure https for 5 hours with issued certificate. Thanks.

http://stackoverflow.com/questions/32866528/apache-tomcat-importing-already-existing-certificates-into-keystore

Regards,
Kernel


Re: Tomcat 7, no_cypher_overlap error, no solutions working, please help.

2015-09-30 Thread David kerber

On 9/30/2015 11:13 AM, Kernel freak wrote:

Hi guys,

I am trying to setup https on tomcat, but not having much luck since 5
hours. I am always getting no_cypher_overlap error.


This error means that your server and the client browser don't have any 
ciphers in common (there are none that they can both work with).




The certificate is not self-signed, but issued. The crt file I am importing
for both root and tomcat alias.

These are the files I have domainname.ca-bundle, .crt, .csr, .key, .p12,
domainname.jks,

This is the command I gave :

keytool -import -trustcacerts -alias root -file domainname.crt -keyalg RSA
-keystore domainaname.jks

Connector looks like this :

  

Still it is not working, there are so many users out there, who have the
same problem, and still there is no good solution for this.

I have also posted it on Stackoverflow (link below), no help there too. If
anyone knows what I can do, kindly let me know. This is messed up to
configure https for 5 hours with issued certificate. Thanks.

http://stackoverflow.com/questions/32866528/apache-tomcat-importing-already-existing-certificates-into-keystore

Regards,
Kernel
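The reply above says what no_cypher_overlap means on the wire: the server could not enable a single suite the client offered. With a keystore assembled by `keytool -import`, a frequent reason is that the alias Tomcat reads (the Connector's keyAlias, default "tomcat") holds a certificate-only trustedCertEntry rather than a PrivateKeyEntry; importing a .crt creates the former, and with no private key the JSSE key manager cannot authenticate the server, so no RSA or ECDHE_RSA suite is offered at all. The script below is an added example for this thread, not code from the thread or from Tomcat. It walks the entry headers of a JKS file without needing the password and reports each alias's entry type; `build_sample_jks` constructs two toy keystores with dummy blobs in place of real certificates and keys (the aliases root and tomcat are the ones from the thread, the bytes are made up) so the check runs offline.

```python
import io
import struct

JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY = 1    # alias holds a password-encrypted private key plus its cert chain
TAG_TRUSTED_CERT = 2   # alias holds a certificate only (what "keytool -import" of a .crt creates)


def _read_int(buf):
    return struct.unpack(">i", buf.read(4))[0]


def _read_utf(buf):
    length = struct.unpack(">H", buf.read(2))[0]
    return buf.read(length).decode("utf-8")


def list_jks_entries(data):
    """Return [(alias, entry_type), ...] for a JKS keystore given as bytes.

    Only entry headers are walked: encrypted key blobs and certificate bodies
    are skipped and the trailing SHA-1 integrity digest is not checked, so
    the keystore password is not needed.
    """
    buf = io.BytesIO(data)
    magic = struct.unpack(">I", buf.read(4))[0]
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore (magic 0x%08X)" % magic)
    version = _read_int(buf)
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = []
    for _ in range(_read_int(buf)):
        tag = _read_int(buf)
        alias = _read_utf(buf)
        buf.read(8)  # creation time, Java long (ms since epoch)
        if tag == TAG_PRIVATE_KEY:
            buf.read(_read_int(buf))           # encrypted PKCS#8 key blob
            for _ in range(_read_int(buf)):    # certificate chain
                if version == 2:
                    _read_utf(buf)             # certificate type, e.g. "X.509"
                buf.read(_read_int(buf))       # DER certificate
            entries.append((alias, "PrivateKeyEntry"))
        elif tag == TAG_TRUSTED_CERT:
            if version == 2:
                _read_utf(buf)
            buf.read(_read_int(buf))
            entries.append((alias, "trustedCertEntry"))
        else:
            raise ValueError("unknown entry tag %d for alias %r" % (tag, alias))
    return entries


def diagnose_tomcat_keystore(data, key_alias="tomcat"):
    """Check whether the alias Tomcat will use (keyAlias, default "tomcat") can serve TLS."""
    entries = dict(list_jks_entries(data))
    kind = entries.get(key_alias)
    if kind == "PrivateKeyEntry":
        return ("ok", "alias %r holds a private key and certificate chain" % key_alias)
    if kind == "trustedCertEntry":
        return ("cert-only", "alias %r is a certificate-only entry: no private key, so the JSSE "
                "key manager cannot authenticate and no RSA/ECDHE_RSA suite is offered" % key_alias)
    return ("missing", "no entry %r; aliases present: %s" % (key_alias, sorted(entries)))


def _utf(s):
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _int(v):
    return struct.pack(">i", v)


def build_sample_jks(entries):
    """Construct a version-2 JKS byte string from [(alias, entry_type)] with dummy
    blobs standing in for real DER certificates and encrypted keys (test data only)."""
    out = struct.pack(">I", JKS_MAGIC) + _int(2) + _int(len(entries))
    for alias, kind in entries:
        tag = TAG_PRIVATE_KEY if kind == "PrivateKeyEntry" else TAG_TRUSTED_CERT
        out += _int(tag) + _utf(alias) + b"\x00" * 8
        if tag == TAG_PRIVATE_KEY:
            out += _int(8) + b"KEYBLOB!" + _int(1) + _utf("X.509") + _int(4) + b"CERT"
        else:
            out += _utf("X.509") + _int(4) + b"CERT"
    return out + b"\x00" * 20  # stand-in for the SHA-1 digest, which list_jks_entries ignores


# What importing the .crt under both aliases into a fresh keystore produces.
CERT_ONLY_STORE = build_sample_jks([("root", "trustedCertEntry"), ("tomcat", "trustedCertEntry")])
# What a usable store looks like: CA as trusted cert, server key pair under "tomcat".
WORKING_STORE = build_sample_jks([("root", "trustedCertEntry"), ("tomcat", "PrivateKeyEntry")])

if __name__ == "__main__":
    for label, store in (("cert-only", CERT_ONLY_STORE), ("working", WORKING_STORE)):
        print(label, list_jks_entries(store), diagnose_tomcat_keystore(store))
```

A real file is checked with `diagnose_tomcat_keystore(open("domainname.jks", "rb").read())`. If the result is "cert-only", the private key never entered the JKS: when the key pair is in the .p12 the poster already has, `keytool -importkeystore -srckeystore domainname.p12 -srcstoretype PKCS12 -destkeystore domainname.jks` brings it across under the alias stored in the .p12 (set keyAlias on the Connector to that alias), and importing the .crt on top of a trusted-cert alias does not turn it into a key entry.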



