RE: ssl_error_internal_error_alert in tomcat 7
> Date: Fri, 20 Dec 2013 14:43:30 -0500
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: ssl_error_internal_error_alert in tomcat 7

Thanks for the suggestions!!

> Jaya,
>
> On 12/20/13, 2:13 PM, jaya ravindran wrote:
>> Tried with -ssl3. Got back the following
>>
>>     SSL handshake has read 3426 bytes and written 284 bytes
>>     ---
>>     New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
>>     Server public key is 1024 bit
>
> You really need to increase the size of your public key. 1024 bits is
> considered dangerous these days. Recently, Microsoft Windows (finally!)
> issued an update that requires all SSL/TLS connections to have 1024 bit
> key sizes. Any chance you're being bitten by that?
>
> These days, I wouldn't use anything less than a 4096-bit server key. Can
> you re-create your key, cert, etc.? The output of s_client shows you have
> a self-signed certificate so you shouldn't have any problem doing that.
> Perhaps it will fix everything. (?)

Changed key size is not fixing the problem. I

>>     Secure Renegotiation IS supported
>>     SSL-Session:
>>         Protocol  : SSLv3
>>         Cipher    : EDH-RSA-DES-CBC3-SHA
>>         Session-ID: 52B4960B812952824F26DCA6DB67455143F624E615D1CAADA39E2831676944C7
>>         Session-ID-ctx:
>>         Master-Key: A871539A23FD30DB1336B8B95AF50026DEDC0ADA79B80706E9B8CAA5E59E90AFAA2BEC8FA60FCCF32C0415EEA4D6F21B
>>         Key-Arg   : None
>>         Start Time: 1387566603
>>         Timeout   : 7200 (sec)
>>         Verify return code: 19 (self signed certificate in certificate chain)
>
> The verify return code is different -- not sure what the difference
> between 18 and 19 is -- but otherwise things look okay to me.
>
> Is the site public? If so, can you email me the URL privately and I can
> take a look?

Not a public site.

> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: ssl_error_internal_error_alert in tomcat 7
From: mgai...@hotmail.com
To: users@tomcat.apache.org
Subject: RE: ssl_error_internal_error_alert in tomcat 7
Date: Thu, 19 Dec 2013 20:01:49 -0500

> Date: Thu, 19 Dec 2013 15:41:13 -0500
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: ssl_error_internal_error_alert in tomcat 7
>
> Jaya,
>
> On 12/19/13, 2:54 PM, jaya ravindran wrote:
>> I am getting SSL error in firefox when connecting to tomcat server.
>> Apache Tomcat Version 7.0.22 using JSSE configuration
>
> You should really upgrade from your 2-year-old version. Tomcat 7 is on
> version 7.0.47 these days. It's possible something has been fixed.

JR: Cannot upgrade right now.

>> java version 1.6.0_41 using 64 bit.
>> IE and Chrome work fine although I can see the following message in Chrome:
>> "The connection uses SSL 3.0"
>> When I edit firefox and set security.tls.version.max=0, I can get connection.
>> My ssl config is below.

MG: security.tls.version.min = 0 (SSL 3.0);

JR: I want to use TLS 1.0 connections. security.tls.version.max=1 and
security.tls.version.min = 0 is the default setting in firefox. That means it
should support both TLS 1.0 and SSL 3.0, right?

> Do you have any non-default setting for security.enable_ssl3 or
> security.enable_tls?

JR: No

>> Can anyone suggest some possible reasons for this error?
>>
>>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>>                SSLEnabled="true" scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS"
>>                keystoreFile="my.keystore" keystorePass="acdfv123"
>>                truststoreFile="my.keystore" truststorePass="acdfv123"
>>                connectionTimeout="2" redirectPort="18443"
>>                maxThreads="150" maxSpareThreads="75" enableLookups="false"
>>                acceptCount="100" disableUploadTimeout="true"
>>                URIEncoding="UTF-8" server="Apache" />

MG: sslProtocol=SSLv3

> Can you try using OpenSSL's s_client with various options (for TLS
> protocol) to see which ones do and do not work?

JR: I tried with OpenSSL's s_client and got the following

    No client certificate CA names sent
    ---
    SSL handshake has read 1166 bytes and written 303 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1023 bit
    Secure Renegotiation IS supported
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : EDH-RSA-DES-CBC3-SHA
        Session-ID: 52B463FFE2D5638DE0E2AE86EE9AFB0DBD6F6DB4E042C411148491D76D8A4B09
        Session-ID-ctx:
        Master-Key: 4AE6604C872A681708E872C970E4D3BADCE22701A2BE5E43110D0F99C86CA6A04313B3381E914A9BA460849C2C60C7F8
        Key-Arg   : None
        Start Time: 1387553791
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    closed

That means server can do TLSv1. Then why can't it connect with TLS protocol on browsers.

> -chris

MG: https://support.mozilla.org/en-US/questions/963325

JR: Thanks for the answers. I would have posted in firefox forums if I was able
to make TLS 1.0 connection with chrome. But chrome says the connection is SSL 3.0.
RE: ssl_error_internal_error_alert in tomcat 7
> Date: Fri, 20 Dec 2013 14:06:30 -0500
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: ssl_error_internal_error_alert in tomcat 7
>
> Jaya,
>
> On 12/20/13, 10:52 AM, jaya ravindran wrote:
>>     No client certificate CA names sent
>>     ---
>>     SSL handshake has read 1166 bytes and written 303 bytes
>>     ---
>>     New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
>>     Server public key is 1023 bit
>>     Secure Renegotiation IS supported
>>     SSL-Session:
>>         Protocol  : TLSv1
>>         Cipher    : EDH-RSA-DES-CBC3-SHA
>>         Session-ID: 52B463FFE2D5638DE0E2AE86EE9AFB0DBD6F6DB4E042C411148491D76D8A4B09
>>         Session-ID-ctx:
>>         Master-Key: 4AE6604C872A681708E872C970E4D3BADCE22701A2BE5E43110D0F99C86CA6A04313B3381E914A9BA460849C2C60C7F8
>>         Key-Arg   : None
>>         Start Time: 1387553791
>>         Timeout   : 300 (sec)
>>         Verify return code: 18 (self signed certificate)
>>     ---
>>     closed
>>
>> That means server can do TLSv1. Then why can't it connect with TLS
>> protocol on browsers.
>
> Well, you *did* explicitly disable TLS on your web browser, so maybe
> that's why.

I can get TLS1.0 connection to some other sites.

> What if you use openssl s_client -ssl3?

Tried with -ssl3. Got back the following

    SSL handshake has read 3426 bytes and written 284 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : EDH-RSA-DES-CBC3-SHA
        Session-ID: 52B4960B812952824F26DCA6DB67455143F624E615D1CAADA39E2831676944C7
        Session-ID-ctx:
        Master-Key: A871539A23FD30DB1336B8B95AF50026DEDC0ADA79B80706E9B8CAA5E59E90AFAA2BEC8FA60FCCF32C0415EEA4D6F21B
        Key-Arg   : None
        Start Time: 1387566603
        Timeout   : 7200 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)

> -chris
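Chris's two suggestions in this thread, probing the connector with openssl s_client under different protocol flags and checking the server key size, can be scripted so the s_client summary is read mechanically rather than by eye. The POSIX shell script below is an added example, not code from the thread, from Tomcat or from OpenSSL; it assumes an OpenSSL build whose s_client accepts -ssl3, -tls1, -tls1_1 and -tls1_2, and the hostname, port and the two sample outputs in it are constructed so the checks run offline.

```shell
#!/bin/sh
# Added example, not from the thread: drive "openssl s_client" across protocol
# versions and read the handshake summary mechanically (negotiated protocol,
# cipher, server key size, verify code). Host/port for probe_all and the two
# sample outputs below are constructed.

# One handshake with a given protocol flag (-ssl3, -tls1, -tls1_1, -tls1_2).
# Network call; the offline checks below never invoke it.
probe() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1
}

# Pull one field out of s_client output read from stdin.
field() {
    case "$1" in
        protocol) sed -n 's/^ *Protocol *: *//p' ;;
        cipher)   sed -n 's/^ *Cipher *: *//p' ;;
        keybits)  sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' ;;
        verify)   sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' ;;
    esac
}

# Assess one handshake (stdin). Prints FINDING/NOTE lines; returns 0 only when
# no FINDING was raised, 2 when no session was established at all.
assess() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^Server public key is'; then
        echo "NO HANDSHAKE: server did not complete a session for this client setting"
        return 2
    fi
    proto=$(printf '%s\n' "$out" | field protocol)
    cipher=$(printf '%s\n' "$out" | field cipher)
    bits=$(printf '%s\n' "$out" | field keybits)
    verify=$(printf '%s\n' "$out" | field verify)
    n=0
    case "$proto" in
        SSLv2|SSLv3)
            echo "FINDING protocol=$proto: obsolete version; modern clients refuse it"
            n=$((n + 1)) ;;
    esac
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FINDING keybits=${bits:-unknown}: RSA key shorter than 2048 bits"
        n=$((n + 1))
    fi
    case "$cipher" in
        *DES*|*RC4*|*NULL*|*EXP*)
            echo "FINDING cipher=$cipher: weak cipher suite"
            n=$((n + 1)) ;;
    esac
    if [ "${verify:-1}" -ne 0 ]; then
        echo "NOTE verify=$verify: chain not trusted by the local CA store (expected for a self-signed cert)"
    fi
    [ "$n" -eq 0 ]
}

# Try every protocol flag against one endpoint and assess each result.
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        echo "== $flag"
        probe "$1" "$2" "$flag" | assess || true
    done
}

# Constructed samples in the shape s_client prints (not the thread's output).
SAMPLE_SSL3='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 3426 bytes and written 284 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
---'

SAMPLE_OK='CONNECTED(00000003)
---
SSL handshake has read 2600 bytes and written 400 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---'

# Offline run on the constructed samples (real probing: probe_all host 8443).
echo "== constructed SSLv3 handshake"
printf '%s\n' "$SAMPLE_SSL3" | assess || true
echo "== constructed TLSv1 handshake"
printf '%s\n' "$SAMPLE_OK" | assess || true
```

Against a live connector, `probe_all tomcat.example.test 8443` (hostname constructed) prints one block per protocol flag; a NO HANDSHAKE line shows which versions the server does not offer at all, while the FINDING lines correspond to the three things visible in the s_client output quoted in this thread: an SSLv3 session, a key shorter than 2048 bits, and a 3DES cipher suite.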
ssl_error_internal_error_alert in tomcat 7
I am getting SSL error in firefox when connecting to tomcat server.

Apache Tomcat Version 7.0.22 using JSSE configuration
java version 1.6.0_41 using 64 bit.

IE and Chrome work fine although I can see the following message in Chrome:
"The connection uses SSL 3.0"

When I edit firefox and set security.tls.version.max=0, I can get connection.
My ssl config is below. Can anyone suggest some possible reasons for this error?

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="my.keystore" keystorePass="acdfv123"
               truststoreFile="my.keystore" truststorePass="acdfv123"
               connectionTimeout="2" redirectPort="18443"
               maxThreads="150" maxSpareThreads="75" enableLookups="false"
               acceptCount="100" disableUploadTimeout="true"
               URIEncoding="UTF-8" server="Apache" />

Thanks
JR