Re: SSL Session Reuse in APR based connector

2015-11-27 Thread Sanaullah
Thanks Chris.

On Thu, Nov 26, 2015 at 11:12 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Sanaullah,
>
> On 11/26/15 11:21 AM, Sanaullah wrote:
> > We are currently running Tomcat 8 and I am trying to achieve higher
> > performance. One of the processes is to use SSL session reuse, which will
> > reduce the CPU-intensive computation.
> >
> > Can someone let me know if it's supported for the APR-based connector, and also
> > let me know the right parameter to use?
>
> Are you talking about "session tickets"?
>
> I don't believe Tomcat supports session tickets using any SSL connector.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


SSL Session Reuse in APR based connector

2015-11-26 Thread Sanaullah
Hi,

We are currently running Tomcat 8 and I am trying to achieve higher
performance. One of the processes is to use SSL session reuse, which will
reduce the CPU-intensive computation.

Can someone let me know if it's supported for the APR-based connector, and also
let me know the right parameter to use?

Regards,
Sanaullah
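
Whether the connector actually resumes sessions can be measured from the client side with openssl s_client -reconnect, which does one full handshake and then reconnects five times offering the same session. The script below is an added example for this thread, not code from the original posts or from Tomcat; the host and port are placeholders and the two sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Added example: check whether a TLS endpoint actually resumes sessions.
# `openssl s_client -reconnect` performs the initial handshake and then
# reconnects five more times offering the same session; each connection
# reports "New, ..." (full handshake) or "Reused, ..." (abbreviated one).
# Nothing here is Tomcat code; HOST/PORT are placeholders you supply.

# Summarise s_client output read from stdin: prints
#   "<new> <reused> <tickets>", e.g. "1 5 0" for a server that
# resumes by session ID and never issued a session ticket.
resumption_summary() {
  awk '
    /^New, /               { new++ }
    /^Reused, /            { reused++ }
    /TLS session ticket:/  { tickets++ }
    END { printf "%d %d %d\n", new, reused, tickets }
  '
}

# Run the real check against a server (needs network and openssl).
# -no_ticket forces resumption by session ID alone, which is the
# mechanism an OpenSSL-backed (APR) connector relies on when tickets
# are not in use.
check_resumption() {  # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -reconnect -no_ticket </dev/null 2>/dev/null \
    | resumption_summary
}

# Constructed sample of the lines that matter from an s_client -reconnect run
# (real output carries the certificate and session dumps as well).
SAMPLE_RESUMING='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_NO_RESUMPTION='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_RESUMING"      | resumption_summary   # 1 5 0
printf '%s\n' "$SAMPLE_NO_RESUMPTION" | resumption_summary   # 6 0 0
```

Run `check_resumption host 8443` against the real server: `1 5 0` means session-ID resumption works without tickets, `6 0 0` means every connection paid for a full handshake, and a non-zero third field means the server issued session tickets, which is what Chris's answer says Tomcat does not do. One caveat independent of Tomcat: a server that does issue tickets encrypts them with a key that outlives every session it resumes, so that key must be rotated or forward secrecy degrades to the lifetime of the key.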


Re: Tomcat 7 and APR connector parameters

2015-09-21 Thread Sanaullah
Hi Igor,

I think you need to add the protocol attribute to the connector
configuration so that it will load the connector with APR:

protocol="org.apache.coyote.http11.Http11AprProtocol"

If the PATH (Windows) or LD_LIBRARY_PATH (on most unix systems)
environment variables contain the Tomcat native library, the
APR/native connector will be used. If the native library cannot be
found, the blocking Java based connector will be used. Note that the
APR/native connector has different settings for HTTPS than the Java
connectors.

You can verify this in the protocol attribute documentation here [1]:

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Regards,

Sanaullah



On Mon, Sep 21, 2015 at 12:37 PM, Igor Cicimov <icici...@gmail.com> wrote:

> Hi all,
>
> After enabling the APR/Native connector I can see the following warning
> messages upon tomcat restart:
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLDisableCompression' to 'true' did not find a matching property.
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLHonorCipherOrder' to 'true' did not find a matching property.
>
> although I can see those options available in the documentation:
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> The relevant config in server.xml:
>
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>
> <Connector ... scheme="https" secure="true" SSLEnabled="true"
>            SSLDisableCompression="true"
>            SSLProtocol="all"
>            SSLHonorCipherOrder="true"
>            SSLCipherSuite="EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
>                            EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
>                            EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
>            SSLCertificateChainFile="${catalina.base}/conf/cachain.pem"
>            SSLCertificateFile="${catalina.base}/conf/star.pem"
>            SSLCertificateKeyFile="${catalina.base}/conf/star_key.pem" />
>
> Am I missing something or am I maybe hitting some limitation related to
> tomcat/apr/tcnative version?
>
>
> OS: Ubuntu 12.04.5 LTS
> Tomcat: 7.0.26 (Ubuntu repository)
> openssl: 1.0.1-4ubuntu5.31
> libtcnative-1: 1.1.22-1build1
>
> Thanks,
> Igor
>
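
The warnings Igor quotes come from Tomcat's digester: every Connector attribute is applied by calling a setter of the same name on the protocol handler, and an attribute with no setter is reported as "did not find a matching property" and then ignored, so the connector starts with the default for that setting. The following is an added example, not from the thread or from Tomcat: it lists the SSL* attributes a Connector uses and compares them with the setters javap finds in the installed tomcat-coyote.jar. Paths, the sample connector and the javap listing are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Tomcat): find out which SSL*
# attributes on an APR <Connector> the installed Tomcat build does not
# know about. Tomcat's digester maps an attribute Foo to a setFoo(...)
# method on the protocol handler; when no such setter exists it logs
# "Setting property 'Foo' to '...' did not find a matching property"
# and ignores the value. Paths and the javap output below are
# assumptions/constructed for the demo.

# SSL* attributes used on Connector elements in a server.xml fragment.
connector_ssl_attrs() {   # $1 = file holding the Connector element
  grep -o 'SSL[A-Za-z]*="' "$1" | sed 's/="$//' | sort -u
}

# Setter names declared by the protocol handler, from `javap` output.
# javap lists only the members a class declares itself, so run it on the
# parent class too (in Tomcat 7, AbstractHttp11Protocol declares
# setSSLEnabled) and concatenate the output before feeding it here.
supported_ssl_attrs() {   # $1 = file with javap output
  grep -o 'setSSL[A-Za-z]*(' "$1" | sed -e 's/^set//' -e 's/($//' | sort -u
}

# Attributes present in the connector but without a setter.
unsupported_ssl_attrs() { # $1 = connector file, $2 = javap output
  used=$(mktemp) && have=$(mktemp) || return 1
  connector_ssl_attrs "$1" > "$used"
  supported_ssl_attrs "$2" > "$have"
  comm -23 "$used" "$have"
  rm -f "$used" "$have"
}

# Real run (assumed Tomcat 7 layout; javap ships with the JDK):
#   for c in Http11AprProtocol AbstractHttp11Protocol; do
#     javap -cp "$CATALINA_HOME/lib/tomcat-coyote.jar" org.apache.coyote.http11.$c
#   done > /tmp/apr-setters.txt
#   unsupported_ssl_attrs /tmp/connector.xml /tmp/apr-setters.txt

# Constructed sample: the connector from the thread and a javap listing
# that lacks the two setters the warnings complain about.
write_samples() {  # $1 = directory
  cat > "$1/connector.xml" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           scheme="https" secure="true" SSLEnabled="true"
           SSLDisableCompression="true" SSLProtocol="all"
           SSLHonorCipherOrder="true" SSLCipherSuite="HIGH:!aNULL:!RC4"
           SSLCertificateFile="conf/star.pem" />
EOF
  cat > "$1/setters.txt" <<'EOF'
public class org.apache.coyote.http11.Http11AprProtocol extends org.apache.coyote.http11.AbstractHttp11Protocol {
  public void setSSLProtocol(java.lang.String);
  public void setSSLCipherSuite(java.lang.String);
  public void setSSLCertificateFile(java.lang.String);
}
public abstract class org.apache.coyote.http11.AbstractHttp11Protocol extends org.apache.coyote.AbstractProtocol {
  public void setSSLEnabled(boolean);
}
EOF
}

# Stand-alone demo on the constructed sample.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
unsupported_ssl_attrs "$demo_dir/connector.xml" "$demo_dir/setters.txt"
# prints:
# SSLDisableCompression
# SSLHonorCipherOrder
rm -rf "$demo_dir"
```

Feed only the Connector element (a copy of it is fine) to connector_ssl_attrs: the AprLifecycleListener's SSLEngine attribute in a full server.xml would otherwise be reported as unsupported. Anything the check prints is a setting the server is silently running without; for SSLHonorCipherOrder that means OpenSSL falls back to its default of letting the client pick the cipher suite.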


Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Sanaullah
Hi Nikitha,

Run the sslscan tool from the command line, or openssl s_client in debug mode:
https://github.com/rbsec/sslscan

Regards,
Sanaullah

On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny nikki.be...@gmail.com wrote:

 Hi Mark,

 My server is not on a public domain.
 How can I verify the setup which is on a private network?

 Regards,
 Nikitha

 On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas ma...@apache.org wrote:

  On 05/08/2015 07:32, Nikitha Benny wrote:
   Hi Mark,
  
   When I try to run Tomcat on the https server port:
  
    https://ip address:8444/
   
    It says as below:
    --
   
    SSL connection error
   
    ERR_SSL_PROTOCOL_ERROR
   
    Unable to make a secure connection to the server. This may be a
  problem
    with the server, or it may be requiring a client authentication
   certificate
    that you don't have
 
  That is the client side. What about server side logs?
 
   We have set the client authentication to False, so it does not need any
   client authorized certificate.
 
  I recommend you run https://www.ssllabs.com/ssltest/ against your
  server. That will tell you if you have a server side issue, a client
  side issue or simply a mismatch between the two.
 
  Mark
 
  
   Regards,
   Nikitha
  
   On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny nikki.be...@gmail.com
   wrote:
  
   But still Tomcat does not run on the https port.
  
   As in, when we run Tomcat on the https server port it does not display
  the
   page.
   Where as it goes through fine on the http port. The url opens.
  
  
  
   On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas ma...@apache.org wrote:
  
   On 04/08/2015 13:19, Nikitha Benny wrote:
   Hello Mark,
  
   Thanks for your valuable suggestion.
  
   We were successful in creating the pkcs12 keystore which picks up
   SHA256 as
   shown below:
  
   snip/
  
   But still Tomcat does not run on the https port.
  
   Define does not run.
  
   Any clue as to why this happens?
  
   Based on the information provided so far, no.
  
   The protocol I am using is*
  org.apache.coyote.http11.Http11Protocol.*
  
   OK. That is the HTTP BIO connector.
  
   Could it be because I am not using an APR connector protocol?
  
   No.
  
   Mark
  
  
  
  
  
  
 
 
 
 



Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Sanaullah
Run this command with debugging output:

openssl s_client -connect 16.183.93.84:8444 -debug -msg

 Protocol  : TLSv1.2
 Cipher    :
It seems something is broken, as there is no cipher.

Regards,
Sanaullah



On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny nikki.be...@gmail.com wrote:

 Hi Mark, Sanaullah,

 Thank you for your valuable suggestion.

 I just ran the openssl s_client scan, and it looks like the server side is
 running fine on *TLSv1.2* Protocol.

 [root]# openssl s_client -connect 16.183.93.84:8444
 CONNECTED(0003)
 - - -  - -  - -
 - - -  - -  - -
 - - -  - -  - -
 - - -  - -  - -

 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
 dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
 Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
 d/A4
 -END CERTIFICATE-
 subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
 IWFVM01284.hpswlabs.adapps.hp.com
 issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
 IWFVM01284.hpswlabs.adapps.hp.com
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 1476 bytes and written 7 bytes
 ---
 New, (NONE), Cipher is (NONE)
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol  : TLSv1.2
 Cipher    :
 Session-ID:
 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
 Session-ID-ctx:
 Master-Key:
 Key-Arg   : None
 Krb5 Principal: None
 PSK identity: None
 PSK identity hint: None
 Start Time: 1438771286
 Timeout   : 300 (sec)
 Verify return code: 18 (self signed certificate)

 So could it be an issue with the browser?
 Since the browser is not FIPS compliant, could it be the reason for the
 issue?


 Regards,
 Nikitha

 On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah sanaulla...@gmail.com wrote:

  Hi Nikhita,
 
  run the sslscan tool from the command line or openssl s_client in debug
  mode
  https://github.com/rbsec/sslscan
 
  Regards,
  Sanaullah
 
  On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny nikki.be...@gmail.com
  wrote:
 
   Hi Mark,
  
   My server is not on a public domain.
   How can i verify the setup which is on a private network?
  
   Regards,
   Nikitha
  
   On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas ma...@apache.org wrote:
  
On 05/08/2015 07:32, Nikitha Benny wrote:
 Hi Mark,

 When I try to run Tomcat on the https server port:

 *https://ip address:8444/*

 It says as below:
 --

 *SSL connection error*

 *ERR_SSL_PROTOCOL_ERROR*

 *Unable to make a secure connection to the server. This may be a
   problem
 with the server, or it may be requiring a client authentication
certificate
 that you don't have*
 **
   
That is the client side. What about server side logs?
   
 We have set the client authentication to False, so it does not need
  any
 client authorized certificate.
   
I recommend you run https://www.ssllabs.com/ssltest/ against your
server. That will tell you if you have a server side issue, a client
side issue or simply a mismatch between the two.
   
Mark
   

 Regards,
 Nikitha

 On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny 
  nikki.be...@gmail.com
 wrote:

 But still Tomcat does not run on the https port.

 As in, when we run Tomcat on the https server port it does not
  display
the
 page.
 Where as it goes through fine on the http port. The url opens.



 On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas ma...@apache.org
  wrote:

 On 04/08/2015 13:19, Nikitha Benny wrote:
 Hello Mark,

 Thanks for your valuable suggestion.

 We were successful in creating the pkcs12 keystore which picks
 up
 SHA256 as
 shown below:

 snip/

 But still Tomcat does not run on the https port.

 Define does not run.

 Any clue as to why this happens?

 Based on the information provided so far, no.

 The protocol I am using is*
org.apache.coyote.http11.Http11Protocol.*

 OK. That is the HTTP BIO connector.

 Could it be because I am not using an APR connector protocol?

 No.

 Mark







   
   
   
   
  
 



Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Sanaullah
If you remove the entire ciphers attribute from server.xml, then by
default the SSL/TLS session picks the best available cipher for the SSL/TLS
handshake version.





On Wed, Aug 5, 2015 at 4:10 PM, Nikitha Benny nikki.be...@gmail.com wrote:

 Hi Sanaullah,

 That is because we have removed the entire ciphers attribute from the
 server.xml file.
 But that should be fine as the non complaint FIPS also has the cipher
 attribute removed and it shows the similar client to server conection and
 runs fine.

 Regards,
 Nikitha

 On Wed, Aug 5, 2015 at 4:28 PM, Sanaullah sanaulla...@gmail.com wrote:

  run this command with debugging prints.
 
  openssl s_client -connect 16.183.93.84:8444 -debug -msg
 
    Protocol  : TLSv1.2
    Cipher    :
   It seems something is broken, as there is no cipher.
 
  Regards,
  Sanaullah
 
 
 
  On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny nikki.be...@gmail.com
  wrote:
 
   Hi Mark, Sanaullah,
  
   Thank you for your valuable suggestion.
  
   I just ran the openssl s_client scan, and it looks like the server side
  is
   running fine on *TLSv1.2* Protocol.
  
   [root]## *openssl s_client -connect 16.183.93.84:8444
   http://16.183.93.84:8444*
   CONNECTED(0003)
   - - -  - -  - -
   - - -  - -  - -
   - - -  - -  - -
   - - -  - -  - -
  
   9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
   dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
   Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
   d/A4
   -END CERTIFICATE-
   subject=/C=US/ST=California/L=Palo
 Alto/O=Hewlett-Packard/OU=OpenView/CN=
   IWFVM01284.hpswlabs.adapps.hp.com
   issuer=/C=US/ST=California/L=Palo
 Alto/O=Hewlett-Packard/OU=OpenView/CN=
   IWFVM01284.hpswlabs.adapps.hp.com
   ---
   No client certificate CA names sent
   ---
   SSL handshake has read 1476 bytes and written 7 bytes
   ---
   New, (NONE), Cipher is (NONE)
   Server public key is 2048 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
   Protocol  : *TLSv1.2*
   Cipher: 
   Session-ID:
   55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
   Session-ID-ctx:
   Master-Key:
   Key-Arg   : None
   Krb5 Principal: None
   PSK identity: None
   PSK identity hint: None
   Start Time: 1438771286
   Timeout   : 300 (sec)
   Verify return code: 18 (self signed certificate)
  
   So could it be an issue with the browser?
   Since the browser is not FIPS compliant, could it be the reason for the
   issue?
  
  
   Regards,
   Nikitha
  
   On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah sanaulla...@gmail.com
 wrote:
  
Hi Nikhita,
   
run the sslscan tool from the command line or openssl s_client in
 debug
mode
https://github.com/rbsec/sslscan
   
Regards,
Sanaullah
   
On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny nikki.be...@gmail.com
 
wrote:
   
 Hi Mark,

 My server is not on a public domain.
 How can i verify the setup which is on a private network?

 Regards,
 Nikitha

 On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas ma...@apache.org
  wrote:

  On 05/08/2015 07:32, Nikitha Benny wrote:
   Hi Mark,
  
   When I try to run Tomcat on the https server port:
  
   *https://ip address:8444/*
  
   It says as below:
   --
  
   *SSL connection error*
  
   *ERR_SSL_PROTOCOL_ERROR*
  
   *Unable to make a secure connection to the server. This may be
 a
 problem
   with the server, or it may be requiring a client authentication
  certificate
   that you don't have*
   **
 
  That is the client side. What about server side logs?
 
   We have set the client authentication to False, so it does not
  need
any
   client authorized certificate.
 
  I recommend you run https://www.ssllabs.com/ssltest/ against
 your
  server. That will tell you if you have a server side issue, a
  client
  side issue or simply a mismatch between the two.
 
  Mark
 
  
   Regards,
   Nikitha
  
   On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny 
nikki.be...@gmail.com
   wrote:
  
   But still Tomcat does not run on the https port.
  
   As in, when we run Tomcat on the https server port it does not
display
  the
   page.
   Where as it goes through fine on the http port. The url opens.
  
  
  
   On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas ma...@apache.org
 
wrote:
  
   On 04/08/2015 13:19, Nikitha Benny wrote:
   Hello Mark,
  
   Thanks for your valuable suggestion.
  
   We were successful in creating the pkcs12 keystore which
 picks
   up
   SHA256 as
   shown below:
  
   snip/
  
   But still Tomcat does not run on the https port.
  
   Define does
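
As an added example for this thread (not part of the original messages): a small function that turns s_client output into a verdict. The "New, (NONE), Cipher is (NONE)" line in Nikitha's output is the decisive one; the Protocol line only says which version the ServerHello selected, not that a cipher suite was agreed and keys were derived. The sample outputs are constructed to mirror the thread; the host is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not part of the thread): turn `openssl s_client` output
# into a one-line verdict. "Cipher is (NONE)" means the server never
# completed a handshake with us, whatever the Protocol line says.
# The sample text below is constructed to mirror the thread's output;
# the host is a placeholder.

# Reads s_client output on stdin and prints one of:
#   handshake-failed
#   ok <protocol> <cipher> [self-signed]
tls_verdict() {
  awk '
    /^New, |^Reused, / {
      # e.g. "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
      #  or  "New, (NONE), Cipher is (NONE)"
      sub(/.*Cipher is /, ""); cipher = $0
    }
    /^ *Protocol *:/           { sub(/^ *Protocol *: */, ""); proto = $0 }
    /^ *Verify return code: 18 / { selfsigned = 1 }
    END {
      if (cipher == "" || cipher == "(NONE)") { print "handshake-failed"; exit }
      printf "ok %s %s%s\n", proto, cipher, (selfsigned ? " self-signed" : "")
    }
  '
}

# Real run: the -msg flag Sanaullah suggests prints each handshake record,
# so a failure shows the server's alert instead of just an empty cipher.
check_endpoint() {  # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -msg </dev/null 2>&1 | tls_verdict
}

# Constructed sample 1: shape of the output quoted in the thread.
SAMPLE_BROKEN='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 18 (self signed certificate)'

# Constructed sample 2: a completed handshake.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_BROKEN" | tls_verdict   # handshake-failed
printf '%s\n' "$SAMPLE_OK"     | tls_verdict   # ok TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
```

When the verdict is handshake-failed, rerun with -msg as Sanaullah suggests and look at the last record the server sent: an Alert there (handshake_failure, for instance) names the reason from the server's point of view and is what to match against the server-side logs Mark asked for.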

Re: Setting SSL in Tomcat 7.0

2015-07-12 Thread Sanaullah
Hi Joby,

Where is your keystore file ?

keytool error: java.lang.Exception: Keystore file does not exist:
.keystore

The error is self-explanatory: the keystore file does not exist. Could you
share your server.xml configuration and also let us know the steps you
followed to create the keystore?

Regards,
Sanaullah

On Sun, Jul 12, 2015 at 2:23 AM, Joby J. Joseph jjos...@bankboubyan.com
wrote:

  Hi,



 I need a help for setting up the SSL in Tomcat Server 7.0.



 I have created keystore and changed the server.xml file. But, I am getting
 the following exception.



 Screen for creating the keystore.





 After this, I did a listing for the keystore values. It shows an error.



 keytool -list -keystore .keystore

 and it gives..
 keytool error: java.lang.Exception: Keystore file does not exist: .keystore



 Any suggestion this error.

 Where is the keystore file located.





 Thanks in advance…







  Joby J. Joseph

  Systems Engineer -  Application Support







Re: Setting SSL in Tomcat 7.0

2015-07-12 Thread Sanaullah
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
I don't know what the output of the above command was when it ran, or
whether it executed successfully or not.

You can follow the example below. I am using a Linux machine.

root@ubuntu:/home/sanaullah# keytool -genkey -alias tomcat -keyalg RSA

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  PK
What is the name of your organizational unit?
  [Unknown]:  test
What is the name of your organization?
  [Unknown]:  test
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=PK, OU=test, O=test, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for tomcat
(RETURN if same as keystore password):
root@ubuntu:/home/sanaullah# ls
root@ubuntu:/home/sanaullah# ls /root/.keystore

As I was running the keytool command as the root user, the keystore was
created in /root/.keystore. You must find the file somewhere on Windows, set
its path in the connector configuration, and also set its password:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Regards,
Sanaullah





On Sun, Jul 12, 2015 at 2:42 AM, Joby J. Joseph jjos...@bankboubyan.com
wrote:

 Hi,

 Thanks for the reply.
 I have followed the same steps provided by the tomcat documentation.

 https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration


 First I created the keystore file by executing the command ...

 %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

 Then I added it in the config file.

 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
            port="8443" maxThreads="200"
            scheme="https" secure="true" SSLEnabled="true"
            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
            clientAuth="false" sslProtocol="TLS"/>

 Here. I got the error as...



 SEVERE: Failed to load keystore type JKS with path
 C:\Windows\system32\config\systemprofile/.keystore due to
 C:\Windows\system32\config\systemprofile\.keystore (The system cannot find
 the file specified)
 java.io.FileNotFoundException:
 C:\Windows\system32\config\systemprofile\.keystore (The system cannot find
 the file specified)
 at java.io.FileInputStream.open(Native Method)
 at java.io.FileInputStream.init(Unknown Source)
 at
 org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:400)
 at
 org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
 at
 org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
 at
 org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
 at
 org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:490)
 at
 org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
 at
 org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
 at
 org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
 at
 org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
 at
 org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at
 org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
 at
 org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at
 org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
 at
 org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)


 So, I did a listing of the keystore file and I got the error as Keystore
 file does not exist.



  Joby J. Joseph
  Systems Engineer -  Application Support



 -Original Message-
 From: Sanaullah [mailto:sanaulla...@gmail.com]
 Sent: 12/07/2015 12:37 PM
 To: Tomcat Users List
 Subject: Re: Setting SSL in Tomcat 7.0

 Hi Joby,

 Where is your keystore file ?

 keytool error: java.lang.Exception: Keystore file does not exist:
 .keystore

 The Error is self explanatory, Keystore
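
The stack trace in Joby's message shows what ${user.home} resolves to when Tomcat runs as a Windows service: C:\Windows\system32\config\systemprofile, a home directory nobody ran keytool in. The script below is an added example, not Tomcat's or the thread's own code: it creates the keystore at an explicit path, verifies the entry with keytool -list, and prints the matching Connector. Alias, DN, password and paths are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from the Tomcat docs): create the
# keystore at an explicit path instead of ${user.home}/.keystore. When
# Tomcat runs as a Windows service, user.home is
# C:\Windows\system32\config\systemprofile, not the folder of the person
# who ran keytool. Alias, DN, password and paths are assumptions.

# Tomcat resolves ${catalina.base} in keystoreFile, so placing the file
# under conf/ keeps it with the rest of the instance configuration.
create_tomcat_keystore() {  # $1 = keystore path, $2 = store password, $3 = CN
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
          -sigalg SHA256withRSA -validity 365 \
          -dname "CN=$3, OU=test, O=test, C=PK" \
          -storetype PKCS12 -keystore "$1" -storepass "$2" -keypass "$2" \
    && chmod 600 "$1"        # only the Tomcat account should read the private key
}

# Verify the alias exists and is a private-key entry, which is what the
# connector needs (keytool -list on the wrong path is the error Joby hit).
keystore_has_private_key() {  # $1 = keystore path, $2 = store password, $3 = alias
  keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" 2>/dev/null \
    | grep -q "^$3,.*PrivateKeyEntry"
}

# The connector fragment that goes with the file created above.
connector_fragment() {  # $1 = keystoreFile value as Tomcat should see it, $2 = password
  cat <<EOF
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="$1" keystoreType="PKCS12" keystorePass="$2"
           clientAuth="false" sslProtocol="TLS"/>
EOF
}

# Stand-alone demo (needs a JDK on PATH; the catalina.base path is a placeholder).
if command -v keytool >/dev/null 2>&1; then
  demo=$(mktemp -d)
  create_tomcat_keystore "$demo/keystore.p12" changeit localhost
  keystore_has_private_key "$demo/keystore.p12" changeit tomcat && echo "keystore OK"
  connector_fragment '${catalina.base}/conf/keystore.p12' changeit
  rm -rf "$demo"
fi
```

Tomcat 7 defaults keystoreType to JKS, so a PKCS12 file needs the keystoreType attribute. The password in server.xml is the same plaintext secret whichever store format you choose; restricting read access on both files to the Tomcat account matters more than the format.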

Re: Problem with APR library - Tomcat 7

2015-05-19 Thread Sanaullah
So where did you specify your APR lib path for Tomcat?

You can set the APR lib path in setenv.sh in the Tomcat bin folder:

# javax.net.debug=all dumps every TLS record to the log; troubleshooting only
JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=all"
CATALINA_OPTS="-Djava.library.path=/usr/lib/x86_64-linux-gnu/apr/lib"

You should verify the path and restart Tomcat again; maybe you need to
compile apr-util as well.


On Tue, May 19, 2015 at 6:31 PM, Dejan Stamenov dejanstameno...@outlook.com
 wrote:

 Hello Chris,

 First, I have downloaded the APR library from here:
 http://apache.sunsite.ualberta.ca/apr/apr-1.5.2.tar.gz  . Following this
 tutorial:
 http://www.techsww.com/tutorials/libraries/apr/installation/installing_apache_portable_runtime_library_on_ubuntu_linux.php
 , I have installed this library into /usr/lib/x86_64-linux-gnu.
 After that, I have downloaded the tcnative library from the links Mark
 provided. Also, following the same links I run this config command:
 ./configure --with-apr=/usr/lib/x86_64-linux-gnu
 --with-java-home=/usr/lib/jvm/java-7-openjdk-amd64
 --with-ssl=yes
 --prefix=/usr/lib/x86_64-linux-gnu

 That --prefix location is where the error log file is expecting for the
 library to be found.
 Here is the error log:

 May 19, 2015 2:59:58 PM org.apache.catalina.startup.Catalina load
 INFO: Initialization processed in 1973 ms
 May 19, 2015 2:59:58 PM org.apache.catalina.core.StandardService
 startInternal
 INFO: Starting service Catalina
 May 19, 2015 2:59:58 PM org.apache.catalina.core.StandardEngine
 startInternal
 INFO: Starting Servlet Engine: Apache Tomcat/7.0.52 (Ubuntu)
 May 19, 2015 2:59:58 PM org.apache.catalina.startup.HostConfig
 deployDirectory
 INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
 May 19, 2015 3:00:02 PM org.apache.coyote.AbstractProtocol start
 INFO: Starting ProtocolHandler [http-bio-8080]
 May 19, 2015 3:00:02 PM org.apache.catalina.startup.Catalina start
 INFO: Server startup in 4014 ms
 May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol pause
 INFO: Pausing ProtocolHandler [http-bio-8080]
 May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol pause
 INFO: Pausing ProtocolHandler [http-apr-8443]
 May 19, 2015 3:06:39 PM org.apache.catalina.core.StandardService
 stopInternal
 INFO: Stopping service Catalina
 May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol stop
 INFO: Stopping ProtocolHandler [http-bio-8080]
 May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol destroy
 INFO: Destroying ProtocolHandler [http-bio-8080]
 May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol stop
 INFO: Stopping ProtocolHandler [http-apr-8443]
 May 19, 2015 3:06:39 PM org.apache.coyote.AbstractProtocol destroy
 INFO: Destroying ProtocolHandler [http-apr-8443]
 May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 WARNING: Problem with directory [/usr/share/tomcat7/common/classes],
 exists: [false], isDirectory: [false], canRead: [false]
 May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 WARNING: Problem with directory [/usr/share/tomcat7/common], exists:
 [false], isDirectory: [false], canRead: [false]
 May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 WARNING: Problem with directory [/usr/share/tomcat7/server/classes],
 exists: [false], isDirectory: [false], canRead: [false]
 May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 WARNING: Problem with directory [/usr/share/tomcat7/server], exists:
 [false], isDirectory: [false], canRead: [false]
 May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 WARNING: Problem with directory [/usr/share/tomcat7/shared/classes],
 exists: [false], isDirectory: [false], canRead: [false]
 May 19, 2015 3:07:08 PM org.apache.catalina.startup.ClassLoaderFactory
 validateFile
 WARNING: Problem with directory [/usr/share/tomcat7/shared], exists:
 [false], isDirectory: [false], canRead: [false]
 May 19, 2015 3:07:09 PM org.apache.catalina.core.AprLifecycleListener init
 INFO: The APR based Apache Tomcat Native library which allows optimal
 performance in production environments was not found on the
 java.library.path:
 /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
 May 19, 2015 3:07:10 PM org.apache.coyote.AbstractProtocol init
 INFO: Initializing ProtocolHandler [http-bio-8080]
 May 19, 2015 3:07:10 PM org.apache.catalina.core.StandardService
 initInternal
 SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component
 [Connector[HTTP/1.1-8443]]
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
 at
 org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
 at
 

Re: Problem with APR library - Tomcat 7

2015-05-19 Thread Sanaullah
I think on Ubuntu/Debian you can create the file at
/usr/share/tomcat7/bin/setenv.sh, but you still have to explore, as I am not
using the deb package for the Tomcat installation.

On Tue, May 19, 2015 at 6:58 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Dejan,

 On 5/19/15 9:45 AM, Dejan Stamenov wrote:
  I have wrote in the message before, I have specified it at:
  /usr/lib/x86_64-linux-gnu. In this folder, I can see libapr-1.so,
  libapr-1.so.0.5.1. and libarputil-1.so.0.5.3 too.

 How about libtcnative?

  About the Tomcat /bin folder, it doesn't exist on my Tomcat path:
  /etc/tomcat7. Should I create it, including the file too?

 That's not necessary.

  When I do a search for the setenv.sh file, I can't find it either.

 Tomcat doesn't ship with a setenv.sh file. If you want to use one,
 you'll have to create it yourself. If you are using a package-managed
 version of Tomcat, those files could be anywhere. When using a
 standard Tomcat package downloaded from apache.org (or a mirror), then
 setenv.sh should be in CATALINA_BASE/bin/setenv.sh if you'd like to
 create one.

 Note that some methods for launching Tomcat ignore setenv.sh (like
 using jsvc, for instance). Make sure you know what you are doing
 before you do it.

 - -chris

  Date: Tue, 19 May 2015 18:38:23 +0500 Subject: Re: Problem with
  APR library - Tomcat 7 From: sanaulla...@gmail.com To:
  users@tomcat.apache.org
 
  so where did you specify your Apr lib path for tomcat?
 
  you can set the Apr lib path in setenv.sh in tomcat bin folder
 
  JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=all"
  CATALINA_OPTS="-Djava.library.path=/usr/lib/x86_64-linux-gnu/apr/lib"
 
 
 
 you should verify the path and restart the tomcat again also may be you
  need to compile the apr-utils as well
 
 
  On Tue, May 19, 2015 at 6:31 PM, Dejan Stamenov
  dejanstameno...@outlook.com
  wrote:
 
  Hello Chris,
 
  First, I have downloaded the APR library from here:
  http://apache.sunsite.ualberta.ca/apr/apr-1.5.2.tar.gz  .
  Following this tutorial:
  http://www.techsww.com/tutorials/libraries/apr/installation/installi
 ng_apache_portable_runtime_library_on_ubuntu_linux.php
 
 
 
 , I have installed this library into /usr/lib/x86_64-linux-gnu.
  After that, I have downloaded the tcnative library from the
  links Mark provided. Also, following the same links I run this
  config command: ./configure
  --with-apr=/usr/lib/x86_64-linux-gnu
  --with-java-home=/usr/lib/jvm/java-7-openjdk-amd64
  --with-ssl=yes --prefix=/usr/lib/x86_64-linux-gnu
 
  That --prefix location is where the error log file is
  expecting for the library to be found. Here is the error log:
 
  May 19, 2015 2:59:58 PM org.apache.catalina.startup.Catalina
  load INFO: Initialization processed in 1973 ms May 19, 2015
  2:59:58 PM org.apache.catalina.core.StandardService
  startInternal INFO: Starting service Catalina May 19, 2015
  2:59:58 PM org.apache.catalina.core.StandardEngine
  startInternal INFO: Starting Servlet Engine: Apache
  Tomcat/7.0.52 (Ubuntu) May 19, 2015 2:59:58 PM
  org.apache.catalina.startup.HostConfig deployDirectory INFO:
  Deploying web application directory
  /var/lib/tomcat7/webapps/ROOT May 19, 2015 3:00:02 PM
  org.apache.coyote.AbstractProtocol start INFO: Starting
  ProtocolHandler [http-bio-8080] May 19, 2015 3:00:02 PM
  org.apache.catalina.startup.Catalina start INFO: Server
  startup in 4014 ms May 19, 2015 3:06:39 PM
  org.apache.coyote.AbstractProtocol pause INFO: Pausing
  ProtocolHandler [http-bio-8080] May 19, 2015 3:06:39 PM
  org.apache.coyote.AbstractProtocol pause INFO: Pausing
  ProtocolHandler [http-apr-8443] May 19, 2015 3:06:39 PM
  org.apache.catalina.core.StandardService stopInternal INFO:
  Stopping service Catalina May 19, 2015 3:06:39 PM
  org.apache.coyote.AbstractProtocol stop INFO: Stopping
  ProtocolHandler [http-bio-8080] May 19, 2015 3:06:39 PM
  org.apache.coyote.AbstractProtocol destroy INFO: Destroying
  ProtocolHandler [http-bio-8080] May 19, 2015 3:06:39 PM
  org.apache.coyote.AbstractProtocol stop INFO: Stopping
  ProtocolHandler [http-apr-8443] May 19, 2015 3:06:39 PM
  org.apache.coyote.AbstractProtocol destroy INFO: Destroying
  ProtocolHandler [http-apr-8443] May 19, 2015 3:07:08 PM
  org.apache.catalina.startup.ClassLoaderFactory validateFile
  WARNING: Problem with directory
  [/usr/share/tomcat7/common/classes], exists: [false],
  isDirectory: [false], canRead: [false] May 19, 2015 3:07:08 PM
  org.apache.catalina.startup.ClassLoaderFactory validateFile
  WARNING: Problem with directory [/usr/share/tomcat7/common],
  exists: [false], isDirectory: [false], canRead: [false] May
  19, 2015 3:07:08 PM
  org.apache.catalina.startup.ClassLoaderFactory validateFile
  WARNING: Problem with directory
  [/usr/share/tomcat7/server/classes], exists: [false],
  isDirectory: [false], canRead: [false] May 19, 2015 3:07:08 PM
  org.apache.catalina.startup.ClassLoaderFactory 
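
The INFO line in Dejan's log lists, colon-separated, exactly the directories the JVM searched for libtcnative-1.so. The following is an added example (not from the thread): it checks each of those directories for the library and prints the setenv.sh line for the one that has it. The logged path is copied from the message above; the demo directory and its empty library file are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check each directory on the
# java.library.path that AprLifecycleListener printed for the Tomcat
# Native shared object, and emit the setenv.sh line that points Tomcat at
# the directory that actually has it.

# Print every directory in a colon-separated path that contains the
# library file (the log prints the path exactly in this form).
dirs_with_lib() {  # $1 = library file name, $2 = colon-separated path
  oldifs=$IFS; IFS=:
  for d in $2; do
    [ -n "$d" ] && [ -e "$d/$1" ] && printf '%s\n' "$d"
  done
  IFS=$oldifs
}

# setenv.sh content for a given library directory. catalina.sh sources
# setenv.sh, so no `export` is needed; CATALINA_OPTS (unlike JAVA_OPTS)
# is only used for start/run, not for stop.
setenv_for() {  # $1 = directory holding libtcnative-1.so
  printf 'CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=%s"\n' "$1"
}

# Path copied from the log line in the thread.
LOGGED_PATH='/usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib'

# On the real machine:
#   dirs_with_lib libtcnative-1.so "$LOGGED_PATH"
#   dirs_with_lib libtcnative-1.so /usr/lib/x86_64-linux-gnu/apr/lib   # the --prefix dir
# An empty result means the library is not where Tomcat looks.

# Constructed demo: an empty stand-in library in a temp dir appended to a
# path of directories that do not exist.
demo=$(mktemp -d)
: > "$demo/libtcnative-1.so"
dirs_with_lib libtcnative-1.so "/nonexistent/a:$demo:/nonexistent/b"   # prints $demo
setenv_for "$(dirs_with_lib libtcnative-1.so "/nonexistent/a:$demo" | head -n 1)"
rm -rf "$demo"
```

Setting -Djava.library.path replaces the JVM's default search list rather than adding to it, so include every directory other JNI libraries are loaded from. If the file is present but Tomcat still reports it missing, `ldd libtcnative-1.so` shows whether libapr-1 and the OpenSSL libraries it was built against resolve.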

Fwd: signed code deployment

2015-02-19 Thread Sanaullah
Anyone there to help me on this?


Regards,
Sanaullah
-- Forwarded message --
From: Sanaullah sanaulla...@gmail.com
Date: Fri, Feb 13, 2015 at 10:48 PM
Subject: signed code deployment
To: Tomcat Users List users@tomcat.apache.org


Hi,

I have signed the EAR package using jarsigner and started TomEE using
./startup.sh -security, and I also edited the catalina.policy file as shown
below.

I am confused here: how is the code-signing verification process done? If the
code-signing certificate is not in the truststore, will the Tomcat server still
start, or will it stop booting the application?

I haven't seen anything in the log related to code signing; how can I verify
this?

grant signedBy "codesigntest", codeBase "file:${catalina.base}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant signedBy "codesigntest", codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/ams_ear.ear" {
    permission java.security.AllPermission;
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/*" {
    permission java.security.AllPermission;
};

Regards,
Sanaullah


Re: signed code deployment

2015-02-19 Thread Sanaullah
Hey Chris,

I have imported the public key (signed certificate) of the code-signing
certificate using keytool into the JVM cacerts
(/usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts), and the certificate alias
name is codesigntest.

I mentioned the same alias in catalina.policy:
 grant signedBy "codesigntest"

Regards,
Sanaullah

On Thu, Feb 19, 2015 at 8:13 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 2/13/15 12:48 PM, Sanaullah wrote:
  I have signed the EAR package using jarsigner and started TomEE
  using ./startup.sh -security, and I also edited the catalina.policy
  file as shown below.
 
  I am confused here: how is the code-signing verification process done? If
  the code-signing certificate is not in the truststore, will the Tomcat
  server still start, or will it stop booting the application?
 
  I haven't seen anything in the log related to code signing; how can I
  verify this?

 I'm no expert in use of a security manager or signed code, but where
 is your trust store located? How are you telling the JVM about where
 to find it?

 -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
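Chris's question about how the JVM is told where the truststore is goes to the heart of it: in Java's policy file syntax a signedBy alias is resolved through the policy file's own keystore entry, which is required whenever any grant uses signedBy, so importing the certificate into cacerts by itself does not give the policy anything to look the alias up in. The checker below is an added example (not code from the thread, TomEE or Tomcat) that parses the grant and keystore entries of a policy file with a minimal tokenizer (signedBy and codeBase only, no principal clauses) and reports signedBy grants with no keystore to resolve against, plus any that hand AllPermission to signed code; the sample policy text is constructed from the grants posted in this thread.

```python
"""Find signedBy grants in a Java policy file that nothing can resolve.

Added example, not code from the thread, TomEE or Tomcat. Java's policy
syntax resolves signedBy aliases through the policy file's own `keystore`
entry, which is required whenever any grant uses signedBy; the parser below
handles grant headers with signedBy/codeBase (no principal clauses).
"""
import re
from dataclasses import dataclass, field

# Strings, comments, punctuation, bare words (in that order of precedence).
TOKEN_RE = re.compile(r'"([^"]*)"|//[^\n]*|/\*.*?\*/|([{};,])|([^\s"{};,]+)', re.S)


def tokenize(text):
    """Yield (kind, value) pairs; comments are matched but not yielded."""
    for m in TOKEN_RE.finditer(text):
        if m.group(1) is not None:
            yield ("str", m.group(1))
        elif m.group(2):
            yield ("punct", m.group(2))
        elif m.group(3):
            yield ("word", m.group(3))


@dataclass
class Grant:
    signed_by: list = field(default_factory=list)
    code_base: str = None
    permissions: list = field(default_factory=list)   # permission class names


def parse_policy(text):
    """Return (keystore_url_or_None, [Grant, ...]) for a policy file."""
    toks = list(tokenize(text))
    keystore, grants, i = None, [], 0
    while i < len(toks):
        kind, val = toks[i]
        if kind == "word" and val.lower() == "keystore":
            if keystore is None:              # Java ignores keystore entries after the first
                keystore = toks[i + 1][1]
            i += 1
        elif kind == "word" and val.lower() == "grant":
            g = Grant()
            i += 1
            while toks[i] != ("punct", "{"):  # grant header: signedBy "a,b", codeBase "url"
                kind, val = toks[i]
                if kind == "word" and val.lower() == "signedby":
                    g.signed_by = [a.strip() for a in toks[i + 1][1].split(",")]
                    i += 1
                elif kind == "word" and val.lower() == "codebase":
                    g.code_base = toks[i + 1][1]
                    i += 1
                i += 1
            i += 1                            # step past '{'
            while toks[i] != ("punct", "}"):  # body: permission <class> ["target" [, "actions"]];
                if toks[i] == ("word", "permission"):
                    g.permissions.append(toks[i + 1][1])
                    i += 1
                i += 1
            grants.append(g)
        i += 1
    return keystore, grants


def check_policy(text):
    """Report signedBy grants that cannot apply, and signed code given AllPermission."""
    keystore, grants = parse_policy(text)
    findings = []
    for g in grants:
        if not g.signed_by:
            continue
        where = f"signedBy {','.join(g.signed_by)} @ {g.code_base or '<any codeBase>'}"
        if keystore is None:
            findings.append(f"{where}: no keystore entry in policy, alias cannot be resolved")
        if "java.security.AllPermission" in g.permissions:
            findings.append(f"{where}: grants AllPermission to signed code")
    return findings


# Constructed from the grants posted in the thread (list of permissions shortened).
POLICY_FROM_THREAD = """
grant signedBy "codesigntest", codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
};
grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/ams_ear.ear" {
    permission java.security.AllPermission;
};
"""

# Same grants plus the keystore entry the signedBy lookup needs; the alias must
# be a trusted certificate entry in that keystore (constructed path, JDK default).
POLICY_WITH_KEYSTORE = ('keystore "file:${java.home}/lib/security/cacerts", "jks";\n'
                        + POLICY_FROM_THREAD)

if __name__ == "__main__":
    for label, text in (("as posted", POLICY_FROM_THREAD), ("with keystore", POLICY_WITH_KEYSTORE)):
        print(label)
        for f in check_policy(text):
            print("  " + f)
```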




Re: signed code deployment

2015-02-19 Thread Sanaullah
I haven't seen anything in the log related to signature verification, even when I
wrote the wrong certificate alias in the catalina.policy file; the
resultant log will be the same.




INFO - Loaded APR based Apache Tomcat Native library 1.1.32 using APR
version 1.5.1.
INFO - APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
INFO - OpenSSL successfully initialized (OpenSSL 1.0.1f 6 Jan 2014)
INFO - Initializing ProtocolHandler [http-apr-9009]
INFO - Initializing ProtocolHandler [http-bio-7443]
trustStore is: /usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Issuer:  CN=SecureTrust CA, O=SecureTrust Corporation, C=US
  Algorithm: RSA; Serial number: 0xcf08e5c0816a5ad427ff0eb271859d0
  Valid from Tue Nov 07 19:31:18 UTC 2006 until Mon Dec 31 19:40:55 UTC 2029

adding as trusted cert:
  Subject: CN=Starfield Root Certificate Authority - G2, O=Starfield
Technologies, Inc., L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Starfield Root Certificate Authority - G2, O=Starfield
Technologies, Inc., L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 01 00:00:00 UTC 2009 until Thu Dec 31 23:59:59 UTC 2037

adding as trusted cert:
  Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3,
OU=(c) 1999 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust
Network, O=VeriSign, Inc., C=US
  Issuer:  CN=VeriSign Class 2 Public Primary Certification Authority - G3,
OU=(c) 1999 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust
Network, O=VeriSign, Inc., C=US
  Algorithm: RSA; Serial number: 0x6170cb498c5f984529e7b0a6d9505b7a
  Valid from Fri Oct 01 00:00:00 UTC 1999 until Wed Jul 16 23:59:59 UTC 2036

adding as trusted cert:
  Subject: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Issuer:  OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 30 04:20:49 UTC 2003 until Sat Sep 30 04:20:49 UTC 2023

adding as trusted cert:
  Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc,
C=US
  Issuer:  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc,
C=US
  Algorithm: RSA; Serial number: 0x83be056904246b1a1756ac95991c74a
  Valid from Fri Nov 10 00:00:00 UTC 2006 until Mon Nov 10 00:00:00 UTC 2031

adding as trusted cert:
  Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999
Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.), O=Entrust.net
  Issuer:  CN=Entrust.net Certification Authority (2048), OU=(c) 1999
Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.), O=Entrust.net
  Algorithm: RSA; Serial number: 0x3863def8
  Valid from Fri Dec 24 17:50:51 UTC 1999 until Tue Jul 24 14:15:12 UTC 2029

adding as trusted cert:
  Subject: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Issuer:  CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
  Algorithm: RSA; Serial number: 0x4
  Valid from Mon Jun 21 04:00:00 UTC 1999 until Sun Jun 21 04:00:00 UTC 2020

adding as trusted cert:
  Subject: CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For
authorized use only, OU=Certification Services Division, O=thawte, Inc.,
C=US
  Issuer:  CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For
authorized use only, OU=Certification Services Division, O=thawte, Inc.,
C=US
  Algorithm: RSA; Serial number: 0x344ed55720d5edec49f42fce37db2b6d
  Valid from Fri Nov 17 00:00:00 UTC 2006 until Wed Jul 16 23:59:59 UTC 2036

adding as trusted cert:
  Subject: EMAILADDRESS=i...@valicert.com, CN=http://www.valicert.com/,
OU=ValiCert Class 2 Policy Validation Authority, O=ValiCert, Inc.,
L=ValiCert Validation Network
  Issuer:  EMAILADDRESS=i...@valicert.com, CN=http://www.valicert.com/,
OU=ValiCert Class 2 Policy Validation Authority, O=ValiCert, Inc.,
L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Sat Jun 26 00:19:54 UTC 1999 until Wed Jun 26 00:19:54 UTC 2019

adding as trusted cert:
  Subject: CN=Go Daddy Root Certificate Authority - G2, O=GoDaddy.com,
Inc., L=Scottsdale, ST=Arizona, C=US
  Issuer:  CN=Go Daddy Root Certificate Authority - G2, O=GoDaddy.com,
Inc., L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Tue Sep 01 00:00:00 UTC 2009 until Thu Dec 31 23:59:59 UTC 2037

adding as trusted cert:
  Subject: EMAILADDRESS=personal-freem...@thawte.com, CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
  Issuer:  EMAILADDRESS=personal-freem...@thawte.com, CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town, ST=Western Cape, C=ZA
  Algorithm: RSA; Serial number: 0x123df0e7da2a2247a43889e08aeec967
  Valid from Mon Jan 

Re: signed code deployment

2015-02-19 Thread Sanaullah
Can you verify that the certificate is in there by doing keytool
 -list .../cacerts?

 keytool -v --list -keystore
/usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts |grep codesigntest
Enter keystore password:
Alias name: codesigntest
Owner: CN=codesigntest


 I mentioned the same alias in catalina.policy: grant signedBy
  "codesigntest"

Okay.

So that certificate directly-signed your JAR?

At runtime, do you get an error? What's the full message and stack trace?

I have signed ams_ear.ear using jarsigner prior to deploying it, using
the following command:
 root@pay:/home/sanaullah# jarsigner -verbose -keystore
/home/sanaullah/codesigntest.jks -storepass test
/home/sanaullah/apache-tomee-webprofile-2.0.0-SNAPSHOT/apps/ams_ear.ear
codesigntest
 updating: META-INF/CODESIGN.SF
 updating: META-INF/CODESIGN.RSA
   adding: lib/
  signing: lib/javax.json.jar
  signing: lib/javax.jms-api.jar
  signing: lib/ams_persistence.jar
  signing: lib/httpclient-4.3.4.jar
  signing: lib/httpcore-4.3.2.jar
  signing: lib/commons-logging-1.1.3.jar
  signing: lib/commons-codec-1.6.jar
  signing: lib/nekohtml-1.9.21.jar
  signing: lib/xercesImpl-2.10.0.jar
  signing: lib/xml-apis-1.4.01.jar
  signing: lib/commons-io-2.4.jar
  signing: lib/jcl-over-slf4j-1.7.5.jar
  signing: lib/slf4j-api-1.7.5.jar
  signing: lib/slf4j-log4j12-1.7.5.jar
  signing: lib/log4j-1.2.17.jar
  signing: lib/commons-lang3-3.1.jar
  signing: lib/jackson-core-2.4.0.jar
  signing: lib/jackson-databind-2.4.0.jar
  signing: lib/jackson-annotations-2.4.0.jar
  signing: lib/spring-integration-http-4.0.4.RELEASE.jar
  signing: lib/spring-webmvc-4.0.7.RELEASE.jar
  signing: lib/spring-beans-4.0.7.RELEASE.jar
  signing: lib/spring-core-4.0.7.RELEASE.jar
  signing: lib/spring-context-4.0.7.RELEASE.jar
  signing: lib/spring-aop-4.0.7.RELEASE.jar
  signing: lib/spring-expression-4.0.7.RELEASE.jar
  signing: lib/spring-web-4.0.7.RELEASE.jar
  signing: lib/rome-fetcher-1.0.0.jar
  signing: lib/jdom-1.0.jar
  signing: lib/rome-1.0.0.jar
  signing: lib/spring-integration-core-4.0.4.RELEASE.jar
  signing: lib/spring-tx-4.0.7.RELEASE.jar
  signing: lib/spring-retry-1.1.1.RELEASE.jar
  signing: lib/spring-messaging-4.0.7.RELEASE.jar
  signing: lib/spring-integration-jdbc-4.0.4.RELEASE.jar
  signing: lib/spring-jdbc-4.0.7.RELEASE.jar
  signing: lib/guava-16.0.1.jar
  signing: lib/spring-integration-stream-4.0.4.RELEASE.jar
  signing: lib/spring-integration-ws-4.0.4.RELEASE.jar
  signing: lib/spring-ws-core-2.2.0.RELEASE.jar
  signing: lib/spring-xml-2.2.0.RELEASE.jar
  signing: lib/spring-oxm-4.0.7.RELEASE.jar
  signing: lib/spring-aspects-4.0.7.RELEASE.jar
  signing: lib/aspectjweaver-1.8.2.jar
  signing: lib/spring-orm-4.0.7.RELEASE.jar
  signing: lib/aspectjrt-1.8.2.jar
  signing: lib/spring-integration-ftp-4.0.4.RELEASE.jar
  signing: lib/commons-net-3.3.jar
  signing: lib/spring-integration-file-4.0.4.RELEASE.jar
  signing: lib/spring-context-support-4.0.7.RELEASE.jar
  signing: lib/spring-integration-sftp-4.0.4.RELEASE.jar
  signing: lib/jsch-0.1.51.jar
  signing: ams_war.war
  signing: ams_ejb.jar
  signing: log4j.properties
jar signed.

Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a
timestamp, users may not be able to validate this jar after the signer
certificate's expiration date (2016-11-02) or after any future revocation
date.


Regards,
Sanaullah


On Thu, Feb 19, 2015 at 9:09 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 2/19/15 10:28 AM, Sanaullah wrote:
  I have imported the public key (signed certificate) of the code-signing
  certificate using keytool into the JVM cacerts
  (/usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts), and the certificate
  alias name is codesigntest.

 Can you verify that the certificate is in there by doing keytool
  -list .../cacerts?

  I mentioned the same alias in catalina.policy: grant signedBy
  "codesigntest"

 Okay.

 So that certificate directly-signed your JAR?

 At runtime, do you get an error? What's the full message and stack trace?

 Thanks,
  -chris

  On Thu, Feb 19, 2015 at 8:13 PM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
  Sanaullah,
 
  On 2/13/15 12:48 PM, Sanaullah wrote:
  I have signed the EAR package using jarsigner and started
  TomEE using ./startup.sh -security, and I also edited the
  catalina.policy file as shown below.
 
  I am confused here: how is the code-signing verification process
  done? If the code-signing certificate is not in the truststore,
  will the Tomcat server still start, or will it stop booting the
  application?
 
  I haven't seen anything in the log related to code signing; how
  can I verify this?
 
  I'm no expert in use of a security manager or signed code, but
  where is your trust store located? How are you telling the JVM
  about where to find it?
 
  -chris
 

Re: Fwd: signed code deployment

2015-02-19 Thread Sanaullah
Thanks David,

I think the security manager is the same as Tomcat's [1], but I need to get some
clue on how code signature verification is done.

tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html

Regards,
Sanaullah

On Thu, Feb 19, 2015 at 7:29 PM, David kerber dcker...@verizon.net wrote:

 On 2/19/2015 8:56 AM, Sanaullah wrote:

 Anyone there to help me on this?


 I don't think there are many tomee people on this list, so you might get
 better responses somewhere else.



 Regards,
 Sanaullah
 -- Forwarded message --
 From: Sanaullah sanaulla...@gmail.com
 Date: Fri, Feb 13, 2015 at 10:48 PM
 Subject: signed code deployment
 To: Tomcat Users List users@tomcat.apache.org


 Hi,

 I have signed the EAR package using jarsigner and started TomEE using
 ./startup.sh -security, and I also edited the catalina.policy file as shown
 below.

 I am confused here: how is the code-signing verification process done? If the
 code-signing certificate is not in the truststore, will the Tomcat server
 still start, or will it stop booting the application?

 I haven't seen anything in the log related to code signing; how can I verify
 this?


 ...







signed code deployment

2015-02-13 Thread Sanaullah
Hi,

I have signed the EAR package using jarsigner and started TomEE using
./startup.sh -security, and I also edited the catalina.policy file as shown
below.

I am confused here: how is the code-signing verification process done? If the
code-signing certificate is not in the truststore, will the Tomcat server still
start, or will it stop booting the application?

I haven't seen anything in the log related to code signing; how can I verify
this?

grant signedBy "codesigntest", codeBase "file:${catalina.base}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant signedBy "codesigntest", codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/ams_ear.ear" {
    permission java.security.AllPermission;
};

grant signedBy "codesigntest", codeBase "file:${catalina.home}/apps/ams_ear/*" {
    permission java.security.AllPermission;
};

Regards,
Sanaullah


Re: SSL issue in tomcat

2015-01-21 Thread Sanaullah
Then maybe it's not an issue with Tomcat. Can you check your firewall? Maybe
your firewall is dropping the connection after some time.

Try to connect to the server from localhost using openssl s_client -connect
hostname:8443 -debug; maybe you will find something useful.

On Wed, Jan 21, 2015 at 11:43 AM, Jason Y day...@gmail.com wrote:

 Got another issue...Tomcat is working fine after restart but it cannot last
 long.
 Now I cannot access https pages with any browsers. I didn't find anything
 useful in logs.
 After a restart, it works well again.

 <Connector executor="tomcatThreadPool"
            port="8080" protocol="HTTP/1.1"
            connectionTimeout="2"
            redirectPort="8443" />
 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https"
            secure="true"
            clientAuth="false" sslProtocol="TLS"
            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
            keystoreFile="lib/cert/.keystore"
            keystorePass="" />
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

 On Wed, Jan 21, 2015 at 10:01 AM, Sanaullah sanaulla...@gmail.com wrote:

   It's not necessary to have the ciphers property, but if you want to restrict
   the ciphers then you can use this property.
 
  On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:
 
   Thank you all. Now it is working fine.
  
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https"
               secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="lib/cert/.keystore" keystorePass=""
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
               TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
  
   By the way, do I need ciphers properties here?
  
   On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz 
   ch...@christopherschultz.net wrote:
  
   
Jason,
   
On 1/20/15 4:17 AM, Jason Y wrote:
  Recently my application cannot be accessed in the browser over https.
  I think it is due to the SSL 3.0 vulnerability.
 
  I checked my Tomcat configuration and replaced sslProtocol="TLS"
  with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
  3.0.
 
  <Connector port="8080" protocol="HTTP/1.1"
  connectionTimeout="2" redirectPort="8443" /> <Connector
  port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009"
  protocol="AJP/1.3" redirectPort="8443" />
   
None of the responses you have gotten thus far are useful in any way.
   
Your configuration looks fine to me: sslEnabledProtocols is the way
 to
go, although in recent versions of Tomcat the default is NOT to
include any SSL protocols and only use the TLS ones, so if you
 are
running something recent, you should be okay.
   
  Then I can open my application https link in the browser. BUT, good
  times never last too long: after several hours, I failed to access
  my https link again.
   
What kinds of errors do you get? What do the logs say? What are the
URLs you are using?
   
  Does anyone have any ideas about this? Please share your suggestions... My
  Tomcat version is 7.0.55
   
Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
should definitely keep your above configuration. There is no need to
add a trust store or cipher specification to that.
   
     -chris
   
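Added example (not code from the thread or from Tomcat) that turns the advice in this thread into a check over server.xml: it reads every SSLEnabled Connector and flags SSL-era or legacy protocol versions in sslEnabledProtocols (SSLProtocol on the APR connector), JSSE cipher suites that are weak or lack forward secrecy, and clientAuth without a truststoreFile, which makes Tomcat fall back to the JVM-wide cacerts for client certificates. The sample server.xml is constructed from the connectors posted in the thread, with the XML brackets restored and a placeholder keystore password.

```python
"""Lint the TLS settings of <Connector> elements in a Tomcat server.xml.

Added example, not code from the thread or from Tomcat. Attribute names are
the documented ones for the JSSE (sslEnabledProtocols, ciphers, clientAuth,
truststoreFile) and APR (SSLProtocol) connectors of Tomcat 7/8.
"""
import re
import xml.etree.ElementTree as ET

SSL_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello"}   # POODLE-era, never enable
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}            # deprecated by RFC 8996
# Fragments of JSSE cipher-suite names a defender does not want enabled.
WEAK_CIPHER_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")


def split_list(value):
    """Split a protocol/cipher attribute: JSSE separates with commas, APR with '+'."""
    return [v for v in re.split(r"[,+\s]+", value.strip()) if v]


def lint_connector(conn):
    """Return findings (list of str) for one <Connector>; an empty list means clean."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings                      # plain HTTP/AJP connector, nothing to check
    is_apr = "Apr" in conn.get("protocol", "")
    proto_attr = "SSLProtocol" if is_apr else "sslEnabledProtocols"

    # sslProtocol only selects the SSLContext; the versions a client may
    # negotiate come from sslEnabledProtocols (JSSE) or SSLProtocol (APR).
    protocols = conn.get(proto_attr)
    if protocols is None or (is_apr and protocols.lower() == "all"):
        findings.append(f"{proto_attr} not set: negotiable versions depend on Tomcat/JVM defaults")
    else:
        for p in split_list(protocols):
            if p in SSL_PROTOCOLS:
                findings.append(f"{p} enabled: SSL-era protocol")
            elif p in LEGACY_PROTOCOLS:
                findings.append(f"{p} enabled: legacy TLS version")

    if not is_apr:
        # APR's SSLCipherSuite uses OpenSSL syntax (HIGH:!aNULL:...), not checked here.
        for c in split_list(conn.get("ciphers", "")):
            if any(m in c for m in WEAK_CIPHER_MARKERS):
                findings.append(f"{c}: weak cipher suite")
            elif c.startswith("TLS_RSA_"):
                findings.append(f"{c}: static RSA key exchange, no forward secrecy")
        if conn.get("clientAuth", "false").lower() in ("true", "want") \
                and not conn.get("truststoreFile"):
            findings.append("clientAuth without truststoreFile: client certificates "
                            "are validated against the JVM-wide cacerts")
    return findings


def lint_server_xml(xml_text):
    """Map each Connector's port to its findings, for every Connector in server.xml."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector")}


# Constructed sample: Jason's final 8443 connector, a variant that only sets
# sslProtocol and asks for client certificates, and the APR connector from the thread.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             keystoreFile="lib/cert/.keystore" keystorePass="changeit"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             clientAuth="want" sslProtocol="TLS"
             keystoreFile="lib/cert/.keystore" keystorePass="changeit" />
  <Connector port="7443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" scheme="https" secure="true" SSLProtocol="TLSv1.2"
             SSLCertificateFile="/opt/certs/dev-apr.pem"
             SSLCertificateKeyFile="/opt/certs/key.pem" />
</Service></Server>"""

if __name__ == "__main__":
    for port, found in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(f"port {port}: " + ("ok" if not found else "; ".join(found)))
```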
   
   
  
 



Re: SSL issue in tomcat

2015-01-20 Thread Sanaullah
Please follow the Apache documentation [1] for the connector configuration.

Here is a sample connector configuration:

 <Connector port="7443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https"
            secure="true"
            clientAuth="true" sslProtocol="TLSv1.2"
            keystoreFile="/opt/certs/pay.jks"
            keystorePass="***" keyAlias=""
            truststoreFile="/opt/certs/trust.jks"
            truststorePass="**"
            ciphers="*" />

[1] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

On Tue, Jan 20, 2015 at 2:17 PM, Jason Y day...@gmail.com wrote:

 Hi folks,

 Recently my application cannot be accessed in the browser over https.
 I think it is due to the SSL 3.0 vulnerability.

 I checked my Tomcat configuration and replaced sslProtocol="TLS" with
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL 3.0.

 <Connector port="8080" protocol="HTTP/1.1"
            connectionTimeout="2"
            redirectPort="8443" />
 <Connector port="8443"
            protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https"
            secure="true"
            clientAuth="false"
            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="xxx"
            keystorePass="xxx" />
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


 Then I can open my application https link in the browser. BUT, good times never
 last too long: after several hours, I failed to access my https link
 again.

 Does anyone have any ideas about this? Please share your suggestions... My Tomcat
 version is 7.0.55

 Thank you all very much.




Re: SSL issue in tomcat

2015-01-20 Thread Sanaullah
It's not necessary to have the ciphers property, but if you want to restrict
the ciphers then you can use this property.

On Wed, Jan 21, 2015 at 6:53 AM, Jason Y day...@gmail.com wrote:

 Thank you all. Now it is working fine.

 <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
            maxThreads="150" SSLEnabled="true" scheme="https"
            secure="true"
            clientAuth="false" sslProtocol="TLS"
            sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
            keystoreFile="lib/cert/.keystore" keystorePass=""
            ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

 By the way, do I need ciphers properties here?

 On Tue, Jan 20, 2015 at 11:22 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:

 
  Jason,
 
  On 1/20/15 4:17 AM, Jason Y wrote:
    Recently my application cannot be accessed in the browser over https.
    I think it is due to the SSL 3.0 vulnerability.
   
    I checked my Tomcat configuration and replaced sslProtocol="TLS"
    with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to disable SSL
    3.0.
   
    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="2" redirectPort="8443" /> <Connector
    port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="xxx" keystorePass="xxx" /> <Connector port="8009"
    protocol="AJP/1.3" redirectPort="8443" />
 
  None of the responses you have gotten thus far are useful in any way.
 
  Your configuration looks fine to me: sslEnabledProtocols is the way to
  go, although in recent versions of Tomcat the default is NOT to
  include any SSL protocols and only use the TLS ones, so if you are
  running something recent, you should be okay.
 
    Then I can open my application https link in the browser. BUT, good
    times never last too long: after several hours, I failed to access
    my https link again.
 
  What kinds of errors do you get? What do the logs say? What are the
  URLs you are using?
 
    Does anyone have any ideas about this? Please share your suggestions... My
    Tomcat version is 7.0.55
 
  Those SSL/TLS defaults I mentioned above were done in 7.0.57, so you
  should definitely keep your above configuration. There is no need to
  add a trust store or cipher specification to that.
 
   -chris
 
 
 



Re: Can't make SSL work on Tomcat7 on Ubuntu Server 14.04

2015-01-14 Thread Sanaullah
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" maxThreads="200" scheme="https"
             secure="true" keystoreFile="/home/myuser/key.keystore"
             keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
             />


Maybe it's due to the truststore file? I haven't seen any truststore file
in your connector configuration.


On Wed, Jan 14, 2015 at 11:18 PM, Alexandre Lima lexsombra...@gmail.com
wrote:

 On 13 January 2015 at 18:20, Christopher Schultz 
 ch...@christopherschultz.net wrote:

 
  Alexandre,
 
  On 1/13/15 2:41 PM, Alexandre Lima wrote:
   On 13 January 2015 at 16:11, Christopher Schultz 
   ch...@christopherschultz.net wrote:
  
   Alexandre,
  
   On 1/13/15 1:37 PM, Alexandre Lima wrote:
   Hello! This is the first time I'm using tomcat, so I'm a
   little bit lost...
  
   Welcome! Configuring SSL always turns out to be a pain in the
   neck.
  
   Using the tutorials, I could make the server and the
   application I want to run with it work. The only modification
   I did until now was changing the http port from 8080 to 80, I
   did that changing the http conector on servers.xml, enabling
   authbind and executing the folowing commands:
  
   sudo touch /etc/authbind/byport/80 sudo chmod 500
   /etc/authbind/byport/80 sudo chown tomcat7
   /etc/authbind/byport/80
  
   So, the server and the application I want to use with it are
   actually working on port 80
  
   You've confirmed this? I've never used authbind before, so I just
   wanted to make sure that you have Tomcat working properly with
   non-SSL before you try to add SSL.
  
   , but the next and last step, which is enabling an SSL
   connection, isn't working.
  
   What I did following the site's tutorial was: created my
   self signed certificate with keytools and put it on
   /home/myuser/key.keystore
  
   Can you outline the steps you took? Where is your keystore?
  
   Additionally, I've created the folowing conector:
  
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="200" scheme="https"
               secure="true" keystoreFile="/home/myuser/key.keystore"
               keystorePass="mypass" clientAuth="false" sslProtocol="TLS"
               />
  
   That looks good so far.
  
   Saved it, restarted server and accessed https://myip:8443,
   but it isn't working. Chrome says No data recieved and
   Unable to load the webpage because the server sent no data
   and Error code: ERR_EMPTY_RESPONSE.
  
   Firefox says that the connection was reset while the page was
   being loaded.
  
   That's where I am now. I don't know what to try anymore.
  
   Try:
  
   $ telnet localhost 8443
  
   (on the server with Tomcat running)
  
   That will tell you if the port is open (it should be, otherwise
   you'd be getting different errors from Chrome and ff) and what, if
   anything, gets dumped to it when you connect.
  
   If you get a connection and nothing happens, try submitting a
   request like this:
  
   $ telnet localhost 8443 GET /
  
   [output goes here]
  
   Post the results of the above if you get anything.
  
   Dumb question: you restarted Tomcat after updating server.xml,
   right?
  
   -chris
  
  
  
   Thank you for the reply Christopher! I've used the command: keytool
   -genkey -alias tomcat -keyalg RSA -keystore
   /home/myuser/key.keystore to generate the keystore. I should put
   the keystore in some special directory or this one is fine? So,
   after, requesting:   telnet localhost 8443
  
   I got some strange stuff:
  
   ~$ telnet localhost 8443 Trying ::1... Connected to localhost.
   Escape character is '^]'. GET / ^U^C^A^@^B^B
  
  
  
   And yes, I've restarted it :)
 
  Good. Now, try this:
 
  $ openssl s_client -debug -connect localhost:8443
 
  Assuming that the server is running and listening for SSL connections,
  s_client should be able to connect, and it should give you tons of
  good information about what's happening, there.
 
   -chris

Re: Invalid Server SSL Protocol on Tomcat 8.0.15 with Tomcat Native library 1.1.32 and APR 1.5.1

2014-12-17 Thread Sanaullah
Hi Mike.

here is my working configuration with APR.


  <Connector port="7443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https"
             secure="true"
             clientAuth="true" sslProtocol="TLSv1.2"
             SSLCertificateFile="/opt/_cdrom_apache/certs/dev-apr.pem"
             SSLCertificateKeyFile="/opt/_cdrom_apache/certs/key.pem"
             SSLCACertificateFile="/opt/_cdrom_apache/certs/CA.pem"
             />

I hope this will work for you.

Regards,
Sanaullah


On Thu, Dec 18, 2014 at 6:15 AM, Mike Wertheim m...@hyperreal.org wrote:

 I should have included this in the previous message.

 The AprLifecycleListener is declared in server.xml like this:
    <Listener className="org.apache.catalina.core.AprLifecycleListener"
              SSLEngine="on" />




 On Wed, Dec 17, 2014 at 5:12 PM, Mike Wertheim m...@hyperreal.org wrote:
 
  I'm trying to upgrade from Tomcat 7.0.41 with APR to Tomcat 8.0.15 with
  APR.  (I'm using JDK 1.8.0.25 on CentOS.)
 
  My first step was to upgrade to Tomcat Native library 1.1.32 and APR
 1.5.1
  while still using Tomcat 7.0.41.  This combination works great.  My
 webapp
  starts up and is accessible using either SSL or non-SSL.
 
  Next I upgraded to Tomcat 8.0.15 (again with Tomcat Native library 1.1.32
  and APR 1.5.1).  Tomcat 8.0.15 starts up, and the first lines of
  catalina.out are a message that shows that Tomcat Native library 1.1.32
 and
  APR 1.5.1 are indeed in use.  My webapp starts up and is accessible using
  non-SSL requests, but SSL requests don't work.
 
  When I saw that SSL wasn't working, I looked in catalina.out and saw
 this:
 
  org.apache.coyote.AbstractProtocol.init Failed to initialize end point
  associated with ProtocolHandler [http-apr-8443]
   java.lang.Exception: Unable to create SSLContext. Check that SSLEngine
 is
  enabled in the AprLifecycleListener, the AprLifecycleListener has
  initialised correctly and that a valid SSLProtocol has been specified
  at
  org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:532)
  at
 
 org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
  [...]
  Caused by: java.lang.Exception: Invalid Server SSL Protocol
  (error::lib(0):func(0):reason(0
  ))
  at org.apache.tomcat.jni.SSLContext.make(Native Method)
  at
  org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:527)
 
 
  The SSL Connector in server.xml looks like this:
   <Connector port="8443" URIEncoding="utf-8"
              maxKeepAliveRequests="3" keepAliveTimeout="3000"
              scheme="https" secure="true" SSLEnabled="true"
              SSLCertificateFile="/home/scuser/ssl/cert.crt"
              SSLCertificateKeyFile="/home/scuser/ssl/cert.key"
              SSLCertificateChainFile="/home/scuser/ssl/intermediateCA.cer"
              clientAuth="false" sslProtocol="TLS" />
 
  Can anyone see what might be going wrong?
 
 
  Thanks,
  Mike
 
 



Re: APR with PKCS11 support

2014-12-01 Thread Sanaullah
Hi Chris,

I have attached the diff. Let me know if it's ok?

Regards,
Sanaullah

On Fri, Nov 21, 2014 at 2:08 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 11/18/14 10:26 PM, Sanaullah wrote:
  Hi Chris,
 
  Engine is loaded Successfully. the issue is with tcnative.
  tcnative was not loading any engine and it was due to
  HAVE_ENGINE_LOAD_BUILTIN_ENGINES preprocessor which is unable to
  call ENGINE_load_builtin_engines. I made one change and in ssl.c of
  tomcat-native-1.1.31
 
   original Preprocessor
   #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
  
   Changed to
  
   #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
   ENGINE_cleanup();
  
   #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
   ENGINE_load_builtin_engines();
   #endif

 Can you give me a patch in diff -U form? I'd like to take a look at it
 formally.

 Thanks for doing the digging to figure out how to make this work. I
 don't have a non-standard engine available to play with.

 Thanks,
  -chris

  On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
  Sanaullah,
 
  On 11/14/14 10:04 PM, Sanaullah wrote:
  The Engine name is correct its LunaCA3 Here is the code
  snippet from the openssl for the confirmation.
 
   openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID "LunaCA3"
 
  I think the issue is with static and shared libraries of
  openssl.
 
  It could be. Since you are building on *NIX, you should probably
  be using dynamically-linked shared-libraries. But you have to be
  careful about the load-ordering if you are using an OpenSSL that is
  not the system default (e.g. in /usr/lib).
 
  if openssl build as shared then this LunaCA3 engine is not
  working for nodejs and even for Apache as well both required
  openssl to build static.
 
  Interesting...
 
  I tried to follow the Build document of tomcat native.
  Building statically linked library on Unixes
  
 
   To statically link apr and openssl dependencies use the
   following procedure.
  
   You will need to build static version of openssl library.
  
   ./config --prefix=~/natives/openssl no-shared -fPIC
   make
   make install_sw
  
   Apr by default builds both static and dynamic libraries.
  
   ./configure --prefix=~/natives/apr
   make
   make install
  
   After that edit the ~/natives/apr/lib/libapr-1.la file and
   comment or delete the following sections: dlname='...' and
   library_names='...' This is needed so that libtool picks the
   static version of the library.
  
   Build Tomcat native by executing
  
   ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
   make
   make install
 
  You're reaching the limits of my knowledge about building the
  whole bundle statically. I'll ping Rainer (CC'd here) who knows
  more than I do.
 
  here is something strange, Openssl successully build and
  install with -fPIC but tcnative still give me error.
 
   /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation
   R_X86_64_32 against `.rodata' can not be used when making a shared object;
   recompile with -fPIC
   /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
   collect2: error: ld returned 1 exit status
   make[1]: *** [libtcnative-1.la] Error 1
   make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
   make: *** [all-recursive] Error 1
 
  I am not sure what to do here ?
 
  Hmm. Let's see if Rainer (or anyone else!) replies.
 
  -chris
 
 
 
 
 



304c304
 #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
---
 #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
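Review bot: replacing the feature test with `#if 1` at line 304 turns a configure-time decision into an unconditional one, so the file no longer builds against an OpenSSL compiled with OPENSSL_NO_ENGINE (there is no ENGINE_load_builtin_engines to call), and the `//HAVE_ENGINE_LOAD_BUILTIN_ENGINES` tail leaves the old guard behind as a stray comment. The thing to fix is why configure left HAVE_ENGINE_LOAD_BUILTIN_ENGINES undefined for this build, most likely because its link test could not resolve the symbol against the static OpenSSL under ~/natives/openssl described earlier in the thread; until that is sorted, passing CFLAGS=-DHAVE_ENGINE_LOAD_BUILTIN_ENGINES=1 to configure gets the same effect without editing ssl.c, and if the guard really has to change in the source, keep it conditional (`#ifndef OPENSSL_NO_ENGINE`, the guard OpenSSL's own headers use) rather than a constant 1.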
661c661
 #if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
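Review bot: the 661c661 hunk is incomplete as posted: only the replacement line is shown and the original side is missing, so the diff alone does not confirm that this is the `#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES` guard around `ENGINE_load_builtin_engines()` that the Nov 18 message describes. Please resend as `diff -u`, as asked above, so both sides carry a few lines of context; the same objection as for line 304 applies here, the guard should stay conditional rather than become a constant 1.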

Re: APR with PKCS11 support

2014-11-18 Thread Sanaullah
Hi Chris,

The engine is loaded successfully. The issue is with tcnative: tcnative was
not loading any engine, and it was due to the HAVE_ENGINE_LOAD_BUILTIN_ENGINES
preprocessor guard, which is unable to call ENGINE_load_builtin_engines. I made
one change in ssl.c of tomcat-native-1.1.31:

original Preprocessor
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES

Changed to

#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();

#if 1 //HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_load_builtin_engines();
#endif


Regards,
Sanaullah




On Wed, Nov 19, 2014 at 12:36 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 11/14/14 10:04 PM, Sanaullah wrote:
  The Engine name is correct its LunaCA3 Here is the code snippet
  from the openssl for the confirmation.
 
   openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID "LunaCA3"
 
  I think the issue is with static and shared libraries of openssl.

 It could be. Since you are building on *NIX, you should probably be
 using dynamically-linked shared-libraries. But you have to be careful
 about the load-ordering if you are using an OpenSSL that is not the
 system default (e.g. in /usr/lib).

  if openssl build as shared then this LunaCA3 engine is not working
  for nodejs and even for Apache as well both required openssl to
  build static.

 Interesting...

  I tried to follow the Build document of tomcat native. Building
  statically linked library on Unixes
  
 
  To statically link apr and openssl dependencies use the following
  procedure.
 
  You will need to build static version of openssl library.
 
  ./config --prefix=~/natives/openssl no-shared -fPIC
  make
  make install_sw
 
  Apr by default builds both static and dynamic libraries.
 
  ./configure --prefix=~/natives/apr
  make
  make install
 
  After that edit the ~/natives/apr/lib/libapr-1.la file and comment
  or delete the following sections: dlname='...' and
  library_names='...' This is needed so that libtool picks the
  static version of the library.
 
  Build Tomcat native by executing
 
  ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
  make
  make install

 You're reaching the limits of my knowledge about building the whole
 bundle statically. I'll ping Rainer (CC'd here) who knows more than I do.

  here is something strange, Openssl successully build and install
  with -fPIC but tcnative still give me error.
 
  /usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation
  R_X86_64_32 against `.rodata' can not be used when making a shared object;
  recompile with -fPIC
  /usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
  collect2: error: ld returned 1 exit status
  make[1]: *** [libtcnative-1.la] Error 1
  make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
  make: *** [all-recursive] Error 1
 
  I am not sure what to do here ?

 Hmm. Let's see if Rainer (or anyone else!) replies.

  -chris






Re: APR with PKCS11 support

2014-11-14 Thread Sanaullah
Hi Chris,

The engine name is correct, it's LunaCA3. Here is the code snippet from
OpenSSL for confirmation.

openssl-1.0.1g/engines/e_lunaca3.c:#define ENGINE_LUNACA3_ID "LunaCA3"

I think the issue is with the static and shared libraries of OpenSSL. If
OpenSSL is built as shared then this LunaCA3 engine does not work for Node.js,
and even for Apache; both require OpenSSL to be built static.

I tried to follow the Build document of tomcat native.
Building statically linked library on Unixes


To statically link apr and openssl dependencies use the following
procedure.

You will need to build static version of openssl library.

 ./config --prefix=~/natives/openssl no-shared -fPIC
 make
 make install_sw
Apr by default builds both static and dynamic libraries.

 ./configure --prefix=~/natives/apr
 make
 make install

After that edit the ~/natives/apr/lib/libapr-1.la file
and comment or delete the following sections:
dlname='...' and library_names='...'
This is needed so that libtool picks the static version of the library.

Build Tomcat native by executing

 ./configure --with-apr=~/natives/apr --with-ssl=~/natives/openssl --prefix=~/natives/tomcat
 make
 make install


Here is something strange: OpenSSL successfully builds and installs with
-fPIC, but tcnative still gives me an error.

/usr/bin/ld: /usr/local/apache2/lib/libapr-1.a(apr_snprintf.o): relocation
R_X86_64_32 against `.rodata' can not be used when making a shared object;
recompile with -fPIC
/usr/local/apache2/lib/libapr-1.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [libtcnative-1.la] Error 1
make[1]: Leaving directory `/opt/aprtc/tomcat-native-1.1.31-src/jni/native'
make: *** [all-recursive] Error 1

I am not sure what to do here ?

Regards,
Sanaullah

On Sat, Nov 15, 2014 at 7:16 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 10/29/14 9:54 AM, Sanaullah wrote:
  I again started working on SSLEngine with safenet and i need some
  help, how to enable the debugging? I configure the engine as
  LunaCA3.
 
   <Listener class="org.apache.catalina.core.AprLifecycleListener"
             SSLEngine="LunaCA3" />
 
  Here is error log after starting the server.
 
   Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init
   INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
   Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init
   INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
   Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
   SEVERE: Failed to initialize the SSLEngine.
   org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform

 So the error code 70023 is (at least on my Linux system) equal to the
 APR error code with the label APR_ENOTIMPL. I can see that in a few
 places in the native implementation of the initialize method:

  Starting on line native/src/ssl.c:679:
      if ((ee = ENGINE_by_id(J2S(engine))) == NULL
          && (ee = ssl_try_load_engine(J2S(engine))) == NULL)
          err = APR_ENOTIMPL;
      else {
          if (strcmp(J2S(engine), "chil") == 0)
              ENGINE_ctrl(ee, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
          if (!ENGINE_set_default(ee, ENGINE_METHOD_ALL))
              err = APR_ENOTIMPL;
      }
 
  Again, starting on native/src/ssl.c:711:
      SSL_TMP_KEYS_INIT(r);
      if (r) {
          TCN_FREE_CSTRING(engine);
          ssl_init_cleanup(NULL);
          tcn_ThrowAPRException(e, APR_ENOTIMPL);
          return APR_ENOTIMPL;
      }

 So, either the engine cannot be loaded, or we can't call
 ENGINE_set_default, or SSL_TMP_KEYS_INIT fails. I suspect it's not the
 key init that's failing, given that you are trying to use a special
 engine.

 Are you comfortable modifying the code for tcnative? If you are on a
 UNIX platform, (re-)compilation is pretty easy. You can add some code
 to dump-out the state of things while the code executes.

 I noticed at some point (re-reading the thread) that you were using
 SSLCryptoDevice LunaCA but then somehow you and I started using
 LunaCA3. Have you tried with LunaCA (without the 3)?

 When you can get httpd to do this for you, do you have to modify the
 LD_LIBRARY_PATH or put a library anywhere, or does OpenSSL already
 have whatever it needs in order to support the hardware crypto device?

 I'm wondering if the JVM doesn't have the appropriate library
 available for some reason.

 What do you get when you run openssl engine from your command-line
 without any other special circumstances?

  -chris
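Two steps in the static-build procedure above are error-prone by hand, and the linker error points at a third thing worth checking before starting over: the archive ld complained about lives under /usr/local/apache2 (an httpd install prefix) rather than under the ~/natives/apr build the procedure describes, and R_X86_64_32 relocations in it mean its objects were compiled without -fPIC. The script below is an added example for this thread, not code from tcnative, APR or OpenSSL: la_force_static does the libapr-1.la edit, archive_nonpic_relocs counts the relocations that trigger that error, and engine_state parses `openssl engine -t` output to answer the question above about whether the engine is visible to OpenSSL at all. The `openssl engine -t` sample embedded in it is constructed and its engine descriptions are invented for the demo.

```shell
#!/bin/sh
# Three checks for the static tcnative build described in this thread.  Added
# example; not code from tcnative, APR or OpenSSL.

# 1. Make libtool link the static archive: comment out the dlname= and
#    library_names= lines of a .la file, keeping a backup next to it.
la_force_static() {   # usage: la_force_static ~/natives/apr/lib/libapr-1.la
    cp "$1" "$1.orig"
    sed -e 's/^\(dlname=.*\)$/# \1/' -e 's/^\(library_names=.*\)$/# \1/' "$1.orig" > "$1"
}

# Succeeds when no active dlname= / library_names= line remains.
la_is_static_only() {
    ! grep -Eq '^(dlname|library_names)=' "$1"
}

# 2. "relocation R_X86_64_32 against `.rodata' can not be used when making a
#    shared object" means the archive was built without -fPIC.  Count such
#    relocations; anything above 0 will fail when linked into libtcnative-1.so,
#    and the fix is to rebuild that library with CFLAGS=-fPIC.
archive_nonpic_relocs() {   # usage: archive_nonpic_relocs /path/to/libapr-1.a
    readelf -r "$1" 2>/dev/null | grep -Ec ' R_X86_64_32S? ' || :
}

# 3. Read `openssl engine -t` output on stdin and report whether engine $1 is
#    listed and available.  Run the openssl that tcnative will link against, e.g.
#    LD_LIBRARY_PATH=~/natives/openssl/lib openssl engine -t | engine_state LunaCA3
engine_state() {
    awk -v id="($1)" '
        $1 == id { found = 1; next }
        found && /\[ *available *\]/   { print "available";   done = 1; exit }
        found && /\[ *unavailable *\]/ { print "unavailable"; done = 1; exit }
        found { found = 0 }
        END { if (!done) print "not listed" }
    '
}

# Constructed `openssl engine -t` output for the demo; the descriptions are invented.
SAMPLE_ENGINE_LIST='(dynamic) Dynamic engine loading support
     [ available ]
(LunaCA3) SafeNet Luna CA3 engine
     [ unavailable ]'

printf '%s\n' "$SAMPLE_ENGINE_LIST" | engine_state LunaCA3
```

engine_state printing "unavailable" for the engine that ENGINE_by_id later fails on is the quickest way to tell an OpenSSL-side problem (wrong library on the load path, engine built against a different OpenSSL) from a tcnative one.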

Re: APR with PKCS11 support

2014-10-29 Thread Sanaullah
I again started working on SSLEngine with SafeNet and I need some help: how do
I enable debugging? I configured the engine as LunaCA3.

<Listener class="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="LunaCA3" />


Here is error log after starting the server.

Oct 29, 2014 1:40:21 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR
version 1.5.1.
Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Oct 29, 2014 1:40:22 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented
on this platform
at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
at
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Oct 29, 2014 1:40:22 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Oct 29, 2014 1:40:23 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler
[http-apr-8443]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is
enabled in the AprLifecycleListener, the AprLifecycleListener has
initialised cor$
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
at
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol
(error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5 routines)
at org.apache.tomcat.jni.SSLContext.make(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
... 16 more




Regards,
Sanaullah





On Wed, Aug 6, 2014 at 5:12 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sunaullah,

 On 7/26/14, 4:50 AM, Sanaullah wrote:
  I tried that configuration but getting errrors.

 I just want you to know that you haven't been forgotten: I'm on
 vacation for a bit but I'd really like to take a look at this issue
 when I return.

 In the meantime, feel free to check out the tcnative code if you want
 to see what is going

Re: Does APR/tomcat-native support TLS 1.2?

2014-09-02 Thread Sanaullah
I faced the same issue with Tomcat 7.0.47. You can find the details below of
how I applied the patches and got things working.

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You
have to apply these two patches in order to run TLSv1.1 and TLSv1.2:
https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu trusty.

Here is my test result

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
CONNECTED(0003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---

Server certificate
-BEGIN CERTIFICATE-
[...]
-END CERTIFICATE-
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu

---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384

Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51   ...V..IQ
    0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE ..PP...A.
    0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9   .v)..[5.;m.
    0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21   ..T#.9-Z..^!
    0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed   ..7.fY.._..*
    0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16   ]r..^.)..I..P...
    0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6   #..cy.6#...5y.h.
    0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ..w' ..
    0080 - 40 11 a1 d2 8e 8a 68 ab-5e c9 81 3d 72 46 56 d8   @.h.^..=rFV.
    0090 - 84 66 b7 6f 57 ce 0f 05-d0 52 a4 d3 9c 66 de b4   .f.oWR...f..
    00a0 - 85 cb 9f fe 85 16 e2 35-df 46 c2 c8 fc 37 bb 48   ...5.F...7.H

    Start Time: 1388926368
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0


/***Server.xml***/

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           SSLProtocol="all"
           clientAuth="false"
           SSLCertificateFile="/home/san/sinful.pem"
           SSLCertificateKeyFile="/home/san/sinful.key" />



How To Apply the patches.

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 : this patch
is applied to tomcat-native-1.1.29. After patching, compile it using:
cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

Copy the libs and place them in the default lib directory of Ubuntu:
cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/


2- Get the source code of tomcat-7.0.47.
Install JDK 6.

Apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166
to tomcat-7.0.47.
Export the JDK 6 path.
Run ant in the source folder. This will download many files and also
compile the code.

There will be some errors related to SSLv2. Comment out that code, as SSLv2
is no longer supported. After the successful build, start the Tomcat server.

let me know if there is still any errors.

Regards,
Sanaullah
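Reading an s_client transcript like the one above by eye misses things. The script below is an added example for this thread, not code from Tomcat, tcnative or OpenSSL, that reduces such a transcript to findings: negotiated protocol, whether the cipher's key exchange is forward-secret (ECDH-ECDSA-AES256-GCM-SHA384 above is static ECDH, so it is not), certificate verification, session tickets, and how many handshakes s_client resumed when run with -reconnect, which is the session-reuse check the earlier s_client suggestion on this page leads to. tls_probe also walks the protocol flags, which is how to see what SSLProtocol="all" actually accepts. The transcript embedded in it is constructed from the output above and trimmed; tls_probe needs network access and an openssl binary that accepts the version flags it passes, and is not run by the embedded sample.

```shell
#!/bin/sh
# Summarise an `openssl s_client` transcript: negotiated protocol, whether the
# cipher's key exchange is forward-secret, certificate verification, session
# tickets and (with -reconnect) how many handshakes were resumed.
# Added example for this thread; not code from Tomcat, tcnative or OpenSSL.

# Print the value of the "Name : value" field $1 from a transcript on stdin.
sclient_field() {
    awk -v want="$1" -F':' '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name) }
        name == want {
            v = substr($0, index($0, ":") + 1); sub(/^[ \t]+/, "", v)
            print v; exit
        }'
}

# Read a transcript on stdin and print one finding per line.
sclient_assess() {
    t=$(cat)
    proto=$(printf '%s\n' "$t" | sclient_field Protocol)
    cipher=$(printf '%s\n' "$t" | sclient_field Cipher)
    verify=$(printf '%s\n' "$t" | sclient_field 'Verify return code')
    ticket=$(printf '%s\n' "$t" | sclient_field 'TLS session ticket lifetime hint')
    reused=$(printf '%s\n' "$t" | grep -c '^Reused,' || :)
    case $proto in
        TLSv1.2|TLSv1.3) echo "protocol=$proto ok" ;;
        *)               echo "protocol=$proto WEAK: restrict the connector to TLSv1.2" ;;
    esac
    case $cipher in
        ECDHE-*|DHE-*|TLS_*) echo "cipher=$cipher forward-secret" ;;
        *) echo "cipher=$cipher NOT forward-secret: static ECDH or RSA key exchange" ;;
    esac
    case $cipher in
        *RC4*|*DES*|*NULL*|*EXP*|*MD5*) echo "cipher=$cipher WEAK algorithm" ;;
    esac
    case $verify in
        "0 (ok)") echo "certificate verified" ;;
        *)        echo "certificate NOT verified: $verify" ;;
    esac
    [ -n "$ticket" ] && echo "session tickets offered, lifetime hint $ticket"
    echo "resumed handshakes=$reused (0 unless s_client ran with -reconnect)"
}

# Probe a live server: which protocol versions it accepts, then a -reconnect
# run to see whether session reuse works.  Needs network access and an openssl
# that knows these version flags (a flag the build lacks is reported as rejected).
tls_probe() {   # usage: tls_probe host port
    for v in -ssl3 -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$1:$2" $v </dev/null >/dev/null 2>&1
        then echo "$v accepted"; else echo "$v rejected"; fi
    done
    openssl s_client -connect "$1:$2" -reconnect </dev/null 2>/dev/null | sclient_assess
}

# Constructed transcript, modelled on the one posted above (trimmed).
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1388926368
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---'

printf '%s\n' "$SAMPLE_TRANSCRIPT" | sclient_assess
```

For the transcript above the output says the protocol is fine, the cipher is not forward-secret, the certificate is self-signed, and tickets are offered; pipe a real `openssl s_client -connect host:8443 -reconnect` run into sclient_assess to see whether the resumed-handshake count goes above 0.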

Re: APR with PKCS11 support

2014-08-25 Thread Sanaullah
Hi Chris,

did you get any chance to take a look into the issue ?

Regards,
Sanaullah


On Wed, Aug 6, 2014 at 5:12 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sunaullah,

 On 7/26/14, 4:50 AM, Sanaullah wrote:
  I tried that configuration but getting errrors.

 I just want you to know that you haven't been forgotten: I'm on
 vacation for a bit but I'd really like to take a look at this issue
 when I return.

 In the meantime, feel free to check out the tcnative code if you want
 to see what is going on, or someone else could chime-in and give an
 opinion (or -- *gasp* -- a proposed patch!).

 Thanks,
  -chris

  NFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
  version 1.4.6. Jul 23, 2014 3:06:40 AM
  org.apache.catalina.core.AprLifecycleListener init INFO: APR
  capabilities: IPv6 [true], sendfile [true], accept filters [false],
  random [true]. Jul 23, 2014 3:06:40 AM
  org.apache.catalina.core.AprLifecycleListener lifecycleEvent
  SEVERE: Failed to initialize the SSLEngine.
  org.apache.tomcat.jni.Error: 70023: This function has not been
  implemented on this platform at
  org.apache.tomcat.jni.SSL.initialize(Native Method) at
  sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
 
 sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 
 
 at
 
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 
 
 at java.lang.reflect.Method.invoke(Method.java:606)
  at
 
 org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
 
 
 at
 
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
 
 
 at
 
 org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
 
 
 at
 
 org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
 
 
 at
 
 org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
 
 
 at
  org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:638) at
  org.apache.catalina.startup.Catalina.load(Catalina.java:663) at
  sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
 
 sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 
 
 at
 
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 
 
 at java.lang.reflect.Method.invoke(Method.java:606)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
 
 
 
  On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
  Sanaullah,
 
  On 7/25/14, 9:16 AM, Sanaullah wrote:
   httpd is working with the HSM with the addition of the parameter
   SSLCryptoDevice=LunaCA, but when I try the same parameter in
   TomEE, TomEE doesn't recognize it.
 
  WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
  Setting property 'SSLCryptoDevice' to 'LunaCA3' did not find
  a matching property.
 
  Any Idea?
 
  Try setting SSLEngine=LunaCA3 instead of SSLEngine=on in your:
 
   <Listener class="org.apache.catalina.core.AprLifecycleListener"
             SSLEngine="on" />
 
  -chris
 
  On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
  Sanaullah,
 
  On 7/10/14, 4:19 AM, Sanaullah wrote:
   Is there a way I can use a PKCS11-supported SmartCard/token when
   using the APR-based SSL connector in Tomcat? PEM-encoded
   certificates and keys are stored in the smartcard.
  
   I know the BIO/NIO connectors support a token/HSM, but I am
   looking at APR-based connectors.
 
  I'm no expert at such configurations, but since tcnative/APR
  uses OpenSSL for its crypto engine, then it can do anything
  OpenSSL can do. Have you been able to configure e.g. httpd to
  use this kind of setup? If so, there ought to be a way to
  make it happen using Tomcat's APR connector.
 
  -chris
 
 
 
 
 
 
 
 

Re: JSSE or APR

2014-08-20 Thread Sanaullah
You can verify this in your connector configuration and also in the logs.
Here are the connector attributes:


org.apache.coyote.http11.Http11Protocol - blocking Java connector
org.apache.coyote.http11.Http11NioProtocol - non blocking Java connector
org.apache.coyote.http11.Http11AprProtocol - the APR/native connector.
[1]
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

Regards,
Sanaullah

On Wed, Aug 20, 2014 at 9:08 PM, John McLean johnmclea...@gmail.com wrote:

 I'm reading through the following guide:


 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

 and i'm bit confused about whether I should be using (am using) JSSE or
 APR, this has implications for how I adjust the tomcat config file.

 I used the following ubuntu guide to create my csr:

 https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html

 This used openssl so does than mean I'm using APR?

 Other posts seem to point out that chances are, i'm using JSSE, if I don't
 know better, which I think is where I am, hence my confusion.

 I guess what I'm asking is, how do I confirm if I am using JSSE or APR ?

 Thanks
 John



Re: JKS keystore password Encryption

2014-08-05 Thread Sanaullah
Hi Chris,

I don't want to pass the audit. I am just curious why JBoss implemented that,
and what the purpose of the SRP protocol implementation is if it's just to
pass the audit?

[1]
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Development_Guide/#sect-Secure_Remote_Password_Protocol


Regards,
Sanaullah


On Wed, Aug 6, 2014 at 5:34 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 8/4/14, 9:19 PM, Sanaullah wrote:
  Thanks to all.
 
  I was looking for something similar to this [1] which is implemented in
  JBoss.
 
  [1]
 
 https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html

 Congratulations:
 
 you'll pass a security audit that flags this as a
 problem.

 Fail: you have moved your password to another file, and not gained a
 single thing.

 You may now celebrate the incompetence of both your auditors and
 engineering staff for sidestepping an issue rather than soberly
 dealing with it head-on.

 This is why formal risk analyses are much better than crappy
 script-based security audits. First of all, they force you to be much
 more creative than a script you paid someone a huge sum of money to
 run that only tells you obvious things that a light reading of any
 OWASP documentation would already tell you, *and* it gives you the
 opportunity to say this thing doesn't matter at all, and even if we
 *did* do something about it, it wouldn't make any damn bit of difference.

 It's time engineering teams started teaching management about security.

 - -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




JKS keystore password Encryption

2014-08-04 Thread Sanaullah
Hi,

Is there a way I can replace the plain JKS keystore password with an
encrypted password in Tomcat server.xml?

Regards,
Sanaullah


Re: JKS keystore password Encryption

2014-08-04 Thread Sanaullah
Thanks Andre and Ulises.

I will also search the archive.

Regards,
Sanaullah


On Mon, Aug 4, 2014 at 8:07 PM, Ulises González Horta ul...@ulinxonline.net
 wrote:

 On Mon 04 Aug 2014 09:17:47 André Warnier wrote:
  And if someone non-authorized has access to Tomcat's server.xml, then you
  have bigger  problems than a non-encrypted password.

 Maybe the best solution could be to put the right permissions on server.xml
 and not give the root password to other users

 
 Salu2, Ulinx
 In a problem with n equations
 there will always be at least n+1 unknowns
 Linux user 366775





Re: JKS keystore password Encryption

2014-08-04 Thread Sanaullah
Thanks to all.

I was looking for something similar to this [1] which is implemented in JBoss.

[1]
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html



On Tue, Aug 5, 2014 at 3:43 AM, Ognjen Blagojevic 
ognjen.d.blagoje...@gmail.com wrote:

 Sanaullah,


 On 4.8.2014 17:26, Sanaullah wrote:

  I will also search the archive.


 You may also find the Wiki useful:

   http://wiki.apache.org/tomcat/FAQ/Password

 -Ognjen






Re: APR with PKCS11 support

2014-07-26 Thread Sanaullah
I tried that configuration but am getting errors.

INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version
1.4.6.
Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jul 23, 2014 3:06:40 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
        at org.apache.tomcat.jni.SSL.initialize(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)



On Fri, Jul 25, 2014 at 8:05 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 7/25/14, 9:16 AM, Sanaullah wrote:
  httpd is working with the HSM with the addition of the parameter
  SSLCryptoDevice=LunaCA, but when I try the same parameter in TomEE,
  TomEE doesn't recognize this parameter.
 
  WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
  property 'SSLCryptoDevice' to 'LunaCA3' did not find a matching
  property.
 
  Any Idea?

 Try setting SSLEngine=LunaCA3 instead of SSLEngine=on in your:

    <Listener class="org.apache.catalina.core.AprLifecycleListener"
              SSLEngine="on" />

 - -chris

  On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz 
  ch...@christopherschultz.net wrote:
 
  Sanaullah,
 
  On 7/10/14, 4:19 AM, Sanaullah wrote:
  Is there a way I can use a PKCS11-supported SmartCard/token
  when using the APR-based SSL connector in Tomcat? PEM-encoded
  certificates and keys are stored in the smartcard.
  
  I know the BIO/NIO connectors support tokens/HSMs, but I am
  looking for the APR-based connector.
 
  I'm no expert at such configurations, but since tcnative/APR uses
  OpenSSL for its crypto engine, then it can do anything OpenSSL can
  do. Have you been able to configure e.g. httpd to use this kind of
  setup? If so, there ought to be a way to make it happen using
  Tomcat's APR connector.
 
  -chris
 
 
 
 





Re: APR with PKCS11 support

2014-07-25 Thread Sanaullah
Hi Chris,

httpd is working with the HSM with the addition of the parameter
SSLCryptoDevice=LunaCA, but when I try the same parameter in TomEE, TomEE
doesn't recognize this parameter.

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLCryptoDevice' to 'LunaCA3' did not find a matching property.

Any Idea?

Regards,
Sanaullah






On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 7/10/14, 4:19 AM, Sanaullah wrote:
  Is there a way I can use a PKCS11-supported SmartCard/token when
  using the APR-based SSL connector in Tomcat? PEM-encoded certificates
  and keys are stored in the smartcard.
  
  I know the BIO/NIO connectors support tokens/HSMs, but I am looking for
  the APR-based connector.

 I'm no expert at such configurations, but since tcnative/APR uses
 OpenSSL for its crypto engine, then it can do anything OpenSSL can do.
 Have you been able to configure e.g. httpd to use this kind of setup?
 If so, there ought to be a way to make it happen using Tomcat's APR
 connector.

 - -chris





APR with PKCS11 support

2014-07-10 Thread Sanaullah
Hi All,

Is there a way I can use a PKCS11-supported SmartCard/token when using the APR
based SSL connector in Tomcat? PEM-encoded certificates and keys are stored in
the smartcard.

I know the BIO/NIO connectors support tokens/HSMs, but I am looking for the
APR-based connector.

Regards,
Sanaullah


Re: APR with PKCS11 support

2014-07-10 Thread Sanaullah
Thanks chris,

I haven't tried such configurations with httpd. I will explore now.

Regards,
Sanaullah


On Thu, Jul 10, 2014 at 7:40 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 7/10/14, 4:19 AM, Sanaullah wrote:
  Is there a way I can use a PKCS11-supported SmartCard/token when
  using the APR-based SSL connector in Tomcat? PEM-encoded certificates
  and keys are stored in the smartcard.
  
  I know the BIO/NIO connectors support tokens/HSMs, but I am looking for
  the APR-based connector.

 I'm no expert at such configurations, but since tcnative/APR uses
 OpenSSL for its crypto engine, then it can do anything OpenSSL can do.
 Have you been able to configure e.g. httpd to use this kind of setup?
 If so, there ought to be a way to make it happen using Tomcat's APR
 connector.

 - -chris





detailed APR/SSL logging

2014-01-07 Thread Sanaullah
Hi,

Does anyone know how I can get the detailed APR/SSL debug logs? I need to
know where my SSL session is getting broken; there is nothing in the
catalina.out log.

usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [
-nonaming ]  { -help | start | stop }
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.1.
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-0.0.0.0-8443]
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 696 ms
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory
/opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-0.0.0.0-8443]
Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 935 ms


--
Server starts up properly with openssl and certs, but when I try to connect
to it with openssl s_client it's getting an error
--
root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
127.0.0.1:8443 -tls1_2 -debug
CONNECTED(0003)
write to 0x8a03258 [0x8a0cfe3] (319 bytes = 319 (0x13F))
 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   :...6..R...E
0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57   ...oX?W
0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30   ...I-R.0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$..!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ./.+.'.#
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   /...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f   ...o
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   
0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03   .#.. ..
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   
0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01  ...
read from 0x8a03258 [0x8a08a93] (5 bytes = 5 (0x5))
 - 15 03 03 00 02.
read from 0x8a03258 [0x8a08a98] (2 bytes = 2 (0x2))
 - 02 28 .(
3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1256:SSL alert number 40
3074095420:error:1409E0E5:SSL 
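The bytes in the -debug output above are a TLS ClientHello written by s_client and an alert record read back; the following added example (mine, not code from the post, Tomcat or OpenSSL) decodes both so the failure can be read off the wire data instead of guessed at. The hex is transcribed from the dump above; the suite, curve and alert ids are TLS 1.2 registry values.

```python
"""Decode the openssl s_client -debug dump above: one ClientHello record written
by the client and one alert record read back.

Added example, not code from the post or from Tomcat/OpenSSL.  The hex is
transcribed from the dump; the numeric ids are TLS 1.2 IANA registry values.
"""
import struct

# The 319 bytes of the "write to" dump and the 7 bytes of the two "read from" dumps.
CLIENT_HELLO_HEX = (
    "160301013a01000136030352cbcdf145" "e91bfc266fd9b3c79058888092eb3f57"
    "ab9fbe492d52b41ff1c1d600009ec030" "c02cc028c024c014c00ac022c02100a3"
    "009f006b006a0039003800880087c032" "c02ec02ac026c00fc005009d003d0035"
    "0084c012c008c01cc01b00160013c00d" "c003000ac02fc02bc027c023c013c009"
    "c01fc01e00a2009e0067004000330032" "009a009900450044c031c02dc029c025"
    "c00ec004009c003c002f00960041c011" "c007c00cc00200050004001500120009"
    "0014001100080006000300ff0100006f" "000b000403000102000a00340032000e"
    "000d0019000b000c00180009000a0016" "00170008000600070014001500040005"
    "00120013000100020003000f00100011" "00230000000d00220020060106020603"
    "05010502050304010402040303010302" "03030201020202030101000f000101"
)
ALERT_HEX = "1503030002" "0228"

# Suites authenticated with an ECDSA certificate (IANA ids); a server holding an
# ECC cert must pick one of these.  0xC02E is ECDH-ECDSA-AES256-GCM-SHA384.
ECDSA_SUITES = {0xC02B, 0xC02C, 0xC023, 0xC024, 0xC009, 0xC00A,
                0xC02D, 0xC02E, 0xC025, 0xC026, 0xC004, 0xC005}
NIST_CURVES = {0x17: "secp256r1", 0x18: "secp384r1", 0x19: "secp521r1"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello into its fields."""
    ctype, rec_len = record[0], _u16(record, 3)
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:          # handshake record, ClientHello type
        raise ValueError("not a ClientHello record")
    p = 4                                    # handshake type + 24-bit length
    client_version = (body[p], body[p + 1]); p += 2
    p += 32                                  # client random
    p += 1 + body[p]                         # session id (length-prefixed)
    cs_len = _u16(body, p); p += 2
    suites = [_u16(body, p + i) for i in range(0, cs_len, 2)]; p += cs_len
    p += 1 + body[p]                         # compression methods
    exts = {}
    if p < len(body):                        # extensions block is optional
        end = p + 2 + _u16(body, p); p += 2
        while p < end:
            etype, elen = struct.unpack_from("!HH", body, p); p += 4
            exts[etype] = body[p:p + elen]; p += elen
    return {"client_version": client_version, "cipher_suites": suites,
            "extensions": exts}


def supported_curves(exts):
    """Curve ids from the supported_groups extension (type 10)."""
    data = exts.get(10, b"")
    return [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)] if data else []


def signature_algorithms(exts):
    """(hash, signature) pairs from the signature_algorithms extension (type 13)."""
    data = exts.get(13, b"")
    return [(data[2 + i], data[3 + i]) for i in range(0, _u16(data, 0), 2)] if data else []


def parse_alert(record):
    """Decode a TLS alert record into level, code and name."""
    if record[0] != 21 or _u16(record, 3) != 2:
        raise ValueError("not an alert record")
    level, code = record[5], record[6]
    return {"level": "fatal" if level == 2 else "warning", "code": code,
            "description": ALERT_DESCRIPTIONS.get(code, "unknown")}


def diagnose(client_hello_hex=CLIENT_HELLO_HEX, alert_hex=ALERT_HEX):
    """Summarise what the client offered and how the server answered."""
    hello = parse_client_hello(bytes.fromhex(client_hello_hex))
    curves = supported_curves(hello["extensions"])
    sigalgs = signature_algorithms(hello["extensions"])
    return {
        "client_version": hello["client_version"],        # (3, 3) is TLS 1.2
        "suite_count": len(hello["cipher_suites"]),
        "offers_ecdsa_suites": bool(ECDSA_SUITES & set(hello["cipher_suites"])),
        "nist_curves": [NIST_CURVES[c] for c in curves if c in NIST_CURVES],
        "offers_ecdsa_signatures": any(sig == 3 for _, sig in sigalgs),
        "session_ticket_offered": 35 in hello["extensions"],
        "alert": parse_alert(bytes.fromhex(alert_hex)),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Because the client offers TLS 1.2, ECDSA suites, the NIST curves and ECDSA signature algorithms, a fatal handshake_failure (alert 40) in reply points at the server side (the certificate, key and cipher configuration OpenSSL loaded) rather than at the client.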

Re: detailed APR/SSL logging

2014-01-07 Thread Sanaullah
Here is my configuration. I am using openssl. I haven't installed any
certificate in the JVM truststore.

<Connector address="0.0.0.0"
           port="8443"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           SSLProtocol="All"
           SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
           SSLCertificateFile="/home/san/certs/pay-test/test.pem"
           SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem" />





On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty mgai...@hotmail.com wrote:






  Date: Tue, 7 Jan 2014 14:51:21 +0500
  Subject: detailed APR/SSL logging
  From: sanaulla...@gmail.com
  To: users@tomcat.apache.org
 
  Hi,
 
  Does anyone know how I can get the detailed APR/SSL debug logs? I need to
  know where my SSL session is getting broken; there is nothing in the
  catalina.out log.
 
  usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [
  -nonaming ] { -help | start | stop }
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
 init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
  version 1.5.1.
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
 init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
  [false], random [true].
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
  initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
  Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-8080]
  Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-0.0.0.0-8443]
  Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
  INFO: Initialization processed in 696 ms
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService
  startInternal
  INFO: Starting service Catalina
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine
  startInternal
  INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
  Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
  Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [http-apr-8080]
  Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [http-apr-0.0.0.0-8443]
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
  INFO: Server startup in 935 ms
 
 
 
 --
  Server starts up properly with openssl and certs, but when I try to connect
  to it with openssl s_client it's getting an error
 
 --
  root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
  127.0.0.1:8443 -tls1_2 -debug
  CONNECTED(0003)
  write to 0x8a03258 [0x8a0cfe3] (319 bytes = 319 (0x13F))
   - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45 :...6..R...E
  0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57 ...oX?W
  0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30 ...I-R.0
  0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3 .,.(.$..!..
  0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.2
  0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35 ...*=.5
  0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d 
  0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09 ./.+.'.#
  0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32 .g.@.3.2
  0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25 .E.D.1.-.).%
  00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11 /...A..
  00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09 
  00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f ...o
  00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 

Re: detailed APR/SSL logging

2014-01-07 Thread Sanaullah
This issue is only with my ECC certificates. The whole configuration works
pretty well with TLS1.2 when I am using the RSA certs. OpenSSL self-signed
ECC certs are also working.


On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah sanaulla...@gmail.com wrote:

 Here is my configuration. I am using openssl. I haven't installed any
 certificate in the JVM truststore.

 <Connector address="0.0.0.0"
            port="8443"
            SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false"
            SSLProtocol="All"
            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem" />





 On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty mgai...@hotmail.com wrote:






  Date: Tue, 7 Jan 2014 14:51:21 +0500
  Subject: detailed APR/SSL logging
  From: sanaulla...@gmail.com
  To: users@tomcat.apache.org
 
  Hi,
 
  Does anyone know how I can get the detailed APR/SSL debug logs? I need
  to know where my SSL session is getting broken; there is nothing in the
  catalina.out log.
 
  usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ]
 [
  -nonaming ] { -help | start | stop }
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
 init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
  version 1.5.1.
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
 init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
  [false], random [true].
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
  initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
  Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-8080]
  Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-0.0.0.0-8443]
  Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
  INFO: Initialization processed in 696 ms
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService
  startInternal
  INFO: Starting service Catalina
  Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine
  startInternal
  INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
  Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory
  INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
  Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [http-apr-8080]
  Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [http-apr-0.0.0.0-8443]
  Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
  INFO: Server startup in 935 ms
 
 
 
 --
  Server starts up properly with openssl and certs, but when I try to
  connect to it with openssl s_client it's getting an error
 
 --
  root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
  127.0.0.1:8443 -tls1_2 -debug
  CONNECTED(0003)
  write to 0x8a03258 [0x8a0cfe3] (319 bytes = 319 (0x13F))
   - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45 :...6..R...E
  0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57 ...oX?W
  0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30 ...I-R.0
  0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3 .,.(.$..!..
  0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.2
  0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35 ...*=.5
  0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d 
  0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09 ./.+.'.#
  0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32 .g.@.3.2
  0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25 .E.D.1.-.).%
  00a0 - c0 0e

Re: detailed APR/SSL logging

2014-01-07 Thread Sanaullah
I still stick to my opinion: the patches needed to be applied for TLS 1.2
with SSL/APR. Everything is working after applying the patches, except for
these chained ECC certs. I am just looking around for where to get the
detailed logs.




On Tue, Jan 7, 2014 at 11:11 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Sanaullah,

 On 1/7/14, 8:06 AM, Sanaullah wrote:
  This issue is only with my ECC certificates. The whole
  configuration works pretty well with TLS1.2 when I am using the RSA
  certs. OpenSSL self-signed ECC certs are also working.
 
 
  On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah sanaulla...@gmail.com
  wrote:
 
  Here is my configuration. I am using openssl. I haven't installed
  any certificate in the JVM truststore.
 
  <Connector address="0.0.0.0" port="8443" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="false"
             SSLProtocol="All"
             SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
             SSLCertificateFile="/home/san/certs/pay-test/test.pem"
             SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem" />
 
 
 
 
 
  On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty
  mgai...@hotmail.com wrote:
 
 
 
 
 
 
  Date: Tue, 7 Jan 2014 14:51:21 +0500 Subject: detailed
  APR/SSL logging From: sanaulla...@gmail.com To:
  users@tomcat.apache.org
 
  Hi,
 
  Does anyone know how I can get the detailed APR/SSL debug
  logs? I need to know where my SSL session is getting broken;
  there is nothing in the catalina.out log.
 
  usage: java org.apache.catalina.startup.Catalina [ -config
  {pathname} ]
  [
  -nonaming ] { -help | start | stop } Jan 07, 2014 1:43:12 AM
  org.apache.catalina.core.AprLifecycleListener
  init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.29
  using APR version 1.5.1. Jan 07, 2014 1:43:12 AM
  org.apache.catalina.core.AprLifecycleListener
  init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept
  filters [false], random [true]. Jan 07, 2014 1:43:12 AM
  org.apache.catalina.core.AprLifecycleListener initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb
  2013) Jan 07, 2014 1:43:12 AM
  org.apache.coyote.AbstractProtocol init INFO: Initializing
  ProtocolHandler [http-apr-8080] Jan 07, 2014 1:43:12 AM
  org.apache.coyote.AbstractProtocol init INFO: Initializing
  ProtocolHandler [http-apr-0.0.0.0-8443] Jan 07, 2014
  1:43:12 AM org.apache.catalina.startup.Catalina load INFO:
  Initialization processed in 696 ms Jan 07, 2014 1:43:12 AM
  org.apache.catalina.core.StandardService startInternal INFO:
  Starting service Catalina Jan 07, 2014 1:43:12 AM
  org.apache.catalina.core.StandardEngine startInternal INFO:
  Starting Servlet Engine: Apache Tomcat/7.0.47 Jan 07, 2014
  1:43:12 AM org.apache.catalina.startup.HostConfig
  deployDirectory INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
 
 
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
 
 
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
 
 
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
 
 
 Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
  deployDirectory INFO: Deploying web application directory
  /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
 
 
 Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [http-apr-8080] Jan 07, 2014
  1:43:13 AM org.apache.coyote.AbstractProtocol start INFO:
  Starting ProtocolHandler [http-apr-0.0.0.0-8443] Jan 07,
  2014 1:43:13 AM org.apache.catalina.startup.Catalina start
  INFO: Server startup in 935 ms
 
 
 
 
 --
 
 
  Server starts up properly with openssl and certs, but when I try to
  connect to it with openssl s_client it's getting an error
 
 
 --
 
 
 root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
  127.0.0.1:8443 -tls1_2 -debug CONNECTED(0003) write to
  0x8a03258 [0x8a0cfe3] (319 bytes = 319 (0x13F))  - 16 03
  01 01 3a 01 00 01-36 03 03 52 cb cd f1 45 :...6..R...E
  0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57
  ...oX?W 0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00
  00 9e c0 30 ...I-R.0 0030 - c0 2c c0 28 c0 24 c0
  14-c0 0a c0 22 c0 21 00 a3 .,.(.$..!.. 0040 - 00 9f 00
  6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.2 0050

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-05 Thread Sanaullah
Most of the people puking here regarding TLSv1.1 and TLSv1.2 support in
Tomcat 7.0.47 are just trying to make themselves look over-smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You
have to apply these two patches in order to run TLSv1.1 and TLSv1.2:
https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu trusty.

Here is my test result

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect
127.0.0.1:8443
CONNECTED(0003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
+aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
EmVg3uQq9XxPfiI=
-----END CERTIFICATE-----
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51   ...........V..IQ
    0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE ..PP...A.
    0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9   .v)..[5.....;>m.
    0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21   ......T#.9-Z..^!
    0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed   ..7.fY.._..*....
    0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16   ]r..^.)..I..P...
    0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6   #..cy.6#...5y.h.
    0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ......<w....' ..
    0080 - 40 11 a1 d2 8e 8a 68 ab-5e c9 81 3d 72 46 56 d8   @.....h.^..=rFV.
    0090 - 84 66 b7 6f 57 ce 0f 05-d0 52 a4 d3 9c 66 de b4   .f.oW....R...f..
    00a0 - 85 cb 9f fe 85 16 e2 35-df 46 c2 c8 fc 37 bb 48   .......5.F...7.H

    Start Time: 1388926368
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0


/*** server.xml ***/

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           SSLProtocol="all"
           clientAuth="false"
           SSLCertificateFile="/home/san/sinful.pem"
           SSLCertificateKeyFile="/home/san/sinful.key" />



How to apply the patches:

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 : this patch
is applied to tomcat-native-1.1.29. After patching, compile it using:

cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

Copy the libs and place them in the default lib directory of Ubuntu:
cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/


2- Get the source code of tomcat-7.0.47.
Install JDK 6.

Apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166
to tomcat-7.0.47.
Export the JDK 6 path.
Run ant in the source folder. This will download many files and also
compile the code.

There will be some errors related to SSLv2. Comment that code out, as SSLv2
is no longer supported. After a successful build, start the Tomcat server.

Let me know if there are still any errors.

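After a rebuild like the one above, the quickest way to see which protocol versions the APR connector now negotiates is to repeat the `openssl s_client` probe once per version and read the SSL-Session block, which is what the output in this message shows by hand. The script below is an added example, not code from this thread or from the Tomcat project: it forces each version with the s_client flags, parses the `Protocol`/`Cipher` lines of the output, and fails if SSLv3 is still accepted. The host and port are hypothetical, and it assumes an OpenSSL 1.0.1 or later s_client (add `-tls1_3` to the list on 1.1.1+).

```shell
#!/bin/sh
# Added example, not from the thread: probe a TLS endpoint (e.g. the APR
# connector on 127.0.0.1:8443 discussed above) once per protocol version with
# openssl s_client and report what each attempt negotiated.
# Assumes an openssl binary whose s_client accepts -ssl3/-tls1/-tls1_1/-tls1_2.
# Host and port are hypothetical.

# Read s_client output on stdin and print "PROTOCOL CIPHER" taken from the
# SSL-Session block, or "none" when no session was established (s_client then
# prints "Cipher    : 0000" or "(NONE)").
parse_session() {
  awk '
    /^SSL-Session:/                { in_session = 1; next }
    in_session && /^ *Protocol *:/ { proto = $NF }
    in_session && /^ *Cipher *:/   { cipher = $NF }
    END {
      if (proto != "" && cipher != "" && cipher != "0000" && cipher != "(NONE)")
        print proto, cipher
      else
        print "none"
    }'
}

# One handshake with a forced version flag, e.g. probe_version 127.0.0.1 8443 -tls1_2
probe_version() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null | parse_session
}

# Try every version and print one line each; return 1 if SSLv3 was accepted,
# since a server that still answers SSLv3 is the thing to fix first.
probe_all() {
  host=$1; port=$2; bad=0
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
    result=$(probe_version "$host" "$port" "$flag")
    printf '%-8s %s\n' "$flag" "$result"
    if [ "$flag" = -ssl3 ] && [ "$result" != none ]; then bad=1; fi
  done
  return $bad
}

# Usage: sh tlsprobe.sh HOST PORT   (does nothing when loaded without arguments)
if [ $# -ge 2 ]; then
  probe_all "$1" "$2"
fi
```

A server patched as described should print `TLSv1.2` with a TLSv1.2-only suite such as the ECDH-ECDSA-AES256-GCM-SHA384 seen above for `-tls1_2`, and `none` for `-ssl3`; an unpatched 7.0.47/tcnative 1.1.29 pair prints `none` for `-tls1_1` and `-tls1_2`.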

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Sanaullah
You can create the ECC self-signed certificates using the two OpenSSL
commands below:

openssl ecparam -out sinful.key -name prime256v1 -genkey
openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM
-days 3650

root@ubuntu:/# openssl s_client -connect localhost:8443
CONNECTED(0003)
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

---
SSL handshake has read 836 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDH-ECDSA-AES256-SHA
    Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
    Session-ID-ctx:
    Master-Key: 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de   9._1....x.f}G{..
    0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e   ...%.....7s.P..>
    0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05   .Qb......m.6....
    0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f   q^.....4..[.....
    0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4   \?m...;..6.?..U.
    0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36   H7s.u"..(...|..6
    0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab   D....13nQ.O^....
    0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c   ..{.i..w.:.j..0|
    0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84   ...?..a.-XK.....
    0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91   IL"mV.U..'z?....
    00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68   .......Nw.."...h

    Start Time: 1388891510
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


I am also unable to initialize any TLS1.1 or TLS1.2 related ECC Ciphers

Here is my config
tomcat 7.0.47
libapr 1.5.0-1
tcnative 1.1.29-1

<Connector port="8443"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           SSLProtocol="all"
           SSLCertificateFile="/home/san/sinful.pem"
           SSLCertificateKeyFile="/home/san/sinful.key" />




On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256

 Mark,

 On 1/4/14, 6:37 PM, Mark Eggers wrote:
  On 1/4/2014 1:18 PM, Christopher Schultz wrote:
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA256
 
  Musassir,
 
  On 1/4/14, 4:08 PM, Christopher Schultz wrote:
  Musassir,
 
  On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
  Again, we have to submit this as a bug.TLS 1.2 is not
  working in Tomcat
 
  Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk
  (essentially 1.2.29
 
  tcnative$ make clean
  tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
  tcnative$ time make
  [...]
  make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
 
  real    0m14.790s
  user    0m15.300s
  sys     0m1.840s
 
  tcnative$ cp -d .libs/* $CATALINA_HOME/bin
 
  tcnative$ cd $CATALINA_BASE
 
  tomcat$ cat conf/server.xml
 
  [...]
  <Connector port="8218"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" secure="true" scheme="https"
             SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
             SSLCertificateChainFile="[...]" SSLProtocol="all"
             executor="tomcatThreadPool" URIEncoding="UTF-8" />
  [...]
 
  tomcat$ bin/startup.sh
 
  [...]
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
  [...]
 
  tomcat$ openssl s_client -connect myhost:8218
  [...]
  verify error:num=19:self signed 

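The two `openssl` commands in the message above produce the key and certificate that the connector's `SSLCertificateFile`/`SSLCertificateKeyFile` pair points at. The script below is an added example, not code from the thread or from the Tomcat project: it wraps the same key generation, pins the self-signature to SHA-256 instead of the local default, and then checks the three things that matter before putting the files in server.xml: that the certificate carries an EC public key, that it is signed with ecdsa-with-SHA256, and that the private key file actually matches the certificate. File names and the CN are hypothetical; it assumes an OpenSSL 1.0.0 or later binary with the `ecparam`, `req`, `x509` and `pkey` subcommands.

```shell
#!/bin/sh
# Added example, not from the thread: generate the P-256 self-signed
# certificate created by hand above, then inspect it the way one would before
# wiring it into an APR connector. Assumes openssl with ecparam/req/x509/pkey.
# File names and the CN are hypothetical.

# make_ec_cert KEYFILE CERTFILE CN DAYS
make_ec_cert() {
  key=$1; cert=$2; cn=$3; days=$4
  # P-256 private key, as in the thread
  openssl ecparam -name prime256v1 -genkey -noout -out "$key"
  # -sha256 is added so the self-signature is ECDSA/SHA-256 regardless of the
  # local openssl default (older builds defaulted to SHA-1)
  openssl req -x509 -new -key "$key" -sha256 -subj "/CN=$cn" -days "$days" -out "$cert"
}

# Public key algorithm as printed by x509 -text (id-ecPublicKey for an EC cert)
cert_key_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Signature algorithm as printed by x509 -text (ecdsa-with-SHA256 after the above)
cert_sig_algo() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 when the certificate's public key equals the one derived from the
# private key, i.e. the two files belong together; a mismatched pair is a
# common reason the SSL connector refuses to start.
# cert_matches_key CERTFILE KEYFILE
cert_matches_key() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -pubout)
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Usage: sh eccert.sh sinful.key sinful.pem ubuntu 3650
if [ $# -ge 4 ]; then
  make_ec_cert "$1" "$2" "$3" "$4"
  echo "key algorithm:       $(cert_key_algo "$2")"
  echo "signature algorithm: $(cert_sig_algo "$2")"
  cert_matches_key "$2" "$1" && echo "certificate and key match"
fi
```

Note that a certificate like this still only lets the server negotiate the ECDH-ECDSA suites; whether TLSv1.1/TLSv1.2 and their SHA-256/SHA-384 suites are offered at all is decided by the connector and tcnative build, which is the subject of the rest of the thread.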
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Sanaullah
There is also a bug fix for TLS1.1 and TLS1.2 support by Marcel
Šebek; maybe that needs to be applied:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c1



On Sun, Jan 5, 2014 at 8:18 AM, Sanaullah sanaulla...@gmail.com wrote:


Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Sanaullah
Hi Chuck.

I just also took interest to dig this issue.

The document you were referring to,
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the SSLProtocol
attribute.

SSLCipherSuite will only support ciphers available in SSLv2, SSLv3 and
TLSv1.

TLSv1.1- and TLSv1.2-only ciphers can't be invoked until TLSv1.1 and
TLSv1.2 are enabled; see the list of TLSv1.2 cipher suites at the OpenSSL link:
http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I would be happy to see if someone can enable the ciphers below without enabling
TLSv1.2:

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

Regards,
San





On Fri, Jan 3, 2014 at 12:59 PM, Mudassir Aftab withmudas...@gmail.com wrote:



 -- Forwarded message --
 From: Caldarale, Charles R chuck.caldar...@unisys.com
 Date: Fri, Jan 3, 2014 at 10:45 AM
 Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
 To: Tomcat Users List users@tomcat.apache.org


  From: Mudassir Aftab [mailto:withmudas...@gmail.com]
  Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

  Should I use the following APR connector attributes?
 <Connector port="8443"
            protocol="org.apache.coyote.http11.Http11AprProtocol"
            maxThreads="200"
            sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
            clientAuth="false"
            ciphers="AES256-SHA256"
            scheme="https" secure="true" SSLEnabled="true"
            SSLCertificateFile="p.pem"
            SSLCertificateKeyFile="key.pem"
            SSLCACertificateFile="AdminCA1.pem" />

 For the third time, the APR Connector has no sslProtocol nor
 sslEnabledProtocols attributes; the proper ones for specifying the protocol
 and encryption algorithms are SSLProtocol and SSLCipherSuite, respectively.
  For the last time, read the doc:

 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

 (If you don't start paying attention to the responses you're getting, you
 will end up just being ignored.)

  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail and
 its attachments from all computers.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org