I'm referring to when a certificate is a combo such as a GoDaddy g1_g2 root.
The intermediate is usually fine.

  Original Message  
From: dmccrthy
Sent: Tuesday, September 1, 2015 4:12 PM
To: Tomcat Users List
Reply To: Tomcat Users List
Subject: RE: Tomcat 7.0.55 Not loading truststore or keystore

Hi Jeff,

Our client keystore has one certificate, but the truststore has multiple
certs. I'll try removing everything from the truststore except the server
cert and see what happens.

Thanks,
Diarmuid
On 1 Sep 2015 19:53, <jeffery.scott.cr...@gmail.com> wrote:

>
> >> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> server-cert-with-intermediate-and-root-in-one-file.cer -cert
> client-public-key.cer -key client-private-key.key -pass
> pass:client-private-key-password
>
> I've had trouble when there are more certificate packaged in the same file
> as the root certificate. If you can separate the certificates your problem
> should go away.
>
> Jeff Crump
>
> From: George Stanchev
> Sent: Tuesday, September 1, 2015 1:02 PM
> To: Tomcat Users List
> Subject: RE: Tomcat 7.0.55 Not loading truststore or keystore
>
>
> Hi Diarmuid,
>
> We have run similar issue with client cert SSL. Is your 3rd party web
> service hosted on Windows/IIS?
>
> George
>
> -----Original Message-----
> From: dmccrthy [mailto:dmccr...@gmail.com]
> Sent: Tuesday, September 01, 2015 11:07 AM
> To: Tomcat Users List
> Subject: Tomcat 7.0.55 Not loading truststore or keystore
>
> Hi All,
>
> I am having trouble getting Tomcat to load a truststore and keystore.
> This seems to be a basic configuration issue but I can't figure out what
> the problem is. Any insights would be gratefully received.
>
> The scenario is:
>
> * A 3rd party web application is deployed in Tomcat
> * The 3rd party web application is making outbound HTTPS connections to a
> 3rd party web service
> * Tomcat JVM parameters are configured with
>
> -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
> -Djavax.net.ssl.trustStorePassword=<snip>
> -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
> -Djavax.net.ssl.keyStorePassword=<snip>
> -Dhttps.protocols="TLSv1"
> -Djavax.net.debug=ALL
>
> * Both truststore and keystore are JKS
> * Mutual authentication is used for the SSL handshake
> * There are no errors in the Tomcat logs to indicate a problem with the
> truststore and keystore
> * The Tomcat logs show the server-side certificate being downloaded but
> not reporting the expected lines
>
> Found trusted certificate:
> matching alias: <client cert alias>
>
> Or for the keystore, I am expecting to see a log that it is loading the
> keystore (example below), but there is no sign that the keystore is being
> loaded. I got the log extract below from a standalone java client which
> successfully connects using MA to the remote service.
>
> keyStore is : c:\temp\DWCHASSMESA002.pfx
> keyStore type is : PKCS12
> keyStore provider is :
> init keystore
> init keymanager of type SunX509
>
> ***
> found key for : dwchassmesa002
> chain [0] = [
>
> * The Tomcat logs show that the SSL handshake gets as far as the
> ClientKeyExchange, but there is no client certificate sent and the
> handshake terminates with "Software caused connection abort: recv failed".
> On DataPower the error is that the client is not sending the certificate.
>
> <snip>
> http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
> *** CertificateRequest
> Cert Types: RSA, DSS
> Cert Authorities:
> <Empty>
>
> [read] MD5 and SHA1 hashes: len = 9
> 0000: 0D 00 00 05 02 01 02 00 00 .........
> *** ServerHelloDone
> [read] MD5 and SHA1 hashes: len = 4
> 0000: 0E 00 00 00 ....
> *** Certificate chain
> ***
> *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
> [write] MD5 and SHA1 hashes: len = 269
>
> <snip>
> http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269
> [Raw write]: length = 274
> 0000: 16 03 01 01 0D 0B 00 00 03 00 00 00 10 00 01 02 ................
> <snip>
>
> 0110: 2E 32 .2
> SESSION KEYGEN:
> PreMaster Secret:
> <snip>
>
> http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48
> http-bio-8080-exec-2, waiting for close_notify or alert: state 1
> http-bio-8080-exec-2, Exception while waiting for close
> java.net.SocketException: Software caused connection abort: recv failed
> http-bio-8080-exec-2, handling exception: java.net.SocketException: Software caused connection abort: recv failed
> %% Invalidated: [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA]
> http-bio-8080-exec-2, called close()
> http-bio-8080-exec-2, called closeInternal(true)
> http-bio-8080-exec-2, called closeSocket(
>
> We are using the software below on the client environment:
>
> * Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
> * Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
> * JCE Unlimited Security: No
> * Apache Tomcat/7.0.55
> * Microsoft Windows Server 2008 R2 Enterprise 64-bit
>
> Analysis Steps
> ==============
>
> 1) OpenSSL with MA parameters connects with no errors
>
> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> server-cert-with-intermediate-and-root-in-one-file.cer -cert
> client-public-key.cer -key client-private-key.key -pass
> pass:client-private-key-password
>
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> 893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
> Session-ID-ctx:
> Master-Key:
>
> 89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1441125595
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
>
> 2) A standalone Java program with a couple of lines to open a HTTPS
> connection to the 3rd party certificate works. This uses the same
> truststore and keystore
> 3) SoapUI works using the same truststore and keystore
> 4) Our 3rd party vendor can connect
> 5) I have googled various phrases like "Tomcat JVM not loading
> truststore". There are hundreds of examples involving HTTPS connectors
> and/or configuration errors. However we are not using server-side
> connectors and I can't see anything wrong with the configuration. The only
> potential hit I found for a defect was in Tomcat 6
> http://tomcat.10.x6.nabble.com/configured-truststore-ignored-by-tomcat-td4986884.html
>
> 6) I tried installing a HTTPS connector in our Tomcat client instance.
> This then shows that the truststore is being loaded, but it is not used by
> the outbound HTTPS client connections
>
> 7) Tried playing with the format of the file paths by adding double
> quotes, changing the path separator to forward or backslash, moving the
> location of the files. But this didn't make any difference.
>
> "d:\Tomcat_ENV1\DWCHASSMESA002_keystore.jks"
> d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
> d:/Tomcat_ENV1/DWCHASSMESA002_keystore.jks
>
> Thanks,
> Diarmuid
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

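As an added example (not code from this thread, from Tomcat or from the vendor's application), a standalone Java check that does what the thread describes by hand: it loads the same two JKS files explicitly, lists every entry so you can see whether the client keystore really holds a private key entry with its chain, optionally imports a combined PEM file (server, intermediate and root in one file, as in the openssl command above) as separate trusted entries, and then opens a mutually-authenticated HTTPS connection using an SSLContext built from those stores. The file paths are the ones posted in the thread, the passwords and the request URL are placeholders. One caveat it is built around: -Djavax.net.ssl.keyStore and friends only configure the JDK's default SSLContext. An application that creates its own context and calls init(null, null, null) gets the default trust manager (so the truststore property still applies) but a dummy key manager with no certificates, and such a client sends an empty Certificate message, which is what the empty "*** Certificate chain" block in the debug log above looks like. Building the context explicitly, as here, does not depend on the system properties at all.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsCheck {

    // Load a JKS store from disk; a wrong password or a non-keystore file throws here.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // List every entry and return the number of key entries. A client keystore needs at
    // least one key entry (private key plus chain); a trusted-cert-only entry cannot be
    // presented to the server, so the client would send an empty Certificate message.
    static int describe(String label, KeyStore ks) throws Exception {
        int keyEntries = 0;
        System.out.println(label + ": " + ks.size() + " entries");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("  key entry '" + alias + "', chain length " + chain.length);
                for (Certificate c : chain) {
                    System.out.println("    " + ((X509Certificate) c).getSubjectX500Principal());
                }
            } else {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("  trusted cert '" + alias + "': " + c.getSubjectX500Principal());
            }
        }
        return keyEntries;
    }

    // Read a PEM file that may hold several certificates (server + intermediate + root in
    // one file) and add each one under its own alias, so the truststore gets separate entries.
    static int importPemBundle(String pemPath, KeyStore trustStore, String aliasPrefix) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry(aliasPrefix + "-" + n, c);
                n++;
            }
        }
        return n;
    }

    // Build the context explicitly from the two stores. The default context built from the
    // javax.net.ssl.* properties does the same thing, but only code that uses the default
    // context benefits from those properties.
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1"); // the thread pins TLSv1; "TLS" gives the JDK default
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Paths are the ones from the thread; passwords and URL are placeholders (assumed).
        char[] keyStorePass = "changeit".toCharArray();
        char[] trustStorePass = "changeit".toCharArray();
        KeyStore keyStore = loadJks("d:/Tomcat_ENV1/conf/DWCHASSMESA002_keystore.jks", keyStorePass);
        KeyStore trustStore = loadJks("d:/Tomcat_ENV1/conf/tomcat_truststore.jks", trustStorePass);

        if (describe("keystore", keyStore) == 0) {
            throw new IllegalStateException("keystore has no private key entry; no client certificate can be sent");
        }
        if (args.length > 0) { // optional: a combined PEM file to add as separate trusted entries
            System.out.println("imported " + importPemBundle(args[0], trustStore, "bundle") + " certs from " + args[0]);
        }
        describe("truststore", trustStore);

        SSLContext ctx = buildContext(keyStore, keyStorePass, trustStore);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://server-dns-name:15305/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + ", cipher " + conn.getCipherSuite());
    }
}
```

Run it with -Djavax.net.debug=ssl on the same JVM as Tomcat: the "found key for : <alias>" and "chain [0] = [" lines from the standalone client in the thread should appear for the keystore loaded here, and a non-zero count from describe() on the keystore is the quickest confirmation that the file the JVM was given actually contains a private key and not just the client certificate.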