RE: Problem configuring SSL
> Date: Tue, 7 Jan 2014 14:41:15 -0500
> Subject: Re: Problem configuring SSL
> From: a-ko...@northwestern.edu
> To: users@tomcat.apache.org
>
> Gentlemen, thanks a lot for your help. I figured out what the problem was.
> It was not related to tomcat configuration, but to my keystore. The reason
> is that once you import a client certificate under the same alias as the
> private pair, they both get merged under the same alias inside keystore.
> Using keytool -delete command, meant to remove the certificate only,
> deletes the private pair as well. I noticed that once I dumped keystore
> content for my keystore and a keystore on one of my other servers. Luckily,
> I had a backup of the keystore I made right after it was created. Importing
> the certificates into that keystore resolved the issue.

MG> I *hope* you enabled at least ONE cipher for the SSL Connector.
MG> Usually the big players (Verisign/Thawte) will provide a valid CA cert/valid key in the supplied pfx.
MG> Glad to hear that worked for you.

> On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Alex,
> >
> > On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > > I have a strange problem configuring SSL to work with Tomcat.
> > > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> > >
> > > It's a new Tomcat installation. All keystore operations were done
> > > with keytool. I imported CA root/intermediate certificate and
> > > client certificate, configured SSL connector in server.xml. I have
> > > this same setup on another server that works fine. Connecting to
> > > this server via http works.
> > >
> > > 1. If I try to connect this address via https in Chrome I get:
> > > "This Webpage is not available." In Firefox: "Error code:
> > > ssl_error_no_cypher_overlap"
> >
> > Sounds familiar.
> >
> > Please post your configuration(s) from your server.xml
> > file. Remember to remove any sensitive information from the configuration.
> >
> > Also please post all of the startup messages from Tomcat's
> > logs/catalina.out file: we need to see the versions of various things
> > and what components (if any) suffer problems starting up.
> >
> > > 3. Here's a list of enabled ciphers using SSLInfo:
> > >
> > > #java -showversion SSLInfo
> >
> > Nice to see someone is getting some use out of that. ;)
> >
> > -chris
>
> --
> Software Engineer
> Department of Psychiatry and Behavioral Sciences
> Northwestern University
>
> a-ko...@northwestern.edu
Re: Problem configuring SSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alex,

On 1/7/14, 2:41 PM, Alex Kogan wrote:
> Gentlemen, thanks a lot for your help. I figured out what the
> problem was. It was not related to tomcat configuration, but to my
> keystore. The reason is that once you import a client certificate
> under the same alias as the private pair, they both get merged
> under the same alias inside keystore. Using keytool -delete
> command, meant to remove the certificate only, deletes the private
> pair as well. I noticed that once I dumped keystore content for my
> keystore and a keystore on one of my other servers. Luckily, I had
> a backup of the keystore I made right after it was created.
> Importing the certificates into that keystore resolved the issue.

Java keystores are a nightmare. I try to avoid them whenever possible.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSzFt/AAoJEBzwKT+lPKRYKRwQALT9qv2bOPss+nT1uGQ8WoMY
KC6GvvO5RuoHa8ggd/pu7YS6G6czwZnFOYvldOh7BjvKpwppTr/e8uj6FCUv2n4v
592RykM82+tXWFrWEyT7TTwoWPdYDrnIIYFnemndj3trXWXfgR1LIZhtYUIJMofr
+h5biqeRRBrldvlZFXJU874Pg2IrwcTyJ4YfT8/XC5/Q196MXHOh0MiDMVJJ91l8
d3c/D6TQ8NWFZTu84ES6aPCh9FwOSxJhHEAllZqcOzRvLuXFhBOw9II9Q/Tto7wM
ZKlKRZ8sPJGi42WWYgTvHGlSZ+8kk0HijgbL6uGhHYQ8yIXPL2Jwu0igDFSzUGrU
MXe2Pevg1bP2gI3idnmnW+jWjaMujxb5EKW7+N44BqPk2zl/OTZ5hVf/t1E1SCGo
BPsulhuQvgXWhlF6GxBdwj0bWLCj8bIqIaAbHd8egT+s5smtKjoNpcVfMNE4xTwO
vdM7/MOKBIxLZyRjSw1bQFaxKXYJVnIwQlQSM74SRxNop1qcQhca7EdPMNB0+ojx
yM0m3zJNCaVsxg8RQ39Yb11YdfvVjkODV7S4D2uolezmJ6vOLCvgrdnpEtRp5QGt
MnQTEH1WLb1kX2p9HboCeTLsGh+XTX9joDqfTObSyFOPyN9ESPcVLgzWdaykHwXE
og/LPVC23d0adUNMV0Fz
=Qkfm
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem configuring SSL
Gentlemen, thanks a lot for your help. I figured out what the problem was.
It was not related to tomcat configuration, but to my keystore. The reason
is that once you import a client certificate under the same alias as the
private pair, they both get merged under the same alias inside keystore.
Using keytool -delete command, meant to remove the certificate only,
deletes the private pair as well. I noticed that once I dumped keystore
content for my keystore and a keystore on one of my other servers. Luckily,
I had a backup of the keystore I made right after it was created. Importing
the certificates into that keystore resolved the issue.

On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Alex,
>
> On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > I have a strange problem configuring SSL to work with Tomcat.
> > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> >
> > It's a new Tomcat installation. All keystore operations were done
> > with keytool. I imported CA root/intermediate certificate and
> > client certificate, configured SSL connector in server.xml. I have
> > this same setup on another server that works fine. Connecting to
> > this server via http works.
> >
> > 1. If I try to connect this address via https in Chrome I get:
> > "This Webpage is not available." In Firefox: "Error code:
> > ssl_error_no_cypher_overlap"
>
> Sounds familiar.
>
> Please post your configuration(s) from your server.xml
> file. Remember to remove any sensitive information from the configuration.
>
> Also please post all of the startup messages from Tomcat's
> logs/catalina.out file: we need to see the versions of various things
> and what components (if any) suffer problems starting up.
>
> > 3. Here's a list of enabled ciphers using SSLInfo:
> >
> > #java -showversion SSLInfo
>
> Nice to see someone is getting some use out of that. ;)
>
> -chris

--
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University

a-ko...@northwestern.edu
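The keystore state Alex describes (the key pair gone after keytool -delete, with only certificate entries left under the alias) and Chris's request for the server.xml connector both point at the same pre-flight check. The shell script below is an added example written for this page, not anything posted in the thread: it parses `keytool -list -v` output for the alias named by the connector's keyAlias and fails if that alias is not a PrivateKeyEntry. The sample listings and the Connector element are constructed; the alias "tomcat", the path conf/keystore.jks and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight check that the alias the
# Tomcat HTTPS connector will use still names a PrivateKeyEntry, so a
# `keytool -delete` accident like the one described above is caught before the
# connector starts. It parses `keytool -list -v` output and runs offline against
# the constructed listings below; on a real host generate the listing with
#   keytool -list -v -keystore conf/keystore.jks -storepass changeit
# Aliases, paths and passwords are assumptions, not taken from the thread.

# Constructed, abbreviated: healthy keystore. The key pair under "tomcat" carries
# the CA-issued chain (leaf, intermediate, root); the CAs are also trusted entries.
GOOD_LISTING='Keystore type: JKS

Your keystore contains 3 entries

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example

Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, O=Example

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.org, O=Example
Issuer: CN=Example Intermediate CA, O=Example'

# Constructed, abbreviated: the failure mode from the thread. "-delete -alias tomcat"
# removed the whole entry, private key included; re-importing the server certificate
# under that alias then created a plain trustedCertEntry. With no key to sign the
# handshake JSSE can offer no RSA or ECDSA suite, and Firefox reports no cipher overlap.
BROKEN_LISTING='Keystore type: JKS

Your keystore contains 3 entries

Alias name: root
Entry type: trustedCertEntry

Alias name: intermediate
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=www.example.org, O=Example'

# Constructed Tomcat 7 connector. keyAlias is the attribute the check keys on; when it
# is absent Tomcat uses the first key entry it reads, so it is worth setting explicitly.
SERVER_XML='<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" keystoreFile="conf/keystore.jks"
           keystorePass="changeit" keyAlias="tomcat" />'

# Print the alias of every PrivateKeyEntry in a `keytool -list -v` listing.
key_entries() {
    printf '%s\n' "$1" | awk -F': ' '
        /^Alias name:/ { alias = $2 }
        /^Entry type:/ && $2 == "PrivateKeyEntry" { print alias }'
}

# Print one field ("Entry type", "Certificate chain length") recorded under an alias.
alias_field() {
    printf '%s\n' "$1" | awk -F': ' -v want="$2" -v field="$3" '
        /^Alias name:/ { alias = $2 }
        alias == want && $1 == field { print $2 }'
}

# Extract keyAlias="..." from the <Connector> element.
connector_key_alias() {
    printf '%s\n' "$1" | sed -n 's/.*keyAlias="\([^"]*\)".*/\1/p'
}

# Exit 0 if the alias is a PrivateKeyEntry, else explain what is wrong and exit 1.
# Chain length 1 means the key pair still has only its self-signed certificate.
check_keystore_for_connector() {
    etype=$(alias_field "$1" "$2" "Entry type")
    case $etype in
        "")
            echo "FAIL: alias '$2' is not in the keystore" >&2; return 1 ;;
        PrivateKeyEntry)
            len=$(alias_field "$1" "$2" "Certificate chain length")
            [ "${len:-0}" -ge 2 ] || echo "WARN: alias '$2' has chain length ${len:-0}; CA reply not imported" >&2
            echo "OK: alias '$2' is a PrivateKeyEntry, chain length $len"; return 0 ;;
        *)
            echo "FAIL: alias '$2' is a $etype, not a PrivateKeyEntry: the private key is gone" >&2; return 1 ;;
    esac
}

# Demo over the constructed samples: the healthy store passes, the broken one fails.
alias_in_use=$(connector_key_alias "$SERVER_XML")
check_keystore_for_connector "$GOOD_LISTING" "$alias_in_use"
check_keystore_for_connector "$BROKEN_LISTING" "$alias_in_use" || echo "(expected failure for the broken keystore)"
```

To use it on a real host, substitute the captured keytool output and the live Connector element for the constructed strings. Two facts the script leans on: importing a CA-issued certificate under the key pair's own alias is the intended way to attach it (keytool treats it as a CA reply and replaces the entry's certificate chain), so the step to guard against is -delete, which always removes the whole entry and never just the certificate; and when keyAlias is set, Tomcat 7 performs the same check itself at connector start and logs an error naming the alias, which is why the catalina.out startup messages Chris asked for would have exposed the problem. Back the keystore up before any -delete; the backup is what saved the situation here.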
Re: Problem configuring SSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alex,

On 1/5/14, 12:30 PM, Alex Kogan wrote:
> I have a strange problem configuring SSL to work with Tomcat.
> Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
>
> It's a new Tomcat installation. All keystore operations were done
> with keytool. I imported CA root/intermediate certificate and
> client certificate, configured SSL connector in server.xml. I have
> this same setup on another server that works fine. Connecting to
> this server via http works.
>
> 1. If I try to connect this address via https in Chrome I get:
> "This Webpage is not available." In Firefox: "Error code:
> ssl_error_no_cypher_overlap"

Sounds familiar.

Please post your configuration(s) from your server.xml
file. Remember to remove any sensitive information from the configuration.

Also please post all of the startup messages from Tomcat's
logs/catalina.out file: we need to see the versions of various things
and what components (if any) suffer problems starting up.

> 3. Here's a list of enabled ciphers using SSLInfo:
>
> #java -showversion SSLInfo

Nice to see someone is getting some use out of that. ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS
JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ
+d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC
f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6
bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8
m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE
/enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD
SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB
Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu
RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH
4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+
VCpWYwQ3I2qGEm5RBvbh
=9FS1
-----END PGP SIGNATURE-----