Tomcat 5.5 won't do TLS

2010-05-04 Thread Looijmans, Mike
I'm trying to enable TLS (or SSL) in a Tomcat 5.5.29 server, on a
Windows XP machine.
 
Whatever I do, I always end up with a server that just delivers plain
HTML on port 443, and it doesn't even try to use TLS. That is, I can
connect to http://localhost:443/ and get the same as http://localhost/
and https://localhost/ just displays an invalid response error which
makes perfect sense because the webserver isn't attempting TLS
negotiation at all.
 
So far, I've followed various recipes for creating a selfsigned key that
Tomcat might want to use, but I am suspecting now that the key is not
the problem at all, because there is no error whatsoever in the log
files.
 
All my attempts have by now been accompanied by completely removing
Tomcat, removing all left-over directories and installing it again
before attempting anything else.
 
The only change to the configuration is in conf/server.xml, I changed
the connectors:

<!-- Define a non-SSL HTTP/1.1 Connector on port 80 -->
<Connector port="80" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="2" maxSpareThreads="75"
   enableLookups="false" redirectPort="443" acceptCount="10"
   connectionTimeout="2" disableUploadTimeout="true" />

<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="2" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="10" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="conf/server.ks"
   keystorePass="tomcat"
/>

All the rest is default, and yes, I removed the comment <!-- --> markers
around this directive. In the catalina.2010-05-04.log file, I see the
following output if I start the tomcat service:

May 4, 2010 3:13:52 PM org.apache.catalina.core.AprLifecycleListener
init
INFO: Cannot find message associated with key aprListener.tcnValid
May 4, 2010 3:13:52 PM org.apache.catalina.core.AprLifecycleListener
init
INFO: Cannot find message associated with key aprListener.flags
May 4, 2010 3:13:52 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
May 4, 2010 3:13:52 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
May 4, 2010 3:13:52 PM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
May 4, 2010 3:13:52 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 672 ms
May 4, 2010 3:13:52 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
May 4, 2010 3:13:52 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.29
May 4, 2010 3:13:52 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
May 4, 2010 3:13:53 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-80
May 4, 2010 3:13:53 PM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443
May 4, 2010 3:13:53 PM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
May 4, 2010 3:13:53 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
May 4, 2010 3:13:53 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 453 ms

Changing the keystoreFile to bogus does not seem to provoke any error
either.

No other webserver or anything is listening on port 80 or 443.

What am I missing?
--
Mike


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
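The symptom described in the post (a listener on 443 that answers plain HTTP rather than negotiating TLS) can be confirmed without a browser. The script below is an added example for this page, not code from the thread or from Tomcat: it sends a hand-built TLS ClientHello to a host and port and classifies the first bytes that come back. A TLS listener answers with a handshake record (ServerHello) or, if it dislikes the offered version or cipher suites, a TLS alert record; a listener that is really serving plain HTTP cannot parse the ClientHello and typically replies with an `HTTP/1.x 400` line or just closes the connection. The host, port and timeout arguments are this example's own choices.

```python
"""Tell whether a listener on host:port actually speaks TLS.

Added example, not from the mailing-list thread.  Sends a minimal TLS
ClientHello and classifies the first bytes of the reply:
  tls-handshake  ServerHello came back: TLS is negotiated on this port
  tls-alert      TLS listener, but it refused our offer (version/suites)
  plain-http     the port answered with HTTP text, i.e. no TLS at all
  no-data        connection closed or silent: not TLS, or filtered
"""
import os
import socket
import sys

# Cipher suites offered (IANA codes): TLS_RSA_WITH_AES_128_CBC_SHA,
# TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.  Which suites we offer only matters
# for provoking *some* TLS reply; an alert is as diagnostic as a ServerHello.
CIPHER_SUITES = bytes([0x00, 0x2F, 0x00, 0x35, 0xC0, 0x13, 0xC0, 0x14])


def build_client_hello(version=(3, 1)):
    """Return a well-formed TLS record carrying a ClientHello.

    version defaults to (3, 1) = TLS 1.0, what a 2010-era JSSE would offer.
    A modern listener that no longer accepts TLS 1.0 still answers with a
    protocol_version alert, which is enough to prove TLS is enabled.
    """
    major, minor = version
    body = (
        bytes([major, minor])                          # client_version
        + os.urandom(32)                               # random
        + b"\x00"                                      # session_id: empty
        + len(CIPHER_SUITES).to_bytes(2, "big") + CIPHER_SUITES
        + b"\x01\x00"                                  # compression_methods: null only
    )
    # Handshake header: msg_type = ClientHello (1), 3-byte body length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: content_type = handshake (0x16), version, 2-byte length
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def classify_response(data):
    """Map the first bytes of a reply to what the listener is doing."""
    if not data:
        return "no-data"
    if len(data) >= 2 and data[1] == 0x03:             # TLS record, major version 3
        if data[0] == 0x16:
            return "tls-handshake"
        if data[0] == 0x15:
            return "tls-alert"
    if data.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect, send the ClientHello, classify whatever arrives first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it as `python probe.py localhost 443` after each server.xml change and restart; the misconfiguration in the post shows up as `plain-http` (or `no-data` if the connector closes the socket on unparseable input), and a working connector shows up as `tls-handshake` or `tls-alert`. Checking for a TLS record rather than for a particular cipher keeps the probe useful against both the Java and the APR connector.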



Re: Tomcat 5.5 won't do TLS

2010-05-04 Thread Peter Crowther
On 4 May 2010 14:22, Looijmans, Mike mike.looijm...@oce.com wrote:
 I'm trying to enable TLS (or SSL) in a Tomcat 5.5.29 server, on a
 Windows XP machine.

 Whatever I do, I always end up with a server that just delivers plain
 HTML on port 443, and it doesn't even try to use TLS.
[...]
    <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="2" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="10" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/server.ks"
               keystorePass="tomcat"
                />

See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html .  I
suspect you're missing:
SSLEnabled=true

- Peter




Re: Tomcat 5.5 won't do TLS

2010-05-04 Thread Konstantin Kolinko
2010/5/4 Looijmans, Mike mike.looijm...@oce.com:
 May 4, 2010 3:13:52 PM org.apache.coyote.http11.Http11AprProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-443

The Apr in the above message means that you are using APR version
of the connector.

<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="2" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="10" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="conf/server.ks"
   keystorePass="tomcat"
/>

When APR version of the connector is used, you should specify the
SSLCertificateFile and SSLCertificateKeyFile attributes. The
keystoreFile attribute is ignored.

 See http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

See also configuration reference:
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

If you do not want to use the APR connector, you can either remove
bin/tcnative-1.dll, or set
protocol=org.apache.coyote.http11.Http11Protocol


FIXME:
1) The SSLEnabled attribute is @since Tomcat 6.
It should not be present in the examples, though it does not hurt,
because unknown configuration attributes are ignored in Tomcat 5.5
2) SSLCertificateFile, SSLCertificateKeyFile are not mentioned in the
configuration reference (config/http.html).

Best regards,
Konstantin Kolinko

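To make the two ways out of this concrete, here are both connector definitions written out in full. This is an added example for this page, not configuration from the thread or from the Tomcat documentation. The attributes come from the replies above: SSLCertificateFile and SSLCertificateKeyFile for the APR connector, whose TLS is done by OpenSSL and therefore takes PEM certificate and key files rather than a Java keystore; protocol="org.apache.coyote.http11.Http11Protocol" to force the Java (JSSE) connector even while tcnative-1.dll is present, so that keystoreFile and keystorePass are honoured. SSLEnabled="true" is included as Peter and Chuck suggested; as Konstantin notes it is ignored by Tomcat 5.5 but required from Tomcat 6 on, so carrying it costs nothing. The file names under conf/ and the use of ${catalina.base} for absolute paths are this example's assumptions.

```xml
<!-- Option A: keep the APR connector (tcnative-1.dll stays in bin/).
     The certificate and key are OpenSSL PEM files; keystoreFile and
     keystorePass would be silently ignored here. -->
<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="2" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="10" scheme="https" secure="true"
   SSLEnabled="true"
   SSLCertificateFile="${catalina.base}/conf/server.crt"
   SSLCertificateKeyFile="${catalina.base}/conf/server.key" />

<!-- Option B: force the Java (JSSE) connector regardless of whether
     tcnative-1.dll is present, so the keystore attributes take effect. -->
<Connector port="443" maxHttpHeaderSize="8192"
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" minSpareThreads="2" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="10" scheme="https" secure="true"
   SSLEnabled="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="${catalina.base}/conf/server.ks"
   keystorePass="tomcat" />
```

Two practical points either way. The log line for the connector tells you which path is active: org.apache.coyote.http11.Http11AprProtocol means option A's attributes are the ones that count, org.apache.coyote.http11.Http11Protocol means option B's. And keystorePass (or the private key file in option A) is a credential sitting in plain text under conf/, so restrict that directory to the account the Tomcat service runs as, and change the password from the tutorial default before the server is reachable from anything but localhost.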



RE: Tomcat 5.5 won't do TLS

2010-05-04 Thread Caldarale, Charles R
 From: Looijmans, Mike [mailto:mike.looijm...@oce.com]
 Subject: Tomcat 5.5 won't do TLS
 
 <Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="2" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="10" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="conf/server.ks"
   keystorePass="tomcat"
 />

Note that the above is for the Java-based SSL connector, but...

 May 4, 2010 3:13:52 PM org.apache.coyote.http11.Http11AprProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-443

You're using the APR version, since you have tcnative-1.dll in Tomcat's bin 
directory.

You can either disable APR by renaming or deleting the above .dll file (and 
adding the SSLEnabled=true attribute, as Peter mentioned), or change your SSL 
configuration to the APR settings:

http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS

 - Chuck

