Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread George S.



On 12/21/2017 3:24 PM, Thomas Delaney wrote:

> Thank you for the input so far!
>
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
> receive the same result
>
> when running the openssl s_client command I received this as the Cipher and
> SSL version
> Protocol  : TLSv1.2
> Cipher: DHE-RSA-AES256-GCM-SHA384
>
> I also get a message saying  "verify error:num=20:unable to get local
> issuer certificate"
> "Verify return code: 20 (unable to get local issuer certificate)"


This may not be a meaningful error. Are you specifying the CAPath or 
CAFile arguments on the command line? See this page:


https://stackoverflow.com/questions/11548336/openssl-verify-return-code-20-unable-to-get-local-issuer-certificate.

You did double-check the path and permissions on your various
certificate files, right? Also, did you inspect your files using openssl?
E.g.:


openssl x509 -in conf/CA_server_bundle.crt -text


You might try running Tomcat with:

-Djavax.net.debug=ssl

to enable SSL debugging. I'm not going to lie though, it can be pretty
difficult to weed through the tons of content generated.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
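
Added example (not part of George's message or the thread): a shell function that summarises saved `openssl s_client` output of the kind quoted above, reporting whether a cipher was negotiated, the key-exchange family in the suite name, the verify return code and how many certificates the server sent. The two sample transcripts, their CA names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Summarise `openssl s_client` output read from stdin as one key=value line.
# Live use (the CA bundle path is a placeholder):
#   openssl s_client -connect mydomain.com:8443 -CAfile /path/to/ca-bundle.pem \
#       </dev/null 2>&1 | triage_s_client
triage_s_client() {
    awk '
    { sub(/[ \t\r]+$/, "") }                    # drop trailing blanks and CR
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { certs++ }       # one "N s:<subject>" line per cert sent
    /^ *Protocol *:/ { v = $0; sub(/^[^:]*: */, "", v); protocol = v }
    /^ *Cipher *:/   { v = $0; sub(/^[^:]*: */, "", v); cipher = v }
    /Verify return code:/ {
        v = $0; sub(/.*Verify return code: */, "", v); sub(/ .*/, "", v); code = v
    }
    END {
        # s_client reports cipher 0000 / (NONE) when no handshake completed.
        if (cipher == "" || cipher == "0000" || cipher == "(NONE)") {
            status = "handshake_failed"; kx = "none"
        } else {
            if (cipher ~ /^ECDHE-/)           kx = "ECDHE"
            else if (cipher ~ /^(DHE|EDH)-/)  kx = "DHE"
            else if (cipher ~ /^TLS_/)        kx = "TLSv1.3-suite"
            else                              kx = "other"
            # A non-zero verify code with a negotiated cipher is a trust
            # question on the client side, not a handshake failure.
            if (code == "0")      status = "handshake_ok_verified"
            else if (code == "")  status = "handshake_ok_verify_unknown"
            else                  status = "handshake_ok_verify_error"
        }
        printf "status=%s protocol=%s cipher=%s kx=%s verify=%s certs_sent=%d\n",
               status, protocol, cipher, kx, code, certs
    }'
}

# Constructed sample: handshake succeeds, issuer not found in the local trust store.
sample_unverified() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Constructed Issuing CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=mydomain.com
   i:/CN=Constructed Issuing CA
 1 s:/CN=Constructed Issuing CA
   i:/CN=Constructed Root CA
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

# Constructed sample: no protocol version or cipher suite in common.
sample_failed() {
cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---
EOF
}

sample_unverified | triage_s_client
sample_failed | triage_s_client
```

The `certs_sent` count shows whether the server is sending intermediates from its chain file, and `kx` can be compared with the suites a particular client offers.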


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Christopher Schultz

Thomas,

On 12/21/17 5:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
> 
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and
> still receive the same result
> 
> when running the openssl s_client command I received this as the
> Cipher and SSL version
> Protocol  : TLSv1.2
> Cipher: DHE-RSA-AES256-GCM-SHA384

Good, OpenSSL can connect which means that TLS is at least set up
properly and running.

> I also get a message saying  "verify error:num=20:unable to get
> local issuer certificate" "Verify return code: 20 (unable to get
> local issuer certificate)"

That's not a problem, especially if you are using a self-signed
certificate or a CA that OpenSSL doesn't recognize.

If you can't use SSLLabs's test, you might be able to use this one:
https://wiki.apache.org/tomcat/tools/SSLTest.java
(and)
https://wiki.apache.org/tomcat/tools/SSLUtils.java

-chris


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Peter Kreuser


Thomas,

> On 22.12.2017 at 15:38, Thomas Delaney wrote:
> 
> I apologize for the poor grammar in my last response and extra email. The
> site I have set up is internal only. I will not be able to test the site
> using SSL Labs.
> 

You may try https://testssl.sh and download the script from there.
That works in internal networks.

It even simulates connects with different clients (e.g. Chrome)

Peter


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Thomas Delaney
I apologize for the poor grammar in my last response and extra email. The
site I have set up is internal only. I will not be able to test the site
using SSL Labs.


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-22 Thread Thomas Delaney
The site is internal so I won't be able to check via ssllabs


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread George S.

On 12/21/2017 3:24 PM, Thomas Delaney wrote:

> Thank you for the input so far!
>
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
> receive the same result
>
> when running the openssl s_client command I received this as the Cipher and
> SSL version
> Protocol  : TLSv1.2
> Cipher: DHE-RSA-AES256-GCM-SHA384
>
> I also get a message saying  "verify error:num=20:unable to get local
> issuer certificate"
> "Verify return code: 20 (unable to get local issuer certificate)"


I second Chris Schultz's recommendation that you run the site through 
the SSL Labs testing site and see what it points out. It's going to 
check a lot more things right off the bat and display them in an easier 
format:


https://www.ssllabs.com/ssltest/









--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread Jason Hall

- Original Message -
From: Thomas Delaney <tdelaney@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Thu, 21 Dec 2017 17:24:06 -0500 (EST)
Subject: Re: Apache Tomcat 8.5.24 SSL Configuration

Thank you for the input so far!

I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
receive the same result

when running the openssl s_client command I received this as the Cipher and
SSL version
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384

I also get a message saying  "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"


Just a guess, but does the whole chain need to be loaded?




Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread Thomas Delaney
Thank you for the input so far!

I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
receive the same result

when running the openssl s_client command I received this as the Cipher and
SSL version
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384

I also get a message saying  "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"

On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Peter,
>
> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
> >
> > Hi Thomas,
> >
> >> On 21.12.2017 at 00:56, Thomas Delaney wrote:
> >>
> >> Greetings,
> >>
> >> I am having trouble regarding google chrome's behavior to Apache
> >> Tomcat's SSL setup. I have been successful getting an ssl website
> >> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
> >> on google chrome. Mozilla Firefox brings me to my site with no
> >> problem.
> >>
> >> When going to https://mydomain.com:8443 I receive a message from
> >> Google Chrome.
> >>
> >> Google Chrome Error - This site can’t provide a secure
> >> connection mydomain.com uses an unsupported protocol.
> >> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>
> >> Unsupported protocol The client and server don't support a common
> >> SSL protocol version or cipher suite.
> >>
> >> When checking Google Chrome's Browser console in the security tab
> >> I receive: Page is not secure Valid certificate secure resources
> >>
> >> Here is the following background info I have for the
> >> configuration I gave Apache Tomcat when setting up the 8443
> >> connector
> >>
> >> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> >>
> >> Linux OS: SUSE Enterprise 12 sp1
> >>
> >> Packages installed:
> >>
> >> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> >
> > That may be the culprit.
> >
> > Apparently this (old) version of Java7 will not provide in the
> > default modern ciphers that Chrome requires. And the config is
> > using the JSSE SSL implementation. But as you have TC Native and
> > openssl 1.0.2 you should switch to openssl.
>
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
> not relevant.
>
> >> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
> >> tomcat-native-1.2.16-src
> >>
> >> Server.xml apr connector (Certificates are signed from GoDaddy
> >> and are placed in the conf directory of Apache Tomcat):
> >>
> >> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
> >> mydomain.com" >
> >> protocols="TLSv1,TLSv1.1,TLSv1.2">
> >> certificateKeyFile="conf/server.key"
> >> certificateFile="conf/server.crt"
> >> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
> >>
>
> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect :", does openssl connect? It should
> report the protocol and cipher suite being used to connect.
>
> If your server is externally-accessible, consider using an external TLS
> capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
>
> - -chris
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-21 Thread Christopher Schultz
Peter,

On 12/21/17 2:38 AM, l...@kreuser.name wrote:
> 
> Hi Thomas,
> 
>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>> :
>> 
>> Greetings,
>> 
>> I am having trouble regarding google chrome's behavior to Apache
>> Tomcat's SSL setup. I have been successful getting an ssl website
>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>> on google chrome. Mozilla Firefox brings me to my site with no
>> problem.
>> 
>> When going to https://mydomain.com:8443 I receive a message from
>> Google Chrome.
>> 
>> Google Chrome Error - This site can’t provide a secure
>> connection mydomain.com uses an unsupported protocol. 
>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>> 
>> Unsupported protocol The client and server don't support a common
>> SSL protocol version or cipher suite.
>> 
>> When checking Google Chrome's Browser console in the security tab
>> I receive: Page is not secure Valid certificate secure resources
>> 
>> Here is the following background info I have for the
>> configuration I gave Apache Tomcat when setting up the 8443
>> connector
>> 
>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>> 
>> Linux OS: SUSE Enterprise 12 sp1
>> 
>> Packages installed:
>> 
>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> 
> That may be the culprit.
> 
> Apparently this (old) version of Java7 will not provide in the
> default modern ciphers that Chrome requires. And the config is
> using the JSSE SSL implementation. But as you have TC Native and
> openssl 1.0.2 you should switch to openssl.

This probably isn't the problem since Thomas is using the APR
connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
not relevant.

>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>> tomcat-native-1.2.16-src
>> 
>> Server.xml apr connector (Certificates are signed from GoDaddy
>> and are placed in the conf directory of Apache Tomcat):
>> 
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>> mydomain.com" >
>> protocols="TLSv1,TLSv1.1,TLSv1.2">
>> certificateKeyFile="conf/server.key"
>> certificateFile="conf/server.crt"
>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>

This looks okay to me. If you start Tomcat and then use "openssl
s_client -connect :", does openssl connect? It should
report the protocol and cipher suite being used to connect.

If your server is externally-accessible, consider using an external TLS
capabilities scanner such as that from Qualys,
https://www.ssllabs.com/ssltest/

- -chris



Re: Apache Tomcat 8.5.24 SSL Configuration

2017-12-20 Thread logo

Hi Thomas,

> Am 21.12.2017 um 00:56 schrieb Thomas Delaney :
> 
> Greetings,
> 
> I am having trouble regarding google chrome's behavior to Apache Tomcat's
> SSL setup. I have been successful getting an ssl website to work with
> Apache HTTP web server, but not Apache Tomcat 8.5.24 on google chrome.
> Mozilla Firefox brings me to my site with no problem.
> 
> When going to https://mydomain.com:8443 I receive a message from Google
> Chrome.
> 
> Google Chrome Error -
> This site can’t provide a secure connection
> mydomain.com uses an unsupported protocol.
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> 
> Unsupported protocol
> The client and server don't support a common SSL protocol version or cipher
> suite.
> 
> When checking Google Chrome's Browser console in the security tab I
> receive:
> Page is not secure
> Valid certificate
> secure resources
> 
> Here is the following background info I have for the configuration I gave
> Apache Tomcat when setting up the 8443 connector
> 
> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> 
> Linux OS: SUSE Enterprise 12 sp1
> 
> Packages installed:
> 
> - OpenSSL 1.0.2n  7 Dec 2017
> - jdk version 1.7.0_79

That may be the culprit.

Apparently this (old) version of Java7 will not provide in the default modern 
ciphers that Chrome requires. And the config is using the JSSE SSL 
implementation.
But as you have TC Native and openssl 1.0.2 you should switch to openssl. 


> - tomcat version -> apache-tomcat-8.5.24
> - apr-1.6.3
> - tomcat-native-1.2.16-src
> 
> Server.xml apr connector (Certificates are signed from GoDaddy and are
> placed in the conf directory of Apache Tomcat):
> 
>maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
> mydomain.com" >
> protocols="TLSv1,TLSv1.1,TLSv1.2">
> certificateFile="conf/server.crt"
> certificateChainFile="conf/CA_server_bundle.crt"
> type="RSA" />
>
>
> 
> 
My config for openssl is like this:


  


  

  

It contains openssl 1.1 ciphers but that will not matter for your config.

You may search this mailing list archive for some good posts on available
ciphers.

Hope this helps.

Peter

> hostname displays properly when typing command: hostname -f and/or typing:
> cat /etc/HOSTNAME on the linux server



Apache Tomcat 8.5.24 SSL Configuration

2017-12-20 Thread Thomas Delaney
Greetings,

I am having trouble regarding google chrome's behavior to Apache Tomcat's
SSL setup. I have been successful getting an ssl website to work with
Apache HTTP web server, but not Apache Tomcat 8.5.24 on google chrome.
Mozilla Firefox brings me to my site with no problem.

When going to https://mydomain.com:8443 I receive a message from Google
Chrome.

Google Chrome Error -
This site can’t provide a secure connection
mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol
The client and server don't support a common SSL protocol version or cipher
suite.

When checking Google Chrome's Browser console in the security tab I
receive:
Page is not secure
Valid certificate
secure resources

Here is the following background info I have for the configuration I gave
Apache Tomcat when setting up the 8443 connector

Chrome Version 63.0.3239.108 (Official Build) (64-bit)

Linux OS: SUSE Enterprise 12 sp1

Packages installed:

- OpenSSL 1.0.2n  7 Dec 2017
- jdk version 1.7.0_79
- tomcat version -> apache-tomcat-8.5.24
- apr-1.6.3
- tomcat-native-1.2.16-src

Server.xml apr connector (Certificates are signed from GoDaddy and are
placed in the conf directory of Apache Tomcat):








hostname displays properly when typing command: hostname -f and/or typing:
cat /etc/HOSTNAME on the linux server


Re: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-22 Thread Christopher Schultz
Edward,

On 10/7/14 2:35 PM, Brewer, Edward L wrote:
> Oh... Here is the entry in our server.xml (probably the most
> important part)
>
> <Connector port="Omitted" address="Omitted"
> protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
> scheme="https" secure="true" clientAuth="false"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
> keyAlias="omitted"
> keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
> keystorePass="omitted" />

So you are using JSSE and haven't specified an sslProtocol, so you are
getting the default which is TLS (which, for Java, really means SSLv3,
TLSv1, TLSv1.1, and TLSv1.2).

You are specifying a very small number of cipher suites (only 3) so
perhaps that's the problem. Note that all your cipher suites start
with SSL_* and none with TLS_*. That's not in itself a problem, but
you are restricting your server to using old cipher suites and not
allowing new ones. You can find code in the archives to pull the list
of supported and enabled-by-default cipher suites for your JVM.

What happens if you lift the restriction on the ciphers list so that
JSSE will use its default set?

> Here is the error that I see from curl
>
> curl: (52) SSL read: error::lib(0):func(0):reason(0), errno 104

Try using openssl s_client -- it gives much more information about
the connection.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
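
The check suggested in the message above, as an added example (not code from the thread or from the list archives): it lists the cipher suites the running JVM enables by default and supports, then classifies each name in a JSSE connector's ciphers attribute. The class name CipherSuiteAudit and its helper methods are hypothetical; the default input is the ciphers value quoted in the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

// Added example, not code from the thread or the list archives.
// CipherSuiteAudit and its helpers are hypothetical names.
// Compile and run with the same JVM that runs Tomcat:
//   javac CipherSuiteAudit.java && java CipherSuiteAudit "<ciphers value>"
public class CipherSuiteAudit {

    // The ciphers attribute quoted in the thread; used when no argument is given.
    static final String THREAD_CIPHERS =
            "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,"
            + "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA";

    // ENABLED: in the JVM's default set.
    // SUPPORTED_ONLY: implemented, but not enabled unless named explicitly.
    // UNAVAILABLE: this JVM does not offer the suite under that name.
    static Map<String, String> classify(String ciphersAttr,
                                        Set<String> enabled,
                                        Set<String> supported) {
        Map<String, String> result = new LinkedHashMap<String, String>();
        for (String raw : ciphersAttr.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (enabled.contains(name)) {
                result.put(name, "ENABLED");
            } else if (supported.contains(name)) {
                result.put(name, "SUPPORTED_ONLY");
            } else {
                result.put(name, "UNAVAILABLE");
            }
        }
        return result;
    }

    // Name-based flags for primitives that are considered weak today.
    static List<String> weakPrimitives(String suite) {
        List<String> flags = new ArrayList<String>();
        if (suite.contains("_RC4_")) {
            flags.add("RC4");
        }
        if (suite.contains("_3DES_") || suite.contains("_DES_")) {
            flags.add("DES/3DES");
        }
        if (suite.endsWith("_MD5")) {
            flags.add("MD5 MAC");
        }
        if (suite.contains("_NULL_") || suite.contains("_anon_")
                || suite.contains("_EXPORT_")) {
            flags.add("NULL/anon/EXPORT");
        }
        return flags;
    }

    public static void main(String[] args) throws Exception {
        String configured = args.length > 0 ? args[0] : THREAD_CIPHERS;

        // Server-side view of the default JSSE provider, which is what a
        // JSSE connector negotiates with.
        SSLServerSocketFactory factory =
                SSLContext.getDefault().getServerSocketFactory();
        Set<String> enabled = new TreeSet<String>(
                Arrays.asList(factory.getDefaultCipherSuites()));
        Set<String> supported = new TreeSet<String>(
                Arrays.asList(factory.getSupportedCipherSuites()));

        System.out.println("JVM " + System.getProperty("java.version")
                + ": " + enabled.size() + " suites enabled by default, "
                + supported.size() + " supported");
        for (String suite : enabled) {
            System.out.println("  default: " + suite);
        }

        int usable = 0;
        System.out.println("Configured ciphers:");
        for (Map.Entry<String, String> e
                : classify(configured, enabled, supported).entrySet()) {
            if (!"UNAVAILABLE".equals(e.getValue())) {
                usable++;
            }
            System.out.println("  " + e.getKey() + " -> " + e.getValue()
                    + " weak=" + weakPrimitives(e.getKey()));
        }
        if (usable == 0) {
            System.out.println("No configured suite is available in this JVM; "
                    + "the connector has nothing to negotiate.");
        }
    }
}
```

The output depends on the JVM version and its security properties, so run it on each environment whose behaviour differs and compare the results.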



RE: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-22 Thread Jeffrey Janner
 -Original Message-
 From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
 Sent: Tuesday, October 07, 2014 1:36 PM
 To: Tomcat Users List
 Subject: RE: Help with Apache Tomcat/7.0.53 SSL issue
 
 To all,
 
 
 Oh...  Here is the entry in our server.xml  (probably the most important part)
 
 Connector port=Omitted address=Omitted protocol=HTTP/1.1
 SSLEnabled=true maxThreads=150 scheme=https secure=true
 clientAuth=false
 ciphers=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_
 DHE_RSA_WITH_3DES_EDE_CBC_SHA keyAlias=omitted
 keystoreFile=/app001/shibboleth/idp/epass/current/credentials/idp.jks
 keystorePass=omitted /
 
 Connector port=omitted address=omitted
 protocol=org.apache.coyote.http11.Http11Protocol maxthreads=150
 scheme=https SSLEnabled=true secure=true clientAuth=want
 ciphers=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_
 DHE_RSA_WITH_3DES_EDE_CBC_SHA keyAlias=omitted
 keystoreFile=/app001/shibboleth/idp/epass/current/credentials/idp.jks
 keystorePass=omitted /
 
 Users connect directly to first listed connection The second SSL port is 
 not
 currently used.
 
 Thanks,
 Lee
 
 From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
 Sent: Tuesday, October 07, 2014 1:31 PM
 To: users@tomcat.apache.org
 Subject: Help with Apache Tomcat/7.0.53 SSL issue
 
 To all,
 
 I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with
 SSL.  I am currently running three environments (Dev, UAT, and Prod. Prod
 comprises 4 VMs  (uname  states version as  2.6.32-431.11.2.el6.x86_x86_64
 GNU/Linux ) with each containing a local version of Java [ Java(TM) SE
 Runtime Environment (build 1.7.0_55-b13)  Java HotSpot(TM) 64-Bit Server
 VM (build 24.55-b03, mixed mode) ]  As well Tomcat and Java are owned by
 the user running the app.  The VMs are load balanced over two pair of LTMs
 (LTM1 balances node 1 and node 2;  LTM2 balances node 3 and node 4).  The
 test environment is scaled down to just one LTM with two nodes and
 development is just a single VM.
 
 Now, when I deployed dev and test I did not have any issues with SSL
 everything went as planned.  When I deployed into production, I started to
 get complaints about timeouts to the service.  After much troubleshooting...
 we were able to discern, using curl, that in production the LTM was not
 getting a response back from the application (using TCPDUMP)
 intermittently.   Our LTMs are configured to server as a SSL proxy.  On the
 VM, TCPDUMP shows that traffic is being presented to the socket but there
 is no response.  As far as I can tell the three environments (TOMCAT and
 JAVA) are the same.   I find nothing in the logs from both access and
 catalina.out.  When I restart the servers the problem goes away for about
 one hour then it comes back rapidly.  Using top and sar I do not see any
 issues with operating system performance.  Also,  by going done to one node
 the problem persists.  As well here are the options that are in setenv.sh
 
 export JAVA_OPTS=$JAVA_OPTS\
 -verbosegc\
 -Xms256m\
 -XX:+DisableExplicitGC\
 -Xmx2g
 
 
 Here is the error that I see from curl
 
 curl: (52) SSL read: error::lib(0):func(0):reason(0), errno 104
 
 Help,
 Lee Brewer

Lee, you say you checked the access & catalina logs, but did you check the
stdout & stderr logs?
Since the problem goes away for about an hour after you restart, could you be 
having memory issues?  Those are usually reported in the stderr log.
Is 2g a valid value for -Xmx?  I've always specified it in terms of Megs, that 
is -Xmx2048m.
Jeff




RE: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-22 Thread Caldarale, Charles R
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: Help with Apache Tomcat/7.0.53 SSL issue
>
> Is 2g a valid value for -Xmx?

Yes, at least with the Sun/Oracle JVM.  However, on 32-bit systems, that large 
a heap size will usually fail.

 - Chuck





Help with Apache Tomcat/7.0.53 SSL issue

2014-10-07 Thread Brewer, Edward L
To all,

I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with SSL.
I am currently running three environments (Dev, UAT, and Prod). Prod comprises
4 VMs (uname states version as 2.6.32-431.11.2.el6.x86_x86_64 GNU/Linux)
with each containing a local version of Java [Java(TM) SE Runtime Environment
(build 1.7.0_55-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed
mode)]. As well, Tomcat and Java are owned by the user running the app. The
VMs are load balanced over two pair of LTMs (LTM1 balances node 1 and node 2;
LTM2 balances node 3 and node 4). The test environment is scaled down to just
one LTM with two nodes and development is just a single VM.

Now, when I deployed dev and test I did not have any issues with SSL;
everything went as planned. When I deployed into production, I started to get
complaints about timeouts to the service. After much troubleshooting... we
were able to discern, using curl, that in production the LTM was not getting a
response back from the application (using TCPDUMP) intermittently. Our LTMs
are configured to serve as an SSL proxy. On the VM, TCPDUMP shows that traffic
is being presented to the socket but there is no response. As far as I can
tell the three environments (TOMCAT and JAVA) are the same. I find nothing in
the logs from both access and catalina.out. When I restart the servers the
problem goes away for about one hour then it comes back rapidly. Using top and
sar I do not see any issues with operating system performance. Also, by going
down to one node the problem persists. As well, here are the options that are
in setenv.sh

export JAVA_OPTS=$JAVA_OPTS\
-verbosegc\
-Xms256m\
-XX:+DisableExplicitGC\
-Xmx2g


Here is the error that I see from curl

curl: (52) SSL read: error::lib(0):func(0):reason(0), errno 104

Help,
Lee Brewer

Lee Brewer | Application Developer | Information Technology | Vanderbilt University
lee.bre...@vanderbilt.edu | phone 615.343.2802 | it.vanderbilt.edu (http://it.vanderbilt.edu/)



RE: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-07 Thread Brewer, Edward L
To all,


Oh...  Here is the entry in our server.xml  (probably the most important part)

<Connector port="Omitted" address="Omitted" protocol="HTTP/1.1"
SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
clientAuth="false"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
keyAlias="omitted"
keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
keystorePass="omitted" />

<Connector port="omitted" address="omitted"
protocol="org.apache.coyote.http11.Http11Protocol" maxthreads="150"
scheme="https" SSLEnabled="true" secure="true" clientAuth="want"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
keyAlias="omitted"
keystoreFile="/app001/shibboleth/idp/epass/current/credentials/idp.jks"
keystorePass="omitted" />

Users connect directly to first listed connection. The second SSL port is
not currently used.

Thanks,
Lee

From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
Sent: Tuesday, October 07, 2014 1:31 PM
To: users@tomcat.apache.org
Subject: Help with Apache Tomcat/7.0.53 SSL issue

To all,

I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with SSL. 
 I am currently running three environments (Dev, UAT, and Prod. Prod comprises 
4 VMs  (uname  states version as  2.6.32-431.11.2.el6.x86_x86_64 GNU/Linux ) 
with each containing a local version of Java [ Java(TM) SE Runtime Environment 
(build 1.7.0_55-b13)  Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed 
mode) ]  As well Tomcat and Java are owned by the user running the app.  The 
VMs are load balanced over two pair of LTMs (LTM1 balances node 1 and node 2;  
LTM2 balances node 3 and node 4).  The test environment is scaled down to just 
one LTM with two nodes and development is just a single VM.

Now, when I deployed dev and test I did not have any issues with SSL 
everything went as planned.  When I deployed into production, I started to get 
complaints about timeouts to the service.  After much troubleshooting... we 
were able to discern, using curl, that in production the LTM was not getting a 
response back from the application (using TCPDUMP) intermittently.   Our LTMs 
are configured to server as a SSL proxy.  On the VM, TCPDUMP shows that traffic 
is being presented to the socket but there is no response.  As far as I can 
tell the three environments (TOMCAT and JAVA) are the same.   I find nothing in 
the logs from both access and catalina.out.  When I restart the servers the 
problem goes away for about one hour then it comes back rapidly.  Using top and 
sar I do not see any issues with operating system performance.  Also,  by going 
done to one node the problem persists.  As well here are the options that are 
in setenv.sh

export JAVA_OPTS=$JAVA_OPTS\
-verbosegc\
-Xms256m\
-XX:+DisableExplicitGC\
-Xmx2g


Here is the error that I see from curl

curl: (52) SSL read: error::lib(0):func(0):reason(0), errno 104

Help,
Lee Brewer

Lee Brewer | Application Developer | Information Technology | Vanderbilt University
lee.bre...@vanderbilt.edu | phone 615.343.2802 | it.vanderbilt.edu (http://it.vanderbilt.edu/)



Re: Using the Apache Tomcat 6.0 SSL Configuration HOW-TO guide, but it is not working

2011-10-19 Thread ML Harmon
I don't see any log file? what would be the log files name?

On Fri, Oct 14, 2011 at 9:55 AM, Konstantin Kolinko
knst.koli...@gmail.com wrote:

> 2011/10/14 ML Harmon mlhlanma...@gmail.com:
> >
> > I don't even know enough about Tomcat to know how to troubleshoot this,
> > am very new to this.
> >
>
> 1) If you know where your server.xml is, you should know where your
> log files are as well.
>
> There is logs folder that is sibling to conf.
>
> 2) There are two different implementations of SSL connector
> (Java-based and OpenSSL-based), that are configured rather
> differently.





Re: Using the Apache Tomcat 6.0 SSL Configuration HOW-TO guide, but it is not working

2011-10-19 Thread Pid *
On 19 Oct 2011, at 16:15, ML Harmon mlhlanma...@gmail.com wrote:

> I don't see any log file? what would be the log files name?

Please don't top post (see below).

> On Fri, Oct 14, 2011 at 9:55 AM, Konstantin Kolinko
> knst.koli...@gmail.com wrote:
>
> 2011/10/14 ML Harmon mlhlanma...@gmail.com:
>
> I don't even know enough about Tomcat to know how to troubleshoot this,
> am very new to this.
>
> 1) If you know where your server.xml is, you should know where your
> log files are as well.
>
> There is logs folder that is sibling to conf.

Did you find the logs folder as indicated above? What is in it?


p


> 2) There are two different implementations of SSL connector
> (Java-based and OpenSSL-based), that are configured rather
> differently.




Using the Apache Tomcat 6.0 SSL Configuration HOW-TO guide, but it is not working

2011-10-14 Thread ML Harmon
Using this link, to setup my Apache Tomcat 6.0 webserver with SSL, but I
can't get it to work. I am very new to Apache Tomcat 6.0. In fact this is the
first time I have ever worked with it.

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html


Our Apache Tomcat 6.0 is currently running on a Windows 2003 server. We *CAN*
currently bring up a browser and login to our application on port 8086,
and have been using this for several years.

But *now* we want to secure our connection with SSL, so I have been trying
to use the above link to set it up.

Here is what I have done.

1. Create a keystore file to store the server's private key and self-signed
certificate by executing the following command:

Windows:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA




2. Uncomment the SSL HTTP/1.1 Connector entry in
$CATALINA_BASE/conf/server.xml and modify as described.

3. Define a SSL Connector in my server.xml

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

<Connector
   port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${user.home}/.keystore" keystorePass="changeit"
   clientAuth="false" sslProtocol="TLS"/>

4. Create a local certificate
   keytool -genkey -alias tomcat -keyalg RSA \
       -keystore your_keystore_filename

5. Create a CSR for my Issuing RootCA to sign.
   keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr \
       -keystore your_keystore_filename

6. Have my issuing RootCA sign and create my cert.

7. Import my Chain Certificate into my keystore i.e. I have created my own
RootCA certificate with a stand-alone CA since we are using a two tier
approach to creating certs. Our certs are created and signed on a Windows
2008 Certificate Service Server.
   keytool -import -alias root -keystore your_keystore_filename \
       -trustcacerts -file filename_of_the_chain_certificate

8. Import my Certificate.
   keytool -import -alias tomcat -keystore your_keystore_filename \
       -file your_certificate_filename

RESULTS are as follows:

I can run http://localhost:8086 from my browser on our Tomcat Web server and
the default web page does load.
Running https://localhost:8443  does not display a web page.

I can at least load up a web page if I exclude  SSLEnabled=TRUE from my
connector entry using port 8443 but of course I don't have SSLEnabled=True.

I don't even know enough about Tomcat to know how to troubleshoot this, am
very new to this.


Re: Using the Apache Tomcat 6.0 SSL Configuration HOW-TO guide, but it is not working

2011-10-14 Thread Konstantin Kolinko
2011/10/14 ML Harmon mlhlanma...@gmail.com:

> I don't even know enough about Tomcat to know how to troubleshoot this, am
> very new to this.


1) If you know where your server.xml is, you should know where your
log files are as well.

There is logs folder that is sibling to conf.

2) There are two different implementations of SSL connector
(Java-based and OpenSSL-based), that are configured rather
differently.




Re: Apache/Tomcat with SSL

2009-09-29 Thread Pid

On 29/09/2009 03:17, Crypto Sal wrote:

Miguel,

Do you have Tomcat serving up Port 80 traffic or is that Apache's httpd?



I suggest you have one web server handle both normal web traffic and SSL
traffic (if possible), since this page is a login page, you might want
to FORCE https on that page and not allow HTTP.





It would almost appear that you have Tomcat serving up port 80 traffic

 and Apache serving up SSL/TLS connections.

This is a confusing thing to say...


So if that were the case, use Tomcat to do the SSL as well and configure

 tomcat accordingly in the server.xml file.

Don't do that.  There's no point in using HTTPD in front of Tomcat if 
it's not doing any work.



Do keep in mind there is a difference between Tomcat and Apache (httpd).
Please clarify your setup for us.


@Miguel, the problem (from the URLs you supplied) is that Tomcat is not 
processing the JSP content, HTTPD is serving it as a static file.


This is caused by a broken mod_jk*, (or mod_proxy config), AND the HTTPD 
DocumentRoot being set to the same location as the Tomcat application 
directory - which is both bad practice and a fairly serious security 
problem.


(I've sent you a separate email demonstrating why this is so bad.)


You should not use the same directory to serve files from different 
servers.  Here's an example of how you could set it up:


For HTTPD:

 /sites/fun.macneillgroup.com/httpdocs
 /sites/fun.macneillgroup.com/httpdocs/images
 /sites/fun.macneillgroup.com/httpdocs/styles
 /sites/fun.macneillgroup.com/httpdocs/scripts

For Tomcat:

 /sites/fun.macneillgroup.com/webapps
 /sites/fun.macneillgroup.com/webapps/ROOT
 /sites/fun.macneillgroup.com/webapps/focus


When you do this, the HTTPD SSL instance will stop serving the JSPs as 
static files; it may stop serving them completely.


Then you will need help with your mod_jk set up.  You'll need to set 
that up for the :80 host and the :443 SSL host.  Typically, when I do 
this I use an include, so all of the config is in one file.



p



* Which are you using, mod_jk or mod_proxy?  I've assumed mod_jk so far.





On 09/28/2009 01:47 PM, Miguel Ortiz wrote:

Jorge,

I have setup the SSL through Apache and Tomcat, if there is a
different procedure for mod_ssl, I will try that as well. The site
comes up fine when I access it without the https, however when I use
the https, all I see is the jsp script.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com]
Sent: Monday, September 28, 2009 10:55 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL


Also, in order to configure Apache with SSL you must have the module
mod_ssl


-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com]
Sent: Monday, September 28, 2009 10:40 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL

Hola Miguel,

did you set up SSL in Apache ? Or did you do it in Tomcat ? Or in both ?

I am assuming that you want Apache to be the exposed server, therefore
SSL must be configured in Apache. You must also have configured Apache
to forward the requests to Tomcat by using the Apache modules mod_jk
or mod_proxy

-Jorge



-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 8:32 AM
To: users@tomcat.apache.org
Subject: Apache/Tomcat with SSL

I recently setup a SSL cert on our Apache/Tomcat server. When I load
our page, I can see the lock in my browser with all the SSL info,
but the page only loads as a the jsp script and not the full page. Is
there some configuration setting that I have missed. I can provide
snippets from the server.xml, httpd.conf, and ssl.conf. Thanks in
advance.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com





Re: Apache/Tomcat with SSL

2009-09-29 Thread Christopher Schultz
Pid,

On 9/29/2009 4:12 AM, Pid wrote:
> @Miguel, the problem (from the URLs you supplied) is that Tomcat is not
> processing the JSP content, HTTPD is serving it as a static file.
>
> This is caused by a broken mod_jk*, (or mod_proxy) config

+1

My guess is that, when you set up SSL (which requires a separate
VirtualHost from the pre-existing one), you didn't copy the Jk* (if
mod_jk is in use) or Proxy* (if mod_proxy_ajp|http is in use) directives.

Check your (presumably) working HTTP configuration for directives such
as these and simply copy them into the new SSL-enabled VirtualHost.

- -chris



Re: Apache/Tomcat with SSL

2009-09-29 Thread Pid

Pid,

 Thanks for the response, I have contacted the developers of our web 
site to separate the documentRoot directories. Also, I have tested the 
SSL with httpd turned off, and I don't seem to have the same luck. I 
received the following error: Error code: ssl_error_rx_record_too_long. 
I believe this was because Apache did not find the ssl.conf setting to 
enable SSL (I commented it out for testing).



 Once I re-enabled it the error went away, but I was wondering if this 
could mean that some configuration setting is missing or incorrect with 
Tomcat. I have researched the error, but haven't found anything that may 
help. Here is the snippet from server.xml that specifies the SSL settings:


<!--  Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https"
    secure="true" clientAuth="false" sslProtocol="TLS"
    keystoreFile="/usr/local/ssl/private/fun.macneillgroup.com.keystore"
    keypass="nottherealkeypass"
    truststoreFile="/usr/local/ssl/cert/fun.macneillgroup.com.crt"
    truststorePass="nottherealkeypass" />


Also, you mentioned a bad mod_jk. The httpd.conf calls mod_proxy, 
which currently doesn't have any specific settings. I tried to 
manipulate the entry to point to our site:443 but the page didn't display.


Sorry for explosion of thoughts. I want to make known (if my rambling 
hasn't already) that I am very new to Apache/Tomcat. Is there a resource 
that I can use to identify good practices to manage this web server? 
Please note that this server was set up by a consulting company which 
created the page, I have been recently tasked to manage it and configure 
the SSL. Thanks again.




Either Apache HTTPD handles the SSL, or Tomcat does.

You've got a Tomcat connector set up for port 443, if you also have a 
port 443 set up in your HTTPD you have a problem right there.


If you want to use Apache HTTPD, then I'd advise that you configure it 
to handle the SSL as well - comment out the Tomcat SSL Connector in 
server.xml.


You state that you're using mod_proxy; is there also a LoadModule for 
mod_proxy_ajp or mod_proxy_http?


What other Connectors are defined in server.xml?


p






On 28/09/2009 22:12, Jorge Medina wrote:

As suggested by André, you may want to join the Apache User's list and ask 
there your question.

You need to configure SSL in your Apache web server.
To configure SSL Apache Web server, the first thing you need to do is to verify 
that the module mod_ssl is available.
You may want to consider posting sections of your httpd.conf file (or any relevant file 
included by the Include directive) (Remove any sensitive information when 
posting your question)

-Jorge



-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 3:19 PM
To: 'Tomcat Users List'; 'Tomcat Users List'
Subject: RE: Apache/Tomcat with SSL

André,

That is what I did and it still came up with server not found. If you would 
like to verify. Our site is http://fun.macneillgroup.com. The site we are 
currently testing is http://fun.macneillgroup.com/focus/common/Index.jsp. This 
page works, however the https form doesn't seem to produce the desired results.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, September 28, 2009 3:02 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:

André,

This server was configured by our web development contractors. I was only 
tasked with setting up the SSL. When I go to the specified URL, firefox throws 
a server not found.



When I mentioned the URL
http://your-hostname/ROOT/WEB-INF/web.xml
I meant for you to replace the your-hostname part by your own host's name.
:-)

Also, basically I think that this discussion belongs more to the Apache user's 
list, than Tomcat's, because it seems that the SSL part is done at the Apache 
httpd level, not at Tomcat's level.
It is also not easy to just add SSL to an Apache httpd, if this Apache httpd 
uses VirtualHosts.

In the first responses to your first post, some very relevant questions were 
asked, which I don't think you have answered fully yet.  It is difficult for 
someone to help you with the partial information you have supplied so far.  
Tell us :
- on which platform (OS) this is running
- how Apache httpd and Tomcat are connected together (using mod_jk, 
mod_proxy_ajp, or mod_proxy_http?)
- is (was) your Apache httpd configured with multiple VirtualHost sections ?
- can you append your main Apache httpd configuration file (httpd.conf or 
apache2.conf, depending on platform).  Don't put it as an attachment, because 
chances are this list will strip it. Paste it right into your message.
- what exactly did you add, and where, to add the SSL capability

Apache/Tomcat with SSL

2009-09-28 Thread Miguel Ortiz
I recently set up an SSL cert on our Apache/Tomcat server. When I load our page, 
I can see the lock in my browser with all the SSL info, but the page only 
loads as the jsp script and not the full page. Is there some configuration 
setting that I have missed? I can provide snippets from the server.xml, 
httpd.conf, and ssl.conf. Thanks in advance.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com






Re: Apache/Tomcat with SSL

2009-09-28 Thread Peter Crowther
2009/9/28 Miguel Ortiz miguel.or...@macneillgroup.com

 I recently set up an SSL cert on our Apache/Tomcat server. When I load our
 page, I can see the lock in my browser with all the SSL info, but the page
 only loads as the jsp script and not the full page. Is there some
 configuration setting that I have missed? I can provide snippets from the
 server.xml, httpd.conf, and ssl.conf. Thanks in advance.


Have you ensured that all the links to other content on your page (CSS,
images etc) are appropriate for SSL access?  Are they either relative links
or starting with https://... when accessed over SSL?

What's in the access logs for httpd (I assume from Apache/Tomcat that
you're running httpd in front, though you don't say or give any version
information)?  What's in the access logs for Tomcat?  Do they match, or are
some requests being dropped?

If you use some appropriate logging tool* from your browser to examine
requests, what's happening?

- Peter

* Fiddler2's good for IE, Firebug works for Firefox, no idea for other
browsers!


RE: Apache/Tomcat with SSL

2009-09-28 Thread Miguel Ortiz
Peter,

I have checked the httpd logs. I didn't find anything that says why the page 
isn't loading. Here is a copy of the results for the various log files. I am 
running Apache/httpd 2.2.3 and Tomcat 5. Also, I have contacted our web 
developer to check the css and links for the page. Thanks again.

[u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
[Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index forbidden by Options directive: /var/lib/tomcat5/webapps/
[Mon Sep 28 09:17:32 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 09:17:35 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico

[u...@localhost conf.d]# tail -f /var/log/httpd/ssl_access_log
xxx.xxx.xxx.xxx - - [28/Sep/2009:08:51:41 -0400] GET /favicon.ico HTTP/1.1 404 296
xxx.xxx.xxx.xxx - - [28/Sep/2009:08:51:44 -0400] GET /favicon.ico HTTP/1.1 404 296
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:03:04 -0400] GET / HTTP/1.1 403 5043
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:03:04 -0400] GET /icons/apache_pb.gif HTTP/1.1 200 2326
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:03:04 -0400] GET /icons/powered_by_rh.png HTTP/1.1 200 1213
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:17:32 -0400] GET /focus/common/Index.jsp HTTP/1.1 200 12414
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:17:32 -0400] GET /favicon.ico HTTP/1.1 404 296
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:17:35 -0400] GET /favicon.ico HTTP/1.1 404 296
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:49:45 -0400] GET /focus/common/Index.jsp HTTP/1.1 200 12414
xxx.xxx.xxx.xxx - - [28/Sep/2009:09:49:45 -0400] GET /favicon.ico HTTP/1.1 200 21630

[u...@localhost conf.d]# tail -f /var/log/httpd/error_log
[Sun Sep 27 04:02:28 2009] [notice] Digest: generating secret for digest authentication ...
[Sun Sep 27 04:02:28 2009] [notice] Digest: done
[Sun Sep 27 04:02:28 2009] [notice] mod_python: Creating 4 session mutexes based on 150 max processes and 0 max threads.
[Sun Sep 27 04:02:28 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: peter.crowth...@googlemail.com [mailto:peter.crowth...@googlemail.com] On 
Behalf Of Peter Crowther
Sent: Monday, September 28, 2009 9:03 AM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

2009/9/28 Miguel Ortiz miguel.or...@macneillgroup.com

 I recently set up an SSL cert on our Apache/Tomcat server. When I load our
 page, I can see the lock in my browser with all the SSL info, but the page
 only loads as the jsp script and not the full page. Is there some
 configuration setting that I have missed? I can provide snippets from the
 server.xml, httpd.conf, and ssl.conf. Thanks in advance.


Have you ensured that all the links to other content on your page (CSS,
images etc) are appropriate for SSL access?  Are they either relative links
or starting with https://... when accessed over SSL?

What's in the access logs for httpd (I assume from Apache/Tomcat that
you're running httpd in front, though you don't say or give any version
information)?  What's in the access logs for Tomcat?  Do they match, or are
some requests being dropped?

If you use some appropriate logging tool* from your browser to examine
requests, what's happening?

- Peter

* Fiddler2's good for IE, Firebug works for Firefox, no idea for other
browsers!




RE: Apache/Tomcat with SSL

2009-09-28 Thread Jorge Medina
Hola Miguel, 

   did you set up SSL in Apache ? Or did you do it in Tomcat ? Or in both ?

   I am assuming that you want Apache to be the exposed server, therefore SSL 
must be configured in Apache.  You must also have configured Apache to forward 
the requests to Tomcat by using the Apache modules mod_jk or mod_proxy 
   
-Jorge

 

-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com] 
Sent: Monday, September 28, 2009 8:32 AM
To: users@tomcat.apache.org
Subject: Apache/Tomcat with SSL

I recently set up an SSL cert on our Apache/Tomcat server. When I load our page, 
I can see the lock in my browser with all the SSL info, but the page only 
loads as the jsp script and not the full page. Is there some configuration 
setting that I have missed? I can provide snippets from the server.xml, 
httpd.conf, and ssl.conf. Thanks in advance.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com







RE: Apache/Tomcat with SSL

2009-09-28 Thread Jorge Medina

Also, in order to configure Apache with SSL you must have the module mod_ssl


-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com] 
Sent: Monday, September 28, 2009 10:40 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL

Hola Miguel, 

   did you set up SSL in Apache ? Or did you do it in Tomcat ? Or in both ?

   I am assuming that you want Apache to be the exposed server, therefore SSL 
must be configured in Apache.  You must also have configured Apache to forward 
the requests to Tomcat by using the Apache modules mod_jk or mod_proxy 
   
-Jorge

 

-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 8:32 AM
To: users@tomcat.apache.org
Subject: Apache/Tomcat with SSL

I recently set up an SSL cert on our Apache/Tomcat server. When I load our page, 
I can see the lock in my browser with all the SSL info, but the page only 
loads as the jsp script and not the full page. Is there some configuration 
setting that I have missed? I can provide snippets from the server.xml, 
httpd.conf, and ssl.conf. Thanks in advance.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com







Re: Apache/Tomcat with SSL

2009-09-28 Thread André Warnier

Miguel Ortiz wrote:
...

[u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
[Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index 
forbidden by Options directive: /var/lib/tomcat5/webapps/


Nothing to do, I think, with your problem, but it would seem from the above 
that you have configured your Apache front-end with something like


DocumentRoot /var/lib/tomcat5/webapps

which, in principle, is not a good idea.
What do you get in your browser when you request
http://your-hostname/ROOT/WEB-INF/web.xml

(or with https:// as the case may be)
?
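
The misconfiguration diagnosed in this thread (an SSL VirtualHost that lacks the Jk*/Proxy* directives of the working HTTP one, combined with a DocumentRoot inside Tomcat's webapps directory) can be checked for mechanically. The Python sketch below is an added example, not code from any participant or from the Apache projects; the two sample configurations, the AJP port and the finding names are constructed, and it assumes the forwarding directives sit inside the VirtualHost blocks and that Include files are not followed.

```python
import re
from pathlib import PurePosixPath

# Directives that hand a request to Tomcat (mod_jk and mod_proxy families).
FORWARDING = {"jkmount", "jkmountfile", "proxypass", "proxypassmatch"}
VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)

# Constructed sample: the SSL vhost was added without the forwarding directive.
SAMPLE_BROKEN = """
DocumentRoot /var/lib/tomcat5/webapps
<VirtualHost *:80>
    ProxyPass /focus ajp://localhost:8009/focus
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
"""

# Constructed sample: separate static root, both vhosts forward to Tomcat.
SAMPLE_FIXED = """
DocumentRoot "/var/www/html"
<VirtualHost *:80>
    ProxyPass /focus ajp://localhost:8009/focus
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    ProxyPass /focus ajp://localhost:8009/focus
</VirtualHost>
"""


def parse_vhosts(conf_text):
    """Return (global_docroot, vhosts) parsed from httpd configuration text."""
    global_docroot, vhosts, current = None, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"address": opened.group(1).strip(),
                       "docroot": None, "forwarding": []}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):
            continue  # <Location>, <IfModule> etc.: keep scanning their bodies
        fields = line.split(None, 1)
        name = fields[0].lower()
        args = fields[1].strip() if len(fields) > 1 else ""
        if name == "documentroot":
            path = args.strip('"')
            if current is None:
                global_docroot = path
            else:
                current["docroot"] = path
        elif name in FORWARDING and current is not None and not args.endswith("!"):
            # "ProxyPass /path !" is an exclusion, not a forward, so it is skipped.
            current["forwarding"].append(line)
    return global_docroot, vhosts


def _under(path, root):
    """True when path is root itself or lies below it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def audit(conf_text, webapps_roots=("/var/lib/tomcat5/webapps",)):
    """Return (vhost address, finding) tuples for the two problems in the thread."""
    global_docroot, vhosts = parse_vhosts(conf_text)
    any_forwarding = any(v["forwarding"] for v in vhosts)
    findings = []
    for v in vhosts:
        docroot = v["docroot"] or global_docroot  # vhost setting overrides global
        exposed = docroot is not None and any(_under(docroot, r) for r in webapps_roots)
        if exposed:
            # httpd can read WEB-INF/ and *.jsp straight from disk.
            findings.append((v["address"], "DOCROOT_IN_WEBAPPS"))
        if any_forwarding and not v["forwarding"]:
            # A sibling vhost forwards to Tomcat but this one does not.
            findings.append((v["address"], "NO_FORWARDING"))
            if exposed:
                findings.append((v["address"], "JSP_SOURCE_SERVED_STATICALLY"))
    return findings


if __name__ == "__main__":
    for address, finding in audit(SAMPLE_BROKEN):
        print(f"{address}: {finding}")
```
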





RE: Apache/Tomcat with SSL

2009-09-28 Thread Miguel Ortiz
André,

This server was configured by our web development contractors. I was only 
tasked with setting up the SSL. When I go to the specified URL, firefox throws 
a server not found. 


Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Monday, September 28, 2009 11:25 AM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:
...
 [u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
 [Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
 exist: /var/lib/tomcat5/webapps/favicon.ico
 [Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
 exist: /var/lib/tomcat5/webapps/favicon.ico
 [Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index 
 forbidden by Options directive: /var/lib/tomcat5/webapps/

Nothing to do, I think, with your problem, but it would seem from the above 
that you have configured your Apache front-end with something like

DocumentRoot /var/lib/tomcat5/webapps

which, in principle, is not a good idea.
What do you get in your browser when you request
http://your-hostname/ROOT/WEB-INF/web.xml

(or with https:// as the case may be)
?





RE: Apache/Tomcat with SSL

2009-09-28 Thread Miguel Ortiz
Jorge,

I have setup the SSL through Apache and Tomcat, if there is a different 
procedure for mod_ssl, I will try that as well. The site comes up fine when I 
access it without the https, however when I use the https, all I see is the jsp 
script.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com] 
Sent: Monday, September 28, 2009 10:55 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL


Also, in order to configure Apache with SSL you must have the module mod_ssl


-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com] 
Sent: Monday, September 28, 2009 10:40 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL

Hola Miguel, 

   did you set up SSL in Apache ? Or did you do it in Tomcat ? Or in both ?

   I am assuming that you want Apache to be the exposed server, therefore SSL 
must be configured in Apache.  You must also have configured Apache to forward 
the requests to Tomcat by using the Apache modules mod_jk or mod_proxy 
   
-Jorge

 

-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 8:32 AM
To: users@tomcat.apache.org
Subject: Apache/Tomcat with SSL

I recently set up an SSL cert on our Apache/Tomcat server. When I load our page, 
I can see the lock in my browser with all the SSL info, but the page only 
loads as the jsp script and not the full page. Is there some configuration 
setting that I have missed? I can provide snippets from the server.xml, 
httpd.conf, and ssl.conf. Thanks in advance.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com







Re: Apache/Tomcat with SSL

2009-09-28 Thread André Warnier

Miguel Ortiz wrote:

André,

This server was configured by our web development contractors. I was only tasked with setting up the SSL. When I go to the specified URL, firefox throws a server not found. 



When I mentioned the URL
http://your-hostname/ROOT/WEB-INF/web.xml
I meant for you to replace the your-hostname part by your own host's name.
:-)

Also, basically I think that this discussion belongs more to the Apache 
user's list, than Tomcat's, because it seems that the SSL part is done 
at the Apache httpd level, not at Tomcat's level.
It is also not easy to just add SSL to an Apache httpd, if this Apache 
httpd uses VirtualHosts.


In the first responses to your first post, some very relevant questions 
were asked, which I don't think you have answered fully yet.  It is 
difficult for someone to help you with the partial information you have 
supplied so far.  Tell us :

- on which platform (OS) this is running
- how Apache httpd and Tomcat are connected together (using mod_jk, 
mod_proxy_ajp, or mod_proxy_http?)
- is (was) your Apache httpd configured with multiple VirtualHost 
sections ?
- can you append your main Apache httpd configuration file (httpd.conf 
or apache2.conf, depending on platform).  Don't put it as an attachment, 
because chances are this list will strip it. Paste it right into your 
message.

- what exactly did you add, and where, to add the SSL capability ?









Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Monday, September 28, 2009 11:25 AM

To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:
...

[u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
[Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index 
forbidden by Options directive: /var/lib/tomcat5/webapps/


Nothing to do, I think, with your problem, but it would seem from the above 
that you have configured your Apache front-end with something like


DocumentRoot /var/lib/tomcat5/webapps

which, in principle, is not a good idea.
What do you get in your browser when you request
http://your-hostname/ROOT/WEB-INF/web.xml

(or with https:// as the case may be)
?





RE: Apache/Tomcat with SSL

2009-09-28 Thread Miguel Ortiz
André,

That is what I did and it still came up with server not found. If you would 
like to verify. Our site is http://fun.macneillgroup.com. The site we are 
currently testing is http://fun.macneillgroup.com/focus/common/Index.jsp. This 
page works, however the https form doesn't seem to produce the desired results.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Monday, September 28, 2009 3:02 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:
 André,
 
 This server was configured by our web development contractors. I was only 
 tasked with setting up the SSL. When I go to the specified URL, firefox 
 throws a server not found. 
 

When I mentioned the URL
http://your-hostname/ROOT/WEB-INF/web.xml
I meant for you to replace the your-hostname part by your own host's name.
:-)

Also, basically I think that this discussion belongs more to the Apache 
user's list, than Tomcat's, because it seems that the SSL part is done 
at the Apache httpd level, not at Tomcat's level.
It is also not easy to just add SSL to an Apache httpd, if this Apache 
httpd uses VirtualHosts.

In the first responses to your first post, some very relevant questions 
were asked, which I don't think you have answered fully yet.  It is 
difficult for someone to help you with the partial information you have 
supplied so far.  Tell us :
- on which platform (OS) this is running
- how Apache httpd and Tomcat are connected together (using mod_jk, 
mod_proxy_ajp, or mod_proxy_http?)
- is (was) your Apache httpd configured with multiple VirtualHost 
sections ?
- can you append your main Apache httpd configuration file (httpd.conf 
or apache2.conf, depending on platform).  Don't put it as an attachment, 
because chances are this list will strip it. Paste it right into your 
message.
- what exactly did you add, and where, to add the SSL capability ?







 
 Miguel Ortiz
 Network Engineer
 x4818
 wk: 954-331-4818
 bbry: 954-649-1863
 miguel.or...@macneillgroup.com
 
 
 -Original Message-
 From: André Warnier [mailto:a...@ice-sa.com] 
 Sent: Monday, September 28, 2009 11:25 AM
 To: Tomcat Users List
 Subject: Re: Apache/Tomcat with SSL
 
 Miguel Ortiz wrote:
 ...
 [u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
 [Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
 exist: /var/lib/tomcat5/webapps/favicon.ico
 [Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
 exist: /var/lib/tomcat5/webapps/favicon.ico
 [Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index 
 forbidden by Options directive: /var/lib/tomcat5/webapps/
 
 Nothing to do, I think, with your problem, but it would seem from the above 
 that you have configured your Apache front-end with something like
 
 DocumentRoot /var/lib/tomcat5/webapps
 
 which, in principle, is not a good idea.
 What do you get in your browser when you request
 http://your-hostname/ROOT/WEB-INF/web.xml
 
 (or with https:// as the case may be)
 ?
 
 

RE: Apache/Tomcat with SSL

2009-09-28 Thread Jorge Medina
As suggested by André, you may want to join the Apache User's list and ask 
your question there.

You need to configure SSL in your Apache web server.
To configure SSL in the Apache web server, the first thing you need to do is to verify 
that the module mod_ssl is available. 
You may want to consider posting sections of your httpd.conf file (or any 
relevant file included by the Include directive). Remove any sensitive 
information when posting your question.

-Jorge

 

-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com] 
Sent: Monday, September 28, 2009 3:19 PM
To: 'Tomcat Users List'; 'Tomcat Users List'
Subject: RE: Apache/Tomcat with SSL

André,

That is what I did and it still came up with server not found. If you would 
like to verify, our site is http://fun.macneillgroup.com. The site we are 
currently testing is http://fun.macneillgroup.com/focus/common/Index.jsp. This 
page works, however the https form doesn't seem to produce the desired results.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Monday, September 28, 2009 3:02 PM
To: Tomcat Users List
Subject: Re: Apache/Tomcat with SSL

Miguel Ortiz wrote:
 André,
 
 This server was configured by our web development contractors. I was only 
 tasked with setting up the SSL. When I go to the specified URL, firefox 
 throws a server not found. 
 

When I mentioned the URL
http://your-hostname/ROOT/WEB-INF/web.xml
I meant for you to replace the your-hostname part by your own host's name.
:-)

Also, basically I think that this discussion belongs more to the Apache user's 
list, than Tomcat's, because it seems that the SSL part is done at the Apache 
httpd level, not at Tomcat's level.
It is also not easy to just add SSL to an Apache httpd, if this Apache httpd 
uses VirtualHosts.

In the first responses to your first post, some very relevant questions were 
asked, which I don't think you have answered fully yet.  It is difficult for 
someone to help you with the partial information you have supplied so far.  
Tell us :
- on which platform (OS) this is running
- how Apache httpd and Tomcat are connected together (using mod_jk, 
mod_proxy_ajp, or mod_proxy_http?)
- is (was) your Apache httpd configured with multiple VirtualHost sections ?
- can you append your main Apache httpd configuration file (httpd.conf or 
apache2.conf, depending on platform).  Don't put it as an attachment, because 
chances are this list will strip it. Paste it right into your message.
- what exactly did you add, and where, to add the SSL capability ?







 
 Miguel Ortiz
 Network Engineer
 x4818
 wk: 954-331-4818
 bbry: 954-649-1863
 miguel.or...@macneillgroup.com
 
 
 -Original Message-
 From: André Warnier [mailto:a...@ice-sa.com]
 Sent: Monday, September 28, 2009 11:25 AM
 To: Tomcat Users List
 Subject: Re: Apache/Tomcat with SSL
 
 Miguel Ortiz wrote:
 ...
 [u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
 [Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
 [Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/lib/tomcat5/webapps/favicon.ico
 [Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index forbidden by Options directive: /var/lib/tomcat5/webapps/
 
 Nothing to do, I think, with your problem, but it would seem from the 
 above that you have configured your Apache front-end with something 
 like
 
 DocumentRoot /var/lib/tomcat5/webapps
 
 which, in principle, is not a good idea.
 What do you get in your browser when you request 
 http://your-hostname/ROOT/WEB-INF/web.xml
 
 (or with https:// as the case may be)
 ?
 
 

Re: Apache/Tomcat with SSL

2009-09-28 Thread Bill Barker
The most common cause of this is that you haven't copied your JkMount etc 
configuration statements to the SSL VirtualHost.  In this case, mod_jk 
doesn't think that it should be serving the .jsp file, so Apache (httpd) 
serves it instead.  Since httpd knows nothing about JSP, it just serves it 
as a text file.

As other people have pointed out, unless you really know what you are doing, 
it is generally a bad idea to share the httpd DocumentRoot with the Tomcat 
webapps directory.  And even if you do really know what you are doing, it is 
a significant amount of extra work to secure this configuration.

Miguel Ortiz miguel.or...@macneillgroup.com wrote in message 
news:bb7ef21e0428a445b16e49e814926426048...@macg-exch02.macneillgroup.local...
I recently set up an SSL cert on our Apache/Tomcat server. When I load our 
page, I can see the lock in my browser with all the SSL info, but the page 
only loads as the jsp script and not the full page. Is there some 
configuration setting that I have missed? I can provide snippets from the 
server.xml, httpd.conf, and ssl.conf. Thanks in advance.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com




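The two configuration problems raised in this thread (JkMount lines present in the plain-HTTP VirtualHost but not copied to the SSL one, and an httpd DocumentRoot that points at the Tomcat webapps directory) can be checked mechanically. The script below is an added example, not part of the original messages or of mod_jk; the sample configuration, the host name `www.example.test` and the worker name `worker1` are constructed, and it only compares explicit `JkMount` lines inside `<VirtualHost>` blocks.

```python
import re

# Constructed sample resembling the setup discussed in the thread (not the poster's real config).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/lib/tomcat5/webapps
    JkMount /*.jsp worker1
    JkMount /focus/* worker1
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot /var/lib/tomcat5/webapps
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body, name):
    """Return the argument string of every `name` directive in a vhost body."""
    out = []
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#") and parts[0].lower() == name.lower():
            out.append(parts[1].strip() if len(parts) > 1 else "")
    return out

def audit(conf, webapps_dir="/var/lib/tomcat5/webapps"):
    """Return (vhost address, finding) tuples for the two problems named in the thread."""
    vhosts = [(addr.strip(), body) for addr, body in VHOST_RE.findall(conf)]
    all_mounts = {m for _, body in vhosts for m in directives(body, "JkMount")}
    findings = []
    for addr, body in vhosts:
        mounts = set(directives(body, "JkMount"))
        ssl_on = any(v.lower() == "on" for v in directives(body, "SSLEngine"))
        missing = sorted(all_mounts - mounts)
        if ssl_on and missing:  # httpd would serve these paths itself, e.g. JSP source as text
            findings.append((addr, "SSL vhost lacks JkMount: " + "; ".join(missing)))
        for root in directives(body, "DocumentRoot"):
            root = root.strip('"').rstrip("/")
            if root == webapps_dir or root.startswith(webapps_dir + "/"):
                findings.append((addr, "DocumentRoot inside Tomcat webapps: " + root))
    return findings

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF):
        print(addr, "-", finding)
```

A shared DocumentRoot matters because httpd does not apply Tomcat's rule that WEB-INF is never served, which is what the web.xml request suggested earlier in the thread tests for.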



Re: Apache/Tomcat with SSL

2009-09-28 Thread Crypto Sal

Miguel,

Do you have Tomcat serving up Port 80 traffic or is that Apache's httpd? 
I suggest you have one web server handle both normal web traffic and SSL 
traffic (if possible). Since this page is a login page, you might want 
to FORCE https on that page and not allow HTTP. It would almost appear 
that you have Tomcat serving up port 80 traffic and Apache serving up 
SSL/TLS connections. So if that were the case, use Tomcat to do the SSL 
as well and configure Tomcat accordingly in the server.xml file.


Do keep in mind there is a difference between Tomcat and Apache (httpd). 
Please clarify your setup for us.






On 09/28/2009 01:47 PM, Miguel Ortiz wrote:

Jorge,

I have set up the SSL through Apache and Tomcat; if there is a different 
procedure for mod_ssl, I will try that as well. The site comes up fine when I 
access it without the https; however, when I use the https, all I see is the jsp 
script.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com


-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com]
Sent: Monday, September 28, 2009 10:55 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL


Also, in order to configure Apache with SSL you must have the module mod_ssl


-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com]
Sent: Monday, September 28, 2009 10:40 AM
To: Tomcat Users List
Subject: RE: Apache/Tomcat with SSL

Hola Miguel,

did you set up SSL in Apache ? Or did you do it in Tomcat ? Or in both ?

I am assuming that you want Apache to be the exposed server, therefore SSL 
must be configured in Apache.  You must also have configured Apache to forward 
the requests to Tomcat by using the Apache modules mod_jk or mod_proxy

-Jorge



-Original Message-
From: Miguel Ortiz [mailto:miguel.or...@macneillgroup.com]
Sent: Monday, September 28, 2009 8:32 AM
To: users@tomcat.apache.org
Subject: Apache/Tomcat with SSL

I recently set up an SSL cert on our Apache/Tomcat server. When I load our page, I can see 
the lock in my browser with all the SSL info, but the page only loads as 
the jsp script and not the full page. Is there some configuration setting that I have 
missed? I can provide snippets from the server.xml, httpd.conf, and ssl.conf. Thanks in 
advance.

Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com






   


