RE: Tomcat SSL stops working after an undetermined amount of time

2021-06-15 Thread Mysore, Raghunath
This is nice to know.
Thank you for the details.
You may want to check the contents of the "java.security" file, to assess if
they have configured BC like this:

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Number 10  can be some other number in your environment.
If you see BC configured in here, you can comment (or remove ) that line.
Recycle the JVM and test again.

Thanks,
-Raghu 

-Original Message-
From: Christopher Schultz  
Sent: Tuesday, June 15, 2021 4:10 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ezsra,

On 6/15/21 17:43, Ezsra McDonald wrote:
> Sorry for the delay.
> 
> I was finally able to track down the location of the BouncyCastle library.
> It is located in the individual application libraries and cannot be 
> disabled. There are newer versions of BC available and I have asked 
> the software developers to consider upgrading the applications.
> 
> Disabling RSASSA-PSS alone did not work. I had to also disable 
> TLSv1.3. I tried only disabling TLSv1.3 but the instance continued to 
> show the same issues. So, I had to disable both.
> 
> The error occurred across all browsers. There was some earlier 
> confusion when I had the HTTPS connector configured incorrectly. Now 
> the connector works for all browsers initially until one of the apps 
> loads the BouncyCastle library. At that point the SSL handshake begins 
> to fail for any browser. Disabling the RSASSA-PSS and TLSv1.3 
> protocols and ciphers is a temporary work around. It is my hope that 
> upgrading the BC jar will resolve the conflicts.
> 
> I am open to any other suggestions but for now my instances have 
> stabilized and I am in a holding pattern waiting for the software 
> developers to upgrade BC in the individual applications.
> 
> Thanks to everyone who assisted me with this issue. I will keep you 
> posted on results of the BC upgrade.

Sounds good.

I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should 
expose that to the administrator in some way.

-chris

> On Thu, May 27, 2021 at 11:23 AM Mysore, Raghunath 
> 
> wrote:
> 
>> Hi Ezsra,
>>   I concur with suggestions from  Chris Schultz.
>> Would you clarify the following items ?
>> The current focus is to understand the prevailing environment 
>> configuration, in context of the stack trace you shared earlier.
>>
>> (1) To go back,  did you check  for ".jar"  files with names like "bouncy"
>> ?
>> The point here is - to understand where BC is configured (to assess 
>> if it can be commented)
>> (2) Apart from considering to turnoff BC,  have you tried disabling 
>> RSASSA-PSS algorithm ?
>> (3) When you test using a Safari browser - is the application on a 
>> happy path (meaning SSL works all fine) ?
>> And you have the issue only when testing from a  Chrome browser ?
>>
>> Thanks,
>>   -Raghu
>>
>> -Original Message-
>> From: Ezsra McDonald 
>> Sent: Thursday, May 27, 2021 8:56 AM
>> To: Tomcat Users List 
>> Subject: Re: Tomcat SSL stops working after an undetermined amount of 
>> time
>>
>> Thanks for the responses,
>>
>> So, I need to understand a little more about Bouncycastle. I 
>> inherited the tomcat environment so I do not know how or why BC came 
>> to be installed in the containers. I will do some research on BC so I 
>> understand it better. My assumption from the responses is that BC is 
>> not a standard part of Tomcat or Java install.
>>
>> If the BC is part of an application running in the container and 
>> comes from a war file, can it be causing this issue? Or is BC most 
>> likely loaded when the container starts?
>>
>> --Ez
>>
>> On Thu, May 27, 2021 at 8:37 AM Christopher Schultz < 
>> ch...@christopherschultz.net> wrote:
>>
>>> Raghunath,
>>>
>>> On 5/26/21 19:08, Mysore, Raghunath wrote:
>>>> To track if BC is configured in your environment, you may want to 
>>>> assess if BC is listed as a "security.provider"  in the following 
>>>> "java.security" file
>>>>
>>>>
>>>>
>>>> File :  /jre/lib/security/java.security
>>>>
>>>> Check for record (example below) :
>>>>
>>>> security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
>>>>
>>>>
>>>>
>>>>
>>>> Note the Number 10, above may be something different in your 
>&
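One way to script the checks Raghu and Chris describe above (the security.provider entry in java.security, the search for bouncy*.jar files shipped inside the applications, and whether RSASSA-PSS has already been disabled), including the renumbering needed when the provider line is removed. This is an added example, not code from the thread or the Tomcat project; the function names, paths and the java.security excerpt are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread or the Tomcat project: an audit of the
# three places the thread points at when BouncyCastle (BC) ends up handling
# TLS signatures in a Tomcat JVM. Function names, paths and the sample
# java.security excerpt below are constructed for the demo.

# 1. Static registration: security.provider.N lines naming BC in java.security.
bc_provider_lines() {
  grep -E '^[[:space:]]*security\.provider\.[0-9]+[[:space:]]*=.*[Bb]ouncy[Cc]astle' "$1"
}

# 2. Dynamic registration: a bouncy*.jar shipped inside an application (the
#    case Ezsra found). Prints the number of such jars below a directory.
bc_jar_count() {
  find "$1" -type f -iname '*bouncy*.jar' 2>/dev/null | wc -l | tr -d '[:space:]'
}

# Active jdk.tls.disabledAlgorithms value with backslash continuations joined.
disabled_algorithms() {
  awk '
    /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); grab = 1
    }
    grab {
      line = $0
      cont = (line ~ /\\[ \t]*$/)
      sub(/\\[ \t]*$/, "", line)
      sub(/^[ \t]+/, "", line)
      out = out line
      if (!cont) { print out; exit }
    }' "$1"
}

# 3. Exit 0 if RSASSA-PSS is already in jdk.tls.disabledAlgorithms (the
#    workaround from the thread), 1 otherwise.
rsassa_pss_disabled() {
  disabled_algorithms "$1" | grep -q 'RSASSA-PSS'
}

# Verdict for a JVM: "static" (java.security), "dynamic" (jar in an app), "none".
bc_source() {
  if bc_provider_lines "$1" >/dev/null; then echo static
  elif [ "$(bc_jar_count "$2")" -gt 0 ]; then echo dynamic
  else echo none
  fi
}

# Write a copy of java.security ($1) to $2 with the BC entry removed and the
# later security.provider.N entries renumbered. Renumbering matters: the JDK
# reads providers 1, 2, 3, ... and stops at the first missing number, so just
# commenting out entry 10 would silently drop entry 11 and everything after it.
strip_bc_provider() {
  awk '
    /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
      if ($0 ~ /[Bb]ouncy[Cc]astle/) { skipped++; next }
      if (skipped) {
        match($0, /security\.provider\.[0-9]+/)
        n = substr($0, RSTART + 18, RLENGTH - 18) + 0
        sub(/security\.provider\.[0-9]+/, "security.provider." (n - skipped))
      }
    }
    { print }' "$1" > "$2"
}

# --- constructed demo environment (a JRE tree plus one webapp) ---------------
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/jre/lib/security" "$demo_root/webapps/app1/WEB-INF/lib"
JAVA_SECURITY="$demo_root/jre/lib/security/java.security"
cat > "$JAVA_SECURITY" <<'EOF'
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.11=sun.security.mscapi.SunMSCAPI
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
: > "$demo_root/webapps/app1/WEB-INF/lib/bouncycastle-demo.jar"   # empty stand-in

# Human-readable summary for one JVM: $1 = java.security, $2 = Tomcat base dir.
report() {
  echo "BC registration:        $(bc_source "$1" "$2/webapps")"
  echo "bouncy*.jar files:      $(bc_jar_count "$2")"
  echo "jdk.tls.disabledAlgs:   $(disabled_algorithms "$1")"
  if rsassa_pss_disabled "$1"; then echo "RSASSA-PSS:             disabled"
  else echo "RSASSA-PSS:             not disabled"; fi
}
report "$JAVA_SECURITY" "$demo_root"
```

To audit a live instance, point the two arguments of report at the real JRE's java.security and the CATALINA_BASE directory instead of the constructed tree.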

Re: Tomcat SSL stops working after an undetermined amount of time

2021-06-15 Thread Christopher Schultz

Ezsra,

On 6/15/21 17:43, Ezsra McDonald wrote:

Sorry for the delay.

I was finally able to track down the location of the BouncyCastle library.
It is located in the individual application libraries and cannot be
disabled. There are newer versions of BC available and I have asked the
software developers to consider upgrading the applications.

Disabling RSASSA-PSS alone did not work. I had to also disable TLSv1.3. I
tried only disabling TLSv1.3 but the instance continued to show the same
issues. So, I had to disable both.

The error occurred across all browsers. There was some earlier confusion
when I had the HTTPS connector configured incorrectly. Now the connector
works for all browsers initially until one of the apps loads the
BouncyCastle library. At that point the SSL handshake begins to fail for
any browser. Disabling the RSASSA-PSS and TLSv1.3 protocols and ciphers is
a temporary work around. It is my hope that upgrading the BC jar will
resolve the conflicts.

I am open to any other suggestions but for now my instances have stabilized
and I am in a holding pattern waiting for the software developers to
upgrade BC in the individual applications.

Thanks to everyone who assisted me with this issue. I will keep you posted
on results of the BC upgrade.


Sounds good.

I don't see any place in Tomcat to specify the JSSE provider. Perhaps we 
should expose that to the administrator in some way.


-chris


On Thu, May 27, 2021 at 11:23 AM Mysore, Raghunath 
wrote:


Hi Ezsra,
  I concur with suggestions from  Chris Schultz.
Would you clarify the following items ?
The current focus is to understand the prevailing environment
configuration, in context of the stack trace you shared earlier.

(1) To go back,  did you check  for ".jar"  files with names like "bouncy"
?
The point here is - to understand where BC is configured (to assess if it
can be commented)
(2) Apart from considering to turnoff BC,  have you tried disabling
RSASSA-PSS algorithm ?
(3) When you test using a Safari browser - is the application on a happy
path (meaning SSL works all fine) ?
And you have the issue only when testing from a  Chrome browser ?

Thanks,
  -Raghu

-Original Message-
From: Ezsra McDonald 
Sent: Thursday, May 27, 2021 8:56 AM
To: Tomcat Users List 
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Thanks for the responses,

So, I need to understand a little more about Bouncycastle. I inherited the
tomcat environment so I do not know how or why BC came to be installed in
the containers. I will do some research on BC so I understand it better. My
assumption from the responses is that BC is not a standard part of Tomcat
or Java install.

If the BC is part of an application running in the container and comes
from a war file, can it be causing this issue? Or is BC most likely loaded
when the container starts?

--Ez

On Thu, May 27, 2021 at 8:37 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Raghunath,

On 5/26/21 19:08, Mysore, Raghunath wrote:

To track if BC is configured in your environment, you may want to
assess if BC is listed as a "security.provider"  in the following
"java.security" file

File :  /jre/lib/security/java.security

Check for record (example below) :

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Note the Number 10, above may be something different in your
environment's "java.security" file (presuming BC is configured here)

Well, the error being encountered is definite within BC, so I'd
venture a guess that BC is indeed being used.

-chris

-Original Message- From: Christopher Schultz
 Sent: Wednesday, May 26, 2021 4:35 PM
To: users@tomcat.apache.org Subject: Re: Tomcat SSL stops working
after an undetermined amount of time

Ezsra,

On 5/26/21 18:11, Ezsra McDonald wrote:


Well, I still have issues. I think it is the same thing hit by
these guys:

https://jira.atlassian.com/browse/BAM-21157
https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat

I'll try their fix. My 

Re: Tomcat SSL stops working after an undetermined amount of time

2021-06-15 Thread Ezsra McDonald
Sorry for the delay.

I was finally able to track down the location of the BouncyCastle library.
It is located in the individual application libraries and cannot be
disabled. There are newer versions of BC available and I have asked the
software developers to consider upgrading the applications.

Disabling RSASSA-PSS alone did not work. I had to also disable TLSv1.3. I
tried only disabling TLSv1.3 but the instance continued to show the same
issues. So, I had to disable both.

The error occurred across all browsers. There was some earlier confusion
when I had the HTTPS connector configured incorrectly. Now the connector
works for all browsers initially until one of the apps loads the
BouncyCastle library. At that point the SSL handshake begins to fail for
any browser. Disabling the RSASSA-PSS and TLSv1.3 protocols and ciphers is
a temporary work around. It is my hope that upgrading the BC jar will
resolve the conflicts.

I am open to any other suggestions but for now my instances have stabilized
and I am in a holding pattern waiting for the software developers to
upgrade BC in the individual applications.

Thanks to everyone who assisted me with this issue. I will keep you posted
on results of the BC upgrade.

-Ez

On Thu, May 27, 2021 at 11:23 AM Mysore, Raghunath 
wrote:

> Hi Ezsra,
>  I concur with suggestions from  Chris Schultz.
> Would you clarify the following items ?
> The current focus is to understand the prevailing environment
> configuration, in context of the stack trace you shared earlier.
>
> (1) To go back,  did you check  for ".jar"  files with names like "bouncy"
> ?
> The point here is - to understand where BC is configured (to assess if it
> can be commented)
> (2) Apart from considering to turnoff BC,  have you tried disabling
> RSASSA-PSS algorithm ?
> (3) When you test using a Safari browser - is the application on a happy
> path (meaning SSL works all fine) ?
> And you have the issue only when testing from a  Chrome browser ?
>
> Thanks,
>  -Raghu
>
> -Original Message-
> From: Ezsra McDonald 
> Sent: Thursday, May 27, 2021 8:56 AM
> To: Tomcat Users List 
> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>
> Thanks for the responses,
>
> So, I need to understand a little more about Bouncycastle. I inherited the
> tomcat environment so I do not know how or why BC came to be installed in
> the containers. I will do some research on BC so I understand it better. My
> assumption from the responses is that BC is not a standard part of Tomcat
> or Java install.
>
> If the BC is part of an application running in the container and comes
> from a war file, can it be causing this issue? Or is BC most likely loaded
> when the container starts?
>
> --Ez
>
> On Thu, May 27, 2021 at 8:37 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Raghunath,
> >
> > On 5/26/21 19:08, Mysore, Raghunath wrote:
> > > To track if BC is configured in your environment, you may want to
> > > assess if BC is listed as a "security.provider"  in the following
> > > "java.security" file
> > >
> > >
> > >
> > > File :  /jre/lib/security/java.security
> > >
> > > Check for record (example below) :
> > >
> > > security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvi
> > > der
> > >
> > >
> > >
> > >
> > > Note the Number 10, above may be something different in your
> > > environment's "java.security" file (presuming BC is configured here)
> >
> > Well, the error being encountered is definite within BC, so I'd
> > venture a guess that BC is indeed being used.
> >
> > -chris
> >
> > > -Original Message- From: Christopher Schultz
> > >  Sent: Wednesday, May 26, 2021 4:35 PM
> > > To: users@tomcat.apache.org Subject: Re: Tomcat SSL stops working
> > > after an undetermined amount of time
> > >
> > >
> > >
> > > Ezsra,
> > >
> > >
> > >
> > > On 5/26/21 18:11, Ezsra McDonald wrote:
> > >
> > >> Well, I still have issues. I think it is the same thing hit by
> > >> these guys:
> > >
> > >> https://jira.atlassian.com/browse/BAM-21157
> 

RE: Tomcat SSL stops working after an undetermined amount of time

2021-05-27 Thread Mysore, Raghunath
Hi Ezsra, 
 I concur with suggestions from  Chris Schultz.  
Would you clarify the following items ?
The current focus is to understand the prevailing environment configuration, in 
context of the stack trace you shared earlier. 

(1) To go back,  did you check  for ".jar"  files with names like "bouncy" ? 
The point here is - to understand where BC is configured (to assess if it can 
be commented)
(2) Apart from considering to turnoff BC,  have you tried disabling RSASSA-PSS 
algorithm ? 
(3) When you test using a Safari browser - is the application on a happy path 
(meaning SSL works all fine) ?  
And you have the issue only when testing from a  Chrome browser ? 

Thanks,
 -Raghu 

-Original Message-
From: Ezsra McDonald  
Sent: Thursday, May 27, 2021 8:56 AM
To: Tomcat Users List 
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Thanks for the responses,

So, I need to understand a little more about Bouncycastle. I inherited the 
tomcat environment so I do not know how or why BC came to be installed in the 
containers. I will do some research on BC so I understand it better. My 
assumption from the responses is that BC is not a standard part of Tomcat or 
Java install.

If the BC is part of an application running in the container and comes from a 
war file, can it be causing this issue? Or is BC most likely loaded when the 
container starts?

--Ez

On Thu, May 27, 2021 at 8:37 AM Christopher Schultz < 
ch...@christopherschultz.net> wrote:

> Raghunath,
>
> On 5/26/21 19:08, Mysore, Raghunath wrote:
> > To track if BC is configured in your environment, you may want to 
> > assess if BC is listed as a "security.provider"  in the following 
> > "java.security" file
> >
> >
> >
> > File :  /jre/lib/security/java.security
> >
> > Check for record (example below) :
> >
> > security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
> >
> >
> >
> >
> > Note the Number 10, above may be something different in your 
> > environment's "java.security" file (presuming BC is configured here)
>
> Well, the error being encountered is definite within BC, so I'd 
> venture a guess that BC is indeed being used.
>
> -chris
>
> > -Original Message- From: Christopher Schultz 
> >  Sent: Wednesday, May 26, 2021 4:35 PM
> > To: users@tomcat.apache.org Subject: Re: Tomcat SSL stops working 
> > after an undetermined amount of time
> >
> >
> >
> > Ezsra,
> >
> >
> >
> > On 5/26/21 18:11, Ezsra McDonald wrote:
> >
> >> Well, I still have issues. I think it is the same thing hit by 
> >> these guys:
> >
> >> https://jira.atlassian.com/browse/BAM-21157
> >> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
> >
> >>
> >
> >> I'll try their fix. My main concern is that I do not want to 
> >> disable
> >
> >> TLSv1.3.
> >
> >
> >
> > If you don't want to disable TLSv1.3, then you want:
> >
> >
> >
> >  >
> > protocols="TLSv1.2,TLSv1.3"
> >
> > />
> >
> >
> >
> > If BC is failing you, I'd want to find out if you really need BC.
> >
> >
> >
> > That first link above seems

Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-27 Thread Ezsra McDonald
Thanks for the responses,

So, I need to understand a little more about Bouncycastle. I inherited the
tomcat environment so I do not know how or why BC came to be installed in
the containers. I will do some research on BC so I understand it better. My
assumption from the responses is that BC is not a standard part of Tomcat
or Java install.

If the BC is part of an application running in the container and comes from
a war file, can it be causing this issue? Or is BC most likely loaded when
the container starts?

--Ez

On Thu, May 27, 2021 at 8:37 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Raghunath,
>
> On 5/26/21 19:08, Mysore, Raghunath wrote:
> > To track if BC is configured in your environment, you may want to
> > assess if BC is listed as a "security.provider"  in the following
> > "java.security" file
> >
> >
> >
> > File :  /jre/lib/security/java.security
> >
> > Check for record (example below) :
> >
> > security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
> >
> >
> >
> >
> > Note the Number 10, above may be something different in your
> > environment's "java.security" file (presuming BC is configured here)
>
> Well, the error being encountered is definite within BC, so I'd venture
> a guess that BC is indeed being used.
>
> -chris
>
> > -Original Message- From: Christopher Schultz
> >  Sent: Wednesday, May 26, 2021 4:35 PM
> > To: users@tomcat.apache.org Subject: Re: Tomcat SSL stops working
> > after an undetermined amount of time
> >
> >
> >
> > Ezsra,
> >
> >
> >
> > On 5/26/21 18:11, Ezsra McDonald wrote:
> >
> >> Well, I still have issues. I think it is the same thing hit by
> >> these guys:
> >
> >> https://jira.atlassian.com/browse/BAM-21157
> >> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
> >
> >>
> >
> >> I'll try their fix. My main concern is that I do not want to
> >> disable
> >
> >> TLSv1.3.
> >
> >
> >
> > If you don't want to disable TLSv1.3, then you want:
> >
> >
> >
> >  >
> > protocols="TLSv1.2,TLSv1.3"
> >
> > />
> >
> >
> >
> > If BC is failing you, I'd want to find out if you really need BC.
> >
> >
> >
> > That first link above seems to suggest that when using Tomcat you
> > MUST disable TLSv1.3. That seems odd. What version of BC are you
> > using?
> >
> > Search for .jar files with names like "bouncy".
> >
> >
> >
> > Do you have the option to downgrade Java?
> >
> >
> >
> > Have you tried disabling the RSASSA-PSS algorithm as per their
> > instructions? It seems ... far-fetched that would fix the problem,
> > but ... okay.
> >
> >
> >
> > Note that at some time in the past, Java 1.8 did not support TLSv1.3
> > and lots of people who were stuck on Java 1.8 decided to switch to BC
> > which did have TLSv1.3 support. With that version of Java 1.8 (_281),
> > you should have native JDK support for TLSv1.3. Perhaps BC is not
> > necessary at all.
> >
> >
> >
> > -chris
> >
> >
> >
> >> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald
> >
> >> mailto:ezsra.mcdon...@gmail.com>>
> >
> >> wrote:
>

Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-27 Thread Christopher Schultz

Raghunath,

On 5/26/21 19:08, Mysore, Raghunath wrote:

To track if BC is configured in your environment, you may want to
assess if BC is listed as a "security.provider"  in the following
"java.security" file



File :  /jre/lib/security/java.security

Check for record (example below) :

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider




Note the Number 10, above may be something different in your
environment's "java.security" file (presuming BC is configured here)


Well, the error being encountered is definite within BC, so I'd venture
a guess that BC is indeed being used.

-chris


-Original Message- From: Christopher Schultz
 Sent: Wednesday, May 26, 2021 4:35 PM 
To: users@tomcat.apache.org Subject: Re: Tomcat SSL stops working

after an undetermined amount of time



Ezsra,



On 5/26/21 18:11, Ezsra McDonald wrote:


Well, I still have issues. I think it is the same thing hit by
these guys:

https://jira.atlassian.com/browse/BAM-21157
https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat

I'll try their fix. My main concern is that I do not want to
disable TLSv1.3.

If you don't want to disable TLSv1.3, then you want:







If BC is failing you, I'd want to find out if you really need BC.



That first link above seems to suggest that when using Tomcat you
MUST disable TLSv1.3. That seems odd. What version of BC are you
using?

Search for .jar files with names like "bouncy".



Do you have the option to downgrade Java?



Have you tried disabling the RSASSA-PSS algorithm as per their
instructions? It seems ... far-fetched that would fix the problem,
but ... okay.



Note that at some time in the past, Java 1.8 did not support TLSv1.3
and lots of people who were stuck on Java 1.8 decided to switch to BC
which did have TLSv1.3 support. With that version of Java 1.8 (_281),
you should have native JDK support for TLSv1.3. Perhaps BC is not
necessary at all.



-chris




On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald
mailto:ezsra.mcdon...@gmail.com>>
wrote:

Lots of good information was provided.

This afternoon I plan to test the "sslProtocol"  to "protocols"
change in our lower environments. I will reply back with any
findings.

Thank you everyone for your responses.

regards,

-- Ez

On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
mailto:rmys...@visa.com.invalid>>
wrote:







Hi Chris,

-Original Message-
From: Christopher Schultz
mailto:ch...@christopherschultz.net>>
Sent: Tuesday, May 25, 2021 9:10 AM
To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
Subject: Re: Tomcat SSL stops working after an undetermined amount
of time







Ronald,

On 5/25/21 09:31, Roskens, Ronald wrote:

-Original Message-
From: Christopher Schultz
mailto:ch...@christopherschultz.net>>
Sent: Monday, May 24, 2021 1:56 PM
To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
undetermined amount of time

CAUTION: This email originated from outside of the
organization. DO NOT CLICK on links or open attachments unless you
recognize the sender and know the content is safe.







Ezsra,

On 5/24/21 10:30, Ezsra McDonald wrote:

I am enabling SSL debugging this morning. I did catch this in the
log for an instance that started erroring out this morning. Seems
like it may be too generic to help solve my problem. Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
 java.lang.NullPointerException
at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)

Oh. You are using BouncyCastle. I've never tried to do that. I'm
not sure how well BC will work with Tomcat. We don't officially
support that configuration, but that d

RE: Tomcat SSL stops working after an undetermined amount of time

2021-05-26 Thread Mysore, Raghunath
To track if BC is configured in your environment, you may want to assess if BC 
is listed as a "security.provider"  in the following "java.security" file



File :  /jre/lib/security/java.security

Check for record (example below) :

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider



Note the Number 10, above may be something different in your environment's 
"java.security" file (presuming BC is configured here)



-Original Message-
From: Christopher Schultz 
Sent: Wednesday, May 26, 2021 4:35 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time



Ezsra,



On 5/26/21 18:11, Ezsra McDonald wrote:

> Well, I still have issues. I think it is the same thing hit by these guys:
> https://jira.atlassian.com/browse/BAM-21157
> https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat
>
> I'll try their fix. My main concern is that I do not want to disable
> TLSv1.3.



If you don't want to disable TLSv1.3, then you want:







If BC is failing you, I'd want to find out if you really need BC.



That first link above seems to suggest that when using Tomcat you MUST disable 
TLSv1.3. That seems odd. What version of BC are you using?

Search for .jar files with names like "bouncy".



Do you have the option to downgrade Java?



Have you tried disabling the RSASSA-PSS algorithm as per their instructions? It 
seems ... far-fetched that would fix the problem, but ... okay.



Note that at some time in the past, Java 1.8 did not support TLSv1.3 and lots 
of people who were stuck on Java 1.8 decided to switch to BC which did have 
TLSv1.3 support. With that version of Java 1.8 (_281), you should have native 
JDK support for TLSv1.3. Perhaps BC is not necessary at all.



-chris



> On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald
> mailto:ezsra.mcdon...@gmail.com>>
> wrote:
>
>> Lots of good information was provided.
>>
>> This afternoon I plan to test the "sslProtocol"  to "protocols"
>> change in our lower environments. I will reply back with any findings.
>>
>> Thank you everyone for your responses.
>>
>> regards,
>>
>> -- Ez
>>
>> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
>> mailto:rmys...@visa.com.invalid>> wrote:
>>
>>> Hi Chris,
>>>
>>> -Original Message-
>>> From: Christopher Schultz 
>>> mailto:ch...@christopherschultz.net>>
>>> Sent: Tuesday, May 25, 2021 9:10 AM
>>> To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
>>> Subject: Re: Tomcat SSL stops working after an undetermined amount
>>> of time
>>>
>>> Ronald,
>>>
>>> On 5/25/21 09:31, Roskens, Ronald wrote:
>>>>
>>>>> -Original Message-
>>>>> From: Christopher Schultz 
>>>>> mailto:ch...@christopherschultz.net>>
>>>>> Sent: Monday, May 24, 2021 1:56 PM
>>>>> To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
>>>>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
>>>>> undetermined amount of time
>>>>>
>>>>> CAUTION: This email originated from outside of the organization.
>>>>> DO NOT CLICK on links or open attachments unless you recognize the
>>>>> sender and know the content is safe.
>>>>>
>>>>> Ezsra,
>>>>>
>>>>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>>>>> I am enabling SSL debugging this morning. I did catch this in the
>>>>>> log for an instance that started erroring out this morning. Seems
>>>>>> like it may be too generic to help solve my problem. Here it is:
>>>>>>

Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-26 Thread Christopher Schultz

Ezsra,

On 5/26/21 18:11, Ezsra McDonald wrote:

Well, I still have issues. I think it is the same thing hit by these guys:
https://jira.atlassian.com/browse/BAM-21157
https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat

I'll try their fix. My main concern is that I do not want to disable
TLSv1.3.


If you don't want to disable TLSv1.3, then you want:



If BC is failing you, I'd want to find out if you really need BC.

That first link above seems to suggest that when using Tomcat you MUST 
disable TLSv1.3. That seems odd. What version of BC are you using? 
Search for .jar files with names like "bouncy".


Do you have the option to downgrade Java?

Have you tried disabling the RSASSA-PSS algorithm as per their 
instructions? It seems ... far-fetched that would fix the problem, but 
... okay.


Note that at some time in the past, Java 1.8 did not support TLSv1.3 and 
lots of people who were stuck on Java 1.8 decided to switch to BC which 
did have TLSv1.3 support. With that version of Java 1.8 (_281), you 
should have native JDK support for TLSv1.3. Perhaps BC is not necessary 
at all.


-chris


On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald wrote:


Lots of good information was provided.

This afternoon I plan to test the "sslProtocol"  to "protocols" change in
our lower environments. I will reply back with any findings.

Thank you everyone for your responses.

regards,

-- Ez

On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath wrote:


Hi Chris,

-Original Message-
From: Christopher Schultz 
Sent: Tuesday, May 25, 2021 9:10 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ronald,

On 5/25/21 09:31, Roskens, Ronald wrote:



-Original Message-
From: Christopher Schultz 
Sent: Monday, May 24, 2021 1:56 PM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
undetermined amount of time

CAUTION: This email originated from outside of the organization. DO
NOT CLICK on links or open attachments unless you recognize the
sender and know the content is safe.

Ezsra,

On 5/24/21 10:30, Ezsra McDonald wrote:

I am enabling SSL debugging this morning. I did catch this in the
log for an instance that started erroring out this morning. Seems
like it may be too generic to help solve my problem. Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.NullPointerException
at
org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
Source)
at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
Source)


Oh. You are using BouncyCastle. I've never tried to do that. I'm not
sure how well BC will work with Tomcat. We don't officially support
that configuration, but that doesn't mean we won't try to help.


This isn't a Tomcat issue but an interoperability issue between

BouncyCastle & OpenJDK.


* https://github.com/bcgit/bc-java/issues/633
* https://bugs.openjdk.java.net/browse/JDK-8216039


Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
something downstream will still fail...

Just to add my 2 cents here:

Per the problem posed in the very first email, we see the SSL/TLS issue
between Oracle JDK 8 and Tomcat 8.5.
Environment:
OS: CentOS 7
Apache: apache-tomcat-8.5.65
Java: jdk1.8.0_281

Note that the following link talks about issues between OpenJDK 11 and
BC:
https://bugs.openjdk.java.net/browse/JDK-8216039

This morning's suggestion (about changing from "sslProtocol" to
"protocols") from Christopher Schultz sounds promising, in that the
interaction between the browser clients and the Tomcat 8.5.x server will be
limited only to TLS1.2.
Making this change will preclude other old protocols, like TLS 1 and TLS
11, in communication between the clients and the Tomcat server.
We will need tests after making the change to the "protocols" attribute in
the HTTPS connector block.
In the context of the above-mentioned change, we may not need any editing of
the "java.security" file contents (discussed last evening).

Thanks,
  -Raghu


--

Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-26 Thread Ezsra McDonald
Well, I still have issues. I think it is the same thing hit by these guys:
https://jira.atlassian.com/browse/BAM-21157
https://stackoverflow.com/questions/65691480/nullpointerexception-at-org-bouncycastle-crypto-signers-psssigner-generatesignat

I'll try their fix. My main concern is that I do not want to disable
TLSv1.3.

Any other suggestions?

--Ez

On Tue, May 25, 2021 at 11:09 AM Ezsra McDonald wrote:

> Lots of good information was provided.
>
> This afternoon I plan to test the "sslProtocol"  to "protocols" change in
> our lower environments. I will reply back with any findings.
>
> Thank you everyone for your responses.
>
> regards,
>
> -- Ez
>
> On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath
>  wrote:
>
>> Hi Chris,
>>
>> -Original Message-
>> From: Christopher Schultz 
>> Sent: Tuesday, May 25, 2021 9:10 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>>
>> Ronald,
>>
>> On 5/25/21 09:31, Roskens, Ronald wrote:
>> >
>> >> -Original Message-----
>> >> From: Christopher Schultz 
>> >> Sent: Monday, May 24, 2021 1:56 PM
>> >> To: users@tomcat.apache.org
>> >> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
>> >> undetermined amount of time
>> >>
>> >> CAUTION: This email originated from outside of the organization. DO
>> >> NOT CLICK on links or open attachments unless you recognize the
>> >> sender and know the content is safe.
>> >>
>> >> Ezsra,
>> >>
>> >> On 5/24/21 10:30, Ezsra McDonald wrote:
>> >>> I am enabling SSL debugging this morning. I did catch this in the
>> >>> log for an instance that started erroring out this morning. Seems
>> >>> like it may be too generic to help solve my problem. Here it is:
>> >>>
>> >>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
>> >>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>> >>> java.lang.NullPointerException
>> >>> at
>> >>> org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
>> >>> Source)
>> >>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
>> >>> Source)
>> >>
>> >> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
>> >> sure how well BC will work with Tomcat. We don't officially support
>> >> that configuration, but that doesn't mean we won't try to help.
>> >
>> > This isn't a Tomcat issue but an interoperability issue between
>> BouncyCastle & OpenJDK.
>> >
>> > * https://github.com/bcgit/bc-java/issues/633
>> > * https://bugs.openjdk.java.net/browse/JDK-8216039
>>
>> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
>> something downstream will still fail...
>>
>> Just to add my 2 cents here:
>>
>> Per the problem posed in the very first email, we see the SSL/TLS issue
>> between Oracle JDK 8 and Tomcat 8.5.
>> Environment:
>> OS: CentOS 7
>> Apache: apache-tomcat-8.5.65
>> Java: jdk1.8.0_281
>>
>> Note that the following link talks about issues between OpenJDK 11 and
>> BC:
>> https://bugs.openjdk.java.net/browse/JDK-8216039
>>
>> This morning's suggestion (about changing from "sslProtocol" to
>> "protocols") from Christopher Schultz sounds promising, in that the
>> interaction between the browser clients and the Tomcat 8.5.x server will be
>> limited only to TLS1.2.
>> Making this change will preclude other old protocols, like TLS 1 and TLS
>> 11, in communication between the clients and the Tomcat server.
>> We will need tests after making the change to the "protocols" attribute in
>> the HTTPS connector block.
>> In the context of the above-mentioned change, we may not need any editing of
>> the "java.security" file contents (discussed last evening).
>>
>> Thanks,
>>  -Raghu
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>


Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-25 Thread Ezsra McDonald
Lots of good information was provided.

This afternoon I plan to test the "sslProtocol"  to "protocols" change in
our lower environments. I will reply back with any findings.

Thank you everyone for your responses.

regards,

-- Ez

On Tue, May 25, 2021 at 10:48 AM Mysore, Raghunath wrote:

> Hi Chris,
>
> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, May 25, 2021 9:10 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat SSL stops working after an undetermined amount of time
>
> Ronald,
>
> On 5/25/21 09:31, Roskens, Ronald wrote:
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Monday, May 24, 2021 1:56 PM
> >> To: users@tomcat.apache.org
> >> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an
> >> undetermined amount of time
> >>
> >> CAUTION: This email originated from outside of the organization. DO
> >> NOT CLICK on links or open attachments unless you recognize the
> >> sender and know the content is safe.
> >>
> >> Ezsra,
> >>
> >> On 5/24/21 10:30, Ezsra McDonald wrote:
> >>> I am enabling SSL debugging this morning. I did catch this in the
> >>> log for an instance that started erroring out this morning. Seems
> >>> like it may be too generic to help solve my problem. Here it is:
> >>>
> >>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> >>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> >>> java.lang.NullPointerException
> >>> at
> >>> org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> >>> Source)
> >>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
> >>> Source)
> >>
> >> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
> >> sure how well BC will work with Tomcat. We don't officially support
> >> that configuration, but that doesn't mean we won't try to help.
> >
> > This isn't a Tomcat issue but an interoperability issue between
> BouncyCastle & OpenJDK.
> >
> > * https://github.com/bcgit/bc-java/issues/633
> > * https://bugs.openjdk.java.net/browse/JDK-8216039
>
> Oh, great. Looks like a BC upgrade will fix the NPE. But possibly
> something downstream will still fail...
>
> Just to add my 2 cents here:
>
> Per the problem posed in the very first email, we see the SSL/TLS issue
> between Oracle JDK 8 and Tomcat 8.5.
> Environment:
> OS: CentOS 7
> Apache: apache-tomcat-8.5.65
> Java: jdk1.8.0_281
>
> Note that the following link talks about issues between OpenJDK 11 and
> BC:
> https://bugs.openjdk.java.net/browse/JDK-8216039
>
> This morning's suggestion (about changing from "sslProtocol" to
> "protocols") from Christopher Schultz sounds promising, in that the
> interaction between the browser clients and the Tomcat 8.5.x server will be
> limited only to TLS1.2.
> Making this change will preclude other old protocols, like TLS 1 and TLS 11,
> in communication between the clients and the Tomcat server.
> We will need tests after making the change to the "protocols" attribute in the
> HTTPS connector block.
> In the context of the above-mentioned change, we may not need any editing of
> the "java.security" file contents (discussed last evening).
>
> Thanks,
>  -Raghu
>
>
>
>


RE: Tomcat SSL stops working after an undetermined amount of time

2021-05-25 Thread Mysore, Raghunath
Hi Chris, 

-Original Message-
From: Christopher Schultz  
Sent: Tuesday, May 25, 2021 9:10 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Ronald,

On 5/25/21 09:31, Roskens, Ronald wrote:
> 
>> -Original Message-
>> From: Christopher Schultz 
>> Sent: Monday, May 24, 2021 1:56 PM
>> To: users@tomcat.apache.org
>> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an 
>> undetermined amount of time
>>
>> CAUTION: This email originated from outside of the organization. DO 
>> NOT CLICK on links or open attachments unless you recognize the 
>> sender and know the content is safe.
>>
>> Ezsra,
>>
>> On 5/24/21 10:30, Ezsra McDonald wrote:
>>> I am enabling SSL debugging this morning. I did catch this in the 
>>> log for an instance that started erroring out this morning. Seems 
>>> like it may be too generic to help solve my problem. Here it is:
>>>
>>> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] 
>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
>>> java.lang.NullPointerException
>>> at 
>>> org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
>>> Source)
>>> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
>>> Source)
>>
>> Oh. You are using BouncyCastle. I've never tried to do that. I'm not 
>> sure how well BC will work with Tomcat. We don't officially support 
>> that configuration, but that doesn't mean we won't try to help.
> 
> This isn't a Tomcat issue but an interoperability issue between BouncyCastle 
> & OpenJDK.
> 
> * https://github.com/bcgit/bc-java/issues/633
> * https://bugs.openjdk.java.net/browse/JDK-8216039

Oh, great. Looks like a BC upgrade will fix the NPE. But possibly something 
downstream will still fail...

Just to add my 2 cents here:

Per the problem posed in the very first email, we see the SSL/TLS issue between 
Oracle JDK 8 and Tomcat 8.5.
Environment:
OS: CentOS 7
Apache: apache-tomcat-8.5.65
Java: jdk1.8.0_281

Note that the following link talks about issues between OpenJDK 11 and BC:
https://bugs.openjdk.java.net/browse/JDK-8216039

This morning's suggestion (about changing from "sslProtocol" to "protocols") 
from Christopher Schultz sounds promising, in that the interaction between 
the browser clients and the Tomcat 8.5.x server will be limited only to TLS1.2.
Making this change will preclude other old protocols, like TLS 1 and TLS 11, 
in communication between the clients and the Tomcat server.
We will need tests after making the change to the "protocols" attribute in the 
HTTPS connector block.
In the context of the above-mentioned change, we may not need any editing of 
the "java.security" file contents (discussed last evening).

Thanks,
 -Raghu





Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-25 Thread Christopher Schultz

Ronald,

On 5/25/21 09:31, Roskens, Ronald wrote:



-Original Message-
From: Christopher Schultz 
Sent: Monday, May 24, 2021 1:56 PM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined
amount of time

CAUTION: This email originated from outside of the organization. DO NOT
CLICK on links or open attachments unless you recognize the sender and
know the content is safe.

Ezsra,

On 5/24/21 10:30, Ezsra McDonald wrote:

I am enabling SSL debugging this morning. I did catch this in the log
for an instance that started erroring out this morning. Seems like it
may be too generic to help solve my problem. Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.NullPointerException
at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
Source)
at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
Source)


Oh. You are using BouncyCastle. I've never tried to do that. I'm not
sure how well BC will work with Tomcat. We don't officially support that
configuration, but that doesn't mean we won't try to help.


This isn't a Tomcat issue but an interoperability issue between BouncyCastle & 
OpenJDK.

* https://github.com/bcgit/bc-java/issues/633
* https://bugs.openjdk.java.net/browse/JDK-8216039


Oh, great. Looks like a BC upgrade will fix the NPE. But possibly 
something downstream will still fail...


-chris




Re: [OT] Tomcat SSL stops working after an undetermined amount of time

2021-05-25 Thread Christopher Schultz

Ed,

On 5/24/21 16:25, Ed Rouse wrote:

This works for me. In server.xml:

 
 
 
 
 


If you really put your server's key into C:\Program
Files\Java\openjdk_1.8.0.242\jre\lib\security\cacerts you are making a
mistake IMHO. That file is supposed to contain the JVM's trust store.
You shouldn't be modifying it at all, let alone to put a private key
into it.

-chris


From: Ezsra McDonald 
Sent: Monday, May 24, 2021 4:10 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

[External email: Use caution! Do not open attachments or click on links from 
unknown senders or unexpected emails.]
Chris,

Thanks for your response.

These Tomcat servers are something I inherited. I do not know what this
bouncycastle.crypto is. If it is making my setup complicated how do I get
around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol?
What would you recommend I use instead? My end goal is to just enable
TLS/SSL on the connectors.

--Ez


On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:


Ezsra,

On 5/24/21 10:30, Ezsra McDonald wrote:

I am enabling SSL debugging this morning. I did catch this in the log for
an instance that started erroring out this morning. Seems like it may be
too generic to help solve my problem. Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.NullPointerException
at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
Source)
at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)


Oh. You are using BouncyCastle. I've never tried to do that. I'm not
sure how well BC will work with Tomcat. We don't officially support that
configuration, but that doesn't mean we won't try to help.

There will be a presentation at this year's ApacheCon @Home 2021 about
configuring Tomcat for FIPS and it will include how to configure Tomcat
with BC (including FIPS). Obviously, you don't want to wait around until
the conference to get things working, but perhaps the presenter is
lurking on the list ... ?

I don't have an email address for the presenter, so I can't give you a
reference. :/

-chris








Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-25 Thread Christopher Schultz

Ezsra,

On 5/24/21 11:18, Ezsra McDonald wrote:

I was unable to identify the issue with debug enabled. I started looking
closer at the error I was getting in the various browsers. Apparently the
SSL is working. The browsers are blocking it because the server is using
something other than TLSv1.2 or better. I was able to prove this using
Safari. When I enabled the older TLS options I was able to connect.


This is excellent information to have.

Tomcat (or BC) should not be throwing NPE under any circumstances, though.


The odd
thing is that I have the connector configured for TLSv1.2. So, that is
where I need to concentrate my efforts now. Why is tomcat not using the
TLSv1.2 protocol?

As a refresher, I have the following configured for the connector.



Aha. You are using "sslProtocol" which is, unfortunately, a nearly 
worthless configuration attribute and *always* causes confusion for 
anyone who has never had to deal with the JSSE TLS API.


The configuration attribute you really want to use is:

protocols="TLSv1.2"

The default is "all" which means 
"SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3", so all protocols should be 
enabled by default.



A SSLscan of the server port shows the following requests were accepted.
Some are TLSv1.2.

sslscan target.host.com:8080|grep Accepted
 Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
 Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
 Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
 Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
 Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
 Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
 Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
 Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
 Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
 Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
 Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
 Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
 Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
 Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
 Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
 Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
 Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
 Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
 Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
 Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA


Most browsers will ignore some subset of the above.

The only "safe" cipher suite listed above is ECDHE-RSA-AES128-GCM-SHA256 
and everyone should support *at least* that for the time being. Hmm.


-chris
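The sslscan output Chris reads above, run through a small policy check. This is an added example, not code from the thread or from Tomcat: SAMPLE_SCAN is constructed from the quoted "Accepted" lines, and the policy it applies (TLS 1.2 floor, forward-secret AEAD suites only) is an assumption of the example.

```python
"""Audit sslscan output against a minimum-protocol / AEAD policy.

Added example, not code from the thread. It parses the "Accepted" lines
sslscan prints (SAMPLE_SCAN is constructed from the scan quoted in the
thread) and reports which protocol versions older than the policy floor
the server still accepted, and which suites at or above the floor are not
forward-secret AEAD suites. The policy (TLS 1.2 floor, AEAD plus ECDHE/DHE)
is an assumption of this example, not something the thread prescribes.
"""
import re
from dataclasses import dataclass

# Protocol labels exactly as sslscan prints them, weakest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLS11", "TLS12", "TLS13"]

# Matches lines such as " Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256".
ACCEPTED_RE = re.compile(
    r"^\s*Accepted\s+(?P<proto>\S+)\s+(?P<bits>\d+)\s+bits\s+(?P<suite>\S+)"
)

# Constructed sample: the "Accepted" lines of the scan quoted in the thread.
SAMPLE_SCAN = """\
 Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
 Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
 Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
 Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
 Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
 Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
 Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
 Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
 Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
 Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
 Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
 Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
 Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
 Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
 Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
 Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
 Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
 Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
 Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
 Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA
"""


@dataclass(frozen=True)
class Accepted:
    protocol: str
    bits: int
    suite: str

    @property
    def aead(self):
        # GCM and CHACHA20-POLY1305 are the AEAD constructions in TLS 1.2 suite names.
        return "GCM" in self.suite or "CHACHA20" in self.suite

    @property
    def forward_secret(self):
        # Ephemeral (EC)DH key exchange; static-RSA suites carry no DHE prefix.
        return self.suite.startswith(("ECDHE-", "DHE-"))


def _rank(protocol):
    """Position in PROTOCOL_ORDER; an unknown label ranks as weakest."""
    return PROTOCOL_ORDER.index(protocol) if protocol in PROTOCOL_ORDER else -1


def parse_accepted(output):
    """One Accepted record per 'Accepted ...' line; other lines are ignored."""
    matches = (ACCEPTED_RE.match(line) for line in output.splitlines())
    return [Accepted(m["proto"], int(m["bits"]), m["suite"]) for m in matches if m]


def protocols_below_floor(records, min_protocol="TLS12"):
    """Protocol versions the server accepted that are older than min_protocol."""
    floor = _rank(min_protocol)
    return sorted({r.protocol for r in records if _rank(r.protocol) < floor}, key=_rank)


def weak_suites_at_floor(records, min_protocol="TLS12"):
    """Suites at or above the floor that are not forward-secret AEAD suites."""
    floor = _rank(min_protocol)
    return [r.suite for r in records
            if _rank(r.protocol) >= floor and not (r.aead and r.forward_secret)]


def audit(output, min_protocol="TLS12"):
    """Summarise a scan; compliant means nothing below the floor and no weak suites."""
    records = parse_accepted(output)
    below = protocols_below_floor(records, min_protocol)
    weak = weak_suites_at_floor(records, min_protocol)
    return {
        "accepted_lines": len(records),
        "protocols_below_floor": below,
        "weak_suites": weak,
        "compliant": bool(records) and not below and not weak,
    }
```

On the quoted scan the check reports TLSv1 and TLS11 below the floor and eight non-AEAD TLS12 suites, which is the same picture Chris draws by eye.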




Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-25 Thread Roskens, Ronald

> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, May 24, 2021 1:56 PM
> To: users@tomcat.apache.org
> Subject: [EXTERNAL] Re: Tomcat SSL stops working after an undetermined
> amount of time
> 
> CAUTION: This email originated from outside of the organization. DO NOT
> CLICK on links or open attachments unless you recognize the sender and
> know the content is safe.
> 
> Ezsra,
> 
> On 5/24/21 10:30, Ezsra McDonald wrote:
> > I am enabling SSL debugging this morning. I did catch this in the log
> > for an instance that started erroring out this morning. Seems like it
> > may be too generic to help solve my problem. Here it is:
> >
> > 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> > java.lang.NullPointerException
> > at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> > Source)
> > at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown
> > Source)
> 
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
> sure how well BC will work with Tomcat. We don't officially support that
> configuration, but that doesn't mean we won't try to help.

This isn't a Tomcat issue but an interoperability issue between BouncyCastle & 
OpenJDK.

* https://github.com/bcgit/bc-java/issues/633
* https://bugs.openjdk.java.net/browse/JDK-8216039

Ron



RE: Tomcat SSL stops working after an undetermined amount of time

2021-05-24 Thread Mysore, Raghunath
Hi Ezsra,
This is an answer to your query: "Why is Tomcat not using the TLSv1.2 protocol?"
I assume you are using Oracle JDK v8u281.
You may want to review the following line in the file /jre/lib/security/java.security:
jdk.tls.disabledAlgorithms=??
The following old SSL versions are listed here.
Examples: SSLv3, TLSv1, TLSv1.1 etc.
This, in my opinion, will ensure Tomcat will honor the TLS1.2 protocol (by 
eliminating the others).
Also, are you observing that the Safari browser is giving a good response, while 
Chrome is causing the SSL issue?

Hope this helps,
-Raghu

-Original Message-
From: Ed Rouse  
Sent: Monday, May 24, 2021 2:26 PM
To: Tomcat Users List 
Subject: RE: Tomcat SSL stops working after an undetermined amount of time

This works for me. In server.xml:









From: Ezsra McDonald 
Sent: Monday, May 24, 2021 4:10 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

[External email: Use caution! Do not open attachments or click on links from 
unknown senders or unexpected emails.]

Chris,

Thanks for your response.

These Tomcat servers are something I inherited. I do not know what this 
bouncycastle.crypto is. If it is making my setup complicated how do I get 
around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol?
What would you recommend I use instead? My end goal is to just enable TLS/SSL 
on the connectors.

--Ez


On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
> > I am enabling SSL debugging this morning. I did catch this in the 
> > log for an instance that started erroring out this morning. Seems 
> > like it may be too generic to help solve my problem. Here it is:
> >
> > 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] 
> > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> > java.lang.NullPointerException
> > at 
> > org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> > Source)
> > at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown 
> > Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not 
> sure how well BC will work with Tomcat. We don't officially support 
> that configuration, but that doesn't mean we won't try to help.
>
> There will be a presentation at this year's ApacheCon @Home 2021 about 
> configuring Tomcat for FIPS and it will include how to configure 
> Tomcat with BC (including FIPS). Obviously, you don't want to wait 
> around until the conference to get things working, but perhaps the 
> presenter is lurking on the list ... ?
>
> I don't have an email address for the presenter, so I can't give you a 
> reference. :/
>
> -chris
>
>
>
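Raghu's suggestion above is to inspect jdk.tls.disabledAlgorithms in java.security; the thread also asks whether BouncyCastle is registered as a provider. As an added example (not code from the thread or from the JDK), the following parses the java.security properties syntax, including the backslash line continuations the real file uses, and reports both settings. SAMPLE_JAVA_SECURITY is a constructed sample, not copied from any JDK release.

```python
"""Inspect a java.security file for the settings discussed in the thread.

Added example, not code from the thread. It parses the JDK's java.security
properties file (handling '#' comments and the backslash line continuations
the real file uses for jdk.tls.disabledAlgorithms), reports which TLS
protocol versions are disabled and which security providers are registered,
and builds the disabledAlgorithms value that would also disable TLSv1 and
TLSv1.1. SAMPLE_JAVA_SECURITY is constructed for this demo; its provider
list and algorithm list are not copied from any JDK release.
"""
import re

# Constructed sample in the real file's syntax (comments, key=value, '\' continuation).
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (constructed sample)
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)$")
TLS_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def parse_java_security(text):
    """Parse key=value lines; a trailing backslash joins the next (left-trimmed) line."""
    props = {}
    pending = None
    for raw in text.splitlines():
        # Continuation lines lose their leading whitespace, as java.util.Properties does.
        line = raw.strip() if pending is not None else raw.rstrip()
        if pending is None and (not line or line.lstrip().startswith(("#", "!"))):
            continue
        if line.endswith("\\"):
            pending = (pending or "") + line[:-1]
            continue
        logical, pending = (pending or "") + line, None
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props):
    """The comma-separated jdk.tls.disabledAlgorithms entries, trimmed."""
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def protocol_status(props, protocols=TLS_PROTOCOLS):
    """Map each protocol name to True when it is listed as disabled."""
    disabled = set(disabled_algorithms(props))
    return {p: p in disabled for p in protocols}


def registered_providers(props):
    """Provider classes in security.provider.N order (N sorted numerically)."""
    found = []
    for key, value in props.items():
        m = PROVIDER_RE.match(key)
        if m:
            found.append((int(m.group(1)), value))
    return [cls for _, cls in sorted(found)]


def bouncycastle_registered(props):
    """True when any registered provider class lives in the org.bouncycastle package."""
    return any(cls.startswith("org.bouncycastle.") for cls in registered_providers(props))


def with_protocols_disabled(props, protocols=("TLSv1", "TLSv1.1")):
    """New jdk.tls.disabledAlgorithms value with the given protocols appended once."""
    entries = disabled_algorithms(props)
    for p in protocols:
        if p not in entries:
            entries.append(p)
    return ", ".join(entries)
```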


RE: Tomcat SSL stops working after an undetermined amount of time

2021-05-24 Thread Ed Rouse
This works for me. In server.xml:









From: Ezsra McDonald 
Sent: Monday, May 24, 2021 4:10 PM
To: Tomcat Users List 
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

[External email: Use caution! Do not open attachments or click on links from 
unknown senders or unexpected emails.]
Chris,

Thanks for your response.

These Tomcat servers are something I inherited. I do not know what this
bouncycastle.crypto is. If it is making my setup complicated how do I get
around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol?
What would you recommend I use instead? My end goal is to just enable
TLS/SSL on the connectors.

--Ez


On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
> > I am enabling SSL debugging this morning. I did catch this in the log for
> > an instance that started erroring out this morning. Seems like it may be
> > too generic to help solve my problem. Here it is:
> >
> > 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> > java.lang.NullPointerException
> > at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> > Source)
> > at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
> sure how well BC will work with Tomcat. We don't officially support that
> configuration, but that doesn't mean we won't try to help.
>
> There will be a presentation at this year's ApacheCon @Home 2021 about
> configuring Tomcat for FIPS and it will include how to configure Tomcat
> with BC (including FIPS). Obviously, you don't want to wait around until
> the conference to get things working, but perhaps the presenter is
> lurking on the list ... ?
>
> I don't have an email address for the presenter, so I can't give you a
> reference. :/
>
> -chris
>
>
>


Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-24 Thread Ezsra McDonald
Chris,

Thanks for your response.

These Tomcat servers are something I inherited. I do not know what this
bouncycastle.crypto is. If it is making my setup complicated how do I get
around it?  Is it part of the org.apache.coyote.http11.Http11NioProtocol?
What would you recommend I use instead? My end goal is to just enable
TLS/SSL on the connectors.

--Ez


On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ezsra,
>
> On 5/24/21 10:30, Ezsra McDonald wrote:
> > I am enabling SSL debugging this morning. I did catch this in the log for
> > an instance that started erroring out this morning. Seems like it may be
> > too generic to help solve my problem. Here it is:
> >
> > 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> > java.lang.NullPointerException
> > at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> > Source)
> > at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
>
> Oh. You are using BouncyCastle. I've never tried to do that. I'm not
> sure how well BC will work with Tomcat. We don't officially support that
> configuration, but that doesn't mean we won't try to help.
>
> There will be a presentation at this year's ApacheCon @Home 2021 about
> configuring Tomcat for FIPS and it will include how to configure Tomcat
> with BC (including FIPS). Obviously, you don't want to wait around until
> the conference to get things working, but perhaps the presenter is
> lurking on the list ... ?
>
> I don't have an email address for the presenter, so I can't give you a
> reference. :/
>
> -chris
>
>
>
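Added diagnostic, mine rather than code from this thread, from Tomcat or from BouncyCastle: the stack trace above shows SunJSSE's TLS 1.3 CertificateVerify producer calling Signature.sign() and landing in org.bouncycastle.jce.provider.JDKPSSSigner, which means a BouncyCastle provider has been registered ahead of the JDK's own SunRsaSign for RSASSA-PSS (either in java.security or by an application calling Security.insertProviderAt at startup, which would explain why the connector works until a particular application has loaded). The class below assumes only the standard JCA API (JDK 8u261 or later, where RSASSA-PSS exists in SunRsaSign): it prints the provider order, reports which provider Signature.getInstance("RSASSA-PSS") resolves to, and runs one sign/verify with the rsa_pss_rsae_sha256 parameters SunJSSE uses, so it can be run inside the same JVM (for example from a small servlet) before and after the suspect application has started.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.ArrayList;
import java.util.List;

/**
 * Added diagnostic (not from the thread, Tomcat or BouncyCastle): reports which
 * JCA provider serves RSASSA-PSS and exercises the same signing path that
 * SunJSSE uses for the TLS 1.3 CertificateVerify message.
 */
public class PssProviderCheck {

    /** Provider names in lookup order; "BC" ahead of "SunRsaSign" is the red flag. */
    static List<String> providerOrder() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** Name of the provider that Signature.getInstance("RSASSA-PSS") resolves to. */
    static String pssProvider() throws Exception {
        return Signature.getInstance("RSASSA-PSS").getProvider().getName();
    }

    /**
     * Sign and verify with the parameters SunJSSE sets for rsa_pss_rsae_sha256
     * (SHA-256, MGF1 with SHA-256, 32-byte salt, trailer field 1). A provider
     * that mishandles setParameter here is the one that fails the handshake.
     */
    static boolean pssRoundTrip() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PSSParameterSpec spec =
                new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
        // Constructed test input; the content is irrelevant to the check.
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("RSASSA-PSS");
        signer.setParameter(spec);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("RSASSA-PSS");
        verifier.setParameter(spec);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("provider order:       " + providerOrder());
        System.out.println("RSASSA-PSS served by: " + pssProvider());
        System.out.println("PSS sign/verify OK:   " + pssRoundTrip());
    }
}
```

On an unmodified JDK 8u281 the second line should name SunRsaSign. If it names BC once the application has loaded, that provider is the one signing every TLS 1.3 CertificateVerify on the connector, and the round trip (or a NullPointerException from it) reproduces the failure without waiting for a browser to hit the server.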


Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-24 Thread Christopher Schultz

Ezsra,

On 5/24/21 10:30, Ezsra McDonald wrote:
> I am enabling SSL debugging this morning. I did catch this in the log for
> an instance that started erroring out this morning. Seems like it may be
> too generic to help solve my problem. Here it is:
>
> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.NullPointerException
> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> Source)
> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)


Oh. You are using BouncyCastle. I've never tried to do that. I'm not 
sure how well BC will work with Tomcat. We don't officially support that 
configuration, but that doesn't mean we won't try to help.


There will be a presentation at this year's ApacheCon @Home 2021 about 
configuring Tomcat for FIPS and it will include how to configure Tomcat 
with BC (including FIPS). Obviously, you don't want to wait around until 
the conference to get things working, but perhaps the presenter is 
lurking on the list ... ?


I don't have an email address for the presenter, so I can't give you a 
reference. :/


-chris




Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-24 Thread Ezsra McDonald
I was unable to identify the issue with debug enabled. I started looking
closer at the error I was getting in the various browsers. Apparently the
SSL is working. The browsers are blocking it because the server is using
something other than TLSv1.2 or better. I was able to prove this using
Safari. When I enabled the older TLS options I was able to connect. The odd
thing is that I have the connector configured for TLSv1.2. So, that is
where I need to concentrate my efforts now. Why is tomcat not using the
TLSv1.2 protocol?

As a refresher, I have the following configured for the connector.


An sslscan of the server port shows the following requests were accepted.
Some are TLSv1.2.

sslscan target.host.com:8080|grep Accepted
Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA

--Ez

On Mon, May 24, 2021 at 9:30 AM Ezsra McDonald 
wrote:

> I am enabling SSL debugging this morning. I did catch this in the log for
> an instance that started erroring out this morning. Seems like it may be
> too generic to help solve my problem. Here it is:
>
> 24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
> java.lang.NullPointerException
> at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
> Source)
> at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
> at java.security.Signature$Delegate.engineSign(Signature.java:1382)
> at java.security.Signature.sign(Signature.java:698)
> at
> sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.(CertificateVerify.java:931)
> at
> sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.onProduceCertificateVerify(CertificateVerify.java:1105)
> at
> sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.produce(CertificateVerify.java:1098)
> at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:420)
> at
> sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1096)
> at
> sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1032)
> at
> sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
> at
> sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:683)
> at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
> at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
> at
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
> at
> sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
> at
> org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:432)
> at
> org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:496)
> at
> org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:237)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1611)
> at
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
>
>
> I will let you know what I find in the debug. It may be a while because
> the instance works fine initially.
>
> -- Ez
>
>
> On Thu, May 20, 2021 at 10:55 AM 
> wrote:
>
>> It's "ssl,handshake."
>>
>>
>> > -Original Message-
>> > From: Ezsra McDonald 
>&
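On the protocol question above, an added note and example of my own, not from the thread or from Tomcat: the connector's sslProtocol attribute is handed to SSLContext.getInstance(), and a "TLSv1.2" context on JDK 8 builds before 8u291 (which was the first to disable TLS 1.0 and 1.1 in java.security) still enables TLSv1 and TLSv1.1 on the server side by default, which is exactly what the sslscan output shows. The attribute that restricts the negotiated versions on a Tomcat 8.5 connector is sslEnabledProtocols="TLSv1.2" (or protocols="TLSv1.2" on an SSLHostConfig element). The class below assumes only the JSSE API and shows, for a given context protocol string, what the JVM enables in server mode and which of those versions are below TLS 1.2:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added check (not Tomcat's code): what a JSSE SSLContext created for a given
 * protocol string enables on the server side. Tomcat's sslProtocol attribute
 * becomes the argument to SSLContext.getInstance(), so this mirrors it.
 */
public class EnabledProtocolCheck {

    /** Versions below TLS 1.2; any of these in the enabled list is a finding. */
    static final List<String> LEGACY = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");

    /** Server-side enabled protocols for SSLContext.getInstance(contextProtocol). */
    static List<String> serverEnabledProtocols(String contextProtocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextProtocol);
        // Default key and trust managers are enough to inspect the defaults.
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // Tomcat is the server side
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /** Subset of the enabled list that is below TLS 1.2. */
    static List<String> legacyEnabled(List<String> enabled) {
        List<String> found = new ArrayList<>();
        for (String p : enabled) {
            if (LEGACY.contains(p)) {
                found.add(p);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // "TLSv1.2" is what the connector in this thread sets; "TLS" is Tomcat's default.
        for (String proto : new String[] {"TLSv1.2", "TLS"}) {
            List<String> enabled = serverEnabledProtocols(proto);
            System.out.println("SSLContext \"" + proto + "\" enables " + enabled
                    + "; below TLS 1.2: " + legacyEnabled(enabled));
        }
    }
}
```

Run it with the same JVM Tomcat uses (the java.security of that JVM, not the one on your PATH, decides what is enabled). When the second list is non-empty for "TLSv1.2", the connector attribute, not the context protocol, is where the restriction has to go.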

Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-24 Thread Ezsra McDonald
I am enabling SSL debugging this morning. I did catch this in the log for
an instance that started erroring out this morning. Seems like it may be
too generic to help solve my problem. Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51]
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.NullPointerException
at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown
Source)
at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)
at java.security.Signature$Delegate.engineSign(Signature.java:1382)
at java.security.Signature.sign(Signature.java:698)
at
sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.(CertificateVerify.java:931)
at
sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.onProduceCertificateVerify(CertificateVerify.java:1105)
at
sun.security.ssl.CertificateVerify$T13CertificateVerifyProducer.produce(CertificateVerify.java:1098)
at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:420)
at
sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1096)
at
sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1032)
at
sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:716)
at
sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:683)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
at
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
at
org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:432)
at
org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:496)
at
org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:237)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1611)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)


I will let you know what I find in the debug. It may be a while because the
instance works fine initially.

-- Ez


On Thu, May 20, 2021 at 10:55 AM 
wrote:

> It's "ssl,handshake."
>
>
> > -Original Message-
> > From: Ezsra McDonald 
> > Sent: Thursday, May 20, 2021 10:43 AM
> > To: Tomcat Users List 
> > Subject: Re: Tomcat SSL stops working after an undetermined amount of
> > time
> >
> > Mark,
> >
> > Thanks for your response.
> >
> > I did not see anything in the logs. This morning I added '
> > -Djava.net.debug=handshake' to my configuration. I did not see any SSL
> > debug information in my logs. Perhaps I did this wrong or need to use a
> > different argument?
> >
> > I expected the debug to be in the access log. Should I be looking
> elsewhere?
> > I also checked other logs that had timestamps for after the instance was
> > restarted.
> >
> > -- Ez
> >
> > On Thu, May 20, 2021 at 3:05 AM Mark Thomas  wrote:
> >
> > > On 19/05/2021 20:42, Ezsra McDonald wrote:
> > > > Environment:
> > > > OS: CentOS 7
> > > > Apache: apache-tomcat-8.5.65
> > > > Java: jdk1.8.0_281
> > > >
> > > > Greetings,
> > > >
> > > > I recently enabled SSL on my Tomcat server HTTP connectors.
> > > > Something odd is happening. After some undetermined amount of time
> > > > the connector stops responding appropriately to requests. My browser
> > > > returns the following
> > > > message:
> > > >
> > > > "An error occurred during a connection to target.host.com:8080. SSL
> > > > received a malformed Alert record.
> > > >
> > > > Error code: SSL_ERROR_RX_MALFORMED_ALERT "
> > > > I do not see anything in the logs to clue me in on what is happening.
> > > >
> > > > I have the following configured for the connector.
> > > > <Connector port="${http.port}"
> > > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > > maxThreads="50" enableLookups="false" acceptCount="100"
> > > > serv

RE: Tomcat SSL stops working after an undetermined amount of time

2021-05-20 Thread John.E.Gregg
It's "ssl,handshake."


> -Original Message-
> From: Ezsra McDonald 
> Sent: Thursday, May 20, 2021 10:43 AM
> To: Tomcat Users List 
> Subject: Re: Tomcat SSL stops working after an undetermined amount of
> time
> 
> Mark,
> 
> Thanks for your response.
> 
> I did not see anything in the logs. This morning I added '
> -Djava.net.debug=handshake' to my configuration. I did not see any SSL
> debug information in my logs. Perhaps I did this wrong or need to use a
> different argument?
> 
> I expected the debug to be in the access log. Should I be looking elsewhere?
> I also checked other logs that had timestamps for after the instance was
> restarted.
> 
> -- Ez
> 
> On Thu, May 20, 2021 at 3:05 AM Mark Thomas  wrote:
> 
> > On 19/05/2021 20:42, Ezsra McDonald wrote:
> > > Environment:
> > > OS: CentOS 7
> > > Apache: apache-tomcat-8.5.65
> > > Java: jdk1.8.0_281
> > >
> > > Greetings,
> > >
> > > I recently enabled SSL on my Tomcat server HTTP connectors.
> > > Something odd is happening. After some undetermined amount of time
> > > the connector stops responding appropriately to requests. My browser
> > > returns the following
> > > message:
> > >
> > > "An error occurred during a connection to target.host.com:8080. SSL
> > > received a malformed Alert record.
> > >
> > > Error code: SSL_ERROR_RX_MALFORMED_ALERT "
> > > I do not see anything in the logs to clue me in on what is happening.
> > >
> > > I have the following configured for the connector.
> > > <Connector port="${http.port}"
> > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > maxThreads="50" enableLookups="false" acceptCount="100"
> > > server="Apache"
> > > SSLEnabled="true" scheme="https" secure="true"
> > > clientAuth="false" sslProtocol="TLSv1.2"
> > > keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
> > > keyAlias="tomcat"
> > > keystorePass="**"
> > > connectionTimeout="2"/>
> > >
> > > When I restart the instance everything works fine for a while.
> > > Later,
> > when
> > > I try to look at the tomcat manager, SSL is no longer functioning
> > properly.
> > >
> > > Any assistance would be appreciated.
> >
> > Anything in the access logs?
> >
> > Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot
> > of data but you'll be able to see exactly what is happening.
> >
> > Mark
> >
> >
> >




Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-20 Thread Mark Thomas

On 20/05/2021 16:42, Ezsra McDonald wrote:
> Mark,
>
> Thanks for your response.
>
> I did not see anything in the logs. This morning I added '
> -Djava.net.debug=handshake' to my configuration. I did not see any SSL
> debug information in my logs. Perhaps I did this wrong or need to use a
> different argument?

Try:

-Djavax.net.debug=handshake

Mark

> I expected the debug to be in the access log. Should I be looking
> elsewhere? I also checked other logs that had timestamps for after the
> instance was restarted.
>
> -- Ez
>
> On Thu, May 20, 2021 at 3:05 AM Mark Thomas  wrote:
>
> > On 19/05/2021 20:42, Ezsra McDonald wrote:
> > > Environment:
> > > OS: CentOS 7
> > > Apache: apache-tomcat-8.5.65
> > > Java: jdk1.8.0_281
> > >
> > > Greetings,
> > >
> > > I recently enabled SSL on my Tomcat server HTTP connectors. Something odd
> > > is happening. After some undetermined amount of time the connector stops
> > > responding appropriately to requests. My browser returns the following
> > > message:
> > >
> > > "An error occurred during a connection to target.host.com:8080. SSL
> > > received a malformed Alert record.
> > >
> > > Error code: SSL_ERROR_RX_MALFORMED_ALERT
> > > "
> > > I do not see anything in the logs to clue me in on what is happening.
> > >
> > > I have the following configured for the connector.
> > >
> > > When I restart the instance everything works fine for a while. Later,
> > when
> > > I try to look at the tomcat manager, SSL is no longer functioning
> > properly.
> > >
> > > Any assistance would be appreciated.
> >
> > Anything in the access logs?
> >
> > Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot of
> > data but you'll be able to see exactly what is happening.
> >
> > Mark




Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-20 Thread Ezsra McDonald
Mark,

Thanks for your response.

I did not see anything in the logs. This morning I added '
-Djava.net.debug=handshake' to my configuration. I did not see any SSL
debug information in my logs. Perhaps I did this wrong or need to use a
different argument?

I expected the debug to be in the access log. Should I be looking
elsewhere? I also checked other logs that had timestamps for after the
instance was restarted.

-- Ez

On Thu, May 20, 2021 at 3:05 AM Mark Thomas  wrote:

> On 19/05/2021 20:42, Ezsra McDonald wrote:
> > Environment:
> > OS: CentOS 7
> > Apache: apache-tomcat-8.5.65
> > Java: jdk1.8.0_281
> >
> > Greetings,
> >
> > I recently enabled SSL on my Tomcat server HTTP connectors. Something odd
> > is happening. After some undetermined amount of time the connector stops
> > responding appropriately to requests. My browser returns the following
> > message:
> >
> > "An error occurred during a connection to target.host.com:8080. SSL
> > received a malformed Alert record.
> >
> > Error code: SSL_ERROR_RX_MALFORMED_ALERT
> > "
> > I do not see anything in the logs to clue me in on what is happening.
> >
> > I have the following configured for the connector.
> > <Connector port="${http.port}"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="50" enableLookups="false" acceptCount="100"
> > server="Apache"
> > SSLEnabled="true" scheme="https" secure="true"
> > clientAuth="false" sslProtocol="TLSv1.2"
> > keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
> > keyAlias="tomcat"
> > keystorePass="**"
> > connectionTimeout="2"/>
> >
> > When I restart the instance everything works fine for a while. Later,
> when
> > I try to look at the tomcat manager, SSL is no longer functioning
> properly.
> >
> > Any assistance would be appreciated.
>
> Anything in the access logs?
>
> Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot of
> data but you'll be able to see exactly what is happening.
>
> Mark
>
>
>


Re: Tomcat SSL stops working after an undetermined amount of time

2021-05-20 Thread Mark Thomas

On 19/05/2021 20:42, Ezsra McDonald wrote:
> Environment:
> OS: CentOS 7
> Apache: apache-tomcat-8.5.65
> Java: jdk1.8.0_281
>
> Greetings,
>
> I recently enabled SSL on my Tomcat server HTTP connectors. Something odd
> is happening. After some undetermined amount of time the connector stops
> responding appropriately to requests. My browser returns the following
> message:
>
> "An error occurred during a connection to target.host.com:8080. SSL
> received a malformed Alert record.
>
> Error code: SSL_ERROR_RX_MALFORMED_ALERT
> "
> I do not see anything in the logs to clue me in on what is happening.
>
> I have the following configured for the connector.
>
> When I restart the instance everything works fine for a while. Later, when
> I try to look at the tomcat manager, SSL is no longer functioning properly.
>
> Any assistance would be appreciated.


Anything in the access logs?

Enable TLS debug logging in the JVM Tomcat is using. You'll get a lot of 
data but you'll be able to see exactly what is happening.


Mark




Tomcat SSL stops working after an undetermined amount of time

2021-05-19 Thread Ezsra McDonald
Environment:
OS: CentOS 7
Apache: apache-tomcat-8.5.65
Java: jdk1.8.0_281

Greetings,

I recently enabled SSL on my Tomcat server HTTP connectors. Something odd
is happening. After some undetermined amount of time the connector stops
responding appropriately to requests. My browser returns the following
message:

"An error occurred during a connection to target.host.com:8080. SSL
received a malformed Alert record.

Error code: SSL_ERROR_RX_MALFORMED_ALERT
"
I do not see anything in the logs to clue me in on what is happening.

I have the following configured for the connector.


When I restart the instance everything works fine for a while. Later, when
I try to look at the tomcat manager, SSL is no longer functioning properly.

Any assistance would be appreciated.

regards,


-- Ez


Re: Upgraded to 8.5.63, ssl stopped working...?

2021-02-12 Thread Jim Weill
This was the fix.  Thank you!

jim

On Thu, Feb 11, 2021 at 11:17 PM Mark Thomas  wrote:

> Check the user the Tomcat service is running as. This changed from Local
> System (essentially an admin account) to the less privileged Local Service.
>
> Mark
>
>
>


Re: Upgraded to 8.5.63, ssl stopped working...?

2021-02-12 Thread Rémy Maucherat
On Fri, Feb 12, 2021 at 8:17 AM Mark Thomas  wrote:

> On February 11, 2021 11:01:27 PM UTC, Jim Weill 
> wrote:
> >Yes, the file is there and readable.  The NTFS permissions have only
> >the
> >built-in SYSTEM, CREATOR OWNER, and domain administrators group as
> >having
> >any kind of access to the folder.  This was working before I started
> >upgrading.  The last modified date is 2017 on that file.
>
> Check the user the Tomcat service is running as. This changed from Local
> System (essentially an admin account) to the less privileged Local Service.
>

I think the problem which messes up everything is a supposed non absolute
URI. I don't remember why this is legitimate, but it probably is, and that
means the error messages are microsoftian. I improved them.

Rémy


> Mark
>
>
> >
> >jim
> >
> >On Thu, Feb 11, 2021 at 2:17 PM Rémy Maucherat  wrote:
> >
> >> On Thu, Feb 11, 2021 at 10:33 PM Jim Weill
> >
> >> wrote:
> >>
> >> > Sorry, I should have posted it yesterday.  This was the only thing
> >I
> >> could
> >> > find that had anything like an error in the stderr log:
> >> >
> >> > 10-Feb-2021 17:34:09.930 SEVERE [main]
> >> > org.apache.catalina.core.StandardService.initInternal Failed to
> >> initialize
> >> > connector [Connector[HTTP/1.1-8443]]
> >> > org.apache.catalina.LifecycleException: Protocol handler
> >initialization
> >> > failed
> >> > at
> >> >
> >org.apache.catalina.connector.Connector.initInternal(Connector.java:1077)
> >> > at
> >org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >> > at
> >> >
> >> >
> >>
>
> >org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
> >> > at
> >org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >> > at
> >> >
> >> >
> >>
>
> >org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:846)
> >> > at
> >org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >> > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> >> > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
> >> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >> > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >> > at java.lang.reflect.Method.invoke(Unknown Source)
> >> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
> >> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
> >> > Caused by: java.lang.IllegalArgumentException: Illegal character in
> >> opaque
> >> > part at index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
> >> > at
> >> > org.apache.tomcat.util.net
> >> >
> >.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
> >> > at
> >> > org.apache.tomcat.util.net
> >> > .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
> >> > at
> >org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:247)
> >> > at
> >> > org.apache.tomcat.util.net
> >> > .AbstractEndpoint.init(AbstractEndpoint.java:1143)
> >> > at
> >> > org.apache.tomcat.util.net
> >> > .AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
> >> > at
> >org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
> >> > at
> >> >
> >> >
> >>
>
> >org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
> >> > at
> >> >
> >org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
> >> > ... 13 more
> >> > Caused by: java.lang.IllegalArgumentException: Illegal character in
> >> opaque
> >> > part at index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
> >> > at java.net.URI.create(Unknown Source)
> >> > at java.net.URI.resolve(Unknown Source)
> >> > at
> >> >
> >> >
> >>
>
> >org.apache.tomcat.util.file.ConfigFileLoader.getURI(ConfigFileLoader.java:105)
> >> > at
> >> >
> >> >
> >>
>
> >org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:88)
> >> > at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:98)
> >> > at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:90)
> >> > at
> >> > org.apache.tomcat.util.net
> >> > .SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
> >> > at
> >> > org.apache.tomcat.util.net
> >> > .SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
> >> > at
> >> > org.apache.tomcat.util.net
> >> >
> >.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
> >> > ... 20 more
> >> > Caused by: java.net.URISyntaxException: Illegal character in opaque
> >part
> >> at
> >> > index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
> >> > at java.net.URI$Parser.fail(Unknown Source)
> >> > at java.net.URI$Parser.checkChars(Unknown Source)
> >> > at java.net.URI$Parser.parse(Unknown Source)
> >> > at java.net.URI.(Unknown Source)
> >> > ... 29 more
> >> > 10-Feb-2021 17:34:09.930 INFO [main]
> >> > org.apache.coyote.AbstractProtocol.init Initializing
> >ProtocolHandler
> >> > ["ajp-nio-127.0.0.1-8009"]
> >> > 10-Feb-2021 17:34:09.930 INFO [main]
> >> > 

Re: Upgraded to 8.5.63, ssl stopped working...?

2021-02-11 Thread Mark Thomas
On February 11, 2021 11:01:27 PM UTC, Jim Weill  
wrote:
>Yes, the file is there and readable.  The NTFS permissions have only
>the
>built-in SYSTEM, CREATOR OWNER, and domain administrators group as
>having
>any kind of access to the folder.  This was working before I started
>upgrading.  The last modified date is 2017 on that file.

Check the user the Tomcat service is running as. This changed from Local System 
(essentially an admin account) to the less privileged Local Service.

Mark


>
>jim
>
>On Thu, Feb 11, 2021 at 2:17 PM Rémy Maucherat  wrote:
>
>> On Thu, Feb 11, 2021 at 10:33 PM Jim Weill
>
>> wrote:
>>
>> > Sorry, I should have posted it yesterday.  This was the only thing
>I
>> could
>> > find that had anything like an error in the stderr log:
>> >
>> > 10-Feb-2021 17:34:09.930 SEVERE [main]
>> > org.apache.catalina.core.StandardService.initInternal Failed to
>> initialize
>> > connector [Connector[HTTP/1.1-8443]]
>> > org.apache.catalina.LifecycleException: Protocol handler
>initialization
>> > failed
>> > at
>> >
>org.apache.catalina.connector.Connector.initInternal(Connector.java:1077)
>> > at
>org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> > at
>> >
>> >
>>
>org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
>> > at
>org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> > at
>> >
>> >
>>
>org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:846)
>> > at
>org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
>> > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>> > at java.lang.reflect.Method.invoke(Unknown Source)
>> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
>> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
>> > Caused by: java.lang.IllegalArgumentException: Illegal character in
>> opaque
>> > part at index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
>> > at
>> > org.apache.tomcat.util.net
>> >
>.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
>> > at
>> > org.apache.tomcat.util.net
>> > .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
>> > at
>org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:247)
>> > at
>> > org.apache.tomcat.util.net
>> > .AbstractEndpoint.init(AbstractEndpoint.java:1143)
>> > at
>> > org.apache.tomcat.util.net
>> > .AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
>> > at
>org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
>> > at
>> >
>> >
>>
>org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
>> > at
>> >
>org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
>> > ... 13 more
>> > Caused by: java.lang.IllegalArgumentException: Illegal character in
>> opaque
>> > part at index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
>> > at java.net.URI.create(Unknown Source)
>> > at java.net.URI.resolve(Unknown Source)
>> > at
>> >
>> >
>>
>org.apache.tomcat.util.file.ConfigFileLoader.getURI(ConfigFileLoader.java:105)
>> > at
>> >
>> >
>>
>org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:88)
>> > at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:98)
>> > at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:90)
>> > at
>> > org.apache.tomcat.util.net
>> > .SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
>> > at
>> > org.apache.tomcat.util.net
>> > .SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
>> > at
>> > org.apache.tomcat.util.net
>> >
>.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
>> > ... 20 more
>> > Caused by: java.net.URISyntaxException: Illegal character in opaque
>part
>> at
>> > index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
>> > at java.net.URI$Parser.fail(Unknown Source)
>> > at java.net.URI$Parser.checkChars(Unknown Source)
>> > at java.net.URI$Parser.parse(Unknown Source)
>> > at java.net.URI.(Unknown Source)
>> > ... 29 more
>> > 10-Feb-2021 17:34:09.930 INFO [main]
>> > org.apache.coyote.AbstractProtocol.init Initializing
>ProtocolHandler
>> > ["ajp-nio-127.0.0.1-8009"]
>> > 10-Feb-2021 17:34:09.930 INFO [main]
>> > org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using
>a
>> > shared
>> > selector for servlet write/read
>> > 10-Feb-2021 17:34:09.930 INFO [main]
>> > org.apache.catalina.startup.Catalina.load Initialization processed
>in
>> 1522
>> > ms
>> >
>>
>> This happens when D:\_ssh\_.ICSI.Berkeley.EDU.key is not a file (or
>not
>> there) and it then tries as a URL. Is your keystore still there after
>your
>> update ?
>> There were recent changes, but there's no difference that I can see
>with
>> that location as input.
>>
>> Rémy
>>
>>
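An added example for the "Illegal character in opaque part at index 2" message, mine and not Tomcat's code: the exception says nothing about the key itself. As Rémy explains above, the configured location is first tried as a file and, when that is not readable, retried as a URI; a Windows drive-letter path then parses as scheme "D" followed by a backslash, which is illegal at index 2. The class below assumes only java.nio.file and java.net and separates "missing" from "exists but not readable by the account running the check" (the Local System to Local Service case Mark describes) before the URI fallback turns either into the confusing message:

```java
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added check (not Tomcat's code): classifies a certificate or key file
 * location the way it matters for the connector-start failure in this thread.
 * Run it as the same user the Tomcat service runs as.
 */
public class KeyFileLocationCheck {

    /** Human-readable verdict for one configured location. */
    static String describe(String location) {
        Path path = Paths.get(location);
        String user = System.getProperty("user.name");
        if (Files.isReadable(path)) {
            return "OK: readable file " + path.toAbsolutePath() + " as user " + user;
        }
        String reason = Files.exists(path)
                ? "exists but is not readable by user " + user
                  + " (check the account the Tomcat service runs as)"
                : "no such file visible to user " + user;
        // Mirror the fallback: a location that is not a readable file is
        // next treated as a URI, which is where the drive-letter path fails.
        try {
            URI uri = URI.create(location);
            return "NOT a readable file (" + reason + "); would be retried as URI " + uri;
        } catch (IllegalArgumentException e) {
            return "NOT a readable file (" + reason + "); URI fallback would fail with: "
                    + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Path from the thread; on a machine without it this prints the same
        // "Illegal character in opaque part at index 2" text seen in the log.
        String location = args.length > 0 ? args[0] : "D:\\_ssh\\_.ICSI.Berkeley.EDU.key";
        System.out.println(describe(location));
    }
}
```

The useful output is the middle branch: when the file exists and this check, run as the service account, still reports it unreadable, the fix is on the file's ACL or the service identity, not in server.xml.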

Re: Upgraded to 8.5.63, ssl stopped working...?

2021-02-11 Thread Jim Weill
Yes, the file is there and readable.  The NTFS permissions have only the
built-in SYSTEM, CREATOR OWNER, and domain administrators group as having
any kind of access to the folder.  This was working before I started
upgrading.  The last modified date is 2017 on that file.

jim

On Thu, Feb 11, 2021 at 2:17 PM Rémy Maucherat  wrote:

> On Thu, Feb 11, 2021 at 10:33 PM Jim Weill 
> wrote:
>
> > Sorry, I should have posted it yesterday.  This was the only thing I could
> > find that had anything like an error in the stderr log:
> >
> > [...]
>
> This happens when D:\_ssh\_.ICSI.Berkeley.EDU.key is not a file (or not
> there) and it then tries as a URL. Is your keystore still there after your
> update ?
> There were recent changes, but there's no difference that I can see with
> that location as input.
>
> Rémy
>
>
> >
> > On Thu, Feb 11, 2021 at 12:17 AM Mark Thomas  wrote:
> >
> > > On 11/02/2021 02:06, Jim Weill wrote:
> > > > I had 8.5.41 working and decided to do the upgrade to 8.5.63 today on
> > > > Windows Server 2012r2.  I've had success with stopping the service,
> > > > renaming the tomcat directory, putting the unzipped files of the new
> > > > version in its 

Re: Upgraded to 8.5.63, ssl stopped working...?

2021-02-11 Thread Rémy Maucherat
On Thu, Feb 11, 2021 at 10:33 PM Jim Weill 
wrote:

> Sorry, I should have posted it yesterday.  This was the only thing I could
> find that had anything like an error in the stderr log:
>
> [...]

This happens when D:\_ssh\_.ICSI.Berkeley.EDU.key is not a file (or not
there) and it then tries as a URL. Is your keystore still there after your
update ?
There were recent changes, but there's no difference that I can see with
that location as input.

Rémy


>
> On Thu, Feb 11, 2021 at 12:17 AM Mark Thomas  wrote:
>
> > On 11/02/2021 02:06, Jim Weill wrote:
> > > I had 8.5.41 working and decided to do the upgrade to 8.5.63 today on
> > > Windows Server 2012r2.  I've had success with stopping the service,
> > > renaming the tomcat directory, putting the unzipped files of the new
> > > version in its place, and dropping in the server.xml, and web.xml files to
> > > replace the default files.  As well, I copy over the webapps folder for the
> > > site, then restart the service.  This process has worked many times before.
> > >
> > > When I did this today, the service would not start for some reason.  So I
> > > renamed the folders back to their original names, and then ran the
> > > uninstall from the add/remove programs.  I ran the install executable on
> > > 8.5.63, dropped in the webapps folder, and the server.xml and web.xml files
> > > and 

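As an added example (not code from the thread or from Tomcat), the Python below models the lookup order Rémy describes: the configured location is tried as a file, relative to CATALINA_BASE when it is not absolute, and only when that yields no regular file is the raw string handed to the URI parser, which is where a Windows path dies. The character check mirrors what java.net.URI accepts in the scheme-specific part, so for the path in the log it reports the same "index 2" (the backslash right after "D:"). The readability test runs as the calling process, which is the practitioner's point behind Jim's NTFS remark: a file that is there and readable for the administrator is not necessarily visible to the account the Tomcat service runs under, and a file Tomcat cannot stat is, from its point of view, "not a file". The temporary CATALINA_BASE, the dummy key file and the function names are this example's own assumptions.

```python
import os
import string
import tempfile

# Characters java.net.URI accepts in the scheme-specific ("opaque") part:
# RFC 2396 unreserved + reserved characters plus '%' for escapes. A backslash
# is not among them, which is why a Windows path fails at its first '\'.
_URI_CHARS = set(string.ascii_letters + string.digits + "-_.!~*'()" + ";/?:@&=+$," + "%")


def first_illegal_uri_char(location):
    """Return the index of the first character java.net.URI would reject,
    or None when the string would parse (same index as in the JDK message)."""
    for index, ch in enumerate(location):
        if ch not in _URI_CHARS:
            return index
    return None


def resolve_like_tomcat(location, catalina_base):
    """Model of ConfigFileLoader's order: file first, URI second.

    A relative location is taken relative to CATALINA_BASE. Only when the
    result is not a regular file is the raw string parsed as a URI.
    Readability is tested as the current process, i.e. as whatever account
    this runs under, not as the administrator who inspected the file.
    """
    path = location if os.path.isabs(location) else os.path.join(catalina_base, location)
    if os.path.isfile(path):
        try:
            with open(path, "rb"):
                pass
        except OSError:
            return ("unreadable", path)  # exists, but this account cannot open it
        return ("file", path)
    index = first_illegal_uri_char(location)
    if index is not None:
        # Same wording as the URISyntaxException in the stderr log in this thread
        raise ValueError(f"Illegal character in opaque part at index {index}: {location}")
    return ("uri", location)


def demo():
    """Exercise the check with a constructed CATALINA_BASE and dummy key file
    and with the Windows path from the thread; returns one outcome per case."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as base:
        key_path = os.path.join(base, "conf", "localhost.key")
        os.makedirs(os.path.dirname(key_path))
        with open(key_path, "w") as handle:
            handle.write("dummy key material for the example\n")  # constructed, not a real key
        outcomes["relative"] = resolve_like_tomcat("conf/localhost.key", base)[0]
        outcomes["absolute"] = resolve_like_tomcat(key_path, base)[0]
        try:
            resolve_like_tomcat(r"D:\_ssh\_.ICSI.Berkeley.EDU.key", base)
            outcomes["windows_path"] = "resolved"
        except ValueError as error:
            outcomes["windows_path"] = str(error)
    return outcomes


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Run it as the service account (or, on Windows, under the same identity the Tomcat service uses) rather than as an administrator; an "unreadable" or a URI failure for a path you can open yourself points at ACLs, not at the connector configuration.
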
Re: Upgraded to 8.5.63, ssl stopped working...?

2021-02-11 Thread Jim Weill
Sorry, I should have posted it yesterday.  This was the only thing I could
find that had anything like an error in the stderr log:

10-Feb-2021 17:34:09.930 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1077)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:846)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
Caused by: java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:247)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1143)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1075)
    ... 13 more
Caused by: java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
    at java.net.URI.create(Unknown Source)
    at java.net.URI.resolve(Unknown Source)
    at org.apache.tomcat.util.file.ConfigFileLoader.getURI(ConfigFileLoader.java:105)
    at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:88)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:98)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:90)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
    ... 20 more
Caused by: java.net.URISyntaxException: Illegal character in opaque part at index 2: D:\_ssh\_.ICSI.Berkeley.EDU.key
    at java.net.URI$Parser.fail(Unknown Source)
    at java.net.URI$Parser.checkChars(Unknown Source)
    at java.net.URI$Parser.parse(Unknown Source)
    at java.net.URI.<init>(Unknown Source)
    ... 29 more
10-Feb-2021 17:34:09.930 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
10-Feb-2021 17:34:09.930 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
10-Feb-2021 17:34:09.930 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1522 ms

On Thu, Feb 11, 2021 at 12:17 AM Mark Thomas  wrote:

> On 11/02/2021 02:06, Jim Weill wrote:
> > I had 8.5.41 working and decided to do the upgrade to 8.5.63 today on
> > Windows Server 2012r2.  I've had success with stopping the service,
> > renaming the tomcat directory, putting the unzipped files of the new
> > version in its place, and dropping in the server.xml, and web.xml files to
> > replace the default files.  As well, I copy over the webapps folder for the
> > site, then restart the service.  This process has worked many times before.
> >
> > When I did this today, the service would not start for some reason.  So I
> > renamed the folders back to their original names, and then ran the
> > uninstall from the add/remove programs.  I ran the install executable on
> > 8.5.63, dropped in the webapps folder, and the server.xml and web.xml files
> > and the service started, but the site never loads, even on localhost.
>
> What do you see in the logs? Ideally you want to clear the logs, start
> Tomcat, make a single request, stop Tomcat and then look at the logs.
>
> If you see an error, the safest approach is to fix that error and then
> repeat the process as subsequent errors are often side-effects of the
> first error.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional 

Re: Upgraded to 8.5.63, ssl stopped working...?

2021-02-11 Thread Mark Thomas
On 11/02/2021 02:06, Jim Weill wrote:
> I had 8.5.41 working and decided to do the upgrade to 8.5.63 today on
> Windows Server 2012r2.  I've had success with stopping the service,
> renaming the tomcat directory, putting the unzipped files of the new
> version in its place, and dropping in the server.xml, and web.xml files to
> replace the default files.  As well, I copy over the webapps folder for the
> site, then restart the service.  This process has worked many times before.
> 
> When I did this today, the service would not start for some reason.  So I
> renamed the folders back to their original names, and then ran the
> uninstall from the add/remove programs.  I ran the install executable on
> 8.5.63, dropped in the webapps folder, and the server.xml and web.xml files
> and the service started, but the site never loads, even on localhost.

What do you see in the logs? Ideally you want to clear the logs, start
Tomcat, make a single request, stop Tomcat and then look at the logs.

If you see an error, the safest approach is to fix that error and then
repeat the process as subsequent errors are often side-effects of the
first error.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Upgraded to 8.5.63, ssl stopped working...?

2021-02-10 Thread Jim Weill
I had 8.5.41 working and decided to do the upgrade to 8.5.63 today on
Windows Server 2012r2.  I've had success with stopping the service,
renaming the tomcat directory, putting the unzipped files of the new
version in its place, and dropping in the server.xml, and web.xml files to
replace the default files.  As well, I copy over the webapps folder for the
site, then restart the service.  This process has worked many times before.

When I did this today, the service would not start for some reason.  So I
renamed the folders back to their original names, and then ran the
uninstall from the add/remove programs.  I ran the install executable on
8.5.63, dropped in the webapps folder, and the server.xml and web.xml files
and the service started, but the site never loads, even on localhost.

This is the server.xml I'm using, first configured back in 2017.  I could
probably pare it down, but once it started working, I didn't feel like
messing with removing the commented sections. :)


SSL not working

2011-01-28 Thread spring
Hi,

I did it now so many times - it always worked - configuring tomcat for SSL.

Today: New server, new certificate.

Create new keystore, imported root, intermediate and server certificate,
configured the connector, same as usual.

But... http does not work. No error in Tomcat's log, nothing. Browser says
that it cannot load the page due to a connection problem, maybe security
issue.

How can I debug this ssl problem?

<Connector
    SSLEnabled="true"
    clientAuth="want"
    maxThreads="150"
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    scheme="https"
    secure="true"
    sslProtocol="TLS"
    keystoreFile="conf/tomcat.jks"
    keystoreType="JKS"
    keyAlias="tomcat"
    keystorePass="changeit"
/>

Thank you


RE: SSL not working

2011-01-28 Thread Jeffrey Janner
Probably a server config issue, and not SSL.
Please provide details of the new environment.

> -Original Message-
> From: spr...@gmx.eu [mailto:spr...@gmx.eu]
> Sent: Friday, January 28, 2011 7:06 AM
> To: 'Tomcat Users List'
> Subject: SSL not working
>
> [...]


Re: SSL not working

2011-01-28 Thread Thad Humphries
I've been fooling around *a lot* lately with SSL, so I thought I'd give this
a try.  I'm not very experienced, but I'll offer my two cents.

First of all, what version of Tomcat, Java, etc. are you running? Such a
statement is *de rigueur* for practically any question to this forum. My
system looks like

** Server: SuSE 11.3 (2.6.34.7-0.7-desktop #1 SMP PREEMPT 2010-12-13
11:13:53 +0100 i686 i686 i386 GNU/Linux)
** Tomcat 6.0.30
** Java:  JRE 1.5.0_22 (though my keystore was self-generated with JDK
1.6.0_23)

That said, the connector you describe is working for me, even when I
intentionally misname my keyAlias.  However I have only one entry in my
keystore.  I'm guessing that it can screw up if you have more than one and
you give the wrong alias.

You're using a JSSE implementation, correct? Run

$ keytool -list -keystore $CATALINA_HOME/conf/keystore.jks -v

and see what you get.


(BTW, my self-generated openssl can be read with

$ keytool -printcert -file /srv/apache2/conf/server.crt -v

I say this only because I've also been fiddling, successfully, with the APR
and mod_jk connector.)

On Fri, Jan 28, 2011 at 8:06 AM, spr...@gmx.eu wrote:

> [...]

-- 
Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be --Christopher
Marlowe, *Doctor Faustus* (v, 121-24)


RE: SSL not working

2011-01-28 Thread spring
Hi,

it is TC 7.0.5, Java 1.6_22.

When I use a self-signed certificate everything is fine - same server config,
just the other certificate. So it must be something wrong with the
certificate. But I have no clue what.

How can I debug the SSL-Handshake process?

The cert not working has:

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
#8: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
]

So it should be the right type of cert.

Thank you

> -Original Message-
> From: Thad Humphries [mailto:thad.humphr...@gmail.com]
> Sent: Friday, 28 January 2011 16:47
> To: Tomcat Users List
> Subject: Re: SSL not working
>
> [...]


RE: SSL not working

2011-01-28 Thread spring
OK, I enabled SSL debug and got this:

Using SSLEngineImpl.
http-8443-exec-6, READ: TLSv1 Handshake, length = 72
*** ClientHello, TLSv1
RandomCookie:  GMT: 1296237960 bytes = { 29, 26, 93, 201, 51, 195, 57, 220,
172, 159, 182, 24, 23, 109, 229, 241, 219, 44, 93, 9, 215, 107, 176, 92,
192, 250, 134, 108 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_65281, data: 00
***
http-8443-exec-6, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-8443-exec-6, WRITE: TLSv1 Alert, length = 2
http-8443-exec-6, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, called closeOutbound()
http-8443-exec-6, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-7, READ: SSLv3 Handshake, length = 67
*** ClientHello, SSLv3
RandomCookie:  GMT: 1296237960 bytes = { 167, 41, 66, 68, 100, 105, 126,
191, 190, 109, 143, 141, 122, 89, 201, 33, 1, 45, 228, 214, 141, 218, 73,
253, 8, 9, 118, 204 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, Unknown 0x0:0xff]
Compression Methods:  { 0 }
***
http-8443-exec-7, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, SEND SSLv3 ALERT:  fatal, description = handshake_failure
http-8443-exec-7, WRITE: SSLv3 Alert, length = 2
http-8443-exec-7, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, called closeOutbound()
http-8443-exec-7, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-8, called closeOutbound()
http-8443-exec-8, closeOutboundInternal()
http-8443-exec-8, SEND TLSv1 ALERT:  warning, description = close_notify
http-8443-exec-8, WRITE: TLSv1 Alert, length = 2 


When I open the cert I can see:

 MD5:  3C:33:0A:7C:BC:8B:8D:9E:A5:C1:8C:49:F9:E1:84:0A
 SHA1: 7F:02:49:61:4E:55:AE:11:F0:93:82:06:8A:44:95:56:2D:1E:0E:EB
 Signature algorithm name: SHA1withRSA
 Version: 3

So is my Java runtime missing SHA1withRSA?

> -Original Message-
> From: spr...@gmx.eu [mailto:spr...@gmx.eu]
> Sent: Friday, 28 January 2011 18:35
> To: 'Tomcat Users List'
> Subject: RE: SSL not working
>
> [...]

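As an added example that is not part of the thread, the Python below does mechanically what Thad's "keytool -list" suggestion and the debug output above allow you to do by hand: it pulls the offered cipher suites out of a javax.net.debug log, reduces them to the key-exchange families they need (here RSA and DHE_DSS, which require an RSA or DSA private key on the server side), and checks what the keyAlias entry in a keytool listing actually is. A "no cipher suites in common" alert against a perfectly ordinary client list means the server could enable no suite at all, and the most common reason for that is a keystore in which the server certificate sits as a trustedCertEntry (imported on its own) instead of a PrivateKeyEntry (imported on top of the key pair). The certificate's signature algorithm, SHA1withRSA here, is not what suite selection looks at. The thread does not say what the cause was in this case; the log excerpt and the keytool listing below are constructed to show that one scenario, and the function names are this example's own.

```python
import re

# Constructed excerpt of the javax.net.debug=ssl output quoted in the thread
# (the first ClientHello and the server's verdict only).
DEBUG_LOG = """Using SSLEngineImpl.
http-8443-exec-6, READ: TLSv1 Handshake, length = 72
*** ClientHello, TLSv1
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
***
http-8443-exec-6, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
"""

# Constructed 'keytool -list -keystore conf/tomcat.jks' output for a keystore
# into which root, intermediate and server certificate were all imported with
# -importcert, so the 'tomcat' alias carries a certificate but no private key.
KEYTOOL_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jan 28, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
intermediate, Jan 28, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): 44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77
tomcat, Jan 28, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): 88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB
"""

_SUITE_LIST = re.compile(r"Cipher Suites: \[(.*?)\]", re.S)
_SUITE_KX = re.compile(r"^(?:SSL|TLS)_(.+?)_WITH_")
_KEYSTORE_ENTRY = re.compile(r"^(\S+), (.+), (PrivateKeyEntry|keyEntry|trustedCertEntry|SecretKeyEntry),\s*$")


def client_hello_suites(log):
    """Cipher suites the client offered in the first ClientHello of the log;
    the list may be wrapped over several lines, so match across newlines."""
    match = _SUITE_LIST.search(log)
    if not match:
        return []
    return [s.strip() for s in match.group(1).replace("\n", " ").split(",") if s.strip()]


def key_exchange_families(suites):
    """Key-exchange family of each suite (RSA, DHE_DSS, ECDHE_ECDSA, ...),
    i.e. what kind of server key the suite needs. Export variants collapse
    onto their base family; entries such as 'Unknown 0x0:0xff' are skipped."""
    families = set()
    for suite in suites:
        match = _SUITE_KX.match(suite)
        if match:
            families.add(re.sub(r"_EXPORT\d*$", "", match.group(1)))
    return families


def keystore_entries(listing):
    """alias -> entry type, parsed from 'keytool -list' output.
    JKS aliases are case-insensitive, so they are lower-cased here."""
    entries = {}
    for line in listing.splitlines():
        match = _KEYSTORE_ENTRY.match(line)
        if match:
            entries[match.group(1).lower()] = match.group(3)
    return entries


def diagnose(log, listing, key_alias):
    """Pair the handshake verdict with what the keyAlias entry actually is."""
    if "no cipher suites in common" not in log:
        return "handshake did not fail on cipher-suite selection; look elsewhere"
    families = sorted(key_exchange_families(client_hello_suites(log)))
    entry_type = keystore_entries(listing).get(key_alias.lower())
    if entry_type is None:
        return f"keyAlias {key_alias!r} is not in the keystore; JSSE has no key to offer for {families}"
    if entry_type not in ("PrivateKeyEntry", "keyEntry"):
        return (f"keyAlias {key_alias!r} is a {entry_type}: the certificate was imported without its "
                f"private key, so the server can enable none of the client's {families} suites")
    return (f"keyAlias {key_alias!r} holds a private key; check that its algorithm matches the "
            f"client's {families} key-exchange families and that the chain is complete")


if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, KEYTOOL_LISTING, "tomcat"))
```

Feed it the real debug output and the real "keytool -list" output for conf/tomcat.jks; if the keyAlias entry is not a PrivateKeyEntry, the fix is to import the CA-issued certificate into the alias that holds the key pair the CSR was generated from, not into a fresh alias.
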
Re: SSL Not working on tomcat 5.5.29

2010-07-12 Thread kareem_s_m

Hi All,

If I rename tcnative-1.dll in the bin folder then the site on SSL works. I
am not that knowledgeable on this dll. Any comments or ideas please? I got
this suggestion from google but no specific reason.

Regards,
Kareem

Pid * wrote:
>
> On 02/07/2010 06:30, kareem_s_m wrote:
>
> > Hi All,
> >
> > I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the
> > applications. I see that the website renders and works fine in 5.5.29 on
> > port 8080 (non SSL) but with SSL (port 8443) the website does not run at
> > all. When I try to see what's going on in Fiddle, I see 502 error. Also
> > nothing is written to the log files. It is as if tomcat is not even
> > running in port 8443.
> >
> > Under tomcat 5.5.28, the site renders fine with SSL and non SSL.
> >
> > Is there something I could be missing?
>
> Are the Connector definitions in server.xml files identical?
>
> You can post it inline here, if you remove the comments and any passwords.
>
>
> p

-- 
View this message in context: 
http://old.nabble.com/SSL-Not-working-on-tomcat-5.5.29-tp29052531p29137241.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


RE: SSL Not working on tomcat 5.5.29

2010-07-12 Thread Caldarale, Charles R
> From: kareem_s_m [mailto:kareemud...@gmail.com]
> Subject: Re: SSL Not working on tomcat 5.5.29
>
> If I rename tcnative-1.dll in the bin folder then the
> site on SSL works.

SSL handling with the APR connector is completely different from that with a 
pure Java connector.  The docs are here:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

 - Chuck








Re: SSL Not working on tomcat 5.5.29

2010-07-12 Thread Konstantin Kolinko
2010/7/12 kareem_s_m kareemud...@gmail.com:

 Hi All,

 If I rename tcnative-1.dll in the bin folder then the site on SSL works. I
 am not that knowledgeable on this dll. Any comments or ideas please? I got
 this suggestion from google but no specific reason.


It was already mentioned in this very thread.
http://old.nabble.com/SSL-Not-working-on-tomcat-5.5.29-ts29052531.html#a29083748

 Regards,
 Kareem




Re: SSL Not working on tomcat 5.5.29

2010-07-12 Thread kareem_s_m

Yup... I guess I missed it. Thank You Konstantin.

Konstantin Kolinko wrote:
 
 2010/7/12 kareem_s_m kareemud...@gmail.com:

 Hi All,

 If I rename tcnative-1.dll in the bin folder then the site on SSL works.
 I am not that knowledgeable on this dll. Any comments or ideas please? I
 got this suggestion from google but no specific reason.

 
 It was already mentioned in this very thread.
 http://old.nabble.com/SSL-Not-working-on-tomcat-5.5.29-ts29052531.html#a29083748
 
 Regards,
 Kareem
 
 
 
 






RE: SSL Not working on tomcat 5.5.29

2010-07-12 Thread kareem_s_m

Thank You Chuck!!!

n828cl wrote:
 
 From: kareem_s_m [mailto:kareemud...@gmail.com]
 Subject: Re: SSL Not working on tomcat 5.5.29
 
 If I rename tcnative-1.dll in the bin folder then the 
 site on SSL works.
 
 SSL handling with the APR connector is completely different from that with
 a pure Java connector.  The docs are here:
 http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
 http://tomcat.apache.org/tomcat-5.5-doc/apr.html
 
  - Chuck
 
 
 
 
 
 
 
 






Re: SSL Not working on tomcat 5.5.29

2010-07-06 Thread kareem_s_m

When I run in NON SSL (port 8080), stuff is written to the log files. When I
run under SSL (8443), nothing is written to the same log files.


Konstantin Kolinko wrote:
 
 2010/7/2 kareem_s_m kareemud...@gmail.com:
 Also
 nothing is written to the log files.
 
 Nothing at all? The logs are completely empty?
 
 Maybe you are still running 5.5.28, or writing to 5.5.28 logs, if the
 service was installed incorrectly?
 

 Under tomcat 5.5.28, the site renders fine with SSL and non SSL.

 
 How did you install Tomcat,  and how are you running it?
 
 Best regards,
 Konstantin Kolinko
 
 
 
 






Re: SSL Not working on tomcat 5.5.29

2010-07-06 Thread Konstantin Kolinko
2010/7/6 kareem_s_m kareemud...@gmail.com:

 When I run in NON SSL (port 8080), stuff is written to the log files. When I
 run under SSL (8443), nothing is written to the same log files.


In the configuration fragment that you provided you are running with
all 8080, 8443, 8009 at the same time.

If you are adding an XML comment around unneeded connectors, maybe you
are doing it wrong, and thus your server.xml is not a well-formed XML
file?  (You know, XML comments cannot contain -- and thus comments
cannot be nested).


A trivial question: your keystore is now in a new path. Have you
copied it to the new location?

keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"

 How did you install Tomcat,  and how are you running it?

Not answered. Do you install it as a service, or you are using *.bat files?

Best regards,
Konstantin Kolinko




Re: SSL Not working on tomcat 5.5.29

2010-07-06 Thread Konstantin Kolinko
2010/7/6 Konstantin Kolinko knst.koli...@gmail.com:
 2010/7/6 kareem_s_m kareemud...@gmail.com:

 When I run in NON SSL (port 8080), stuff is written to the log files. When I
 run under SSL (8443), nothing is written to the same log files.


 In the configuration fragment that you provided you are running with
 all 8080, 8443, 8009 at the same time.

 If you are adding an XML comment around unneeded connectors, maybe you
 are doing it wrong, and thus your server.xml is not a well-formed XML
 file?  (You know, XML comments cannot contain -- and thus comments
 cannot be nested).


 A trivial question: your keystore is now in a new path. Have you
 copied it to the new location?

 keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"

 How did you install Tomcat,  and how are you running it?

 Not answered. Do you install it as a service, or you are using *.bat files?


One more:
please check whether you have bin/tcnative-1.dll in your tomcat-5.5.29.

If you do, then the APR version of the connector will be used.
Configuration for the APR SSL connector is different (it uses OpenSSL
library to perform encryption and not Java).

Just remove or rename the tcnative-1.dll file.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
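Konstantin's checklist above (is server.xml well-formed XML, does the keystoreFile path still exist after the move to the new install directory, is bin/tcnative-1.dll present so that the APR/OpenSSL connector silently takes over) can be run as a script against a server.xml before restarting Tomcat. The following is an added example written for this page, not code from the thread or from Tomcat; it also flags the attribute mix-up from the "APR SSL not working" thread further down the page (SSLEngine="on" placed on a Connector where SSLEnabled="true" is expected). Function and finding names are this example's own, and the sample XML strings are constructed reductions of the connectors posted in the thread.

```python
"""Audit the SSL-relevant parts of a Tomcat server.xml (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: the 5.5.29 connectors from the thread, reduced.
SAMPLE_OK = r"""<Server>
  <Service name="Catalina">
    <Connector port="8080" scheme="http" maxThreads="150"/>
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"
               keystorePass="X"/>
    <Connector port="8009" redirectPort="8443" protocol="AJP/1.3"/>
  </Service>
</Server>"""

# Constructed sample: an AJP connector "disabled" by wrapping an already
# commented block in a second comment. The inner '<!--' puts '--' inside a
# comment, which XML forbids, so the whole file stops being well-formed.
SAMPLE_NESTED_COMMENT = """<Server>
  <Service name="Catalina">
    <!--
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" redirectPort="8443" protocol="AJP/1.3"/>
    -->
  </Service>
</Server>"""

# Constructed sample: APR-style certificate attributes with the old attribute name.
SAMPLE_APR_MIXUP = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEngine="on"
               SSLCertificateFile="/opt/tomcat/conf/localhost.crt"
               SSLCertificateKeyFile="/opt/tomcat/conf/localhost.key"/>
  </Service>
</Server>"""


def audit_server_xml(xml_text, catalina_home=None):
    """Return a list of (severity, message) findings for one server.xml."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Nested comments, unbalanced tags etc. all land here: Tomcat would
        # not start any connector from this file.
        return [("error", "server.xml is not well-formed XML: %s" % exc)]

    for conn in root.iter("Connector"):
        a = conn.attrib
        port = a.get("port", "?")
        https = a.get("scheme") == "https"
        keystore = a.get("keystoreFile")

        if https and a.get("secure") != "true":
            findings.append(("warn", "port %s: scheme=https but secure is not true" % port))
        if keystore is not None and not os.path.isfile(keystore):
            findings.append(("error", "port %s: keystoreFile not found: %s" % (port, keystore)))
        if https and keystore is None and a.get("SSLCertificateFile") is None:
            findings.append(("error", "port %s: https connector has neither keystoreFile nor SSLCertificateFile" % port))
        if "SSLEngine" in a and a.get("SSLEnabled") != "true":
            findings.append(("warn", "port %s: SSLEngine is set on the Connector but SSLEnabled is not true" % port))

    if catalina_home is not None:
        # With the native library in bin the APR connector is selected and the
        # JSSE keystore* attributes no longer apply (Konstantin's point above).
        native = [os.path.join(catalina_home, "bin", n) for n in ("tcnative-1.dll", "libtcnative-1.so")]
        if any(os.path.isfile(p) for p in native):
            findings.append(("info", "Tomcat Native library present in bin: the APR connector will be used, keystore* attributes do not apply"))
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("nested-comment", SAMPLE_NESTED_COMMENT), ("apr-mixup", SAMPLE_APR_MIXUP)):
        print("==", name)
        for severity, message in audit_server_xml(text, catalina_home="/opt/tomcat"):
            print(severity, message)
```

Run it with the real file (`audit_server_xml(open("conf/server.xml").read(), catalina_home=os.environ["CATALINA_HOME"])`) on the new 5.5.29 tree; a keystoreFile finding or a Tomcat Native finding is exactly the situation the thread ends up diagnosing.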



Re: SSL Not working on tomcat 5.5.29

2010-07-06 Thread kareem_s_m

Server.xml is well formed as I can render it in IE. Also, the cert path is
right.

Konstantin Kolinko wrote:
 
 2010/7/6 kareem_s_m kareemud...@gmail.com:

 When I run in NON SSL (port 8080), stuff is written to the log files.
 When I run under SSL (8443), nothing is written to the same log files.

 
 In the configuration fragment that you provided you are running with
 all 8080, 8443, 8009 at the same time.
 
 If you are adding an XML comment around unneeded connectors, maybe you
 are doing it wrong, and thus your server.xml is not a well-formed XML
 file?  (You know, XML comments cannot contain -- and thus comments
 cannot be nested).
 
 
 A trivial question: your keystore is now in a new path. Have you
 copied it to the new location?
 
 keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks"
 
 How did you install Tomcat,  and how are you running it?
 
 Not answered. Do you install it as a service, or you are using *.bat
 files?
 
 Best regards,
 Konstantin Kolinko
 
 
 
 






Re: SSL Not working on tomcat 5.5.29

2010-07-05 Thread Konstantin Kolinko
2010/7/2 kareem_s_m kareemud...@gmail.com:
 Also
 nothing is written to the log files.

Nothing at all? The logs are completely empty?

Maybe you are still running 5.5.28, or writing to 5.5.28 logs, if the
service was installed incorrectly?


 Under tomcat 5.5.28, the site renders fine with SSL and non SSL.


How did you install Tomcat,  and how are you running it?

Best regards,
Konstantin Kolinko




Re: SSL Not working on tomcat 5.5.29

2010-07-04 Thread kareem_s_m

The connectors from server.xml in 5.5.29 are as follows:

<Service name="Catalina">
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector
port="8080"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="http">
 </Connector>
<Connector
port="8443"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks" keystorePass="X">
 </Connector>
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector
port="8009"
redirectPort="8443"
protocol="AJP/1.3">
 </Connector>
<Engine
defaultHost="localhost"
name="Catalina">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
  <Host
  appBase="webapps"
  name="localhost">
  </Host>
</Engine>
  </Service>


The connectors from server.xml in 5.5.28 are as follows:

<Service name="Catalina">
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector
port="8080"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="http">
 </Connector>
<Connector
port="8443"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.28\selfcert.jks"
keystorePass="X">
 </Connector>
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector
port="8009"
redirectPort="8443"
protocol="AJP/1.3">
 </Connector>
<Engine
defaultHost="localhost"
name="Catalina">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
  <Host
  appBase="webapps"
  name="localhost">
  </Host>
</Engine>
  </Service>
</Server>



Output of version.bat

Using CATALINA_BASE:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
Using CATALINA_HOME:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
Using CATALINA_TMPDIR: E:\apps\thirdparty\apache-tomcat-5.5.29 orig\temp
Using JRE_HOME:D:\Java\jdk.1.5.07
Using CLASSPATH:   E:\apps\thirdparty\apache-tomcat-5.5.29
orig\bin\bootstrap.jar
Server version: Apache Tomcat/5.5.29
Server built:   Mar 29 2010 07:46:34
Server number:  5.5.29.0
OS Name:Windows 2003
OS Version: 5.2
Architecture:   x86
JVM Version:1.5.0_07-b03
JVM Vendor: Sun Microsystems Inc.



awarnier wrote:
 
 kareem_s_m wrote:
 Hi All,
 
 I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the
 applications. I see that the website renders and works fine in 5.5.29 on
 port 8080 (non SSL) but with SSL (port 8443) the website does not run at
 all. When I try to see what's going on in Fiddle, I see a 502 error. Also
 nothing is written to the log files. It is as if tomcat is not even
 running in port 8443.
 
 Under tomcat 5.5.28, the site renders fine with SSL and non SSL.
 
 Is there something I could be missing?
 
 On the face of it, I would estimate the probability of that at so close to
 1 as cannot be 
 distinguished from it.
 But if you want someone here to help, you will have to provide some more
 details, such as 
 for example a copy-and-paste of your Connector tags, and maybe tell us
 which platform 
 this is, and where these Tomcat's are coming from.
 Useful : go to the Tomcat bin subdirectory with a console window, run
 version.sh or 
 version.bat, and paste the result in your next message.
 
 
 
 
 
 
 






Re: SSL Not working on tomcat 5.5.29

2010-07-04 Thread André Warnier

Hi.

502 Bad Gateway
That is a strange error, in this context.

Are you accessing this Tomcat directly, or through Apache or IIS or some 
load-balancer ?

Try this anyway :

Start Tomcat 5.5.28, open a command window, and enter netstat -ano.
With your setup, in the lines marked LISTEN, you should see 4 lines related 
to Tomcat :
in the 2d column (local address), these lines should contain respectively
:8005
:8009
:8080
:8443
(The last column contains the PID of the corresponding process (Tomcat).
You can check this with the Task Manager, if you enable the PID column.)
Anyway, copy and paste these lines here.

Now stop Tomcat 5.5.28, start Tomcat 5.5.29, and run the above command again.
Copy and paste these lines here.

Any difference ?



kareem_s_m wrote:

The connectors from server.xml in 5.5.29 are as follows:

<Service name="Catalina">
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector
port="8080"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="http">
 </Connector>
<Connector
port="8443"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.29 orig\selfcert.jks" keystorePass="X">
 </Connector>
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector
port="8009"
redirectPort="8443"
protocol="AJP/1.3">
 </Connector>
<Engine
defaultHost="localhost"
name="Catalina">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
  <Host
  appBase="webapps"
  name="localhost">
  </Host>
</Engine>
  </Service>

The connectors from server.xml in 5.5.28 are as follows:

<Service name="Catalina">
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector
port="8080"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="http">
 </Connector>
<Connector
port="8443"
minSpareThreads="25"
connectionTimeout="2"
maxSpareThreads="75"
maxThreads="150"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
keystoreFile="E:\apps\thirdparty\apache-tomcat-5.5.28\selfcert.jks"
keystorePass="X">
 </Connector>
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector
port="8009"
redirectPort="8443"
protocol="AJP/1.3">
 </Connector>
<Engine
defaultHost="localhost"
name="Catalina">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
  <Host
  appBase="webapps"
  name="localhost">
  </Host>
</Engine>
  </Service>
</Server>



Output of version.bat

Using CATALINA_BASE:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
Using CATALINA_HOME:   E:\apps\thirdparty\apache-tomcat-5.5.29 orig
Using CATALINA_TMPDIR: E:\apps\thirdparty\apache-tomcat-5.5.29 orig\temp
Using JRE_HOME:D:\Java\jdk.1.5.07
Using CLASSPATH:   E:\apps\thirdparty\apache-tomcat-5.5.29
orig\bin\bootstrap.jar
Server version: Apache Tomcat/5.5.29
Server built:   Mar 29 2010 07:46:34
Server number:  5.5.29.0
OS Name:Windows 2003
OS Version: 5.2
Architecture:   x86
JVM Version:1.5.0_07-b03
JVM Vendor: Sun Microsystems Inc.



awarnier wrote:

kareem_s_m wrote:

Hi All,

I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the
applications. I see that the website renders and works fine in 5.5.29 on
port 8080 (non SSL) but with SSL (port 8443) the website does not run at
all. When I try to see what's going on in Fiddle, I see a 502 error. Also
nothing is written to the log files. It is as if tomcat is not even
running in port 8443.

Under tomcat 5.5.28, the site renders fine with SSL and non SSL.

Is there something I could be missing?


On the face of it, I would estimate the probability of that at so close to
1 as cannot be 
distinguished from it.

But if you want someone here to help, you will have to provide some more
details, such as 
for example a copy-and-paste of your Connector tags, and maybe tell us
which platform 
this is, and where these Tomcat's are coming from.

Useful : go to the Tomcat bin subdirectory with a console window, run
version.sh or 
version.bat, and paste the result in your next message.





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
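André's netstat comparison above (the four LISTENING lines owned by the Tomcat PID, captured once under 5.5.28 and once under 5.5.29) can be scripted so the difference is not read by eye. The following is an added example written for this page, not code from André's message or from Tomcat: it parses the LISTENING lines of Windows `netstat -ano` output, keeps the ports a stock Tomcat should hold (8005 shutdown, 8009 AJP, 8080 HTTP, 8443 HTTPS) and reports which of them disappeared in the second capture, plus whether those ports are all owned by one process. The two captures and their PIDs are constructed samples, not output from the thread; the function names are this example's own.

```python
"""Compare Tomcat listeners across two `netstat -ano` captures (added example)."""
import re

TOMCAT_PORTS = {8005: "shutdown", 8009: "AJP/1.3", 8080: "HTTP", 8443: "HTTPS"}

# Windows `netstat -ano` layout: Proto  Local Address  Foreign Address  State  PID
# The address part is matched greedily so that "[::]:8080" also works.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed sample: old instance (5.5.28) with all four ports, PID 2480.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2480
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2480
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       2480
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       2480
  TCP    192.0.2.10:8080        192.0.2.55:51234       ESTABLISHED     2480
"""

# Constructed sample: new instance (5.5.29) that never opened 8443, PID 2612.
AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2612
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING       2612
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       2612
"""


def listening_ports(netstat_output):
    """Map every listening TCP port to the PID that owns it."""
    result = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            result[int(m.group(2))] = int(m.group(3))
    return result


def tomcat_listeners(netstat_output):
    """Return {port: pid} restricted to the ports Tomcat is expected to use."""
    return {p: pid for p, pid in listening_ports(netstat_output).items() if p in TOMCAT_PORTS}


def missing_after_upgrade(before_output, after_output):
    """Ports the old instance listened on that the new instance does not."""
    before = tomcat_listeners(before_output)
    after = tomcat_listeners(after_output)
    return sorted(p for p in before if p not in after)


def pid_mismatch(netstat_output):
    """True if the Tomcat ports are split across several processes (something else holds one)."""
    return len(set(tomcat_listeners(netstat_output).values())) > 1


if __name__ == "__main__":
    for port in missing_after_upgrade(BEFORE, AFTER):
        print("no longer listening: %d (%s)" % (port, TOMCAT_PORTS[port]))
    print("ports owned by more than one PID after upgrade:", pid_mismatch(AFTER))
```

A port that is missing in the second capture means the connector never started, which is consistent with the "nothing in the logs" symptom in the thread; a port present but owned by a different PID than the rest means another process (for example an old instance that was not stopped) holds it.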









Re: SSL Not working on tomcat 5.5.29

2010-07-02 Thread Pid
On 02/07/2010 06:30, kareem_s_m wrote:
 
 Hi All,
 
 I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the
 applications. I see that the website renders and works fine in 5.5.29 on
 port 8080 (non SSL) but with SSL (port 8443) the website does not run at
 all. When I try to see what's going on in Fiddle, I see a 502 error. Also
 nothing is written to the log files. It is as if tomcat is not even running
 in port 8443.
 
 Under tomcat 5.5.28, the site renders fine with SSL and non SSL.
 
 Is there something I could be missing?

Are the Connector definitions in server.xml files identical?

You can post it inline here, if you remove the comments and any passwords.


p





Re: SSL Not working on tomcat 5.5.29

2010-07-02 Thread André Warnier

kareem_s_m wrote:

Hi All,

I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the
applications. I see that the website renders and works fine in 5.5.29 on
port 8080 (non SSL) but with SSL (port 8443) the website does not run at
all. When I try to see what's going on in Fiddle, I see a 502 error. Also
nothing is written to the log files. It is as if tomcat is not even running
in port 8443.

Under tomcat 5.5.28, the site renders fine with SSL and non SSL.

Is there something I could be missing?

On the face of it, I would estimate the probability of that at so close to 1 as cannot be 
distinguished from it.
But if you want someone here to help, you will have to provide some more details, such as 
for example a copy-and-paste of your Connector tags, and maybe tell us which platform 
this is, and where these Tomcat's are coming from.
Useful : go to the Tomcat bin subdirectory with a console window, run version.sh or 
version.bat, and paste the result in your next message.








SSL Not working on tomcat 5.5.29

2010-07-01 Thread kareem_s_m

Hi All,

I am working on upgrading tomcat from 5.5.28 to 5.5.29 for one of the
applications. I see that the website renders and works fine in 5.5.29 on
port 8080 (non SSL) but with SSL (port 8443) the website does not run at
all. When I try to see what's going on in Fiddle, I see a 502 error. Also
nothing is written to the log files. It is as if tomcat is not even running
in port 8443.

Under tomcat 5.5.28, the site renders fine with SSL and non SSL.

Is there something I could be missing?

Regards,
Kareem





Re: SSL only working on localhost

2009-12-03 Thread Michael Dockery
problem solved

the firewall exceptions were not config'ed correctly

it seems the 443 inbound packet was hitting the box
but not hitting tomcat itself (due to fw dropping the packets)

i do however wonder for future ref,
 the best way to turn more logging-on for ssl

(even though in this case, logging would not have helped much
   ...except it would have been more obvious 
   that tomcat was NOT seeing the ssl attempts by the remote 
clients at all )

better logging ideas are welcomed.
  (as this might benefit others also)

I was hoping the global debug logging level 
 would have shown a bit more on the ssl connections, etc
  ...but i don't think it did that


fyi
Tomcat 6.0.13 
Java  1.6.017





From: Guifre Bosch Fabregas guifre.bo...@gmail.com
To: Tomcat Users List users@tomcat.apache.org; p...@pidster.com
Sent: Wed, December 2, 2009 8:13:58 AM
Subject: Re: SSL only working on localhost

Can you see your page from another computer without SSL?
What's your OS?
Is it possible that the problem is the firewall? Can you see that ports 80
and 443 are open?




2009/12/2 Pid p...@pidster.com

 On 02/12/2009 12:41, Michael Dockery wrote:





 I have gotten ssl w/self-signed cert
   working on tomcat 6 a few times in the past.

 I am trying it again on a different server

 I am using port 443


 when i attempt https://localhost
   via a browser on the server itself
 the browser is properly presented with the cert warning (as i
 expected)

 however, when i try to access https from another computer,
  it just hangs... (and therefore NO cert warning)

 i have wiresharked the server, and can see the inbound 443 connections,
  so the firewall does not seem to be the issue.
(note: the other computers are on the same subnet/lan)

 i have tried browsing to the servers ip, netbios name, fqdn/dns
   with always the same result (below):
 ---http is fine (the home page appears)
 ---however httpS  does not do anything
 (unless i browse from the server itself to itself)

 further the logs do not show anything interesting
  and i have the log level set to debug.

 ideas?


 Idea: describe Tomcat, JVM, OS - precise versions please.
 Supply server.xml in use, comments removed.


 p






  

SSL only working on localhost

2009-12-02 Thread Michael Dockery




I have gotten ssl w/self-signed cert
  working on tomcat 6 a few times in the past.

I am trying it again on a different server

I am using port 443


when i attempt https://localhost
  via a browser on the server itself
the browser is properly presented with the cert warning (as i expected)

however, when i try to access https from another computer, 
 it just hangs... (and therefore NO cert warning)

i have wiresharked the server, and can see the inbound 443 connections,
 so the firewall does not seem to be the issue.
   (note: the other computers are on the same subnet/lan)

i have tried browsing to the servers ip, netbios name, fqdn/dns 
  with always the same result (below):
---http is fine (the home page appears)
---however httpS  does not do anything
(unless i browse from the server itself to itself)

further the logs do not show anything interesting
 and i have the log level set to debug.

ideas?



  

Re: SSL only working on localhost

2009-12-02 Thread Pid

On 02/12/2009 12:41, Michael Dockery wrote:





I have gotten ssl w/self-signed cert
   working on tomcat 6 a few times in the past.

I am trying it again on a different server

I am using port 443


when i attempt https://localhost
   via a browser on the server itself
 the browser is properly presented with the cert warning (as i expected)

however, when i try to access https from another computer,
  it just hangs... (and therefore NO cert warning)

i have wiresharked the server, and can see the inbound 443 connections,
  so the firewall does not seem to be the issue.
(note: the other computers are on the same subnet/lan)

i have tried browsing to the servers ip, netbios name, fqdn/dns
   with always the same result (below):
---http is fine (the home page appears)
 ---however httpS  does not do anything
 (unless i browse from the server itself to itself)

further the logs do not show anything interesting
  and i have the log level set to debug.

ideas?


Idea: describe Tomcat, JVM, OS - precise versions please.
Supply server.xml in use, comments removed.


p




Re: SSL only working on localhost

2009-12-02 Thread Guifre Bosch Fabregas
Can you see your page from another computer without SSL?
What's your OS?
Is it possible that the problem is the firewall? Can you see that ports 80
and 443 are open?




2009/12/2 Pid p...@pidster.com

 On 02/12/2009 12:41, Michael Dockery wrote:





 I have gotten ssl w/self-signed cert
   working on tomcat 6 a few times in the past.

 I am trying it again on a different server

 I am using port 443


 when i attempt https://localhost
   via a browser on the server itself
 the browser is properly presented with the cert warning (as i
 expected)

 however, when i try to access https from another computer,
  it just hangs... (and therefore NO cert warning)

 i have wiresharked the server, and can see the inbound 443 connections,
  so the firewall does not seem to be the issue.
(note: the other computers are on the same subnet/lan)

 i have tried browsing to the servers ip, netbios name, fqdn/dns
   with always the same result (below):
 ---http is fine (the home page appears)
 ---however httpS  does not do anything
 (unless i browse from the server itself to itself)

 further the logs do not show anything interesting
  and i have the log level set to debug.

 ideas?


 Idea: describe Tomcat, JVM, OS - precise versions please.
 Supply server.xml in use, comments removed.


 p





Re: SSL only working on localhost

2009-12-02 Thread Markus Schönhaber
In addition to Pid's comment, which you should take heed of:

02.12.2009 13:41, Michael Dockery:

 i have wiresharked the server, and can see the inbound 443 connections,
  so the firewall does not seem to be the issue.
(note: the other computers are on the same subnet/lan)

What exactly do you mean by can see the inbound 443 connections?
My guess would be that wireshark only shows incoming TCP packets
directed to port 443 of your server. If my guess is correct, this proves
nothing with regard to the packet filter's settings. It might well throw those
packets away.

-- 
Regards
  mks

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
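Markus's point above is that a capture showing inbound packets to port 443 does not tell you whether the packet filter hands them to Tomcat, and Michael's follow-up ("problem solved": the firewall exceptions were wrong) confirms it. A probe run from the remote client separates the cases the thread conflates. The following is an added example written for this page, not code from the thread or from Tomcat: it first tries a plain TCP connect (a timeout is the typical signature of a filter silently dropping packets, a refusal means nothing is listening), then attempts a TLS handshake on the open socket (success means Tomcat is serving TLS; failure means something is listening but not speaking TLS, as with a misconfigured connector). Certificate verification is switched off on purpose, because the question is whether any handshake completes, not whether the self-signed certificate is trusted. The two loopback helpers exist only so the probe can be exercised locally; function names are this example's own.

```python
"""Distinguish dropped packets, no listener, and a failed TLS handshake (added example)."""
import socket
import ssl
import threading


def probe_https(host, port, timeout=5.0):
    """Return one of: tcp_timeout, tcp_refused, tcp_error, tls_timeout, tls_failed, tls_ok."""
    # Stage 1: does a TCP connection even get established?
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout"          # no SYN-ACK at all: filter dropping, or host unreachable
    except ConnectionRefusedError:
        return "tcp_refused"          # RST came back: nothing listening on that port
    except OSError:
        return "tcp_error"

    # Stage 2: does the listener complete a TLS handshake?
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # self-signed cert expected; only the handshake matters here
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"           # wrap_socket performed the handshake
    except socket.timeout:
        return "tls_timeout"          # connected, ClientHello sent, server never answered
    except OSError:                   # ssl.SSLError, reset, EOF: a non-TLS or broken listener
        return "tls_failed"
    finally:
        sock.close()


def start_stub_listener():
    """Loopback listener that accepts one connection and closes it without TLS.

    Stands in for 'something is listening, but it is not a TLS endpoint'.
    Returns the port it was bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port():
    """Pick a port with no listener: bind to 0, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("closed port  :", probe_https("127.0.0.1", closed_loopback_port(), timeout=3))
    print("non-TLS stub :", probe_https("127.0.0.1", start_stub_listener(), timeout=3))
```

Run `probe_https("<server>", 443)` from one of the other machines on the LAN: `tcp_timeout` there, together with `tls_ok` from the server itself, is the firewall case Michael describes; `tls_failed` or `tls_timeout` from both places points at the connector configuration instead.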



RE: SSL only working on localhost

2009-12-02 Thread Jeffrey Janner
-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: Wednesday, December 02, 2009 6:51 AM
To: users@tomcat.apache.org
Subject: Re: SSL only working on localhost

On 02/12/2009 12:41, Michael Dockery wrote: 

 I have gotten ssl w/self-signed cert
working on tomcat 6 a few times in the past.

 I am trying it again on a different server

 I am using port 443


 when i attempt https://localhost
via a browser on the server itself
  the browser is properly presented with the cert warning (as i
expected)

 however, when i try to access https from another computer,
   it just hangs... (and therefore NO cert warning)

...
 ideas?

Idea: describe Tomcat, JVM, OS - precise versions please.
Supply server.xml in use, comments removed.

Definitely a good idea, as there are problems with specific versions of
Windows and APR and certain implied settings about the default
Connector configuration.






Mod_jk and SSL not working together

2009-03-09 Thread Alexander Diedler
Hello,

I have an Apache 2.0.63 Webserver and Tomcat 6.0 and use mod_jk. The server
doesn't use the JkMount if I use https.

http://www.mysite.de shows me correctly the mounted Webapps from Tomcat.

https://www.mysite.de shows me the Apache Webserver Startpage and every URL
command shows me a 404. Where do I have to define something for the SSL and
mod_jk?

 

My httpd.conf

LoadModule ssl_module modules/mod_ssl.so

 

### Apache Tomcat Connector ###

LoadModule jk_module modules/mod_jk.so

JkWorkersFile conf/worker.properties

JkLogFile logs/mod_jk.log

JkLogLevel warn

JkMount /* tomcat-worker1

JkOptions +ForwardURICompatUnparsed

 

…

# This was unchanged because the Tomcat Webapps is used.

DocumentRoot C:/Programme (x86)/Apache Group/Apache2/htdocs

…

#

# Bring in additional module-specific configurations

#

<IfModule mod_ssl.c>

Include conf/ssl.conf

</IfModule>

 

No Virtual Host has been defined! Is it better to use a Virtual Host?

 

Greetings

Alexander





Re: Mod_jk and SSL not working together

2009-03-09 Thread Mladen Turk

Alexander Diedler wrote:

Hello,

I have an Apache 2.0.63 Webserver and Tomcat 6.0 and use mod_jk. The 
server doesn't use the JkMount if I use https.


http://www.mysite.de shows me correctly the mounted Webapps from Tomcat.

https://www.mysite.de shows me the Apache Webserver Startpage and every 
URL command shows me a 404. Where do I have to define something for the 
SSL and mod_jk?


 


<IfModule mod_ssl.c>

Include conf/ssl.conf

</IfModule>

 


No Virtual Host has been defined! Is it better to use a Virtual Host?



mod_ssl uses VirtualHost, so you will need
either JkMountCopy all or
to define JkMount inside ssl.conf as well

Regards
--
^(TM)




Re: APR SSL not working

2008-09-03 Thread Gregor Schneider
Hi Filip,

guess you're mixing things up:

Since I'm using the APR (Apache Portable Runtime), according to

http://tomcat.apache.org/tomcat-5.5-doc/apr.html,

it has to be SSLEngine=on

(check the HTTPS-Connector)

The example given in the Tomcat-docs is

   <Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   SSLEngine="on"
   SSLCertificateFile="${catalina.base}/conf/localhost.crt"
   SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

Cheers

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: APR SSL not working

2008-09-02 Thread Filip Hanik - Dev Lists

SSLEngine=on should be SSLEnabled=true

Gregor Schneider wrote:

Hi there,

I'm about to give it up.

One final question though:

Anybody out there who has the following combination up & running:

- Linux (Debian preferred, other distributions also welcome)
- Tomcat 5.5
- APR
- SSL

?

I've been successful in getting Tomcat running together with the APR; however,
when I insert the connector

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEngine="on"
           SSLCertificateFile="/home/tomcat/www/certs/dom.dekold4711.crt"
           SSLCertificateKeyFile="/home/tomcat/www/certs/dom.dekold4711.key"
/>

into server.xml, Tomcat startup hangs when initializing Coyote HTTP/1.1:

2008-08-29 17:15:31,722 INFO[main]: An older version 1.1.3 of the Apache Tomcat Native library is installed, while Tomcat recommends version greater than 1.1.4
2008-08-29 17:15:32,142 INFO[main]: Initializing Coyote HTTP/1.1 on http-8080

However, netstat shows me that Tomcat is listening on port 8443

So, if anybody has the configuration Tomcat & APR & SSL up & running,
I'd be happy about any confirmation, otherwise I'll consider Tomcat &
APR & SSL as simply not functional.

Gregor
  






Re: APR SSL not working

2008-09-01 Thread Gregor Schneider
Hi Markus,

On Fri, Aug 29, 2008 at 5:52 PM, Markus Schönhaber
[EMAIL PROTECTED] wrote:
 Gregor Schneider schrieb:

 Search the list archives. There has more than once been discussion about
 this topic. For example
 http://marc.info/?l=tomcat-userm=118190563608389w=2
 Maybe this helps.


actually it did, thanks a lot for the hint.

The solution was:

- create an .rnd file within the user space:

openssl rand -out $HOME/.rnd 2048

- compile the APR with /dev/urandom:

./configure --with-apr=/usr/bin/apr-1-config \
            --with-devrandom=/dev/urandom \
            --prefix=/home/tomcat/www/lib

make && make install

Now it seems to work like a charm.

Again, thanks for shedding some light..

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371




Re: APR SSL not working

2008-09-01 Thread Markus Schönhaber

Gregor Schneider wrote:


The solution was:

- create an .rnd file within the user space:

openssl rand -out $HOME/.rnd 2048

- compile the APR with /dev/urandom:

./configure --with-apr=/usr/bin/apr-1-config \
            --with-devrandom=/dev/urandom \
            --prefix=/home/tomcat/www/lib

make && make install

Now it seems to work like a charm.


If you configure APR to use /dev/urandom, creating a static random file
shouldn't be necessary.


BTW: in Tomcat 6 (starting with 6.0.17?) the AprLifecycleListener 
supports the attribute SSLRandomSeed:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
This is supposed to set the random source used by APR. As I understand 
it (haven't tried it myself) one should be able to set this, for 
example, to /dev/urandom or a static random file and speed things up 
even if APR was compiled with /dev/random as default random source.


Regards
  mks




Re: APR SSL not working

2008-09-01 Thread Gregor Schneider
Hi Markus,

seems I was a bit too optimistic...

although I compiled APR with /dev/urandom PLUS creating $HOME/.rnd
(changed 2048 to 4096 since this is the value specified in
/proc/sys/kernel/poolsize), it's again taking ages to start up Tomcat.

Since this is a server-machine where I just can't move the mouse or
hack the keyboard to create some entropy, I'm again stuck here.

Do you know of any additional option to speed up the process of
creating some entropy?

Since we're stuck to Tomcat 5.5, unfortunately Tomcat 6 with the new
config is not an option.

Cheers

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371




Re: APR SSL not working

2008-09-01 Thread Markus Schönhaber

Gregor Schneider wrote:


seems I was a bit too optimistic...

although I compiled APR with /dev/urandom PLUS creating $HOME/.rnd
(changed 2048 to 4096 since this is the value specified in
/proc/sys/kernel/poolsize), it's again taking ages to start up Tomcat.


AFAIK /dev/urandom is guaranteed not to block. If initializing the HTTPS
connector nevertheless takes very long, I'd make sure that /dev/urandom
is indeed used - and not /dev/random. You could, for example, use lsof
to check.


Is the libtcnative your Tomcat uses really linked against your 
self-compiled version of APR (ldd to check)?



Do you know of any additional option to speed up the process of
creating some entropy?


I'm not sure, but maybe a lot of activity generated in a ssh session 
might help too.


Regards
  mks
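
As an added example (not from the thread), the checks Markus suggests, written as POSIX shell functions: each reads the output of lsof, ldd or /proc/sys/kernel/random/entropy_avail on stdin, so it can be exercised against the constructed samples included below and then pointed at the real commands. The warning threshold ENTROPY_WARN and the libtcnative path used in diagnose_running_tomcat are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: does the JVM really read /dev/urandom, and is libtcnative
# really linked against the self-compiled APR? Functions read command output
# on stdin so they work offline against the constructed samples below.

ENTROPY_WARN=200   # assumed warning level in bits, not a kernel constant

# Print the random device(s) the JVM holds open, or "none". /dev/random
# blocks when the kernel pool is empty; /dev/urandom never blocks.
random_device_held() {
    awk '$NF == "/dev/random" || $NF == "/dev/urandom" { print $NF; found = 1 }
         END { if (!found) print "none" }'
}

# Print the APR shared object libtcnative is linked against (from ldd output),
# or "not-linked". A path under /usr/lib means the distro's APR is in use,
# not the one configured with --with-devrandom=/dev/urandom.
apr_library_linked() {
    awk '$1 ~ /^libapr-1\.so/ { print $3; found = 1 }
         END { if (!found) print "not-linked" }'
}

# Succeed only when the linked APR lives under the prefix it was built with.
apr_under_prefix() {   # $1 = --prefix used at configure time, stdin = ldd output
    case "$(apr_library_linked)" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Classify the entropy_avail value on stdin; a /dev/random reader will sit
# in read() while the pool is starved, which is what the hanging startup is.
entropy_state() {
    read -r bits
    if [ "$bits" -lt "$ENTROPY_WARN" ]; then
        echo "starved ($bits bits): /dev/random readers will block"
    else
        echo "ok ($bits bits)"
    fi
}

# Live use (not run here): $1 = Tomcat JVM pid, $2 = path to libtcnative-1.so.
diagnose_running_tomcat() {
    echo "random device: $(lsof -p "$1" 2>/dev/null | random_device_held)"
    echo "APR library:   $(ldd "$2" | apr_library_linked)"
    echo "entropy:       $(entropy_state < /proc/sys/kernel/random/entropy_avail)"
}

# Constructed samples in the shape lsof and ldd print, for offline testing.
sample_lsof_blocking() {
    printf 'java 4711 tomcat 12r CHR 1,8 0t0 1234 /dev/random\n'
    printf 'java 4711 tomcat 13u IPv6 0t0 TCP *:8443 (LISTEN)\n'
}
sample_lsof_no_device() {
    printf 'java 4711 tomcat 13u IPv6 0t0 TCP *:8443 (LISTEN)\n'
}
sample_ldd_distro_apr() {
    printf '\tlibapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f0a)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x00007f0b)\n'
}
```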




Re: APR SSL not working

2008-09-01 Thread Gregor Schneider
Hi Marcus,

On Mon, Sep 1, 2008 at 4:56 PM, Markus Schönhaber
[EMAIL PROTECTED] wrote:

 Is the libtcnative your Tomcat uses really linked against your self-compiled
 version of APR (ldd to check)?


looks as if you're becoming my personal hero...

I just had the development-headers of the APR installed, meaning the
APR was the pre-compiled Debian-version.

Now I've downloaded the APR-sources, compiled them with

./configure --with-devrandom=/dev/urandom

make && make install

Really a big, big thanks for helping me to make it work!

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371




APR SSL not working

2008-08-29 Thread Gregor Schneider
Hi there,

I'm about to give it up.

One final question though:

Anybody out there who has the following combination up & running:

- Linux (Debian preferred, other distributions also welcome)
- Tomcat 5.5
- APR
- SSL

?

I've been successful in getting Tomcat running together with the APR; however,
when I insert the connector

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEngine="on"
           SSLCertificateFile="/home/tomcat/www/certs/dom.dekold4711.crt"
           SSLCertificateKeyFile="/home/tomcat/www/certs/dom.dekold4711.key"
/>

into server.xml, Tomcat startup hangs when initializing Coyote HTTP/1.1:

2008-08-29 17:15:31,722 INFO[main]: An older version 1.1.3 of the Apache Tomcat Native library is installed, while Tomcat recommends version greater than 1.1.4
2008-08-29 17:15:32,142 INFO[main]: Initializing Coyote HTTP/1.1 on http-8080

However, netstat shows me that Tomcat is listening on port 8443

So, if anybody has the configuration Tomcat & APR & SSL up & running,
I'd be happy about any confirmation, otherwise I'll consider Tomcat &
APR & SSL as simply not functional.

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371




RE: APR SSL not working

2008-08-29 Thread Martin Gainty

gregor-
i assume your implementation includes configuring the AprLifecycleListener
in server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" />
?
Martin

Re: APR SSL not working

2008-08-29 Thread Markus Schönhaber

Gregor Schneider schrieb:


Anybody out there who has the following combination up & running:

- Linux (Debian preferred, other distributions also welcome)
- Tomcat 5.5
- APR
- SSL


Yes.


into server.xml, Tomcat startup hangs when initializing Coyote HTTP/1.1:

2008-08-29 17:15:31,722 INFO[main]: An older version 1.1.3 of the Apache Tomcat Native library is installed, while Tomcat recommends version greater than 1.1.4
2008-08-29 17:15:32,142 INFO[main]: Initializing Coyote HTTP/1.1 on http-8080

However, netstat shows me that Tomcat is listening on port 8443


If these are the last lines of your log, that's to be expected.
Otherwise the log would contain info about http-8443.
How long did you wait? Chances are, APR is using /dev/random and the
system has run out of entropy.
Search the list archives. There has more than once been discussion about 
this topic. For example

http://marc.info/?l=tomcat-userm=118190563608389w=2
Maybe this helps.

Regards
  mks





Re: SSL not working

2008-07-23 Thread hiteshrup



Mladen Turk-2 wrote:
 
 Matúš Nemčík wrote:
 Hi, i have installed the latest version of Apache Tomcat 5.5.17 on
 Windows
 XP platform using the installer and the server is running as a service.
 
 
 The probable reason is because default service runs under
 the SYSTEM account. Keystore requires a valid user.
 Modify the service to use the account you are using when
 running in command line mode (Anyhow first try if it works
 from command line).
 
 
 Regards,
 Mladen.
 
 
 
 


How do I change the account for the Tomcat service? Should I give it a Windows
account, or should I create a tomcat user?



SSL not working on Tomcat 5.5

2007-05-08 Thread Marcus Johansson

Hi,

I am running Tomcat 5.5 on a Windows 2003 server box, using Sun JRE 1.5.0_11.
Since I want to have SSL support on my server, I followed the instructions
on

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

first creating a self-signed certificate and then uncommenting the SSL
Connector on port 8443. After a restart of the Tomcat service I expected to
have SSL up and running, but alas. When accessing http://localhost:8443

it works fine, hence the connector seems active on the port. But when trying
to access https://localhost:8443 , my IE7 browser stands hanging for a
pretty long while until it declares that the page cannot be opened. No error
messages whatsoever to be found in the tomcat logs.

I have the same problem on another box which runs Windows 2000 Server, all
other things the same. Please help me figure out what is wrong!

Regards

Marcus Johansson


Re: SSL not working on Tomcat 5.5

2007-05-08 Thread Markus Schönhaber
Marcus Johansson wrote:

 I am running Tomcat 5.5 on a Windows 2003 server box, using Sun JRE 1.5.0_11.
 Since I want to have SSL support on my server, I followed the instructions
 on
 
 http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
 
 first creating a self-signed certificate and then uncommenting the SSL
 Connector on port 8443. After a restart of the Tomcat service I expected to
 have SSL up and running, but alas. When accessing http://localhost:8443
 
 it works fine, hence the connector seems active on the port. But when trying
 to access https://localhost:8443 , my IE7 browser stands hanging for a
 pretty long while until it declares that the page cannot be opened. No error
 messages whatsoever to be found in the tomcat logs.

Check whether you're using APR.
If so, the above document won't help you much - look at
http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS
instead and check the list archives for more info, since this comes up
quite frequently.

Regards
  mks




RE: SSL not working on Tomcat

2006-11-13 Thread Andrew Friebel
Michael,
I may have missed something, but did you install your
certificate reply into your keystore?  I can't see any account of that
being done.  I also agree that you need to install the CA root
certificate in your keystore as well.  You need to have the full trust
chain in your keystore.

Another thought is to configure your server.xml slightly differently.
You may want to try the following to get you going:

<Connector port="8443" maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS">

    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS" keystoreFile="c:\files\tomcat"
             keystorePass="THEPASS" />

</Connector>

Hope that helps.

Regards,
Andrew




Re: SSL not working on Tomcat

2006-11-08 Thread Christopher Schultz

Michael,

Michael Casale wrote:
 I've installed Firefox 2.0 and I get the error:
 
 "Firefox can't connect securely to upm.knoa.com because the site uses a
 security protocol which isn't enabled"
 
 So... I changed sslProtocol="TLS" to sslProtocol="SSL" and restarted the
 service. I get the same error.

Wow. Sounds like something is seriously screwed up. Have you tried a
different client machine? Perhaps one of your SSL libraries is hosed.

Have you tried re-installing Tomcat? Perhaps one of TC's SSL libraries
is hosed.

If all else fails, I would run something like memtest86 on your server
to see if the memory is okay. It's tough to do all this crypto stuff and
not have an exception when the littlest thing goes wrong, so something
is definitely amiss. It's not like Sun invented a new SSL protocol and
didn't tell anyone about it ;)

- -chris




RE: SSL not working on Tomcat - The Solution

2006-11-08 Thread Michael Casale
Hi All -

The simple solution to this whole problem is that I was using the wrong
Keystore file - not the one I originally used to generate my certificate
request.

I originally tried to use the original keystore file to import my
newly purchased certificate, but I kept getting the error "Wrong
Keystore Format" (or something to that effect - I forgot and am in a
hurry here).

The reason why is I was following poor instructions on my company's wiki
which omitted the storetype flag in the keytool -import line. You need
-storetype PKCS12 when importing into a PKCS12 keystore. Duh on me.

This is how we learn. I figured I'd just point this out for anyone else
using the keytool command and working with PKCS12 format keys and
keystores.

Thanks to all those who offered help!

Michael Casale

Systems Administrator / IT Manager

Knoa Software

[EMAIL PROTECTED]

Ph.  (212) 807-9608 ext. 6000

Fax  (212) 675-6121
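
An added example, not from Michael's post: shell helpers that read the first bytes of a keystore file to tell JKS from PKCS12 and then print a keytool -import line whose -storetype matches the file, which is the mismatch behind the "Wrong Keystore Format" error. The sample keystore headers are constructed here; the assumptions are that a JKS file starts with the magic 0xFEEDFEED and a PKCS12 file with a DER SEQUENCE tag (0x30).

```shell
#!/bin/sh
# Added example: detect the on-disk keystore format before calling keytool.
# keytool defaults -storetype to JKS; pointing it at a PKCS12 file without
# -storetype PKCS12 fails instead of importing. Assumes POSIX od and tr.

# Print JKS, PKCS12 or UNKNOWN for the keystore file in $1.
keystore_type() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;      # assumed JKS magic number 0xFEEDFEED
        30*)      echo PKCS12 ;;   # assumed: PKCS12 is DER, outer SEQUENCE = 0x30
        *)        echo UNKNOWN ;;
    esac
}

# Print (do not run) the keytool command that imports certificate/CA reply $2
# under alias $3 into keystore $1, with -storetype matching the real format.
keytool_import_cmd() {
    ks=$1; cert=$2; ks_alias=$3
    type=$(keystore_type "$ks")
    if [ "$type" = UNKNOWN ]; then
        echo "refusing: $ks is neither JKS nor PKCS12" >&2
        return 1
    fi
    printf 'keytool -import -trustcacerts -storetype %s -keystore %s -alias %s -file %s\n' \
        "$type" "$ks" "$ks_alias" "$cert"
}

# Constructed sample files (headers only, enough for format detection),
# written into directory $1.
make_samples() {
    dir=${1:-.}
    printf '\376\355\376\355'     > "$dir/jks.sample"   # FE ED FE ED
    printf '\060\202\011\064\002' > "$dir/p12.sample"   # 30 82 09 34 02 (DER)
    printf 'not a keystore'       > "$dir/bogus.sample"
}
```

Tomcat has to be told the same thing on its side: a PKCS12 file also needs keystoreType="PKCS12" on the Connector, since the connector defaults to JKS as well.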




SSL not working on Tomcat

2006-11-07 Thread Michael Casale
Howdy all,

I'm struggling through setting up Tomcat with SSL on a Windows 2003
server, and even when I get the server running, with no errors in the
logs when restarting the Tomcat service, all I get is a "Page Not Found"
error when I point to the SSL port on the server. Pointing to the
default connector on port 8080 works fine.

Here's a little background:

1. Using keytool, I created a certificate request, sent it off to
   Geotrust, and purchased a cert to import. It was emailed to me.
2. Following the recommendations of Geotrust
   (http://www.geocerts.com/support/install/install_tomcat.php), I
   downloaded their root cert, imported it, converted their cert to DER
   format (on a separate Linux box), and imported it into the keystore.
3. I restarted the Tomcat service with no errors; see the connector
   started on port 8443:

Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Nov 7, 2006 4:55:35 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 812 ms
Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.12
Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Nov 7, 2006 4:55:37 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31  config=null
Nov 7, 2006 4:55:37 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 7, 2006 4:55:37 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1203 ms

Now, opening any page on the server at http://servername:8080/ works
fine, but https://servername:8443/ doesn't work. All ports are opened
through the firewall, etc. Same for https://localhost:8443/.

Here is the server.xml file entry for the connector:

<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="20"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="c:\files\tomcat"
           keystorePass="THEPASS"/>

According to the Tomcat SSL documentation, I need to have the root cert
and the purchased cert in the keystore file, and I need to use the
keyAlias to tell Tomcat which one to use. But whenever I add in the
keyAlias entry it gives me the "Alias name tomcat does not identify a
key entry" error in the logs.

If I could find out how to enable better logging I may be able to
troubleshoot this further.

Thanks for any help!

Michael Casale
Systems Administrator / IT Manager
Knoa Software
[EMAIL PROTECTED]
Ph.  (212) 807-9608 ext. 6000
Fax  (212) 675-6121

 



RE: SSL not working on Tomcat

2006-11-07 Thread Caldarale, Charles R
 From: Michael Casale [mailto:[EMAIL PROTECTED] 
 Subject: SSL not working on Tomcat 
 
 I'm struggling through setting up Tomcat with SSL on a Windows 2003
 server, and even when I get the server running, with no errors in the
 logs when restarting the tomcat service, all I get is a Page 
 Not Found error when I point to the ssl port on the server.

Depending on how you installed Tomcat, you may have also gotten the
native connector, aka APR.  Its SSL configuration is different from the
traditional Tomcat connector.  Look here for details:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Regardless, you probably want to move up to a more recent level.

 - Chuck





Re: SSL not working on Tomcat

2006-11-07 Thread Mark Eggers
Did you try this with Firefox?  IE has some problems
with no-cache in the header or as a pragma.  Later
versions of Tomcat 5.5 set this.

There is a mailing list thread concerning this:

http://marc.theaimsgroup.com/?t=11180675668r=1w=2

along with some solutions.

Hope this helps.

/mde/
just my two cents . . . .




Re: SSL not working on Tomcat

2006-11-07 Thread Dhiraj Ramakrishnan

Hi,

According to you, one of the steps that you did was:

 "I downloaded their root cert, imported it, converted their cert to DER
 format (on a separate Linux box), and imported it into the keystore."

You seem to be running your application on a Windows box.
Can that be the reason why your key is not working properly?

Thanks

Dhiraj Ramakrishnan





RE: SSL not working on Tomcat

2006-11-07 Thread Michael Casale
I've installed Firefox 2.0 and I get the error:

"Firefox can't connect securely to upm.knoa.com because the site uses a
security protocol which isn't enabled"

So... I changed sslProtocol="TLS" to sslProtocol="SSL" and restarted the
service. I get the same error.

Meanwhile, with Internet Explorer, I turned off friendly error messages,
and loaded the page. Instead of a page not found I get a blank page.
Interesting.

Next I tried the validator, a tool from here: http://validator.w3.org/

Great tool. It reports the following error:

500 SSL negotiation failed: error:1406D0CB:SSL
routines:GET_SERVER_HELLO:peer error no cipher

Any ideas? I'm going to try re-importing the original certificate in
PKCS12 format...


Michael Casale

Systems Administrator / IT Manager

Knoa Software

[EMAIL PROTECTED]

Ph.  (212) 807-9608 ext. 6000

Fax  (212) 675-6121


-Original Message-
From: Mark Eggers [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 07, 2006 6:35 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat 

Did you try this with Firefox?  IE has some problems
with no-cache in the header or as a pragma.  Later
versions of Tomcat 5.5 set this.

There is a mailing list thread concerning this:

http://marc.theaimsgroup.com/?t=11180675668&r=1&w=2

along with some solutions.

Hope this helps.

/mde/
just my two cents . . . .

--- Michael Casale [EMAIL PROTECTED] wrote:

 Howdy all,

 I'm struggling through setting up Tomcat with SSL on a Windows 2003
 server, and even when I get the server running, with no errors in the
 logs when restarting the tomcat service, all I get is a Page Not Found
 error when I point to the ssl port on the server. Pointing to the
 default connector on port 8080 works fine.

 Here's a little background:

 1. Using keytool, I created a certificate request, sent it off to
 Geotrust, and purchased a cert to import. It was emailed to me.
 2. Following the recommendations of geotrust
 (http://www.geocerts.com/support/install/install_tomcat.php), I
 downloaded their root cert, imported it, converted their cert to DER
 format (on a separate Linux box), and imported it into the keystore.
 3. I restarted the Tomcat service with no errors, see the connector
 started on port 8443:

 Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-8080
 Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-8443
 Nov 7, 2006 4:55:35 PM org.apache.catalina.startup.Catalina load
 INFO: Initialization processed in 812 ms
 Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardService start
 INFO: Starting service Catalina
 Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardEngine start
 INFO: Starting Servlet Engine: Apache Tomcat/5.5.12
 Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardHost start
 INFO: XML validation disabled
 Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
 INFO: Starting Coyote HTTP/1.1 on http-8080
 Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
 INFO: Starting Coyote HTTP/1.1 on http-8443
 Nov 7, 2006 4:55:37 PM org.apache.jk.common.ChannelSocket init
 INFO: JK: ajp13 listening on /0.0.0.0:8009
 Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain start
 INFO: Jk running ID=0 time=0/31  config=null
 Nov 7, 2006 4:55:37 PM org.apache.catalina.storeconfig.StoreLoader load
 INFO: Find registry server-registry.xml at classpath resource
 Nov 7, 2006 4:55:37 PM org.apache.catalina.startup.Catalina start
 INFO: Server startup in 1203 ms

 Now, opening any page on the server at http://servername:8080/ works
 fine, but https://servername:8443/ doesn't work. All ports are opened
 through the firewall, etc. Same for https://localhost:8443/ .

 Here is the server.xml file entry for the connector:

 <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
   port="8443" minProcessors="5" maxProcessors="20"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" debug="0" scheme="https" secure="true"
   sslProtocol="TLS"
   keystoreFile="c:\files\tomcat"
   keystorePass="THEPASS"/>

 According to the Tomcat SSL documentation, I need to have the root cert
 and the purchased cert in the keystore file, and I need to use the
 keyAlias to tell Tomcat which one to use. But whenever I add in the
 keyAlias entry it gives me the "Alias name tomcat does not identify a
 key entry" error in the logs.

 If I could find out how to enable better logging I may be able to
 troubleshoot this further.




 


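The "Alias name tomcat does not identify a key entry" error above means the alias named in keyAlias points at something other than a private-key entry, typically the CA root or a CA reply that was imported under a new alias instead of the key pair's alias. As an added example, not from this thread, the POSIX shell script below classifies an alias from `keytool -list` output; the embedded keystore listing is constructed, and the alias names and fingerprints in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose Tomcat's
# "Alias name <keyAlias> does not identify a key entry" from a
# `keytool -list` listing. Tomcat's JSSE connector needs keyAlias to name
# an entry that holds a private key; the CA root, or a CA reply imported
# under a fresh alias instead of the key-pair alias, is only a
# trustedCertEntry and produces exactly that error.

# Constructed sample of `keytool -list -keystore <file>` output (the alias
# names and fingerprints are made up).
demo_keystore_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Nov 7, 2006, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33
geotrustroot, Nov 7, 2006, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:00:99:88:77:66:55:44:33:22:11:00:FF:EE:DD
EOF
}

# keytool_alias_kind ALIAS   (listing on stdin)
# Prints "key" for a private-key entry, "cert" for a trusted-certificate
# entry, "missing" when no entry has that alias. Handles both the modern
# (PrivateKeyEntry) and the JDK 1.5-era (keyEntry) spelling.
keytool_alias_kind() {
    awk -v want="$1" '
        /, *(PrivateKeyEntry|keyEntry|trustedCertEntry),? *$/ {
            name = $0
            sub(/,.*$/, "", name)   # the alias is everything before the first comma
            if (name == want) {
                found = 1
                kind = ($0 ~ /KeyEntry|keyEntry/) ? "key" : "cert"
                print kind
                exit
            }
        }
        END { if (!found) print "missing" }
    '
}

# check_tomcat_key_alias ALIAS   (listing on stdin)
# Returns 0 when ALIAS is usable as the connector keyAlias, 1 otherwise.
check_tomcat_key_alias() {
    case "$(keytool_alias_kind "$1")" in
        key)  echo "$1: private key entry, usable as keyAlias"; return 0 ;;
        cert) echo "$1: trusted certificate only; import the CA reply under the key-pair alias"; return 1 ;;
        *)    echo "$1: no such alias; check keystoreFile path and alias spelling"; return 1 ;;
    esac
}

# With a JDK on PATH, run the same check against a real keystore:
#   keytool -list -keystore /path/to/keystore -storepass "$PASS" | check_tomcat_key_alias tomcat
demo_keystore_listing | check_tomcat_key_alias tomcat
demo_keystore_listing | check_tomcat_key_alias geotrustroot || true
```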

RE: SSL not working on Tomcat

2006-11-07 Thread Michael Casale
I also tried building the keystore in PKCS12 format - importing both the
root cert and normal cert into the keystore.

I'm getting the same error.

Michael Casale

Systems Administrator / IT Manager

Knoa Software

[EMAIL PROTECTED]

Ph.  (212) 807-9608 ext. 6000

Fax  (212) 675-6121


-Original Message-
From: Dhiraj Ramakrishnan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 07, 2006 6:44 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat





Re: SSL not working on Tomcat

2006-11-07 Thread Martin Gainty
Michael comments prefixed with Re



Howdy all,

 

I'm struggling through setting up Tomcat with SSL on a Windows 2003
server, and even when I get the server running, with no errors in the
logs when restarting the tomcat service, all I get is a Page Not Found
error when I point to the ssl port on the server. Pointing to the
default connector on port 8080 works fine.

 

Here's a little background:

 

1. Using keytool, I created a certificate request, sent it off to
Geotrust, and purchased a cert to import. It was emailed to me. 
2. Following the recommendations of geotrust
(http://www.geocerts.com/support/install/install_tomcat.php ) , I
downloaded their root cert, imported it, converted their cert to DER
format (on a separate Linux box), and imported it into the keystore.
3. I restarted the Tomcat service with no errors, see the connector
started on port 8443:

 

Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init

INFO: Initializing Coyote HTTP/1.1 on http-8080

Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init

INFO: Initializing Coyote HTTP/1.1 on http-8443

Nov 7, 2006 4:55:35 PM org.apache.catalina.startup.Catalina load

INFO: Initialization processed in 812 ms

Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardService start

INFO: Starting service Catalina

Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardEngine start

INFO: Starting Servlet Engine: Apache Tomcat/5.5.12

Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardHost start

INFO: XML validation disabled

Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start

INFO: Starting Coyote HTTP/1.1 on http-8080

Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start

INFO: Starting Coyote HTTP/1.1 on http-8443

Nov 7, 2006 4:55:37 PM org.apache.jk.common.ChannelSocket init

INFO: JK: ajp13 listening on /0.0.0.0:8009

Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain start

INFO: Jk running ID=0 time=0/31  config=null

Nov 7, 2006 4:55:37 PM org.apache.catalina.storeconfig.StoreLoader load

INFO: Find registry server-registry.xml at classpath resource

Nov 7, 2006 4:55:37 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1203 ms

Now, opening any page on the server at http://servername:8080/ works
fine, but https://servername:8443/ doesn't work. All ports are opened
through the firewall, etc. Same for https://localhost:8443/ .

Here is the server.xml file entry for the connector:
<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
  port="8443" minProcessors="5" maxProcessors="20"
  enableLookups="true" disableUploadTimeout="true"
  acceptCount="100" debug="0" scheme="https" secure="true"
  sslProtocol="TLS"
  keystoreFile="c:\files\tomcat"
  keystorePass="THEPASS"/>

MG> could you check to see if the keystoreFile is called tomcat and is located
in C:\files ?
MG> out of curiosity which JVM are you using Sun or IBM..this changes the values
assigned to sslProtocol and algorithm?
MG> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
MG> M-

Michael Casale

Systems Administrator / IT Manager

Knoa Software

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

Ph.  (212) 807-9608 ext. 6000

Fax  (212) 675-6121

 



RE: SSL not working on Tomcat

2006-11-07 Thread Michael Casale
Thanks for your response. The tomcat keystore is located in c:\files. The 
version of Java is 1.5.0_06

Thanks!

Mike

-Original Message-
From: Martin Gainty [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 07, 2006 9:08 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat





Re: SSL not working

2006-07-24 Thread Matus Nemcik

Thanks for your reply, you were right, the problem was with the account ...
now everything is working great!!! Thanks again!!

On 7/24/06, Mladen Turk [EMAIL PROTECTED] wrote:


Matúš Nemčík wrote:
 Hi, I have installed the latest version of Apache Tomcat 5.5.17 on Windows
 XP platform using the installer and the server is running as a service.


The probable reason is because default service runs under
the SYSTEM account. Keystore requires a valid user.
Modify the service to use the account you are using when
running in command line mode (Anyhow first try if it works
from command line).


Regards,
Mladen.





RE: tomcat ssl not working

2006-06-02 Thread Alvarez, Mike
The server.xml file needs to be configured with the keystore path and
file name.

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
   port="8443" minProcessors="5" maxProcessors="75"
   enableLookups="true"
   acceptCount="100" debug="0" scheme="https" secure="true"
   useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
   keystoreFile="D:\\Documents and Settings\\kz616d\\My Documents\\temp\\Jill\\w2jzdr9y01.amer.corp.eds.com.keystore"
   keystorePass="dorkdork"
   clientAuth="false" protocol="TLS" />
</Connector>


-Original Message-
From: AJ Jonen [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 01, 2006 3:12 PM
To: Tomcat Users List
Subject: tomcat ssl not working

My tomcat server is not responding when I type in
https://localhost:8443.
oddly enough it does work when I type in http://localhost:8443

I'm having a bit of an issue getting Tomcat to work on the secure port
8443. What happens is I type https://localhost:8443 and the page never
loads. I get no errors (page cannot be found, page cannot be displayed
etc). My browser simply looks like it's loading the page, it eventually
says that it's done, but my browser home page is still displayed.

- The unsecure port (port 8090 in my case, because port 8080 was already
in use) works fine.
- I generated my keystore file, presumably correctly (I was prompted to
enter my name, organization, location, etc), and it is in the correct
location (C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf).
- Kathy O. looked at my server.xml page and says that everything looks
correct.  Everything looks right to me too.
- I am using Tomcat 5.5 and I am using the correct java version (1.5,
not 1.4).

Any ideas on what might be preventing the page from loading correctly on
the secure port?

Rebecca





Re: tomcat ssl not working

2006-06-01 Thread Jack

You can have a look here and see if you find any useful tips - this
explains how I got SSL to work on Tomcat:

http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Cheers
Jack...

On 01/06/06, Mike Sabroff [EMAIL PROTECTED] wrote:

I am running 5.5.9 and have no problems with it (except that it is
expired) but it still works if I accept it.

Mike


--
Mike Sabroff
Web Services Developer
[EMAIL PROTECTED]
920-568-8379


--
Cheers
Jack...

The claim natural is not synonymous with safe.
