Re: Problem configuring SSL

2014-01-07 Thread Alex Kogan
Gentlemen, thanks a lot for your help. I figured out what the problem was.
It was not related to tomcat configuration, but to my keystore. The reason
is that once you import a client certificate under the same alias as the
private pair, they both get merged under the same alias inside keystore.
Using keytool -delete command, meant to remove the certificate only,
deletes the private pair as well. I noticed that once I dumped keystore
content for my keystore and a keystore on one of my other servers. Luckily,
I had a backup of the keystore I made right after it was created. Importing
the certificates into that keystore resolved the issue.


On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Alex,

 On 1/5/14, 12:30 PM, Alex Kogan wrote:
  I have a strange problem configuring SSL to work with Tomcat.
  Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
 
  It's a new Tomcat installation. All keystore operations were done
  with keytool. I imported CA root/intermediate certificate and
  client certificate, configured SSL connector in server.xml. I have
  this same setup on another server that works fine. Connecting to
  this server via http works.
 
  1. If I try to connect this address via https in Chrome I get:
  This Webpage is not available. In Firefox: Error code:
  ssl_error_no_cypher_overlap

 Sounds familiar.

 Please post your Connector configuration(s) from your server.xml
 file. Remember to remove any sensitive information from the configuration.

 Also please post all of the startup messages from Tomcat's
 logs/catalina.out file: we need to see the versions of various things
 and what components (if any) suffer problems starting up.

  3. Here's a list of enabled ciphers using SSLInfo:
 
  #java -showversion SSLInfo

 Nice to see someone is getting some use out of that. ;)

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS
 JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ
 +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC
 f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6
 bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8
 m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE
 /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD
 SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB
 Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu
 RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH
 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+
 VCpWYwQ3I2qGEm5RBvbh
 =9FS1
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




-- 
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University

a-ko...@northwestern.edu


Re: Problem configuring SSL

2014-01-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alex,

On 1/7/14, 2:41 PM, Alex Kogan wrote:
 Gentlemen, thanks a lot for your help. I figured out what the
 problem was. It was not related to tomcat configuration, but to my
 keystore. The reason is that once you import a client certificate
 under the same alias as the private pair, they both get merged
 under the same alias inside keystore. Using keytool -delete
 command, meant to remove the certificate only, deletes the private
 pair as well. I noticed that once I dumped keystore content for my
 keystore and a keystore on one of my other servers. Luckily, I had
 a backup of the keystore I made right after it was created.
 Importing the certificates into that keystore resolved the issue.

Java keystores are a nightmare. I try to avoid them whenever possible.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSzFt/AAoJEBzwKT+lPKRYKRwQALT9qv2bOPss+nT1uGQ8WoMY
KC6GvvO5RuoHa8ggd/pu7YS6G6czwZnFOYvldOh7BjvKpwppTr/e8uj6FCUv2n4v
592RykM82+tXWFrWEyT7TTwoWPdYDrnIIYFnemndj3trXWXfgR1LIZhtYUIJMofr
+h5biqeRRBrldvlZFXJU874Pg2IrwcTyJ4YfT8/XC5/Q196MXHOh0MiDMVJJ91l8
d3c/D6TQ8NWFZTu84ES6aPCh9FwOSxJhHEAllZqcOzRvLuXFhBOw9II9Q/Tto7wM
ZKlKRZ8sPJGi42WWYgTvHGlSZ+8kk0HijgbL6uGhHYQ8yIXPL2Jwu0igDFSzUGrU
MXe2Pevg1bP2gI3idnmnW+jWjaMujxb5EKW7+N44BqPk2zl/OTZ5hVf/t1E1SCGo
BPsulhuQvgXWhlF6GxBdwj0bWLCj8bIqIaAbHd8egT+s5smtKjoNpcVfMNE4xTwO
vdM7/MOKBIxLZyRjSw1bQFaxKXYJVnIwQlQSM74SRxNop1qcQhca7EdPMNB0+ojx
yM0m3zJNCaVsxg8RQ39Yb11YdfvVjkODV7S4D2uolezmJ6vOLCvgrdnpEtRp5QGt
MnQTEH1WLb1kX2p9HboCeTLsGh+XTX9joDqfTObSyFOPyN9ESPcVLgzWdaykHwXE
og/LPVC23d0adUNMV0Fz
=Qkfm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Problem configuring SSL

2014-01-07 Thread Martin Gainty
  


 Date: Tue, 7 Jan 2014 14:41:15 -0500
 Subject: Re: Problem configuring SSL
 From: a-ko...@northwestern.edu
 To: users@tomcat.apache.org
 
 Gentlemen, thanks a lot for your help. I figured out what the problem was.
 It was not related to tomcat configuration, but to my keystore. The reason
 is that once you import a client certificate under the same alias as the
 private pair, they both get merged under the same alias inside keystore.
 Using keytool -delete command, meant to remove the certificate only,
 deletes the private pair as well. I noticed that once I dumped keystore
 content for my keystore and a keystore on one of my other servers. Luckily,
 I had a backup of the keystore I made right after it was created. Importing
 the certificates into that keystore resolved the issue.

MGI *hope* you enabled at least ONE cipher for SSL Connector
MGUsually the big players (Versign/Thawte) will provide valid CA cert/valid 
key in the supplied pfx
MGglad to hear that worked for you
 
 
 On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA256
 
  Alex,
 
  On 1/5/14, 12:30 PM, Alex Kogan wrote:
   I have a strange problem configuring SSL to work with Tomcat.
   Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
  
   It's a new Tomcat installation. All keystore operations were done
   with keytool. I imported CA root/intermediate certificate and
   client certificate, configured SSL connector in server.xml. I have
   this same setup on another server that works fine. Connecting to
   this server via http works.
  
   1. If I try to connect this address via https in Chrome I get:
   This Webpage is not available. In Firefox: Error code:
   ssl_error_no_cypher_overlap
 
  Sounds familiar.
 
  Please post your Connector configuration(s) from your server.xml
  file. Remember to remove any sensitive information from the configuration.
 
  Also please post all of the startup messages from Tomcat's
  logs/catalina.out file: we need to see the versions of various things
  and what components (if any) suffer problems starting up.
 
   3. Here's a list of enabled ciphers using SSLInfo:
  
   #java -showversion SSLInfo
 
  Nice to see someone is getting some use out of that. ;)
 
  - -chris
  -BEGIN PGP SIGNATURE-
  Version: GnuPG v1
  Comment: GPGTools - http://gpgtools.org
  Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
 
  iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS
  JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ
  +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC
  f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6
  bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8
  m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE
  /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD
  SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB
  Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu
  RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH
  4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+
  VCpWYwQ3I2qGEm5RBvbh
  =9FS1
  -END PGP SIGNATURE-
 
  -
  To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
  For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 
 
 -- 
 Software Engineer
 Department of Psychiatry and Behavioral Sciences
 Northwestern University
 
 a-ko...@northwestern.edu
  

Re: Problem configuring SSL

2014-01-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alex,

On 1/5/14, 12:30 PM, Alex Kogan wrote:
 I have a strange problem configuring SSL to work with Tomcat. 
 Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
 
 It's a new Tomcat installation. All keystore operations were done
 with keytool. I imported CA root/intermediate certificate and
 client certificate, configured SSL connector in server.xml. I have
 this same setup on another server that works fine. Connecting to
 this server via http works.
 
 1. If I try to connect this address via https in Chrome I get:
 This Webpage is not available. In Firefox: Error code: 
 ssl_error_no_cypher_overlap

Sounds familiar.

Please post your Connector configuration(s) from your server.xml
file. Remember to remove any sensitive information from the configuration.

Also please post all of the startup messages from Tomcat's
logs/catalina.out file: we need to see the versions of various things
and what components (if any) suffer problems starting up.

 3. Here's a list of enabled ciphers using SSLInfo:
 
 #java -showversion SSLInfo

Nice to see someone is getting some use out of that. ;)

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS
JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ
+d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC
f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6
bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8
m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE
/enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD
SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB
Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu
RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH
4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+
VCpWYwQ3I2qGEm5RBvbh
=9FS1
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org