Re: Problem configuring SSL
Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to tomcat configuration, but to my keystore. The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside keystore. Using keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped keystore content for my keystore and a keystore on one of my other servers. Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue. On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alex, On 1/5/14, 12:30 PM, Alex Kogan wrote: I have a strange problem configuring SSL to work with Tomcat. Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45 It's a new Tomcat installation. All keystore operations were done with keytool. I imported CA root/intermediate certificate and client certificate, configured SSL connector in server.xml. I have this same setup on another server that works fine. Connecting to this server via http works. 1. If I try to connect this address via https in Chrome I get: This Webpage is not available. In Firefox: Error code: ssl_error_no_cypher_overlap Sounds familiar. Please post your Connector configuration(s) from your server.xml file. Remember to remove any sensitive information from the configuration. Also please post all of the startup messages from Tomcat's logs/catalina.out file: we need to see the versions of various things and what components (if any) suffer problems starting up. 3. Here's a list of enabled ciphers using SSLInfo: #java -showversion SSLInfo Nice to see someone is getting some use out of that. ;) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6 bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8 m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+ VCpWYwQ3I2qGEm5RBvbh =9FS1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Software Engineer Department of Psychiatry and Behavioral Sciences Northwestern University a-ko...@northwestern.edu
Re: Problem configuring SSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alex, On 1/7/14, 2:41 PM, Alex Kogan wrote: Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to tomcat configuration, but to my keystore. The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside keystore. Using keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped keystore content for my keystore and a keystore on one of my other servers. Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue. Java keystores are a nightmare. I try to avoid them whenever possible. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJSzFt/AAoJEBzwKT+lPKRYKRwQALT9qv2bOPss+nT1uGQ8WoMY KC6GvvO5RuoHa8ggd/pu7YS6G6czwZnFOYvldOh7BjvKpwppTr/e8uj6FCUv2n4v 592RykM82+tXWFrWEyT7TTwoWPdYDrnIIYFnemndj3trXWXfgR1LIZhtYUIJMofr +h5biqeRRBrldvlZFXJU874Pg2IrwcTyJ4YfT8/XC5/Q196MXHOh0MiDMVJJ91l8 d3c/D6TQ8NWFZTu84ES6aPCh9FwOSxJhHEAllZqcOzRvLuXFhBOw9II9Q/Tto7wM ZKlKRZ8sPJGi42WWYgTvHGlSZ+8kk0HijgbL6uGhHYQ8yIXPL2Jwu0igDFSzUGrU MXe2Pevg1bP2gI3idnmnW+jWjaMujxb5EKW7+N44BqPk2zl/OTZ5hVf/t1E1SCGo BPsulhuQvgXWhlF6GxBdwj0bWLCj8bIqIaAbHd8egT+s5smtKjoNpcVfMNE4xTwO vdM7/MOKBIxLZyRjSw1bQFaxKXYJVnIwQlQSM74SRxNop1qcQhca7EdPMNB0+ojx yM0m3zJNCaVsxg8RQ39Yb11YdfvVjkODV7S4D2uolezmJ6vOLCvgrdnpEtRp5QGt MnQTEH1WLb1kX2p9HboCeTLsGh+XTX9joDqfTObSyFOPyN9ESPcVLgzWdaykHwXE og/LPVC23d0adUNMV0Fz =Qkfm -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Problem configuring SSL
Date: Tue, 7 Jan 2014 14:41:15 -0500 Subject: Re: Problem configuring SSL From: a-ko...@northwestern.edu To: users@tomcat.apache.org Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to tomcat configuration, but to my keystore. The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside keystore. Using keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped keystore content for my keystore and a keystore on one of my other servers. Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue. MGI *hope* you enabled at least ONE cipher for SSL Connector MGUsually the big players (Versign/Thawte) will provide valid CA cert/valid key in the supplied pfx MGglad to hear that worked for you On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alex, On 1/5/14, 12:30 PM, Alex Kogan wrote: I have a strange problem configuring SSL to work with Tomcat. Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45 It's a new Tomcat installation. All keystore operations were done with keytool. I imported CA root/intermediate certificate and client certificate, configured SSL connector in server.xml. I have this same setup on another server that works fine. Connecting to this server via http works. 1. If I try to connect this address via https in Chrome I get: This Webpage is not available. In Firefox: Error code: ssl_error_no_cypher_overlap Sounds familiar. Please post your Connector configuration(s) from your server.xml file. Remember to remove any sensitive information from the configuration. Also please post all of the startup messages from Tomcat's logs/catalina.out file: we need to see the versions of various things and what components (if any) suffer problems starting up. 3. Here's a list of enabled ciphers using SSLInfo: #java -showversion SSLInfo Nice to see someone is getting some use out of that. ;) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6 bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8 m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+ VCpWYwQ3I2qGEm5RBvbh =9FS1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Software Engineer Department of Psychiatry and Behavioral Sciences Northwestern University a-ko...@northwestern.edu
Re: Problem configuring SSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Alex, On 1/5/14, 12:30 PM, Alex Kogan wrote: I have a strange problem configuring SSL to work with Tomcat. Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45 It's a new Tomcat installation. All keystore operations were done with keytool. I imported CA root/intermediate certificate and client certificate, configured SSL connector in server.xml. I have this same setup on another server that works fine. Connecting to this server via http works. 1. If I try to connect this address via https in Chrome I get: This Webpage is not available. In Firefox: Error code: ssl_error_no_cypher_overlap Sounds familiar. Please post your Connector configuration(s) from your server.xml file. Remember to remove any sensitive information from the configuration. Also please post all of the startup messages from Tomcat's logs/catalina.out file: we need to see the versions of various things and what components (if any) suffer problems starting up. 3. Here's a list of enabled ciphers using SSLInfo: #java -showversion SSLInfo Nice to see someone is getting some use out of that. ;) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6 bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8 m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+ VCpWYwQ3I2qGEm5RBvbh =9FS1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
