Re: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread Christopher Schultz

Diarmuid,

On 9/1/15 1:06 PM, dmccrthy wrote:
> I am having trouble getting Tomcat to load a truststore and
> keystore.  This seems to be a basic configuration issue but I can't
> figure out what the problem is. Any insights would be gratefully
> received.
> 
> The scenario is:
> 
> * A 3rd party web application is deployed in Tomcat
> * The 3rd party web application is making outbound HTTPS connections to a 3rd
> party web service
> * Tomcat JVM parameters are configured with
> 
> -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
> -Djavax.net.ssl.keyStorePassword=

The above will all act as defaults for the Java-based HTTP(s) connectors.

> -Dhttps.protocols="TLSv1"

I don't believe this setting will do anything to Tomcat... at least,
it's not documented to do so.

Let's focus on the keystore to start, and then get client certs working.

How many certs do you have in your keystore? Did you specify an
"alias" for the key you'd like to use for the server?

For my money, I'd forget the system properties and use an explicit set
of configuration parameters on my <Connector> element. Can you post
your <Connector> configuration?

[
Looking back at this after writing the rest of this reply: are you
trying to host an HTTPS service *at all*? If not, forget about the
keystore entirely because it's not necessary even a little bit. Just
in case it helps clear-up any confusion, here are when these two
things matter:

1. keystore - useful in 2 separate circumstances:
  a. You are setting up an HTTPS listener when you
 have a server certificate. The server's certificate and private key
 go into the keystore, along with any other certificates you may
 need or in order to form a chain of trust from your CA (e.g.
 VeriSign) down to your own key
  b. You are making outgoing connections to an HTTPS service and you
 need to present a client certificate to the server

2. truststore - useful in 2 separate circumstances:
  a. You have an HTTPS listener and you want to validate client
 certificates of clients connecting TO YOU
  b. You want to make outgoing connections to an HTTPS service
 and YOU WANT TO VALIDATE THE SERVER'S CERTIFICATE against the
 certs in your trust store. This allows you, for example, to
 connect to a server with a self-signed cert, or one signed by
 a CA that Java doesn't trust out-of-the-box

You need to be very clear about what you are trying to do because it's
about as clear as mud right now.
]

> 1) Openssl with MA parameters connects with no errors
> 
> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile 
> server-cert-with-intermediate-and-root-in-one-file.cer -cert 
> client-public-key.cer -key client-private-key.key -pass 
> pass:client-private-key-password
> 
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol  : TLSv1
> Cipher: AES256-SHA
> Session-ID: 893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
> Session-ID-ctx:
> Master-Key: 89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
> Key-Arg   : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1441125595
> Timeout   : 7200 (sec)
> Verify return code: 0 (ok)

Is the other client connecting with SSL instead of TLS handshake?

> 2) A standalone Java program with a couple of lines to open a
> HTTPS connection to the 3rd party certificate works.  This uses the
> same truststore and keystore
> 3) SoapUI works using the same truststore and keystore

SoapUI as a server or as a client? Or both?

> 4) Our 3rd party vendor can connect
> 5) I have googled various phrases like "Tomcat JVM not loading truststore".
> There are hundreds of examples involving HTTPS connectors and/or
> configuration errors.  However we are not using server-side
> connectors and I can't see anything wrong with the configuration.

What's a "server-side connector"?

> The only potential hit I found for a defect was in Tomcat 6
> http://tomcat.10.x6.nabble.com/configured-truststore-ignored-by-tomcat-td4986884.html
> 
> 6) I tried installing a HTTPS connector in our Tomcat client
> instance. This then shows that the truststore is being loaded, but
> it is not used by the outbound HTTPS client connections

How are you making an outbound client connection? Haven't we been over
this just this week? Tomcat doesn't make any outgoing connections, so
if you want to use a trust store you'll have to arrange for that trust
store to be used by whatever client connection you are making (e.g.
HttpsURLConnection, Apache hc-client, etc.).

> 7) Tried playing with the format of the file paths by adding double
> quotes, changing the path 
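Chris's point about binding the stores to the client connection itself (keystore scenario 1b, truststore scenario 2b), shown as an added Java example that is not code from the thread: it builds an SSLContext from an explicit keystore and truststore and uses it for one HttpsURLConnection, and first checks that the keystore really holds a private-key entry, since a certificate-only entry never yields a client certificate in the handshake. The store paths and host:port are the thread's; the passwords, the key password and the URL path are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Outbound mutual-TLS client that loads its keystore and truststore explicitly
 * instead of relying on the javax.net.ssl.* system properties.
 * Passwords and the URL path are placeholders (assumed, not taken from the thread).
 */
public class ExplicitMutualTlsClient {

    static final String KEYSTORE_PATH   = "d:\\Tomcat_ENV1\\conf\\DWCHASSMESA002_keystore.jks";
    static final String TRUSTSTORE_PATH = "d:\\Tomcat_ENV1\\conf\\tomcat_truststore.jks";
    static final char[] KEYSTORE_PASSWORD   = "changeit".toCharArray();   // placeholder
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();   // placeholder
    static final String SERVICE_URL = "https://server-dns-name:15305/";   // path assumed

    static KeyStore loadStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * A client certificate is only ever sent if the keystore holds a PrivateKeyEntry.
     * A trustedCertEntry (certificate without private key) is ignored by the X509KeyManager,
     * and the client then answers the server's CertificateRequest with an empty chain.
     * Returns the number of private-key entries found.
     */
    static int countPrivateKeyEntries(KeyStore keyStore) throws Exception {
        int count = 0;
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean isKey = keyStore.isKeyEntry(alias);
            System.out.println((isKey ? "PrivateKeyEntry  " : "trustedCertEntry ") + alias);
            if (isKey) {
                count++;
            }
        }
        return count;
    }

    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        // Key manager: presents the client certificate. The password is the key-entry password,
        // which keytool sets equal to the store password unless one was given explicitly.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        // Trust manager: validates the server's certificate chain against the truststore only.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore keyStore   = loadStore(KEYSTORE_PATH, "JKS", KEYSTORE_PASSWORD);
        KeyStore trustStore = loadStore(TRUSTSTORE_PATH, "JKS", TRUSTSTORE_PASSWORD);

        if (countPrivateKeyEntries(keyStore) == 0) {
            throw new IllegalStateException("keystore has no private key: no client certificate can be sent");
        }

        SSLContext ctx = buildContext(keyStore, KEYSTORE_PASSWORD, trustStore);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(SERVICE_URL).openConnection();
        // Scoped to this connection only; Tomcat's own connectors and the rest of the JVM are untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run it with -Djavax.net.debug=ssl from the same JVM arguments as Tomcat: the "found key for : <alias>" line the original post was looking for should appear when the key manager has a usable private key.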

RE: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread jeffery.scott.crump

>> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile 
>> server-cert-with-intermediate-and-root-in-one-file.cer -cert 
>> client-public-key.cer -key client-private-key.key -pass 
>> pass:client-private-key-password

I've had trouble when there are more certificates packaged in the same file as 
the root certificate. If you can separate the certificates your problem should 
go away.

Jeff Crump



RE: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread George Stanchev
Hi Diarmuid,

We have run into a similar issue with client cert SSL. Is your 3rd party web service 
hosted on Windows/IIS? 

George

-Original Message-
From: dmccrthy [mailto:dmccr...@gmail.com] 
Sent: Tuesday, September 01, 2015 11:07 AM
To: Tomcat Users List
Subject: Tomcat 7.0.55 Not loading truststore or keystore

Hi All,

I am having trouble getting Tomcat to load a truststore and keystore.  This 
seems to be a basic configuration issue but I can't figure out what the problem 
is. Any insights would be gratefully received.

The scenario is:

* A 3rd party web application is deployed in Tomcat
* The 3rd party web application is making outbound HTTPS connections to a 3rd 
party web service
* Tomcat JVM parameters are configured with

   -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
   -Djavax.net.ssl.trustStorePassword=
   -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
   -Djavax.net.ssl.keyStorePassword=
   -Dhttps.protocols="TLSv1"
   -Djavax.net.debug=ALL

* Both truststore and keystore are JKS
* Mutual authentication is used for the SSL handshake
* There are no errors in the Tomcat logs to indicate a problem with the 
truststore and keystore
* The Tomcat logs show the server-side certificate being downloaded but not 
reporting the expected lines

  Found trusted certificate:
  matching alias: 

  Or for the keystore, I am expecting to see a log that it is loading the 
keystore (example below), but there is no sign that the keystore is being 
loaded. I got the log extract below from a standalone java client which 
successfully connects using MA to the remote service.

  keyStore is : c:\temp\DWCHASSMESA002.pfx
  keyStore type is : PKCS12
  keyStore provider is :
  init keystore
  init keymanager of type SunX509

  ***
  found key for : dwchassmesa002
  chain [0] = [

* The Tomcat logs show that the SSL handshake gets as far as the 
ClientKeyExchange, but there is no client certificate sent and the handshake 
terminates with "Software caused connection abort: recv failed".
On DataPower the error is that the client is not sending the certificate.


http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:

[read] MD5 and SHA1 hashes:  len = 9
: 0D 00 00 05 02 01 02 00   00   .
*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
: 0E 00 00 00
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[write] MD5 and SHA1 hashes:  len = 269

http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269
[Raw write]: length = 274
: 16 03 01 01 0D 0B 00 00   03 00 00 00 10 00 01 02

0110: 2E 32  .2
SESSION KEYGEN:
PreMaster Secret:

http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48
http-bio-8080-exec-2, waiting for close_notify or alert: state 1
http-bio-8080-exec-2, Exception while waiting for close
java.net.SocketException: Software caused connection abort: recv failed
http-bio-8080-exec-2, handling exception: java.net.SocketException: Software caused connection abort: recv failed
%% Invalidated:  [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA]
http-bio-8080-exec-2, called close()
http-bio-8080-exec-2, called closeInternal(true)
http-bio-8080-exec-2, called closeSocket(

We are using the software below on the client environment:

* Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
* Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
* JCE Unlimited Security: No
* Apache Tomcat/7.0.55
* Microsoft Windows Server 2008 R2 Enterprise 64-bit

Analysis Steps
==============

1) Openssl with MA parameters connects with no errors

openssl s_client -tls1 -connect server-dns-name:15305 -CAfile 
server-cert-with-intermediate-and-root-in-one-file.cer -cert 
client-public-key.cer -key client-private-key.key -pass 
pass:client-private-key-password

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1
Cipher: AES256-SHA
Session-ID:
893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
Session-ID-ctx:
Master-Key:
89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1441125595
   Timeout   : 7200 (sec)
Verify return code: 0 (ok)

2) A standalone Java program with a couple of lines to open a HTTPS connection 
to the 3rd party certificate works.  This uses the same truststore and keystore
3) SoapUI works using the same truststore and keystore
4) Our 3rd party vendor can connect
5) I have googled various phrases like "Tomcat JVM not loading truststore".  
There are hundreds of examples 
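The "[Raw write]" bytes in the Tomcat debug log quoted above can be decoded to confirm what DataPower reports. As an added example, not part of the thread, this decoder parses the 16 bytes shown from that 274-byte record: a TLSv1 Handshake record of 269 bytes holding a Certificate message (type 0x0B) whose certificate_list length is zero, followed by the ClientKeyExchange (type 0x10, 258 bytes). An empty Certificate message is what JSSE writes when its key manager chooses no alias, which matches the missing "found key for" line in the Tomcat log.

```java
import java.util.ArrayList;
import java.util.List;

/** Decodes the handshake messages inside one TLS record taken from a JSSE "[Raw write]" hex dump. */
public class HandshakeRecordDecoder {

    // The first 16 of the 274 bytes in the Tomcat log's raw write; the rest is not on the page.
    static final String RAW_WRITE_PREFIX = "16 03 01 01 0D 0B 00 00   03 00 00 00 10 00 01 02";

    static final int CONTENT_TYPE_HANDSHAKE = 0x16;
    static final int HS_CERTIFICATE = 0x0B;
    static final int HS_CERTIFICATE_VERIFY = 0x0F;
    static final int HS_CLIENT_KEY_EXCHANGE = 0x10;

    static byte[] hexToBytes(String hex) {
        String[] parts = hex.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = (byte) Integer.parseInt(parts[i], 16);
        }
        return out;
    }

    static int u8(byte[] b, int i)  { return b[i] & 0xFF; }
    static int u16(byte[] b, int i) { return (u8(b, i) << 8) | u8(b, i + 1); }
    static int u24(byte[] b, int i) { return (u8(b, i) << 16) | u16(b, i + 1); }

    static String handshakeName(int type) {
        switch (type) {
            case HS_CERTIFICATE:         return "Certificate";
            case HS_CERTIFICATE_VERIFY:  return "CertificateVerify";
            case HS_CLIENT_KEY_EXCHANGE: return "ClientKeyExchange";
            default:                     return "HandshakeType(" + type + ")";
        }
    }

    /** Returns one description per handshake message found in the (possibly truncated) record. */
    public static List<String> decode(byte[] b) {
        List<String> out = new ArrayList<>();
        if (b.length < 5 || u8(b, 0) != CONTENT_TYPE_HANDSHAKE) {
            throw new IllegalArgumentException("not a TLS Handshake record");
        }
        int recordLen = u16(b, 3);
        out.add(String.format("Handshake record, version 0x%04X, fragment length %d", u16(b, 1), recordLen));
        int end = Math.min(b.length, 5 + recordLen);
        int pos = 5;
        while (pos + 4 <= end) {                  // handshake header: 1-byte type + 24-bit length
            int type = u8(b, pos);
            int len = u24(b, pos + 1);
            StringBuilder desc = new StringBuilder(handshakeName(type))
                    .append(", body ").append(len).append(" bytes");
            if (type == HS_CERTIFICATE && pos + 7 <= end) {
                int chainLen = u24(b, pos + 4);   // certificate_list length
                desc.append(chainLen == 0
                        ? ", EMPTY certificate chain (client presented no certificate)"
                        : ", certificate chain " + chainLen + " bytes");
            }
            if (pos + 4 + len > end) {
                desc.append(" [body truncated in dump]");
            }
            out.add(desc.toString());
            pos += 4 + len;
        }
        return out;
    }

    public static void main(String[] args) {
        for (String line : decode(hexToBytes(RAW_WRITE_PREFIX))) {
            System.out.println(line);
        }
    }
}
```

The lengths also reconcile with the log: 5-byte record header + 7-byte Certificate + 262-byte ClientKeyExchange = 274 bytes written, 269 of them handshake fragment.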

Re: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread dmccrthy
Hi Chris,

Thanks for replying. This is a different 3rd party service we're connecting
to, but again it's a weird one because other tools work. I've included
responses below prefixed with [DMC].

Regards,
Diarmuid

On 1 Sep 2015 20:57, "Christopher Schultz" 
wrote:
>
> Diarmuid,
>
> On 9/1/15 1:06 PM, dmccrthy wrote:
> > I am having trouble getting Tomcat to load a truststore and
> > keystore.  This seems to be a basic configuration issue but I can't
> > figure out what the problem is. Any insights would be gratefully
> > received.
> >
> > The scenario is:
> >
> > * A 3rd party web application is deployed in Tomcat
> > * The 3rd party web application is making outbound HTTPS connections to a 3rd
> > party web service
> > * Tomcat JVM parameters are configured with
> >
> > -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
> > -Djavax.net.ssl.trustStorePassword=
> > -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
> > -Djavax.net.ssl.keyStorePassword=
>
> The above will all act as defaults for the Java-based HTTP(s) connectors.
>
> > -Dhttps.protocols="TLSv1"
>
> I don't believe this setting will do anything to Tomcat... at least,
> it's not documented to do so.

[DMC] Using this setting fixed our previous problem whereby outgoing HTTPS
connections from Tomcat experienced SSL handshake issues when the handshake
involved a negotiation from TLSv1.2 to TLSv1. Forcing the handshake to use
TLSv1 resolved the problem.

>
> Let's focus on the keystore to start, and then get client certs working.
>
> How many certs do you have in your keystore? Did you specify an
> "alias" for the key you'd like to use for the server?

[DMC] Just the client public/private key pair needed for the MA handshake.

>
> For my money, I'd forget the system properties and use an explicit set
> of configuration parameters on my <Connector> element. Can you post
> your <Connector> configuration?
>
> [
> Looking back at this after writing the rest of this reply: are you
> trying to host an HTTPS service *at all*?

[DMC] No, I just tried using a HTTPS connector to see if Tomcat would load
the truststore, and it did. But our scenario is for outgoing client HTTPS
connections so it doesn't help that.

> If not, forget about the
> keystore entirely because it's not necessary even a little bit. Just
> in case it helps clear-up any confusion, here are when these two
> things matter:
>
> 1. keystore - useful in 2 separate circumstances:
>   a. You are setting up an HTTPS listener when you
>  have a server certificate. The server's certificate and private key
>  go into the keystore, along with any other certificates you may
>  need or in order to form a chain of trust from your CA (e.g.
>  VeriSign) down to your own key
>   b. You are making outgoing connections to an HTTPS service and you
>  need to present a client certificate to the server

[DMC] We're using scenario (b)

>
> 2. truststore - useful in 2 separate circumstances:
>   a. You have an HTTPS listener and you want to validate client
>  certificates of clients connecting TO YOU
>   b. You want to make outgoing connections to an HTTPS service
>  and YOU WANT TO VALIDATE THE SERVER'S CERTIFICATE against the
>  certs in your trust store. This allows you, for example, to
>  connect to a server with a self-signed cert, or one signed by
>  a CA that Java doesn't trust out-of-the-box
>
> You need to be very clear about what you are trying to do because it's
> about as clear as mud right now.
> ]

[DMC] Sorry for the ambiguity, we're using scenario (b), outgoing client
connections. The server cert is signed by GeoTrust but we don't have the
full CA chain in the truststore, only the server cert.

>
> > 1) Openssl with MA parameters connects with no errors
> >
> > openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> > server-cert-with-intermediate-and-root-in-one-file.cer -cert
> > client-public-key.cer -key client-private-key.key -pass
> > pass:client-private-key-password
> >
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> > Protocol  : TLSv1
> > Cipher: AES256-SHA
> > Session-ID: 893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
> > Session-ID-ctx:
> > Master-Key: 89ABDA0ED080567E0CB8494AC236B107B7430A5487986BE7F3B468AF81B19BC27FD9C7D3EBC46280B9A608E5517D447C
> > Key-Arg   : None
> > PSK identity: None
> > PSK identity hint: None
> > SRP username: None
> > Start Time: 1441125595
> > Timeout   : 7200 (sec)
> > Verify return code: 0 (ok)
>
> Is the other client connecting with SSL instead of TLS handshake?

[DMC] I'll have to double check, but the key thing I've been focusing on is
that the standalone Java client logs the fact that it's loading the
truststore, checking the server cert 

RE: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread dmccrthy
Hi Jeff,

Our client keystore has one certificate, but the truststore has multiple
certs. I'll try removing  everything from the truststore except the server
cert and see what happens.

Thanks,
Diarmuid
On 1 Sep 2015 19:53, <jeffery.scott.cr...@gmail.com> wrote:

>
> >> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> server-cert-with-intermediate-and-root-in-one-file.cer -cert
> client-public-key.cer -key client-private-key.key -pass
> pass:client-private-key-password
>
> I've had trouble when there are more certificate packaged in the same file
> as the root certificate. If you can separate the certificates your problem
> should go away.
>
> Jeff Crump

Re: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread dmccrthy
Ah. No, our client cert is signed by a self-signed root. But only the
client cert is in the keystore and only the client cert is registered on
the Datapower server. I can connect using the same keystore with a
standalone Java client that just opens a URL connection and input stream,
and also with SoapUI as a client. But not with our client app deployed in
Tomcat.

Regards,
Diarmuid
On 1 Sep 2015 22:23, <jeffery.scott.cr...@gmail.com> wrote:

> I'm referring to when a certificate is a combo such as a GoDaddy  g1_g2
> root. The intermediate is usually fine.

Re: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread jeffery.scott.crump
I'm referring to when a certificate is a combo such as a GoDaddy  g1_g2 root. 
The intermediate is usually fine.

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: dmccrthy
Sent: Tuesday, September 1, 2015 4:12 PM
To: Tomcat Users List
Reply To: Tomcat Users List
Subject: RE: Tomcat 7.0.55 Not loading truststore or keystore

Hi Jeff,

Our client keystore has one certificate, but the truststore has multiple
certs. I'll try removing everything from the truststore except the server
cert and see what happens.

Thanks,
Diarmuid
On 1 Sep 2015 19:53, <jeffery.scott.cr...@gmail.com> wrote:

>
> >> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> server-cert-with-intermediate-and-root-in-one-file.cer -cert
> client-public-key.cer -key client-private-key.key -pass
> pass:client-private-key-password
>
> I've had trouble when there are more certificate packaged in the same file
> as the root certificate. If you can separate the certificates your problem
> should go away.
>
> Jeff Crump
>
>
> Sent from Mail for Windows 10
>
>
>
> From: George Stanchev
> Sent: Tuesday, September 1, 2015 1:02 PM
> To: Tomcat Users List
> Subject: RE: Tomcat 7.0.55 Not loading truststore or keystore
>
>
> Hi Diarmuid,
>
> We have run similar issue with client cert SSL. Is your 3rd party web
> service hosted on Windows/IIS?
>
> George
>
> -Original Message-
> From: dmccrthy [mailto:dmccr...@gmail.com]
> Sent: Tuesday, September 01, 2015 11:07 AM
> To: Tomcat Users List
> Subject: Tomcat 7.0.55 Not loading truststore or keystore
>
> Hi All,
>
> I am having trouble getting Tomcat to load a truststore and keystore.
> This seems to be a basic configuration issue but I can't figure out what
> the problem is. Any insights would be gratefully received.
>
> The scenario is:
>
> * A 3rd party web application is deployed in Tomcat
> * The 3rrd party web application is making outbound HTTPS connections to a
> 3rd party web service
> * Tomcat JVM parameters are configured with
>
> -Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
> -Djavax.net.ssl.trustStorePassword=
> -Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
> -Djavax.net.ssl.keyStorePassword=
> -Dhttps.protocols="TLSv1"
> -Djavax.net.debug=ALL
>
> * Both truststore and keystore are JKS
> * Mutual authentication is used for the SSL handshake
> * There are no errors in the Tomcat logs to indicate a problem with the
> truststore and keystore
> * The Tomcat logs show the server-side certificate being downloaded but
> not reporting the expected lines
>
> Found trusted certificate:
> matching alias: 
>
> Or for the keystore, I am expecting to see a log that it is loading the
> keystore (example below), but there is no sign that the keystore is being
> loaded. I got the log extract below from a standalone java client which
> successfully connects using MA to the remote service.
>
> keyStore is : c:\temp\DWCHASSMESA002.pfx
> keyStore type is : PKCS12
> keyStore provider is :
> init keystore
> init keymanager of type SunX509
>
> ***
> found key for : dwchassmesa002
> chain [0] = [
>
> * The Tomcat logs show that the SSL handshake gets as far as the
> ClientKeyExchange, but there is no client certificate sent and the
> handshake terminates with "Software caused connection abort: recv failed".
> On DataPower the error is that the client is not sending the certificate.
>
> 
> http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
> *** CertificateRequest
> Cert Types: RSA, DSS
> Cert Authorities:
> 
>
> [read] MD5 and SHA1 hashes: len = 9
> : 0D 00 00 05 02 01 02 00 00 .
> *** ServerHelloDone
> [read] MD5 and SHA1 hashes: len = 4
> : 0E 00 00 00 
> *** Certificate chain
> ***
> *** ClientKeyExchange, RSA PreMasterSecret, TLSv1 [write] MD5 and SHA1
> hashes: len = 269
>
> 
> http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269 [Raw write]:
> length = 274
> : 16 03 01 01 0D 0B 00 00 03 00 00 00 10 00 01 02 
> 
>
> 0110: 2E 32 .2
> SESSION KEYGEN:
> PreMaster Secret:
> 
>
> http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48
> http-bio-8080-exec-2, waiting for close_notify or alert: state 1
> http-bio-8080-exec-2, Exception while waiting for close
> java.net.SocketException: Software caused connection abort: recv failed
> http-bio-8080-exec-2, handling exception: java.net.SocketException:
> Software caused connection abort: recv failed %% Invalidated:
> [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA] http-bio-8080-exec-2, called
> close() http-bio
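Editorial note on the quoted log above: the "keyStore is :" / "found key for :" lines that the standalone client prints come from the JSSE default key manager, which is the only component that reads the javax.net.ssl.keyStore system properties. An SSLContext that an application builds itself and initialises with a null KeyManager array gets a key manager that holds no keys at all, while the default trust manager still honours javax.net.ssl.trustStore; that combination verifies the server certificate but answers a CertificateRequest with an empty Certificate message. The check below is an added example, not code from the thread, from Tomcat or from the 3rd party application. It runs with the same -D flags as the Tomcat JVM plus the HTTPS URL as its only argument, loads both stores explicitly, refuses to continue if the keystore has no private-key entry, and wraps the key manager so every client-alias decision (including the issuer list taken from the server's CertificateRequest) is printed. The class name, the LoggingKeyManager wrapper and the choice of "TLSv1" (matching what the quoted handshake negotiates; use TLSv1.2 or later where the peer allows it) are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/* Usage (hypothetical class name):
 *   java -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=... \
 *        -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=... \
 *        MutualTlsCheck https://server-dns-name:15305/
 */
public class MutualTlsCheck {

    /** Delegating key manager that prints each chooseClientAlias() decision. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;

        LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            // issuers is the CA list from the server's CertificateRequest; SunX509
            // treats an empty list as "any issuer", so an empty list alone is not fatal.
            System.out.println("chooseClientAlias(" + Arrays.toString(keyTypes) + ", "
                + (issuers == null ? 0 : issuers.length) + " issuers) -> " + alias);
            return alias;
        }
        public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
        public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
        public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    /** Loads a store from the path given by a javax.net.ssl.* property; fails loudly if unset. */
    static KeyStore loadStore(String path, String type, char[] password) throws Exception {
        if (path == null) {
            throw new IllegalStateException("keystore/truststore system property is not set");
        }
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** A keystore without a private-key entry can never satisfy a CertificateRequest. */
    static int countPrivateKeyEntries(KeyStore ks) throws Exception {
        int count = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                count++;
                System.out.println("found key for : " + alias); // same line JSSE debug prints
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        char[] keyPass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        char[] trustPass = System.getProperty("javax.net.ssl.trustStorePassword", "").toCharArray();
        KeyStore keyStore = loadStore(System.getProperty("javax.net.ssl.keyStore"),
            System.getProperty("javax.net.ssl.keyStoreType", "JKS"), keyPass);
        KeyStore trustStore = loadStore(System.getProperty("javax.net.ssl.trustStore"),
            System.getProperty("javax.net.ssl.trustStoreType", "JKS"), trustPass);

        if (countPrivateKeyEntries(keyStore) == 0) {
            System.err.println("keystore holds only trusted-cert entries; no client cert can be sent");
            System.exit(2);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, keyPass);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Explicit init: the key managers are handed in rather than left to the
        // defaults, so this context sends a client cert whether or not the
        // javax.net.ssl.keyStore properties were ever consulted.
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(kms, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If this check prints "found key for" and a non-null alias from chooseClientAlias but the deployed application still sends an empty Certificate message, the stores and the JVM flags are fine and the application is building its own SSLContext (or its own HTTP client) without those key managers; the fix then belongs in the application's SSL configuration, not in catalina's JVM options.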

RE: Tomcat 7.0.55 Not loading truststore or keystore

2015-09-01 Thread dmccrthy
Hi George,

The 3rd party service is behind IBM Datapower. Datapower is reporting that
our HTTPS client connections aren't sending the client certificate as part
of the MA handshake. I'll double-check what the actual service is running
on behind that, but according to our 3rd party application team the
connections aren't getting that far.

Thanks,
Diarmuid
On 1 Sep 2015 19:03, "George Stanchev"  wrote:

> Hi Diarmuid,
>
> We have run similar issue with client cert SSL. Is your 3rd party web
> service hosted on Windows/IIS?
>
> George
>
> -Original Message-
> From: dmccrthy [mailto:dmccr...@gmail.com]
> Sent: Tuesday, September 01, 2015 11:07 AM
> To: Tomcat Users List
> Subject: Tomcat 7.0.55 Not loading truststore or keystore
>
> Hi All,
>
> I am having trouble getting Tomcat to load a truststore and keystore.
> This seems to be a basic configuration issue but I can't figure out what
> the problem is. Any insights would be gratefully received.
>
> The scenario is:
>
> * A 3rd party web application is deployed in Tomcat
> * The 3rd party web application is making outbound HTTPS connections to a
> 3rd party web service
> * Tomcat JVM parameters are configured with
>
>-Djavax.net.ssl.trustStore=d:\Tomcat_ENV1\conf\tomcat_truststore.jks
>-Djavax.net.ssl.trustStorePassword=
>-Djavax.net.ssl.keyStore=d:\Tomcat_ENV1\conf\DWCHASSMESA002_keystore.jks
>-Djavax.net.ssl.keyStorePassword=
>-Dhttps.protocols="TLSv1"
>-Djavax.net.debug=ALL
>
> * Both truststore and keystore are JKS
> * Mutual authentication is used for the SSL handshake
> * There are no errors in the Tomcat logs to indicate a problem with the
> truststore and keystore
> * The Tomcat logs show the server-side certificate being downloaded but
> not reporting the expected lines
>
>   Found trusted certificate:
>   matching alias: 
>
>   Or for the keystore, I am expecting to see a log that it is loading the
> keystore (example below), but there is no sign that the keystore is being
> loaded. I got the log extract below from a standalone java client which
> successfully connects using MA to the remote service.
>
>   keyStore is : c:\temp\DWCHASSMESA002.pfx
>   keyStore type is : PKCS12
>   keyStore provider is :
>   init keystore
>   init keymanager of type SunX509
>
>   ***
>   found key for : dwchassmesa002
>   chain [0] = [
>
> * The Tomcat logs show that the SSL handshake gets as far as the
> ClientKeyExchange, but there is no client certificate sent and the
> handshake terminates with "Software caused connection abort: recv failed".
> On DataPower the error is that the client is not sending the certificate.
>
> 
> http-bio-8080-exec-2, READ: TLSv1 Handshake, length = 13
> *** CertificateRequest
> Cert Types: RSA, DSS
> Cert Authorities:
> 
>
> [read] MD5 and SHA1 hashes:  len = 9
> : 0D 00 00 05 02 01 02 00   00   .
> *** ServerHelloDone
> [read] MD5 and SHA1 hashes:  len = 4
> : 0E 00 00 00
> *** Certificate chain
> ***
> *** ClientKeyExchange, RSA PreMasterSecret, TLSv1 [write] MD5 and SHA1
> hashes:  len = 269
>
> 
> http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 269 [Raw write]:
> length = 274
> : 16 03 01 01 0D 0B 00 00   03 00 00 00 10 00 01 02  
> 
>
> 0110: 2E 32  .2
> SESSION KEYGEN:
> PreMaster Secret:
> 
>
> http-bio-8080-exec-2, WRITE: TLSv1 Handshake, length = 48
> http-bio-8080-exec-2, waiting for close_notify or alert: state 1
> http-bio-8080-exec-2, Exception while waiting for close
> java.net.SocketException: Software caused connection abort: recv failed
> http-bio-8080-exec-2, handling exception: java.net.SocketException:
> Software caused connection abort: recv failed %% Invalidated:
> [Session-163, TLS_RSA_WITH_AES_128_CBC_SHA] http-bio-8080-exec-2, called
> close() http-bio-8080-exec-2, called closeInternal(true)
> http-bio-8080-exec-2, called closeSocket(
>
> We are using the software below on the client environment:
>
> * Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
> * Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)
> * JCE Unlimited Security: No
> * Apache Tomcat/7.0.55
> * Microsoft Windows Server 2008 R2 Enterprise 64-bit
>
> Analysis Steps
> ==
>
> 1) OpenSSL connects with MA parameters with no errors
>
> openssl s_client -tls1 -connect server-dns-name:15305 -CAfile
> server-cert-with-intermediate-and-root-in-one-file.cer -cert
> client-public-key.cer -key client-private-key.key -pass
> pass:client-private-key-password
>
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol  : TLSv1
> Cipher: AES256-SHA
> Session-ID:
> 893D24420CC89DED5E8E0E18C3D97270C3DD04B7A4B86602D5B34FC5E58DDE8F
> Session-ID-ctx:
> Master-Key:
>