Hey Ankit,
I found the bug and hope you can test my fix at cvs head.
Thanks
Peter
Ankit Shah schrieb:
Hi Peter,
Thanks for your response. I double-checked to make sure that secure="true"
is present. Also, the admin app does write out that attribute. It is
indeed the missing sslProtocol attribute that's the root of all problems.
Here are the 2 connector elements from configs:
Configured Manually. Works fine:
<Connector port="1443"
maxThreads="15" minSpareThreads="5" maxSpareThreads="10"
enableLookups="false" disableUploadTimeout="true"
maxKeepAliveRequests="1"
acceptCount="10" debug="0" scheme="https" secure="true"
keystorePass="mypassword"
keystoreFile="c:\path\to\certificate\file"
clientAuth="false" sslProtocol="TLS" />
Saved by Admin App: Breaks
<Connector port="1443" scheme="https" secure="true"
keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
maxSpareThreads="10" debug="0" maxThreads="15"
maxKeepAliveRequests="1" minSpareThreads="5
clientAuth="false" acceptCount="10" />
To fix the above so that it works:
<Connector port="1443" scheme="https" secure="true"
keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
maxSpareThreads="10" debug="0" maxThreads="15"
maxKeepAliveRequests="1" minSpareThreads="5
clientAuth="false" acceptCount="10" sslProtocol="TLS" />
Note that secure="true" is printed out by the admin app
I have been investigating the source code to track the file that is doing
the job of saving the connector configuration to disk. It should be one of
the files belonging to the storeconfig.jar classes. As a stop-gap
arrangement i might tweak the code to force printing that attribute and
over-ride all checks for just that attribute. (Messy ... but it will work
until a more thorough investigation is done. Everyone knows how deadlines
go ... ;) )
Thanks again,
Ankit
[EMAIL PROTECTED]
05/15/2005 06:55 PM
Please respond to
"Tomcat Users List" <[EMAIL PROTECTED]>
To
[email protected]
cc
Subject
tomcat-user Digest 15 May 2005 22:55:08 -0000 Issue 5626
---- Message from Peter Rossbach <[EMAIL PROTECTED]> on Sun, 15 May 2005
20:16:01 +0200 -----
To:
Tomcat Users List <[email protected]>
Subject:
Re: Admin Application messes up HTTPS Connectors in server.xml
Hey Ankit,
can it be that you forget the secure="true" attribute at your https
connector?
I have look inside Http11Protocol code and find this:
public void setProtocol( String k ) {
setSecure(true);
setAttribute("protocol", k);
}
The sslProtocol="TLS" is the default and the StoreConfig
handler delete all defaults before saving.
This is really a bad side effect, but with correct secure attribute
setting it works for me!
This https config is also documented at:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/ssl-howto.html
When problem still exists, please send your working and breaking
Connector element config from server.xml
Thanks
Peter
Ankit Shah schrieb:
Hi,
The Tomcat admin utility doesn't save the HTTPS connectors properly. It
misses out the 'sslProtocol' attribute and this results in the failed
connector. Does anyone have a fix around this?
The following is the current state of our server:
Tomcat 5.5.9 with 1.4.2 compatibility add-on.
JRE version 1.4.2_05
My Tests and results:
About certificates:
We are using our own keytool generated unsigned certificates.
Everytime i point firefox to the admin app, it will present the
certificate for my approval. I temporarily accept the certificate for my
session.
1. Install tomcat, configure an HTTPS connector
Run the admin app and change a parameter (acceptCount in my case:
raised it from 8 to 10) and click Save and then Commit Changes
Restart tomcat. Restart Firefox. Pointing the browser to the
admin
app homepage will not load anything.
No Certificate presented!!
2. Manually did a diff on server.xml and server.xml.<backup> . The
difference is the missing 'sslProtocol' attribute. The docs say this
attribute is optional, but that doesn't seem like the case. Added the
attribute manually
sslProtocol="TLS"
Restart Tomcat. Restart Firefox. Certificate presented. Admin App
Homepage Loaded.
3. By seeing the server.xml written out by Admin app, it is clear that
only attributes with non-default values are written out.
From the admin app, set SSL Protocol field's value to SSL. Save.
Commit Changes
Restart Tomcat. Restart Firefox. NO Certificate Presented. Admin
App homepage NOT loaded.
In server.xml - sslProtocol attribute is NOT written out.
I also inspected the logs (Generated by Log4J and logging level set to
debug)
Upon save:
bean is updated with sslProtocol's new value
Upon Commit:
the list of attributes for the connector doesn't have sslProtocol
as one of the attributes that will be written out
Can you help me how i can make admin application available for Tomcat
administration by the assigned administrators? What fixes will be needed.
If there are any known get-arounds for this.
Thanks in advance for all your help and appreciate your patience in
reading through my email.
Ankit
PS: I can mail you the log files if you want (I have about 11 of them,
each is 10M). Thanks once again
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
