This issue is only with my ECC certificates. the whole configuration works
pretty good with TLS1.2 when i am using the RSA certs. openssl selfsinged
ECC certs are also working.
On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah <sanaulla...@gmail.com> wrote:
> Here is my configuration. I am using openssl. I haven't installed any
> certificate to JVM truststore.
>
> <Connector address="0.0.0.0"
> port="8443"
> SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false"
> SSLProtocol="All"
>
> SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>
> SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>
>
>
>
>
> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty <mgai...@hotmail.com> wrote:
>
>>
>>
>>
>>
>>
>> > Date: Tue, 7 Jan 2014 14:51:21 +0500
>> > Subject: detailed APR/SSL logging
>> > From: sanaulla...@gmail.com
>> > To: users@tomcat.apache.org
>> >
>> > Hi,
>> >
>> > Anyone knows, how do i can get the detailed APR/SSL debug logs. i need
>> to
>> > know where my SSL session is getting broken? there is nothing in the
>> > catalina.out log.
>> >
>> > usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ]
>> [
>> > -nonaming ] { -help | start | stop }
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
>> init
>> > INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
>> > version 1.5.1.
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
>> init
>> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
>> > [false], random [true].
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener
>> > initializeSSL
>> > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
>> > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
>> > INFO: Initializing ProtocolHandler ["http-apr-8080"]
>> > Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
>> > INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
>> > INFO: Initialization processed in 696 ms
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService
>> > startInternal
>> > INFO: Starting service Catalina
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine
>> > startInternal
>> > INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
>> > Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig
>> > deployDirectory
>> > INFO: Deploying web application directory
>> > /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
>> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>> > deployDirectory
>> > INFO: Deploying web application directory
>> > /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
>> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>> > deployDirectory
>> > INFO: Deploying web application directory
>> > /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
>> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>> > deployDirectory
>> > INFO: Deploying web application directory
>> > /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
>> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig
>> > deployDirectory
>> > INFO: Deploying web application directory
>> > /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
>> > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
>> > INFO: Starting ProtocolHandler ["http-apr-8080"]
>> > Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
>> > INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
>> > Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
>> > INFO: Server startup in 935 ms
>> >
>> >
>> >
>> ----------------------------------------------------------------------------------------------------------------------
>> > Server looks up properly with openssl and certs but when i try to
>> connect
>> > it with openssl s_client its getting error
>> >
>> ----------------------------------------------------------------------------------------------------------------------
>> > root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect
>> > 127.0.0.1:8443 -tls1_2 -debug
>> > CONNECTED(00000003)
>> > write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
>> > 0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45 ....:...6..R...E
>> > 0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57 ...&o....X....?W
>> > 0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30 ...I-R.........0
>> > 0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3 .,.(.$.....".!..
>> > 0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.....2
>> > 0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35 ...*.&.......=.5
>> > 0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d ................
>> > 0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09 ...../.+.'.#....
>> > 0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32 .........g.@.3.2
>> > 0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25 .....E.D.1.-.).%
>> > 00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11 .......<./...A..
>> > 00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09 ................
>> > 00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f ...............o
>> > 00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e ...........4.2..
>> > 00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16 ................
>> > 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05 ................
>> > 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11 ................
>> > 0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03 .#.....". ......
>> > 0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02 ................
>> > 0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01 ...............
>> > read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
>> > 0000 - 15 03 03 00 02 .....
>> > read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
>> > 0000 - 02 28 .(
>> > 3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
>> > handshake failure:s3_pkt.c:1256:SSL alert number 40
>> > 3074095420:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
>> > failure:s3_pkt.c:596:
>> > ---
>> > no peer certificate available
>>
>> MG>did you install at least 1+ CA cert(s) to JVM truststore?
>>
>> > No client certificate CA names sent
>> > ---
>> > SSL handshake has read 7 bytes and written 0 bytes
>> > ---
>> > New, (NONE), Cipher is (NONE)
>> > Secure Renegotiation IS NOT supported
>> > Compression: NONE
>> > Expansion: NONE
>> > SSL-Session:
>> > Protocol : TLSv1.2
>> > Cipher : 0000
>>
>> MG> did you enable ALL ciphers for connector that is implementing
>> protocol=TLSV1.2
>>
>> > Session-ID:
>> > Session-ID-ctx:
>> > Master-Key:
>> > Key-Arg : None
>> > PSK identity: None
>> > PSK identity hint: None
>> > SRP username: None
>> > Start Time: 1389088241
>> > Timeout : 7200 (sec)
>> > Verify return code: 0 (ok)
>> >
>> >
>> > Regards,
>> > San
>>
>>
>
>
