Gentlemen, thanks a lot for your help. I figured out what the problem was. It was not related to Tomcat configuration, but to my keystore. The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside the keystore. Using the keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped the keystore content for my keystore and a keystore on one of my other servers. Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue.

On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Alex,
>
> On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > I have a strange problem configuring SSL to work with Tomcat.
> > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> >
> > It's a new Tomcat installation. All keystore operations were done
> > with keytool. I imported CA root/intermediate certificate and
> > client certificate, configured SSL connector in server.xml. I have
> > this same setup on another server that works fine. Connecting to
> > this server via http works.
> >
> > 1. If I try to connect this address via https in Chrome I get:
> > "This Webpage is not available." In Firefox: "Error code:
> > ssl_error_no_cypher_overlap"
>
> Sounds familiar.
>
> Please post your <Connector> configuration(s) from your server.xml
> file. Remember to remove any sensitive information from the configuration.
>
> Also please post all of the startup messages from Tomcat's
> logs/catalina.out file: we need to see the versions of various things
> and what components (if any) suffer problems starting up.
>
> > 3. Here's a list of enabled ciphers using SSLInfo:
> >
> > #java -showversion SSLInfo
>
> Nice to see someone is getting some use out of that. ;)
>
> -chris

--
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University
a-ko...@northwestern.edu
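
The failure described in the message above (a `keytool -delete` on the alias that also held the private key) can be caught by checking the alias's entry type before deleting anything. This is an added example, not part of the original thread: the function names, the `STOREPASS` variable and the sample listing are constructed for illustration, and it assumes keytool's English-locale `-list` format.

```shell
# Listing lines look like:  alias, Mon D, YYYY, EntryType,
# entry_type ALIAS : read `keytool -list` output on stdin, print ALIAS's entry type.
entry_type() {
    awk -F', *' -v a="$1" '
        tolower($1) == tolower(a) && NF >= 4 {
            t = $NF; if (t == "") t = $(NF-1)   # lines end with a trailing comma
            print t; exit
        }'
}

# has_private_key ALIAS : succeed only if ALIAS is a PrivateKeyEntry.
has_private_key() {
    [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

# safe_delete KEYSTORE ALIAS : back up first, then refuse to delete the key entry.
# STOREPASS is an assumed environment variable; a password passed with
# -storepass is visible in the process list while keytool runs.
safe_delete() {
    ks=$1; alias_name=$2
    cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if keytool -list -keystore "$ks" -storepass "$STOREPASS" |
            has_private_key "$alias_name"; then
        echo "refusing: '$alias_name' holds the private key, not just a cert" >&2
        return 2
    fi
    keytool -delete -alias "$alias_name" -keystore "$ks" -storepass "$STOREPASS"
}

# Constructed sample of `keytool -list` output (not taken from the thread).
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jan 5, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33 (constructed)
tomcat, Jan 5, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 88:99:AA:BB (constructed)
EOF
}
```

If the alias named in the Tomcat connector shows up as `trustedCertEntry`, or is missing, the keystore has no private key for that alias and should be restored from backup before re-importing certificates.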