> Date: Tue, 7 Jan 2014 14:41:15 -0500
> Subject: Re: Problem configuring SSL
> From: a-ko...@northwestern.edu
> To: users@tomcat.apache.org
> 
> Gentlemen, thanks a lot for your help. I figured out what the problem was.
> It was not related to Tomcat configuration, but to my keystore. The reason
> is that once you import a client certificate under the same alias as the
> private pair, they both get merged under the same alias inside the keystore.
> Using the keytool -delete command, meant to remove the certificate only,
> deletes the private pair as well. I noticed that once I dumped the keystore
> content for my keystore and a keystore on one of my other servers. Luckily,
> I had a backup of the keystore I made right after it was created. Importing
> the certificates into that keystore resolved the issue.

MG>I *hope* you enabled at least ONE cipher for SSL Connector
MG>Usually the big players (VeriSign/Thawte) will provide valid CA cert/valid key in the supplied pfx
MG>glad to hear that worked for you
 
> 
> On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> >
> > Alex,
> >
> > On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > > I have a strange problem configuring SSL to work with Tomcat.
> > > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> > >
> > > It's a new Tomcat installation. All keystore operations were done
> > > with keytool. I imported CA root/intermediate certificate and
> > > client certificate, configured SSL connector in server.xml. I have
> > > this same setup on another server that works fine. Connecting to
> > > this server via http works.
> > >
> > > 1. If I try to connect this address via https in Chrome I get:
> > > "This Webpage is not available." In Firefox: "Error code:
> > > ssl_error_no_cypher_overlap"
> >
> > Sounds familiar.
> >
> > Please post your <Connector> configuration(s) from your server.xml
> > file. Remember to remove any sensitive information from the configuration.
> >
> > Also please post all of the startup messages from Tomcat's
> > logs/catalina.out file: we need to see the versions of various things
> > and what components (if any) suffer problems starting up.
> >
> > > 3. Here's a list of enabled ciphers using SSLInfo:
> > >
> > > #java -showversion SSLInfo
> >
> > Nice to see someone is getting some use out of that. ;)
> >
> > - -chris
> 
> 
> -- 
> Software Engineer
> Department of Psychiatry and Behavioral Sciences
> Northwestern University
> 
> a-ko...@northwestern.edu
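
The keystore check described in the message above, as an added example that is not part of the thread or of Tomcat: it compares two `keytool -list` listings and reports any alias that was a `PrivateKeyEntry` before a change and is not one afterwards. The listings, the alias names and the keystore path in the comment are constructed assumptions.

```shell
#!/bin/sh
# Added example. In real use, capture the listings around the change, e.g.
#   before=$(keytool -list -keystore /path/to/keystore)   # path is hypothetical

# entry_types: read `keytool -list` output on stdin, print "alias<TAB>type".
# Entry lines look like "alias, Jan 5, 2014, PrivateKeyEntry," and the date
# itself contains a comma, so the alias is taken before the first comma and
# the type after the last one. Assumes aliases contain no commas.
entry_types() {
    awk '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry), *$/ {
        line = $0; sub(/, *$/, "", line)
        type = line; sub(/.*, /, "", type)
        alias = line; sub(/,.*/, "", alias)
        printf "%s\t%s\n", alias, type
    }'
}

# lost_private_keys BEFORE AFTER: print every alias that was a PrivateKeyEntry
# in the BEFORE listing but is missing or has another entry type in AFTER.
lost_private_keys() {
    printf '%s\n' "$1" | entry_types |
    awk -F '\t' '$2 == "PrivateKeyEntry" { print $1 }' |
    while IFS= read -r alias; do
        want=$(printf '%s\tPrivateKeyEntry' "$alias")
        if ! printf '%s\n' "$2" | entry_types | grep -qxF -e "$want"; then
            printf '%s\n' "$alias"
        fi
    done
}

# Constructed listing: key pair and signed certificate merged under one alias.
BEFORE='Keystore type: JKS

Your keystore contains 2 entries

tomcat, Jan 5, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): (constructed)
root, Jan 5, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed)'

# Constructed listing: after -delete and a certificate-only re-import.
AFTER='Keystore type: JKS

Your keystore contains 2 entries

tomcat, Jan 7, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed)
root, Jan 5, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): (constructed)'

lost_private_keys "$BEFORE" "$AFTER"   # reports the alias that lost its key
```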
                                          
