Арсений,

On 6/2/14, 10:24 AM, Арсений Зинченко wrote:
> Hi.
> 
> Faced with very odd behavior of Tomcat 7...
> 
> Have two instances on same box - Tomcat 5.5 and Tomcat 7.
> 
> Both have same configuration - first from 5.5:
> 
> <Connector port="${port.https}" maxHttpHeaderSize="8192" 
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75" 
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" 
> keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat" 
> keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks" 
> truststorePass="pass" />
> 
> Next - from 7.0:
> 
> <Connector port="${port.https}" protocol="HTTP/1.1" 
> SSLEnabled="true" enableLookups="false" 
> disableUploadTimeout="true" scheme="https" secure="true" 
> clientAuth="want" sslProtocol="TLS" 
> keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat" 
> keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks" 
> truststorePass="pass" />
> 
> Also - both are configured for CLIENT-CERT authentication (same
> application with same web.xml).
> 
> The cert is installed in the browser, but when I try to open a
> connection to Tomcat 7, I get 401 - Cannot authenticate with the
> provided credentials, and there is no authentication attempt in the log:
> 
> 10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] "GET /service/
> HTTP/1.1" 401 1049
> 
> But the connection to 5.5 is successful with the same browser and
> certificate.
> 
> Also, in ssldump I see that browser can't make "handshake" with 7.0
> server:
> 
> 1 2  0.0317 (0.0308)  S>C  Handshake ServerHello Version 3.1 
> session_id[32]= 53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3 cb
> 74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76 cipherSuite
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA compressionMethod
> NULL Certificate ServerKeyExchange CertificateRequest 
> certificate_types                   rsa_sign certificate_types
> dss_sign certificate_authority 30 62 31 0b 30 09 06 03 55 04 06 13
> 02 55 41 31 10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77 6e 31
> 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 31 0f 30 0d 06 03 55 04
> 0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55 04 0b 13 03 4c 4d
> 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 65 6e 6b 6f 
> certificate_authority 30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41
> 31 // and that's all
> 
> But on 5.5 - everything is OK:
> 
> 1 2  0.0213 (0.0195)  S>C  Handshake ServerHello Version 3.1 
> session_id[32]= 53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68 0d
> 1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f cipherSuite
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA compressionMethod
> NULL Certificate ServerKeyExchange ServerHelloDone 1 3  0.0256
> (0.0042)  C>S  Handshake ClientKeyExchange 
> DiffieHellmanClientPublicValue[96]= 4a 39 5e f5 2a c1 58 13 6b 7c
> 98 0b 44 d7 9a 42 bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5 
> 81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67 1f 4e 18 01 db f2
> 9d 07 0b 81 12 39 64 62 83 84 78 dc 36 9b 00 34 f5 34 44 2d 92 eb
> d9 f6 b0 7e c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e
> 
> What am I doing wrong?

Anything in the catalina.out or other log files in logs/* ?

Are both Tomcats running on the same server?

In the Tomcat 7 case, does ssldump tell you whether the S>C has hung?
Can you tell if the TCP message is incomplete? Can you get a thread
dump on the Tomcat 7 side?

The configuration itself looks okay to me.

-chris
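
The question of whether the server's message is incomplete can be checked against the hex in the quoted Tomcat 7 ssldump output. The following is an added example, not part of the original thread: a minimal DER reader (helper names are hypothetical) that decodes each `certificate_authority` name and reports an entry whose declared length exceeds the bytes shown. It only shows where the dump ends, not why.

```python
# Added example. Constructed input: the two certificate_authority hex runs
# copied from the Tomcat 7 ssldump output quoted in the message above.
CA_1 = """30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31 10 30 0e 06 03 55 04
08 13 07 55 6e 6b 6e 6f 77 6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 31
0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55 04 0b 13
03 4c 4d 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 65 6e 6b 6f"""
CA_2 = "30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31"

# X.520 attribute OIDs (DER content bytes) that occur in these names.
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
         b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

class Truncated(Exception):
    """A declared DER length runs past the bytes that are available."""

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise Truncated("header cut off")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if pos + n > len(buf):
            raise Truncated("length field cut off")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise Truncated(f"declared {length} bytes, only {len(buf) - pos} present")
    return tag, buf[pos:pos + length], pos + length

def decode_dn(hex_text):
    """Decode a DER Name (SEQUENCE of SET of SEQUENCE {OID, string})."""
    tag, body, _ = read_tlv(bytes.fromhex(hex_text), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)  # SET (one RDN)
        _, atv, _ = read_tlv(rdn, 0)       # SEQUENCE {type, value}
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        parts.append(f"{ATTRS.get(oid, oid.hex())}={val.decode('latin-1')}")
    return ", ".join(parts)

def check(hex_text):
    """Return ('complete', dn) or ('truncated', reason) for one CA entry."""
    try:
        return ("complete", decode_dn(hex_text))
    except Truncated as exc:
        return ("truncated", str(exc))
```
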
