Madhan,

On 6/10/20 22:08, Madhan Raj wrote:
> Any insights please.

How did you create your certificate? What are the details of your
certificate and key? For example, which curve are you using? How many
key bits? What type of signature on the certificate?

What is the alias for that certificate in your keystore? Does it match
what you have configured in Tomcat?

Do you have a password on your keystore? Are you setting that correctly
in your <Certificate> element? (I see no password in your posted config.)

What client are you using to attempt the handshake? What error(s) do you
get with the handshake?

If you configure *only* ECDSA, can you handshake? Or does ECDSA never
work?

You haven't given us much to go on, other than "I can't get ECDSA to
work" when it's pretty clear others can get it to work.

-chris

> On Thu, 4 Jun, 2020, 11:12 pm Madhan Raj, <madhanra...@gmail.com> wrote:
>
>> Hi Christopher,
>>
>> Yes, you are correct: I can only complete a handshake with an RSA cert,
>> not an ECDSA cert. When I try to connect with ECDSA ciphers using
>> s_client, negotiation fails.
>>
>> Madhan
>>
>> On Thu, Jun 4, 2020 at 12:41 PM Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>
>>> Madhan,
>>>
>>> On 6/3/20 21:08, Madhan Raj wrote:
>>>> OS - CentOS 7.6.1810 (Core)
>>>
>>>> Below connector doesn't load my EC keystore whereas it works with RSA.
>>>> Any insights please.
>>>
>>> When you say "doesn't load", what do you mean? Possible reasonable
>>> responses are:
>>>
>>> 1. I can only complete a handshake with RSA cert, not ECDSA cert
>>> 2. Error message (please post)
>>> 3. JVM crashes
>>> 4. OS crashes
>>> 5. Universe ends (possible, but unlikely to be reproducible)
>>>
>>>> This is my connector tag in server.xml:
>>>>
>>>> <Connector SSLEnabled="true" URIEncoding="UTF-8" maxThreads="200"
>>>>            port="443" scheme="https" secure="true"
>>>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>>            disableUploadTimeout="true" enableLookups="false"
>>>>            maxHttpHeaderSize="8192" minSpareThreads="25">
>>>>   <SSLHostConfig sslProtocol="TLS" certificateVerification="none"
>>>>                  sessionTimeout="1800"
>>>>                  protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"
>>>>                  ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
>>>>                  sessionCacheSize="10000">
>>>>     <Certificate certificateKeyAlias="tomcat-ecdsa"
>>>>                  certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore"
>>>>                  certificateKeystorePassword="8o8yeAH2qSJbJ2sn"
>>>>                  certificateKeystoreType="PKCS12" type="EC"/>
>>>>   </SSLHostConfig>
>>>> </Connector>
>>>>
>>>> Tomcat start-up command used:
>>>>
>>>> /home/tomcat/tomcat -user tomcat -home /usr/local/thirdparty/java/j2sdk
>>>> -pidfile /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid
>>>> -procname /home/tomcat/tomcat
>>>> -outfile /usr/local/thirdparty/jakarta-tomcat/logs/catalina.out
>>>> -errfile &1
>>>> -Djdk.tls.ephemeralDHKeySize=2048
>>>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>>>> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
>>>> -Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/conf/logging.properties
>>>> -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
>>>> -XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80
>>>> -Xmx1824m -Xms256m
>>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>>> -cp /usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thirdparty/jakarta-tomcat/bin/tomcat-juli.jar
>>>> -Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/catalina.policy
>>>> -Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat
>>>> -Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat
>>>> -Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp
>>>> org.apache.catalina.startup.Bootstrap start'
>>>>
>>>> JAVA_OPTS= -Djava.library.path=$LD_LIBRARY_PATH
>>>> -Djavax.net.ssl.sessionCacheSize=10000
>>>> -Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore
>>>> -Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD
>>>> -XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat.txt
>>>> -Dsun.zip.disableMemoryMapping=true
>>>> -XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh
>>>> -XX:OnError=/home/tomcat/tomcat_diagnostics.sh $TOMCAT_JAVA_OPTS
>>>
>>>> Also, can I have both RSA and ECDSA in a single keystore? Will that
>>>> work in Tomcat 9?
>>>
>>> Yes. You have to use two <Certificate> elements, each with a different
>>> "type" and "certificateKeyAlias".
>>>
>>>> It used to work with Tomcat 7.
>>>
>>> It still works with Tomcat 9.
>>>
>>> -chris
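A script for the checklist Chris lays out above (key type and curve, signature algorithm, keystore alias, and an ECDSA-only handshake probe), added here as an example and not code from the thread or from the Tomcat project. It assumes openssl on PATH, builds a constructed P-256 keystore under the alias tomcat-ecdsa taken from the posted server.xml, and uses the placeholder password "changeit"; probe_ecdsa_handshake is for checking the server you administer.

```shell
# Added example, not code from the thread: builds a constructed ECDSA PKCS12
# keystore and checks what Chris asks about (key type and curve, signature
# algorithm, alias matching certificateKeyAlias="tomcat-ecdsa" in the posted
# server.xml). Assumes openssl on PATH; "changeit" is a placeholder password.
set -eu
WORK=${WORK:-$(mktemp -d)}
KS="$WORK/tomcat-ECDSA.keystore"
PASS=changeit
ALIAS=tomcat-ecdsa

# Constructed test material: a P-256 key and a self-signed SHA256withECDSA cert.
make_constructed_keystore() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem" 2>/dev/null
  openssl req -new -x509 -sha256 -days 1 -subj /CN=ecdsa.example.test \
    -key "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  # Older JDKs cannot read OpenSSL 3's default PKCS#12 encryption; add -legacy there.
  openssl pkcs12 -export -name "$ALIAS" -in "$WORK/cert.pem" \
    -inkey "$WORK/key.pem" -out "$KS" -passout "pass:$PASS"
}

# The end-entity certificate Tomcat would serve, decoded to text.
cert_text() {
  openssl pkcs12 -in "$KS" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -text
}

# The PKCS12 friendlyName is what certificateKeyAlias must match exactly.
keystore_alias() {
  openssl pkcs12 -in "$KS" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null |
    sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Curve of the key (e.g. prime256v1) and signature algorithm (e.g. ecdsa-with-SHA256).
key_curve()   { cert_text | sed -n 's/^ *ASN1 OID: *//p' | head -n 1; }
cert_sigalg() { cert_text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1; }

# Succeeds only when the key is EC and the alias matches the one in server.xml.
check_ec_keystore() {
  cert_text | grep -q 'Public Key Algorithm: id-ecPublicKey' || return 1
  [ "$(keystore_alias)" = "$1" ]
}

# Handshake probe against your own server (host:port). TLS 1.2 is forced: TLS 1.3
# cipher names no longer carry the authentication algorithm, so "-cipher" alone
# would not isolate the ECDSA certificate there.
probe_ecdsa_handshake() {
  openssl s_client -connect "$1" -tls1_2 \
    -cipher 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256' \
    </dev/null 2>&1 | grep -E 'Cipher is|alert|failure' || true
}
```

If check_ec_keystore fails on your real keystore, compare keystore_alias with certificateKeyAlias first; a mismatched alias or a keystore the JDK cannot decrypt both look like "the EC keystore doesn't load".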