Thanks again, Chris,

On 2/15/21 1:32 PM, Christopher Schultz wrote:

Try this:

$ openssl s_client -showcerts -connect k1:16004 -tls1_2

openssl s_client -showcerts -connect k1:16004 -tls1_2
CONNECTED(00000003)
140444510528832:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1613429202
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


Check the port? Remember that TLS is enabled on one port (Connector) while plaintext is on another port (Connector). So to switch from plaintext to TLS, you will need to change the port number in your s_client connection string (and browser).

How many connectors are you configuring? And how? Your code only shows configuring a local "connector" reference, but not where it came from, if it was added to the server component, etc.

I'm not following perfectly. I did a localhost lookup at Luis's suggestion, but I name k1 in all my code/runs.
Do I have to add a doOptions handler in my servlets to handle preflight?



This is my Connector generation and consumption code:

    import java.io.File;
    import org.apache.catalina.Service;
    import org.apache.catalina.connector.Connector;

    // embeddedTomcat is the org.apache.catalina.startup.Tomcat instance
    Service service = embeddedTomcat.getService();
    service.addConnector(addTLSConnector(tomcatPort));

    private Connector addTLSConnector(int tcport) {
        Connector connector = new Connector();
        addTLSConnector(connector, tcport);
        return connector;
    }

    private Connector addTLSConnector(Connector connector, int tcport) {
        File keyFile = new File(System.getProperty("SGSSRVR_keystoreFile"));
        if (!keyFile.exists()) throw new RuntimeException("where's the keystore?");
        File trustFile = new File(System.getProperty("SGSSRVR_truststoreFile"));
        if (!trustFile.exists()) throw new RuntimeException("where's the truststore?");

        // Connector.setProperty() returns false when Tomcat does not recognise the
        // attribute name. The original used "done = done && ...", which short-circuits:
        // after the first rejected attribute none of the later calls run at all
        // (SSLEnabled included). "done &=" evaluates every call and still records
        // whether any of them failed.
        boolean done = true;
        connector.setPort(tcport);
        connector.setSecure(true);
        connector.setScheme(System.getProperty("SGSSRVR_scheme"));
        //done &= connector.setProperty("protocol", "HTTP/1.1");
        done &= connector.setProperty("sslProtocol", "TLS");
        done &= connector.setProperty("address", System.getProperty("SGSSRVR_hostaddr"));
        done &= connector.setProperty("keyAlias", System.getProperty("SGSSRVR_keystoreAlias"));
        done &= connector.setProperty("keystorePass", System.getProperty("SGSSRVR_keystorePwd"));
        done &= connector.setProperty("keystoreFile", keyFile.getAbsolutePath());
        // keystoreType must be a Java KeyStore type name ("PKCS12" for a .p12 file);
        // setProperty() accepts any string here, the value is only checked at start-up.
        done &= connector.setProperty("keystoreType", System.getProperty("SGSSRVR_storeType"));
        // Tomcat's Connector attribute for the truststore password is "truststorePass",
        // and there is no "truststoreAlias" attribute, so setProperty() returns false
        // for both of those names.
    //  done &= connector.setProperty("truststoreType", System.getProperty("SGSSRVR_storeType"));
    //  done &= connector.setProperty("truststoreFile", trustFile.getAbsolutePath());
    //  done &= connector.setProperty("truststoreAlias", System.getProperty("SGSSRVR_truststoreAlias"));
    //  done &= connector.setProperty("truststorePassword", System.getProperty("SGSSRVR_truststorePwd"));

        done &= connector.setProperty("clientAuth", "false");
        done &= connector.setProperty("maxThreads", "200");
        done &= connector.setProperty("SSLEnabled", "true");
        if (!done) {
            System.out.println("Some problem(s) in connector setup");
        }
        return connector;
    }

with the trust lines, the key lines, or neither commented out. trust.Alias and trust.pass, in either order, always fail (seen in IntelliJ when 'done' flips to false).

and the properties are sent in from files:

   SGSSRVR_socketPort         = 16004
   SGSSRVR_scheme             = https
   SGSSRVR_databaseConnection = jdbc:postgresql://%s:%d/%s
   SGSSRVR_emergencyJsonDir   = /home/u0138544/aws/deploy/crash/
   SGSSRVR_ContextRootDir     = /home/u0138544/aws/deploy/webroot/tomcat.16004/work/Tomcat/k1
   SGSSRVR_dbTestUser         = viv
   SGSSRVR_dbTestDb           = postgres
   SGSSRVR_databasePort       = 5432
   SGSSRVR_databaseHost       = k2
   SGSSRVR_roleExtension      = _notnull
   SGSSRVR_expansionStep      = 5
   SGSSRVR_hostaddr           = k1
   SGSSRVR_keystoreFile       = /home/u0138544/aws/deploy/server/k1.p12
   SGSSRVR_keystoreAlias      = k1
   SGSSRVR_keystorePwd        = changeit
   SGSSRVR_truststoreFile     = /home/u0138544/aws/deploy/server/k1.p12
   SGSSRVR_truststoreAlias    = k1
   SGSSRVR_truststorePwd      = changeit
   SGSSRVR_storeType          = PKCS


I'm only calling the connector generator once.




-chris
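Added example, not code from either poster: an embedded Tomcat that registers the two connectors Chris describes, plaintext on one port and TLS on another, with the TLS side configured through SSLHostConfig (the Tomcat 8.5+/9 API) rather than the older per-Connector SSL attributes. It assumes Tomcat 9 with javax.servlet, reuses the SGSSRVR_* system property names from the thread, and the ports, path and password defaults are placeholders.

```java
import java.io.File;
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class TwoPortTomcat {

    // Placeholder ports (assumption): plaintext on one, TLS on the other.
    static final int HTTP_PORT = 16003;
    static final int HTTPS_PORT = 16004;

    /** TLS connector built with SSLHostConfig instead of Connector.setProperty(). */
    static Connector tlsConnector(int port, File keystore, String storePass, String alias) {
        if (!keystore.isFile()) {
            throw new IllegalStateException("keystore not found: " + keystore);
        }
        Connector c = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        c.setPort(port);
        c.setScheme("https");
        c.setSecure(true);
        // Without SSLEnabled=true the connector speaks plain HTTP on this port,
        // which is what makes s_client report "wrong version number".
        c.setProperty("SSLEnabled", "true");

        SSLHostConfig ssl = new SSLHostConfig();   // hostName defaults to "_default_"
        ssl.setProtocols("TLSv1.2+TLSv1.3");
        ssl.setCertificateVerification("none");    // no client certificates (clientAuth="false")

        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.UNDEFINED);
        cert.setCertificateKeystoreFile(keystore.getAbsolutePath());
        cert.setCertificateKeystorePassword(storePass);
        cert.setCertificateKeystoreType("PKCS12");  // Java KeyStore type name for a .p12 file
        cert.setCertificateKeyAlias(alias);
        ssl.addCertificate(cert);

        c.addSslHostConfig(ssl);
        return c;
    }

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir"));

        // Connector 1: plaintext HTTP.
        Connector http = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        http.setPort(HTTP_PORT);
        tomcat.getService().addConnector(http);

        // Connector 2: TLS. Defaults are placeholders, override with -DSGSSRVR_...=...
        tomcat.getService().addConnector(tlsConnector(HTTPS_PORT,
                new File(System.getProperty("SGSSRVR_keystoreFile", "/path/to/k1.p12")),
                System.getProperty("SGSSRVR_keystorePwd", "changeit"),
                System.getProperty("SGSSRVR_keystoreAlias", "k1")));

        // A trivial servlet so each port has something to answer with.
        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());
        Tomcat.addServlet(ctx, "hello", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().println("secure=" + req.isSecure() + " scheme=" + req.getScheme());
            }
        });
        ctx.addServletMappingDecoded("/*", "hello");

        tomcat.start();
        // Sanity check: which ports are registered and which of them are TLS.
        for (Connector c : tomcat.getService().findConnectors()) {
            System.out.println("port " + c.getPort() + " secure=" + c.getSecure()
                    + " SSLEnabled=" + c.getProperty("SSLEnabled"));
        }
        tomcat.getServer().await();
    }
}
```

With this running, `openssl s_client -showcerts -connect k1:16004 -tls1_2` should print the certificate chain and a negotiated cipher, while the same command against port 16003 reproduces the "wrong version number" failure shown above, because the 5 bytes the server sends back are the start of an HTTP response, not a TLS record. Only one connector per port can be registered, so if a plaintext connector already owns 16004 the TLS one will fail to bind.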

