Am having the Apache Harmony JRE.

[EMAIL PROTECTED] wrote:
What JRE / JDK are you using with Tomcat 6.0.13?

-----Original Message-----
From: Suresh Kumar J <[EMAIL PROTECTED]>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Sat, 30 Aug 2008 10:16 pm
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL"
but Tomcat couldn't start.

Observed the following error in catalina.out:

--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
      at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
      at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
      at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
      at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
      at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
      at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
      at java.lang.reflect.Method.invoke(Method.java:317)
      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Another question is how do I make Tomcat recognize both
SSLv2/SSLv3/TLS1.0 messages for secured communication, since some
browsers like Firefox3.0.1 use SSLv2 for the initial SSL handshake phase.
Tomcat doesn't seem to recognize SSLv2 messages and errors out with the
following message:

--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
      at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
      at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

Any inputs would be appreciated.

Thanks,
Suresh

[EMAIL PROTECTED] wrote:

I tried changing the "sslProtocol" attribute in the "Connector" element
in conf/server.xml file and when the Tomcat couldn't start. Observed the
following error in catalina.out:

What value did you specify for sslProtocol? I tried using SSL and it
worked.

-----Original Message-----
From: Suresh Kumar J <[EMAIL PROTECTED]>
To: users@tomcat.apache.org
Sent: Sat, 30 Aug 2008 4:25 am
Subject: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Hi!

Am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
snippet of the server.xml config:

----------------------------
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="conf/my-key-store" keystorePass="abcd"/>
----------------------------

The https connection (TLS based) works fine with IE6.0/7.x and FireFox
2.0.x. But am having issues with the FireFox 3.0.1 on Windows XP with
the default settings. When I try to connect (https on 443) to Apache
Tomcat (v6.0.14), I get the following error on the FireFox 3.0.1 window:

-------------------------------------------
Secure Connection Failed

An error occurred during a connection to 10.xx.xx.xx

Cannot communicate securely with peer: no common encryption algorithm(s):

(Error code: ssl_error_no_cypher_overlap)
-------------------------------------------

Have observed the following error in the Catalina.out file:

--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
      at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
      at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

In the FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled (and SSLv2 is
disabled) in the browser security settings. The web-server is correctly
configured for secured http on TLS. Earlier with Firefox2.0.x, it was
working fine. Also checked with Linux version of FireFox3.0.1 and the
TLS connection is working fine.

When I tried to analyze the packet capture of the browser/web-server
communication via "WireShark/Ethereal" tools, I observed that the
FireFox3.0 on Windows uses "SSLv2 Record layer(Client Hello)" for SSL
handshake negotiations. As my Tomcat webserver is configured for TLS, it
doesn't seem to understand the SSLv2 record layer format, eventually
errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".

Since SSLv2 is generally considered to be a weaker protocol than SSLv3
and TLS, am not sure why FireFox3.0.1 on Windows uses SSLv2 Record
protocol, also SSLv2 is disabled by default. On Redhat Linux, the same
FF3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer(Client Hello)" for
security negotiations. The FireFox v2.0.x on Windows uses "SSLv3 Record
Layer(Client Hello)" which seems to be fine. Am able to launch the https
webpages on IE6.x and IE7.x and also FireFox2.0. The only issue is on
FireFox3.0 which uses "SSLv2 Record layer(Client Hello)" for SSL
handshake negotiations. Tomcat works well with TLS protocol, but when
the browser uses SSLv2 then it fails.

I tried changing the "sslProtocol" attribute in the "Connector" element
in conf/server.xml file and when the Tomcat couldn't start. Observed the
following error in catalina.out:

--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
      at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
      at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
      at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
      at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
      at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
      at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
      at java.lang.reflect.Method.invoke(Method.java:317)
      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Does Tomcat 6.0.x support SSL implementation? Is it possible to make
the Tomcat to understand both SSL and TLS protocols so that all the
browsers are supported. It seems to be critical to make the application
I use the certificate in the format of PKCS12, created via openssl tool.

Did anyone else face similar kind of problem in this regard?

Thanks,
Suresh

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

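Added example, not part of the original thread: the capture described above distinguishes "SSLv2 Record Layer (Client Hello)" from "TLSv1 Record Layer (Client Hello)". This Python function classifies the first bytes a client sends by record framing and reports the protocol version offered inside the hello; an SSLv2-framed hello can itself offer SSLv3 or TLS. The function name and both sample byte strings are constructed for illustration.

```python
import struct

# (major, minor) version bytes as carried in a ClientHello.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}

# Constructed sample: SSLv2-framed hello offering TLS 1.0, two TLS suites, one SSLv2 cipher.
SAMPLE_V2 = bytes.fromhex("8022" "01" "0301" "0009" "0000" "0010"
                          "00002f" "00000a" "010080") + bytes(16)
# Constructed sample: TLS-framed hello offering TLS 1.0 with one suite.
SAMPLE_TLS = (bytes.fromhex("160301002d" "01000029" "0301") + bytes(32)
              + bytes.fromhex("00" "0002" "002f" "01" "00"))


def classify_client_hello(data: bytes) -> dict:
    """Report the record framing and the protocol version offered inside it."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the first client message")
    # SSLv2 framing: 2-byte length with the high bit set, then message type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        cipher_len, _sid_len, _chal_len = struct.unpack(">HHH", data[5:11])
        specs = data[11:11 + cipher_len]
        # Cipher specs are 3 bytes each; a leading 0x00 marks an SSLv3/TLS suite.
        suites = [specs[i:i + 3] for i in range(0, len(specs) - 2, 3)]
        return {
            "framing": "SSLv2",
            "offered": VERSIONS.get((data[3], data[4]), "unknown"),
            "tls_suites": sum(1 for s in suites if s[0] == 0),
            "sslv2_only_specs": sum(1 for s in suites if s[0] != 0),
        }
    # SSLv3/TLS framing: content type 22 (handshake), record version, length,
    # then handshake type 1, a 3-byte length and the client_version field.
    if data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        return {
            "framing": "SSLv3/TLS",
            "offered": VERSIONS.get((data[9], data[10]), "unknown"),
        }
    raise ValueError("not a ClientHello in either framing")


if __name__ == "__main__":
    for name, sample in (("v2-framed", SAMPLE_V2), ("tls-framed", SAMPLE_TLS)):
        print(name, classify_client_hello(sample))
```

Run against the first client-to-server payload of a capture, the "offered" and "tls_suites" fields show what the client is actually asking to negotiate, independent of the framing label a packet analyzer prints.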