OK, I enabled ssl-debug and got this:

Using SSLEngineImpl.
http-8443-exec-6, READ: TLSv1 Handshake, length = 72
*** ClientHello, TLSv1
RandomCookie:  GMT: 1296237960 bytes = { 29, 26, 93, 201, 51, 195, 57, 220,
172, 159, 182, 24, 23, 109, 229, 241, 219, 44, 93, 9, 215, 107, 176, 92,
192, 250, 134, 108 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_65281, data: 00
***
http-8443-exec-6, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-8443-exec-6, WRITE: TLSv1 Alert, length = 2
http-8443-exec-6, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, called closeOutbound()
http-8443-exec-6, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-7, READ: SSLv3 Handshake, length = 67
*** ClientHello, SSLv3
RandomCookie:  GMT: 1296237960 bytes = { 167, 41, 66, 68, 100, 105, 126,
191, 190, 109, 143, 141, 122, 89, 201, 33, 1, 45, 228, 214, 141, 218, 73,
253, 8, 9, 118, 204 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, Unknown 0x0:0xff]
Compression Methods:  { 0 }
***
http-8443-exec-7, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, SEND SSLv3 ALERT:  fatal, description = handshake_failure
http-8443-exec-7, WRITE: SSLv3 Alert, length = 2
http-8443-exec-7, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, called closeOutbound()
http-8443-exec-7, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-8, called closeOutbound()
http-8443-exec-8, closeOutboundInternal()
http-8443-exec-8, SEND TLSv1 ALERT:  warning, description = close_notify
http-8443-exec-8, WRITE: TLSv1 Alert, length = 2 


When I open the cert I can see:

         MD5:  3C:33:0A:7C:BC:8B:8D:9E:A5:C1:8C:49:F9:E1:84:0A
         SHA1: 7F:02:49:61:4E:55:AE:11:F0:93:82:06:8A:44:95:56:2D:1E:0E:EB
         Signature algorithm name: SHA1withRSA
         Version: 3

So is my Java runtime missing SHA1withRSA?

> -----Original Message-----
> From: spr...@gmx.eu [mailto:spr...@gmx.eu] 
> Sent: Friday, 28 January 2011 18:35
> To: 'Tomcat Users List'
> Subject: RE: SSL not working
> 
> Hi,
> 
> it is TC 7.0.5, Java 1.6_22.
> 
> When I use a self-signed certificate everything is fine - same 
> server config, just the other certificate. So it must be 
> something wrong with the certificate. But I have no clue what.
> 
> How can I debug the SSL-Handshake process?
> 
> The cert not working has:
> 
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
> #8: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> NetscapeCertType [
>    SSL client
>    SSL server
> ]
> 
> So it should be the right type of cert.
> 
> Thank you
> 
> > -----Original Message-----
> > From: Thad Humphries [mailto:thad.humphr...@gmail.com] 
> > Sent: Friday, 28 January 2011 16:47
> > To: Tomcat Users List
> > Subject: Re: SSL not working
> > 
> > I've been fooling around *a lot* lately with SSL, so I 
> > thought I'd give this
> > a try.  I'm not very experienced, but I'll offer my two cents.
> > 
> > First of all, what version of Tomcat, Java, etc. are you 
> > running? Such a
> > statement is *de rigueur* for practically any question to 
> > this forum. My
> > system looks like
> > 
> > ** Server: SuSE 11.3 (2.6.34.7-0.7-desktop #1 SMP PREEMPT 2010-12-13
> > 11:13:53 +0100 i686 i686 i386 GNU/Linux)
> > ** Tomcat 6.0.30
> > ** Java:  JRE 1.5.0_22 (though my keystore was self-generated with JDK
> > 1.6.0_23)
> > 
> > That said, the connector you describe is working for me, even when I
> > intentionally misname my keyAlias.  However I have only one 
> > entry in my
> > keystore.  I'm guessing that it can screw up if you have more 
> > than one and
> > you give the wrong alias.
> > 
> > You're using a JSSE implementation, correct? Run
> > 
> > $ keytool -list -keystore $CATALINA_HOME/conf/keystore.jks -v
> > 
> > and see what you get.
> > 
> > 
> > (BTW, my self-generated openssl can be read with
> > 
> > $ keytool -printcert -file /srv/apache2/conf/server.crt -v
> > 
> > I say this only because I've also been fiddling, 
> > successfully, with the APR
> > and mod_jk connector.)
> > 
> > On Fri, Jan 28, 2011 at 8:06 AM, <spr...@gmx.eu> wrote:
> > 
> > > Hi,
> > >
> > > I did it now so many times - it always worked - configuring 
> > > Tomcat for SSL.
> > >
> > > Today: New server, new certificate.
> > >
> > > Create new keystore, imported root, intermediate and server 
> > > certificate,
> > > configured the connector, same as usual.
> > >
> > > But... http does not work. No error in tomcats log, 
> > > nothing. Browser says
> > > that it cannot load the page due to a connection problem, 
> > > maybe security
> > > issue.
> > >
> > > How can I debug this ssl problem?
> > >
> > >  <Connector
> > >        SSLEnabled="true"
> > >        clientAuth="want"
> > >        maxThreads="150"
> > >        port="8443"
> > >        protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >        scheme="https"
> > >        secure="true"
> > >        sslProtocol="TLS"
> > >        keystoreFile="conf/tomcat.jks"
> > >        keystoreType="JKS"
> > >        keyAlias="tomcat"
> > >        keystorePass="changeit"
> > >        />
> > >
> > > Thank you
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> > 
> > 
> > -- 
> > "Hell hath no limits, nor is circumscrib'd In one self-place; 
> > but where we
> > are is hell, And where hell is, there must we ever be" --Christopher
> > Marlowe, *Doctor Faustus* (v, 121-24)
> > 
> 


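The debug dump in this thread can be read mechanically. JSSE raises "no cipher suites in common" when, for every suite in the ClientHello, the server has no usable key entry of the type that suite needs: an RSA private key for the SSL_RSA_* suites, a DSA private key for the SSL_DHE_DSS_* suites. The certificate's signature algorithm (SHA1withRSA here) is not what that selection compares. The Python script below is an added example, not code from this thread or from Tomcat: it parses an excerpt of the posted -Djavax.net.debug=ssl output, maps each offered suite to the server key type it requires, and checks a `keytool -list -v` listing for the connector's keyAlias. The listing embedded in it is constructed and is an assumption: it shows one common way to reach this alert (the server certificate imported on its own as a trustedCertEntry, so the alias has no private key), not what the poster's conf/tomcat.jks actually contains.

```python
"""Triage for a JSSE "no cipher suites in common" failure. Added example, not
code from the thread or from Tomcat: parse a -Djavax.net.debug=ssl dump, map
each offered suite to the server key type it needs, and check a
`keytool -list -v` listing for the connector's keyAlias."""
import re
from typing import Dict, List, Optional

# Excerpt of the dump posted in the thread (second suite list shortened).
DEBUG_LOG = """\
http-8443-exec-6, READ: TLSv1 Handshake, length = 72
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
http-8443-exec-6, fatal error: 40: no cipher suites in common
http-8443-exec-6, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-8443-exec-7, READ: SSLv3 Handshake, length = 67
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, Unknown 0x0:0xff]
http-8443-exec-7, fatal error: 40: no cipher suites in common
http-8443-exec-7, SEND SSLv3 ALERT:  fatal, description = handshake_failure
"""
# Constructed `keytool -list -v` output (an assumption, not the poster's
# keystore): the server certificate was imported on its own as a trusted
# certificate, so the alias carries no private key.
KEYTOOL_LISTING = """\
Alias name: tomcat
Entry type: trustedCertEntry
Signature algorithm name: SHA1withRSA
"""
# Key-exchange part of a JSSE suite name -> server key algorithm it needs.
KEY_TYPE_BY_KX = {"RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA",
                  "DHE_DSS": "DSA", "ECDHE_ECDSA": "EC"}

def server_key_type(suite: str) -> Optional[str]:
    """'RSA', 'DSA' or 'EC' for a suite name; None if it cannot be parsed."""
    m = re.match(r"^(?:SSL|TLS)_([A-Za-z0-9_]+?)_WITH_", suite)
    if not m:
        return None                                  # e.g. "Unknown 0x0:0xff"
    return KEY_TYPE_BY_KX.get(re.sub(r"_EXPORT\d*$", "", m.group(1)))

def parse_handshakes(debug_log: str) -> List[Dict]:
    """One record per ClientHello: thread, protocol, suites, error, alert."""
    records, cur, buf = [], None, None     # buf collects a multi-line suite list
    for line in debug_log.splitlines():
        m = re.match(r"^(\S+), READ: (\S+) Handshake, length = \d+$", line)
        if m:
            cur = {"thread": m.group(1), "protocol": m.group(2),
                   "suites": [], "error": None, "alert": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Cipher Suites: ["):
            buf, line = [], line[len("Cipher Suites: ["):]
        if buf is not None:
            buf.append(line)
            if "]" in line:
                text = " ".join(buf).split("]")[0]
                cur["suites"] = [s.strip() for s in text.split(",") if s.strip()]
                buf = None
            continue
        m = re.match(r"^(\S+), (?:fatal error: \d+: (.*)|SEND \S+ ALERT:\s+"
                     r"\w+, description = (\w+))$", line)
        if m and m.group(1) == cur["thread"]:      # ignore other threads
            cur["error" if m.group(2) else "alert"] = m.group(2) or m.group(3)
    return records

def keystore_entries(listing: str) -> Dict[str, Dict]:
    """alias -> {'type': entry type, 'chain_length': int or None}."""
    entries, cur = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            cur = {"type": None, "chain_length": None}
            entries[line[len("Alias name: "):].strip()] = cur
        elif cur is not None and line.startswith("Entry type: "):
            cur["type"] = line[len("Entry type: "):].strip()
        elif cur is not None and line.startswith("Certificate chain length: "):
            cur["chain_length"] = int(line.split(":")[1])
    return entries

def diagnose(debug_log: str, listing: str, key_alias: str) -> List[str]:
    """One finding per ClientHello, then the keystore verdict as last line."""
    out = []
    for rec in parse_handshakes(debug_log):
        needed = sorted({server_key_type(s) or "?" for s in rec["suites"]})
        out.append(f"{rec['thread']}: {rec['protocol']} ClientHello, {len(rec['suites'])} "
                   f"suites needing server key {needed}; server: {rec['error'] or 'ok'}")
    entry = keystore_entries(listing).get(key_alias)
    if entry is None:
        out.append(f"keyAlias '{key_alias}' not found in keystore")
    elif entry["type"] != "PrivateKeyEntry":
        out.append(f"keyAlias '{key_alias}' is a {entry['type']}: no private key, "
                   "so no RSA or DSA suite can be served")
    else:
        out.append(f"keyAlias '{key_alias}' is a PrivateKeyEntry, chain length "
                   f"{entry['chain_length']}; its key type must appear above")
    return out

if __name__ == "__main__":
    print("\n".join(diagnose(DEBUG_LOG, KEYTOOL_LISTING, "tomcat")))
```

To use it on a real server, replace the two constants with the full -Djavax.net.debug=ssl log and the output of `keytool -list -v -keystore conf/tomcat.jks`. An alias that can serve the RSA suites offered here shows `Entry type: PrivateKeyEntry` with a `Certificate chain length` that covers the server, intermediate and root certificates; a keystore built by importing the three certificates as trusted entries has the certificates but not the private key, and JSSE then has nothing to pick.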