OK, I enabled SSL debug and got this:

Using SSLEngineImpl.
http-8443-exec-6, READ: TLSv1 Handshake, length = 72
*** ClientHello, TLSv1
RandomCookie: GMT: 1296237960 bytes = { 29, 26, 93, 201, 51, 195, 57, 220, 172, 159, 182, 24, 23, 109, 229, 241, 219, 44, 93, 9, 215, 107, 176, 92, 192, 250, 134, 108 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_65281, data: 00
***
http-8443-exec-6, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, SEND TLSv1 ALERT: fatal, description = handshake_failure
http-8443-exec-6, WRITE: TLSv1 Alert, length = 2
http-8443-exec-6, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, called closeOutbound()
http-8443-exec-6, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-7, READ: SSLv3 Handshake, length = 67
*** ClientHello, SSLv3
RandomCookie: GMT: 1296237960 bytes = { 167, 41, 66, 68, 100, 105, 126, 191, 190, 109, 143, 141, 122, 89, 201, 33, 1, 45, 228, 214, 141, 218, 73, 253, 8, 9, 118, 204 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, Unknown 0x0:0xff]
Compression Methods: { 0 }
***
http-8443-exec-7, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, SEND SSLv3 ALERT: fatal, description = handshake_failure
http-8443-exec-7, WRITE: SSLv3 Alert, length = 2
http-8443-exec-7, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, called closeOutbound()
http-8443-exec-7, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-8, called closeOutbound()
http-8443-exec-8, closeOutboundInternal()
http-8443-exec-8, SEND TLSv1 ALERT: warning, description = close_notify
http-8443-exec-8, WRITE: TLSv1 Alert, length = 2
When I open the cert I can see:

MD5:  3C:33:0A:7C:BC:8B:8D:9E:A5:C1:8C:49:F9:E1:84:0A
SHA1: 7F:02:49:61:4E:55:AE:11:F0:93:82:06:8A:44:95:56:2D:1E:0E:EB
Unterschrift-Algorithmusname: SHA1withRSA
Version: 3

So is my Java runtime missing SHA1withRSA?

> -----Original Message-----
> From: spr...@gmx.eu [mailto:spr...@gmx.eu]
> Sent: Friday, 28 January 2011 18:35
> To: 'Tomcat Users List'
> Subject: RE: SSL not working
>
> Hi,
>
> it is TC 7.0.5, Java 1.6_22.
>
> When I use a self-signed certificate everything is fine - same server config, just the other certificate. So it must be something wrong with the certificate. But I have no clue what.
>
> How can I debug the SSL handshake process?
>
> The cert not working has:
>
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
> #8: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> NetscapeCertType [
>   SSL client
>   SSL server
> ]
>
> So it should be the right type of cert.
>
> Thank you
>
> > -----Original Message-----
> > From: Thad Humphries [mailto:thad.humphr...@gmail.com]
> > Sent: Friday, 28 January 2011 16:47
> > To: Tomcat Users List
> > Subject: Re: SSL not working
> >
> > I've been fooling around *a lot* lately with SSL, so I thought I'd give this a try. I'm not very experienced, but I'll offer my two cents.
> >
> > First of all, what version of Tomcat, Java, etc. are you running? Such a statement is *de rigueur* for practically any question to this forum. My system looks like
> >
> > ** Server: SuSE 11.3 (2.6.34.7-0.7-desktop #1 SMP PREEMPT 2010-12-13 11:13:53 +0100 i686 i686 i386 GNU/Linux)
> > ** Tomcat 6.0.30
> > ** Java: JRE 1.5.0_22 (though my keystore was self-generated with JDK 1.6.0_23)
> >
> > That said, the connector you describe is working for me, even when I intentionally misname my keyAlias. However, I have only one entry in my keystore. I'm guessing that it can screw up if you have more than one and you give the wrong alias.
> >
> > You're using a JSSE implementation, correct? Run
> >
> >   $ keytool -list -keystore $CATALINA_HOME/conf/keystore.jks -v
> >
> > and see what you get.
> >
> > (BTW, my self-generated openssl cert can be read with
> >
> >   $ keytool -printcert -file /srv/apache2/conf/server.crt -v
> >
> > I say this only because I've also been fiddling, successfully, with the APR and mod_jk connector.)
> >
> > On Fri, Jan 28, 2011 at 8:06 AM, <spr...@gmx.eu> wrote:
> >
> > > Hi,
> > >
> > > I did it now so many times - it always worked - configuring Tomcat for SSL.
> > >
> > > Today: New server, new certificate.
> > >
> > > Created a new keystore, imported root, intermediate and server certificate, configured the connector, same as usual.
> > >
> > > But... http does not work. No error in Tomcat's log, nothing. Browser says that it cannot load the page due to a connection problem, maybe a security issue.
> > >
> > > How can I debug this SSL problem?
> > >
> > > <Connector
> > >     SSLEnabled="true"
> > >     clientAuth="want"
> > >     maxThreads="150"
> > >     port="8443"
> > >     protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >     scheme="https"
> > >     secure="true"
> > >     sslProtocol="TLS"
> > >     keystoreFile="conf/tomcat.jks"
> > >     keystoreType="JKS"
> > >     keyAlias="tomcat"
> > >     keystorePass="changeit"
> > > />
> > >
> > > Thank you
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> >
> > --
> > "Hell hath no limits, nor is circumscrib'd In one self-place; but where we are is hell, And where hell is, there must we ever be" --Christopher Marlowe, *Doctor Faustus* (v, 121-24)
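As an added diagnostic example, not code from this thread, from Tomcat or from the JDK: the program below answers the question asked in the quoted mail ("How can I debug the SSL handshake process?") from the server side. The debug output quoted at the top is what the JVM prints with -Djavax.net.debug=ssl; this program instead opens the connector's keystore, reports for each alias whether it is a private-key entry or only a trusted certificate, prints the key and signature algorithm from the same X509Certificate that keytool shows as "Unterschrift-Algorithmusname", asks the key manager whether it can present an RSA, DSA or EC server identity, and checks the cipher suites from the quoted ClientHello against what a server built from this keystore could negotiate. The class name KeystoreCheck is mine; the defaults are the keystoreFile, keystorePass and keyAlias values from the quoted connector, and the suite list is copied from the debug output above. During the handshake JSSE skips every suite for which the key manager returns no alias of the suite's key type (RSA suites need an RSA private key, DHE_DSS suites a DSA one), so a keystore whose entries are all trustedCertEntry leaves the intersection empty and produces exactly the "no cipher suites in common" alert seen above; the program reports that case explicitly. It stays at the JSSE level and checks Tomcat's keyAlias only by confirming that the alias is a private-key entry. It compiles on Java 6 and later.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509KeyManager;

/**
 * Added diagnostic example (not from the thread, Tomcat or the JDK): inspect the
 * keystore a Tomcat JSSE connector points at and work out which of the suites a
 * client offered the server could actually negotiate with it.
 *
 * Usage: java KeystoreCheck [keystoreFile] [keystorePass] [keyAlias]
 * Defaults are the values from the quoted connector: conf/tomcat.jks, changeit, tomcat.
 */
public class KeystoreCheck {

    // Cipher suites from the ClientHello quoted in the debug output above. The second
    // ClientHello also carried "Unknown 0x0:0xff", a signalling value rather than a suite.
    static final String[] CLIENT_HELLO_SUITES = {
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"
    };

    /** Key type the server certificate must carry for this suite; null for suites needing none. */
    static String requiredKeyType(String suite) {
        if (suite.contains("_DSS_")) return "DSA";
        if (suite.contains("_ECDSA_")) return "EC";
        if (suite.contains("_RSA_")) return "RSA";
        return null; // anonymous / PSK style suites: no certificate key involved
    }

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "conf/tomcat.jks";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias = args.length > 2 ? args[2] : "tomcat";

        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(file);
        try {
            ks.load(in, pass);
        } finally {
            in.close();
        }

        // 1. Inventory: only a PrivateKeyEntry can serve as the server identity; an imported
        //    root or intermediate is a trustedCertEntry and cannot.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            Certificate c = ks.getCertificate(a);
            String keyAlg = c == null ? "?" : c.getPublicKey().getAlgorithm();
            String sigAlg = c instanceof X509Certificate ? ((X509Certificate) c).getSigAlgName() : "?";
            Certificate[] chain = ks.isKeyEntry(a) ? ks.getCertificateChain(a) : null;
            System.out.printf("%-16s %-16s key=%-4s sig=%-12s chain=%d%n", a,
                    ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry",
                    keyAlg, sigAlg, chain == null ? 0 : chain.length);
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("keyAlias '" + alias + "' does not exist in this keystore");
        } else if (!ks.isKeyEntry(alias)) {
            System.out.println("keyAlias '" + alias + "' is not a private-key entry; no server key to present");
        }

        // 2. Which key types can the key manager present a server identity for?
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        X509KeyManager km = null;
        for (KeyManager m : kmf.getKeyManagers()) {
            if (m instanceof X509KeyManager) km = (X509KeyManager) m;
        }
        if (km == null) throw new IllegalStateException("no X509KeyManager available");
        for (String keyType : new String[] {"RSA", "DSA", "EC"}) {
            System.out.println(keyType + " server alias: " + km.chooseServerAlias(keyType, null, null));
        }

        // 3. Suites the server is configured to enable (this list is not yet filtered by keys).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        Set<String> enabled = new HashSet<String>(Arrays.asList(engine.getEnabledCipherSuites()));

        // 4. A suite is negotiable only if it is enabled AND a key of its type exists; the
        //    handshake skips the rest, and an empty set here is "no cipher suites in common".
        int common = 0;
        for (String suite : CLIENT_HELLO_SUITES) {
            String keyType = requiredKeyType(suite);
            boolean usable = enabled.contains(suite) && keyType != null
                    && km.chooseServerAlias(keyType, null, null) != null;
            if (usable) { System.out.println("usable: " + suite); common++; }
        }
        if (common == 0) {
            System.out.println("no usable suite: server would send fatal handshake_failure (no cipher suites in common)");
        }
    }
}
```

Run it from $CATALINA_HOME so the relative keystoreFile path resolves as it does for Tomcat. If step 1 shows the server certificate only as a trustedCertEntry, the keystore was built by importing the certificate without the private key it was issued for, and no connector setting will make the handshake succeed until the key pair and its chain are stored under one alias as a PrivateKeyEntry.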