tomcat-users mailing list archives

From "Jean-Etienne G."<jeg...@voila.fr>
Subject RE: SSL handshake failure URGENT
Date Fri, 15 Jun 2001 08:59:29 GMT
Here they are
(all the files I have generated with these openssl commands)

> Can you send your server, client, and CA certs?
> 
> Rams
> +91-040-3000401 x 2162 (O)
> +91-040-6313447 (R)
> 
> 
> -----Original Message-----
> From: Jean-Etienne G. [mailto:jeg_ml@voila.fr]
> Sent: Thursday, June 14, 2001 7:27 PM
> To: tomcat-user@jakarta.apache.org
> Subject: SSL handshake failure URGENT
> 
> 
> Hello,
> 
>  I got no responses to my previous mails... so maybe I did not contact the
> right mailing list. Please give me at least a start of a response...
> 
>  Hello,
>  I have a certificate import problem
> 
>  Here is the output of an openSSL client command [which emulates a browser]
> (openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
>  cl_key.pem -state) :
> 
>  Enter PEM pass phrase:
>  CONNECTED(00000003)
>  SSL_connect:before/connect initialization
>  SSL_connect:SSLv2/v3 write client hello A
>  SSL3 alert read:fatal:handshake failure
>  SSL_connect:error in SSLv2/v3 read server hello A
>  1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:s23_clnt.c:453:
> 
>  Can someone help me?
>  Is there a way to make it work without installing apache?
>  Thanks for your answer
> 
> 
> 
> 
>  I have this tomcat configuration :
> 
> 
>  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
>  <Parameter name="handler"
>  value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
>  <Parameter name="port"
>  value="8443"/>
>  <Parameter name="socketFactory"
>  value="org.apache.tomcat.net.SSLSocketFactory" />
>  <Parameter name="keystore"
>  value="/opt/tomcat-3-2-2/tomcat/conf/keystore" />
>  <Parameter name="keypass"
>  value="pwd_sr" />
>  <Parameter name="clientAuth"
>  value="true" />
>  </Connector>
> 
> 
>  And here are all the commands I entered, in order, to make it work
> 
>  mkdir ./demoCA
>  echo "" > ./demoCA/index.txt
>  echo "01" > ./demoCA/serial
> 
>  # CA
>  openssl req -new -out ca_req.pem -keyout ca_key.pem
>  #pwd:pwd_ca
>  #challenge_pwd:ch_ca
>  #company name:THE_ORG
> 
>  # CLIENT
>  openssl req -new -out cl_req.pem -keyout cl_key.pem
>  #pwd:pwd_cl
>  #ch_pwd:ch_cl
>  #company name:THE_ORG
>  # SERVER
>  openssl req -new -out sr_req.pem -keyout sr_key.pem
>  #pwd:pwd_sr
>  #ch_pwd:ch_sr
>  #company name:THE_ORG
>  # CA AUTH
>  echo "CA AUTH : enter CA password"
>  openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
>  #pwd:pwd_ca
>  rm ./demoCA/index.txt
>  rm ./demoCA/serial
>  echo "" > ./demoCA/index.txt
>  echo "01" > ./demoCA/serial
> 
>  # CLIENT AUTH BY CA
>  echo "CL AUTH : enter CA password"
>  openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile
> ca_key.pem -config /usr/local/ssl/openssl.cnf
>  #pwd:pwd_ca
> 
>  # SERVER AUTH BY CA
>  echo "SR AUTH : enter CA password"
>  openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile
> ca_key.pem -config /usr/local/ssl/openssl.cnf
>  #pwd:pwd_ca
> 
>  # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
>  openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der
> 
>  # REMOVE PREVIOUS KEYSTORE
>  rm /opt/tomcat-3-2-2/tomcat/conf/keystore
> 
>  # IMPORT SERVER CERT IN TOMCAT KEYSTORE
>  echo "IMPORT SR CERT : enter SR password"
>  /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file
> sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
>  #pwd:pwd_sr
> 
>  # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
>  echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
>  openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
>  #pwd:pwd_cl
>  #exp_pwd:pwd_cl
> 
>  # CONNECTION TO THE TOMCAT SERVER
>  openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
> cl_key.pem -state
> __________________________________________________
> Voila offers you a free mailbox on Voila Mail:
> http://mail.voila.fr


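The procedure quoted above never checks that the issued certificates actually chain to the CA, that each private key matches its certificate, or that the server's private key reaches the keystore together with its certificate. That last point is the one a reviewer would flag first: keytool -import given only a certificate file (sr_cert.der here) stores a trusted-certificate entry, not a key entry, and a connector whose keystore holds no key entry has nothing to present in the handshake. The script below is an added example, not code from the thread: it rebuilds the same CA / server / client setup non-interactively with OpenSSL (1.1.1 or later assumed on PATH), keeps the thread's file-name scheme (ca_, sr_, cl_) and its pwd_sr password for the PKCS#12 bundle, and runs those checks. The ca.cnf contents and the names localhost and client1 are constructed for the demonstration. It signs with `openssl x509 -req` instead of `openssl ca`, so no demoCA index/serial files are needed, and it bundles key, certificate and CA chain into one PKCS#12 file, which is the form a keystore import should take.

```sh
#!/bin/sh
# Added example, not from the thread: rebuild the CA / server / client setup
# non-interactively and run the checks the original procedure skips.
# Assumes OpenSSL 1.1.1+ on PATH; subjects, names and the PKCS#12 password
# (pwd_sr, reused from the thread) are placeholders for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Self-contained config so the script does not depend on the system openssl.cnf;
  # CA:TRUE and keyCertSign are what 'openssl verify' needs to accept the issuer.
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = THE_ORG
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
}

issue_cert() {
  # $1 = file prefix (sr|cl), $2 = name used for CN and SAN, $3 = serverAuth|clientAuth.
  # Signing with 'x509 -req' needs no demoCA index.txt/serial bookkeeping.
  openssl req -new -config "$WORK/ca.cnf" -subj "/O=THE_ORG/CN=$2" \
    -newkey rsa:2048 -nodes \
    -keyout "$WORK/${1}_key.pem" -out "$WORK/${1}_req.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$2" "$3" > "$WORK/${1}.ext"
  openssl x509 -req -in "$WORK/${1}_req.pem" -CA "$WORK/ca_cert.pem" \
    -CAkey "$WORK/ca_key.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/${1}.ext" -out "$WORK/${1}_cert.pem" 2>/dev/null
}

verify_chain() {
  # $1 = certificate. Succeeds only if it chains to ca_cert.pem.
  openssl verify -CAfile "$WORK/ca_cert.pem" "$1" >/dev/null 2>&1
}

key_matches_cert() {
  # $1 = certificate, $2 = private key. Compares the public key found in each.
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

bundle_server_p12() {
  # Key, certificate and CA chain together in one PKCS#12 file (alias "tomcat").
  openssl pkcs12 -export -inkey "$WORK/sr_key.pem" -in "$WORK/sr_cert.pem" \
    -certfile "$WORK/ca_cert.pem" -name tomcat -passout pass:pwd_sr \
    -out "$WORK/sr.p12" 2>/dev/null
}

bundle_cert_only_p12() {
  # A bundle holding just the certificate, i.e. what a keystore ends up with
  # when only a certificate file is imported: the check below must reject it.
  openssl pkcs12 -export -nokeys -in "$WORK/sr_cert.pem" -passout pass:pwd_sr \
    -out "$WORK/sr_certonly.p12" 2>/dev/null
}

p12_has_private_key() {
  # $1 = PKCS#12 file, $2 = password. True only if the bundle carries a private key;
  # without one the server side has nothing to complete the handshake with.
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

build_and_check() {
  make_ca
  issue_cert sr localhost serverAuth
  issue_cert cl client1 clientAuth
  verify_chain "$WORK/sr_cert.pem"
  verify_chain "$WORK/cl_cert.pem"
  key_matches_cert "$WORK/sr_cert.pem" "$WORK/sr_key.pem"
  key_matches_cert "$WORK/cl_cert.pem" "$WORK/cl_key.pem"
  bundle_server_p12
  p12_has_private_key "$WORK/sr.p12" pwd_sr
  bundle_cert_only_p12
  ! p12_has_private_key "$WORK/sr_certonly.p12" pwd_sr \
    || { echo "cert-only bundle wrongly accepted" >&2; return 1; }
  echo "all checks passed; files are under $WORK"
}

build_and_check
```

Run it as `sh check_pki.sh`; everything is written under a temporary directory (override with `WORK=/some/dir`), and `set -e` stops the script at the first failing check. The private keys are written unencrypted (`-nodes`) purely so the script runs without prompts; the resulting sr.p12 carries the server key, its certificate and the CA certificate together, which is what a keystore import needs, while sr_certonly.p12 reproduces the missing-key case and is the one `p12_has_private_key` rejects.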