tomcat-users mailing list archives

From Ankit Shah <Ankit_S...@symantec.com>
Subject Re: Admin Application messes up HTTPS Connectors in server.xml
Date Mon, 16 May 2005 13:42:59 GMT
Hi Peter,
Thanks for your response. I double-checked to make sure that secure="true" 
is present. Also, the admin app does write out that attribute. It is 
indeed the missing sslProtocol attribute that's the root of all problems.

Here are the 2 connector elements from configs:

Configured Manually. Works fine:

    <Connector port="1443"
               maxThreads="15" minSpareThreads="5" maxSpareThreads="10"
               enableLookups="false" disableUploadTimeout="true"
               maxKeepAliveRequests="1"
               acceptCount="10" debug="0" scheme="https" secure="true"
               keystorePass="mypassword"
               keystoreFile="c:\path\to\certificate\file"
               clientAuth="false" sslProtocol="TLS" />

Saved by Admin App: Breaks
  <Connector port="1443" scheme="https" secure="true"
    keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
    maxSpareThreads="10" debug="0" maxThreads="15"
    maxKeepAliveRequests="1" minSpareThreads="5"
    clientAuth="false" acceptCount="10" />

To fix the above so that it works:
  <Connector port="1443" scheme="https" secure="true"
    keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
    maxSpareThreads="10" debug="0" maxThreads="15"
    maxKeepAliveRequests="1" minSpareThreads="5"
    clientAuth="false" acceptCount="10" sslProtocol="TLS" />

Note that secure="true" is printed out by the admin app

I have been investigating the source code to track the file that is doing 
the job of saving the connector configuration to disk. It should be one of 
the files belonging to the storeconfig.jar classes. As a stop-gap 
arrangement I might tweak the code to force printing that attribute and 
override all checks for just that attribute. (Messy ... but it will work 
until a more thorough investigation is done. Everyone knows how deadlines 
go ... ;) )

Thanks again,
Ankit

tomcat-user-digest-help@jakarta.apache.org
05/15/2005 06:55 PM
Please respond to "Tomcat Users List" <tomcat-user-digest@jakarta.apache.org>
To: tomcat-user@jakarta.apache.org
Subject: tomcat-user Digest 15 May 2005 22:55:08 -0000 Issue 5626

---- Message from Peter Rossbach <pr@objektpark.de> on Sun, 15 May 2005 20:16:01 +0200 -----
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject: Re: Admin Application messes up HTTPS Connectors in server.xml

Hey Ankit,

Can it be that you forgot the secure="true" attribute on your https 
connector?

I have looked inside the Http11Protocol code and found this:

    public void setProtocol( String k ) {
        setSecure(true);
        setAttribute("protocol", k);
    }

The sslProtocol="TLS" is the default and the StoreConfig
handler deletes all defaults before saving.
This is really a bad side effect, but with the correct secure attribute 
setting it works for me!

This https config is also documented at:

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/ssl-howto.html

If the problem still exists, please send your working and breaking 
Connector element config from server.xml.

Thanks
Peter
 
Ankit Shah wrote:

>Hi,
>The Tomcat admin utility doesn't save the HTTPS connectors properly. It 
>misses out the 'sslProtocol' attribute and this results in the failed 
>connector. Does anyone have a fix around this?
>
>The following is the current state of our server:
>Tomcat 5.5.9 with 1.4.2 compatibility add-on.
>JRE version 1.4.2_05
>
>My Tests and results:
>About certificates:
>        We are using our own keytool generated unsigned certificates. 
>Every time I point firefox to the admin app, it will present the 
>certificate for my approval. I temporarily accept the certificate for my 
>session.
>
>1. Install tomcat, configure an HTTPS connector
>        Run the admin app and change a parameter (acceptCount in my case: 
>raised it from 8 to 10) and click Save and then Commit Changes
>
>        Restart tomcat. Restart Firefox. Pointing the browser to the admin 
>app homepage will not load anything.
>        No Certificate presented!!
>
>2. Manually did a diff on server.xml and server.xml.<backup> . The 
>difference is the missing 'sslProtocol' attribute. The docs say this 
>attribute is optional, but that doesn't seem like the case. Added the 
>attribute manually
>        sslProtocol="TLS"
>
>        Restart Tomcat. Restart Firefox. Certificate presented. Admin App 
>Homepage Loaded.
>
>3. By seeing the server.xml written out by Admin app, it is clear that 
>only attributes with non-default values are written out.
>        From the admin app, set SSL Protocol field's value to SSL. Save. 
>Commit Changes
>
>        Restart Tomcat. Restart Firefox. NO Certificate Presented. Admin 
>App homepage NOT loaded.
>
>        In server.xml - sslProtocol attribute is NOT written out.
>
>I also inspected the logs (Generated by Log4J and logging level set to 
>debug)
>
>Upon save:
>        bean is updated with sslProtocol's new value
>Upon Commit:
>        the list of attributes for the connector doesn't have sslProtocol 
>as one of the attributes that will be written out
>
>Can you help me how I can make admin application available for Tomcat 
>administration by the assigned administrators? What fixes will be needed. 
>If there are any known get-arounds for this.
>
>Thanks in advance for all your help and appreciate your patience in 
>reading through my email.
>
>Ankit
>PS: I can mail you the log files if you want (I have about 11 of them, 
>each is 10M). Thanks once again