tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ankit Shah <Ankit_S...@symantec.com>
Subject Re: tomcat-user Digest 16 May 2005 21:06:57 -0000 Issue 5633
Date Tue, 17 May 2005 21:12:45 GMT
Hi Peter,
You're a stunner. Thanks very much... your fix works.The file is printed 
out nicely and multiple restarts doesn't mess it up.

Danke,
Ankit




tomcat-user-digest-help@jakarta.apache.org 
05/16/2005 05:06 PM
Please respond to
"Tomcat Users List" <tomcat-user-digest@jakarta.apache.org>


To
tomcat-user@jakarta.apache.org
cc

Subject
tomcat-user Digest 16 May 2005 21:06:57 -0000 Issue 5633







tomcat-user Digest 16 May 2005 21:06:57 -0000 Issue 5633


----- Message from Peter Rossbach <pr@objektpark.de> on Mon, 16 May 2005 
20:23:43 +0200 -----
To:
Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject:
Re: Admin Application messes up HTTPS Connectors in server.xml

Hey Ankit,

I found the bug and hope you can test my fix at cvs head.

Thanks
Peter

Ankit Shah schrieb:

>Hi Peter,
>Thanks for your response. I double-checked to make sure that 
secure="true" 
>is present. Also, the admin app does write out that attribute. It is 
>indeed the missing sslProtocol attribute that's the root of all problems.
>
>Here are the 2 connector elements from configs:
>
>Configured Manually. Works fine:
>
>    <Connector port="1443"
>               maxThreads="15" minSpareThreads="5" maxSpareThreads="10"
>               enableLookups="false" disableUploadTimeout="true" 
>maxKeepAliveRequests="1"
>               acceptCount="10" debug="0" scheme="https" secure="true"
>                           keystorePass="mypassword"
>                           keystoreFile="c:\path\to\certificate\file"
>               clientAuth="false" sslProtocol="TLS" />
>
>Saved by Admin App: Breaks
>  <Connector port="1443" scheme="https" secure="true" 
>    keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
>    maxSpareThreads="10" debug="0" maxThreads="15" 
>maxKeepAliveRequests="1" minSpareThreads="5
>    clientAuth="false" acceptCount="10" /> 
>
>To fix the above so that it works:
>  <Connector port="1443" scheme="https" secure="true" 
>    keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
>    maxSpareThreads="10" debug="0" maxThreads="15" 
>maxKeepAliveRequests="1" minSpareThreads="5
>    clientAuth="false" acceptCount="10" sslProtocol="TLS" /> 
>
>Note that secure="true" is printed out by the admin app
>
>I have been investigating the source code to track the file that is doing 

>the job of saving the connector configuration to disk. It should be one 
of 
>the files belonging to the storeconfig.jar classes. As a stop-gap 
>arrangement i might tweak the code to force printing that attribute and 
>over-ride all checks for just that attribute. (Messy ... but it will work 

>until a more thorough investigation is done. Everyone knows how deadlines 

>go ... ;) )
>
>Thanks again,
>Ankit
>
>
>
>
>
>
>
>
>
>tomcat-user-digest-help@jakarta.apache.org 
>05/15/2005 06:55 PM
>Please respond to
>"Tomcat Users List" <tomcat-user-digest@jakarta.apache.org>
>
>
>To
>tomcat-user@jakarta.apache.org
>cc
>
>Subject
>tomcat-user Digest 15 May 2005 22:55:08 -0000 Issue 5626
>
>----  Message from Peter Rossbach <pr@objektpark.de> on Sun, 15 May 2005 
>20:16:01 +0200 -----
>To:
>Tomcat Users List <tomcat-user@jakarta.apache.org>
>Subject:
>Re: Admin Application messes up HTTPS Connectors in server.xml
>
>Hey Ankit,
>
>can it be that you forget the secure="true" attribute at your https 
>connector?
>
>I have look inside Http11Protocol code and find this:
>
>   public void setProtocol( String k ) {
>        setSecure(true);
>        setAttribute("protocol", k);
>    }
>
>The sslProtocol="TLS" is the default and the StoreConfig
>handler delete all defaults before saving.
>This is really a bad side effect, but with correct secure attribute 
>setting it works for me!
>
>This https config is also documented at:
>
>http://jakarta.apache.org/tomcat/tomcat-5.5-doc/ssl-howto.html
>
>When problem still exists, please send your working and breaking 
>Connector element config from server.xml
>
>Thanks
>Peter
> 
>Ankit Shah schrieb:
>
> 
>
>>Hi,
>>The Tomcat admin utility doesn't save the HTTPS connectors properly. It 
>>misses out the 'sslProtocol' attribute and this results in the failed 
>>connector. Does anyone have a fix around this?
>>
>>The following is the current state of our server:
>>Tomcat 5.5.9 with 1.4.2 compatibility add-on.
>>JRE version 1.4.2_05
>>
>>My Tests and results:
>>About certificates:
>>       We are using our own keytool generated unsigned certificates. 
>>Everytime i point firefox to the admin app, it will present the 
>>certificate for my approval. I temporarily accept the certificate for my 

>>session.
>>
>>1. Install tomcat, configure an HTTPS connector
>>       Run the admin app and change a parameter (acceptCount in my case: 

>> 
>>
>
> 
>
>>raised it from 8 to 10) and click Save and then Commit Changes
>>
>>       Restart tomcat. Restart Firefox. Pointing the browser to the 
>> 
>>
>admin 
> 
>
>>app homepage will not load anything.
>>       No Certificate presented!!
>>
>>2. Manually did a diff on server.xml and server.xml.<backup> . The 
>>difference is the missing 'sslProtocol' attribute. The docs say this 
>>attribute is optional, but that doesn't seem like the case. Added the 
>>attribute manually
>>       sslProtocol="TLS"
>>
>>       Restart Tomcat. Restart Firefox. Certificate presented. Admin App 

>> 
>>
>
> 
>
>>Homepage Loaded.
>>
>>3. By seeing the server.xml written out by Admin app, it is clear that 
>>only attributes with non-default values are written out.
>>       From the admin app, set SSL Protocol field's value to SSL. Save. 
>>Commit Changes
>>
>>       Restart Tomcat. Restart Firefox. NO Certificate Presented. Admin 
>>App homepage NOT loaded.
>>
>>       In server.xml - sslProtocol attribute is NOT written out.
>>
>>I also inspected the logs (Generated by Log4J and logging level set to 
>>debug)
>>
>>Upon save:
>>       bean is updated with sslProtocol's new value
>>Upon Commit:
>>       the list of attributes for the connector doesn't have sslProtocol 

>> 
>>
>
> 
>
>>as one of the attributes that will be written out
>>
>>Can you help me how i can make admin application available for Tomcat 
>>administration by the assigned administrators? What fixes will be 
needed. 
>> 
>>
>
> 
>
>>If there are any known get-arounds for this.
>>
>>Thanks in advance for all your help and appreciate your patience in 
>>reading through my email.
>>
>>Ankit
>>PS: I can mail you the log files if you want (I have about 11 of them, 
>>each is 10M). Thanks once again
>>
>>
>>
>> 
>>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message