tomcat-users mailing list archives

From "Nate Rock" <nr...@infinitecampus.com>
Subject RE: Tomcat 5.5.12- APR Connector - SSL configuration
Date Wed, 30 Nov 2005 23:06:40 GMT
Thx Remy, but still not working... I did however discover why it's not working so read on...

Remy's comment about reading *all* the documentation highlights my point about the APR SSL
documentation being unclear... According to the APR/SSL documentation on the Tomcat site,
(and verified in the source) the only attribute that is "Required" for the connector is the
SSLCertificateFile attribute so that's all I tried at first. Since the default value for SSLEngine
is "off" wouldn't the SSLEngine="on" be "required" to use SSL on the connector? 

I also skimmed through the attributes by reading the first sentence of the description, and
when I see "Name of the SSLEngine to use."  I say "I don't need an external SSL engine...
On to the next attribute". It might be more clear to make a second attribute that toggles
ssl on/off in the connector and one that specifies an engine other than the default.

<Connector 
	SSLEnable="true" (default false)?
	SSLEngine="customEngineNameHere" (default none)?
	/>

This makes a clear separation from enabling SSL in the connector and a deviation from the
default SSL engine. In the above mentioned suggestion the SSLEnable attribute should be a
required attribute for the connector. Just my two cents, I know about the SSLEngine so I don't
need the added clarification, it might also be the way that OpenSSL handles its SSLEngine
attribute, and if that's the case, something pointing out that the attribute is "required"
would be super helpful.

Now that the doc discussion is over let's get to the root of the problem...

After Remy's advice I tried the SSLEngine="on" with only the SSLCertificate attribute and
turned my debug level to 5 to get maximum debugging info.

<Connector port="443" 
	debug="5"
	maxHttpHeaderSize="8192"
	maxThreads="150" 
	minSpareThreads="25" 
	maxSpareThreads="75"
	enableLookups="false" 
	disableUploadTimeout="true"
	acceptCount="100" 	
	SSLEngine="on"	
	SSLCertificateFile="c:\certs\server\server.cer"
	/>

Here is what I got in the log file:

Nov 30, 2005 4:53:21 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Nov 30, 2005 4:53:22 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: Unable to load certificate key c:\certs\server\server.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)
	at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
	at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:592)
	at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:115)
	at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
	at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Nov 30, 2005 4:53:22 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException:  Protocol handler initialization failed: java.lang.Exception: Unable to load certificate key c:\certs\server\server.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)
	at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
	at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)

This makes sense because how can the server encrypt anything that matches its public key
without having signed it with the private key? /;)  So I added in the SSLCertificateKeyFile
attribute.

<Connector port="443" 
	debug="5"
	maxHttpHeaderSize="8192"
	maxThreads="150" 
	minSpareThreads="25" 
	maxSpareThreads="75"
	enableLookups="false" 
	disableUploadTimeout="true"
	acceptCount="100" 	
	SSLEngine="on"	
	SSLCertificateFile="c:\certs\server\server.cer"
	SSLCertificateKeyFile="c:\certs\server\serverKey.key"
	/>

Woo Hoo!!!!! Nothing in the log file...

Nov 30, 2005 4:57:10 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Nov 30, 2005 4:57:11 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 30, 2005 4:57:11 PM org.apache.catalina.startup.Catalina load

I then try connecting to the server using http://server/ but STILL nothing...

Not being one to be thwarted so easily (and having found and posted a code fix just yesterday
for some APR connector code) I dove right into the source... It looks like the SSL implementation
for the native APR connector might not be functioning as intended ;) Take a look at the code
snippet below:

Lines 639-650 of the org.apache.coyote.Http11AprProtocol.java

                // FIXME: SSL implementation
                /*
                if( proto.secure ) {
                    SSLSupport sslSupport=null;
                    if(proto.sslImplementation != null)
                        sslSupport = proto.sslImplementation.getSSLSupport(socket);
                    processor.setSSLSupport(sslSupport);
                } else {
                    processor.setSSLSupport( null );
                }
                processor.setSocket( socket );
                */

Whoops...

Not knowing the intimate details of how the Tomcat/APR connectors function, I might be incorrect
in my assumption, but it looks like the SSL code is in fact commented out.

Going to post a bug for this if someone doesn't do it by the time I get home... =D - cheers!

   -rOcK

-----Original Message-----
From: Remy Maucherat [mailto:remy.maucherat@gmail.com] 
Sent: Wednesday, November 30, 2005 4:12 PM
To: Tomcat Users List
Subject: Re: Tomcat 5.5.12- APR Connector - SSL configuration

On 11/30/05, Nate Rock <nrock@infinitecampus.com> wrote:
> All to no avail =(

Cool, but how about really reading *all* the APR documentation. For example, there's a SSLEngine
attribute, also.

--
xxxxxxxxxxxxxxxxxxxxxxxxx
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
xxxxxxxxxxxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
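The two failures Nate walks through above (SSLEngine left at its default of "off", then OpenSSL reporting "PEM_read_bio:no start line" because no SSLCertificateKeyFile was given) can both be caught before Tomcat is started. The script below is an added example written for this archive page; it is not code from Tomcat or from either poster. It parses a constructed server.xml fragment, applies the rule from the Tomcat APR connector docs that SSLCertificateKeyFile defaults to SSLCertificateFile (so OpenSSL then looks for the private key inside the certificate file), and scans each PEM file for the block labels OpenSSL expects. The ports, file names and PEM bodies are constructed placeholders, not real key material.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# One PEM block: "-----BEGIN <label>-----" ... "-----END <same label>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(path):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE'] or ['RSA PRIVATE KEY'].
    OpenSSL's 'PEM_read_bio:no start line' means the block it wanted is not in this list."""
    text = Path(path).read_text(errors="replace")
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def apr_ssl_findings(connector):
    """Check the SSL attributes of one APR <Connector> element (an ElementTree Element).
    Returns a list of findings; an empty list means SSLEngine, the certificate file and
    the private key all look right."""
    attrs = connector.attrib
    findings = []
    if attrs.get("SSLEngine", "off").lower() != "on":
        findings.append("SSLEngine is not 'on' (default 'off'): connector will speak plain HTTP")
    cert = attrs.get("SSLCertificateFile")
    if not cert:
        findings.append("SSLCertificateFile is missing")
        return findings
    # Tomcat APR docs: SSLCertificateKeyFile defaults to SSLCertificateFile, so without it
    # OpenSSL searches the certificate file for the private key.
    key = attrs.get("SSLCertificateKeyFile", cert)
    if not Path(cert).is_file():
        findings.append(f"SSLCertificateFile not found: {cert}")
        return findings
    if "CERTIFICATE" not in pem_labels(cert):
        findings.append(f"no CERTIFICATE block in {cert}: found {pem_labels(cert)}")
    if not Path(key).is_file():
        findings.append(f"SSLCertificateKeyFile not found: {key}")
        return findings
    if not any(label.endswith("PRIVATE KEY") for label in pem_labels(key)):
        origin = ("explicit SSLCertificateKeyFile" if "SSLCertificateKeyFile" in attrs
                  else "SSLCertificateKeyFile unset, so the certificate file is searched")
        findings.append(f"no PRIVATE KEY block in {key} ({origin}); "
                        "OpenSSL reports this as 'PEM_read_bio:no start line'")
    return findings


def findings_for_xml(server_xml):
    """Run apr_ssl_findings over every <Connector> in a server.xml string, keyed by port."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): apr_ssl_findings(c) for c in root.iter("Connector")}


def demo():
    """Replay the thread's configurations against constructed PEM files (placeholder
    bodies, not real certificates or keys) and return the findings per connector port."""
    with tempfile.TemporaryDirectory() as tmp:
        cert = Path(tmp) / "server.cer"
        key = Path(tmp) / "serverKey.key"
        cert.write_text("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
                        "-----END CERTIFICATE-----\n")
        key.write_text("-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
                       "-----END RSA PRIVATE KEY-----\n")
        # 8443: certificate only, as in the first attempt in the thread
        # 443:  certificate plus key file, as in the attempt that started cleanly
        # 8444: key file present but SSLEngine never switched on
        server_xml = f"""<Service>
          <Connector port="8443" SSLEngine="on" SSLCertificateFile="{cert}" />
          <Connector port="443" SSLEngine="on" SSLCertificateFile="{cert}"
                     SSLCertificateKeyFile="{key}" />
          <Connector port="8444" SSLCertificateFile="{cert}" SSLCertificateKeyFile="{key}" />
        </Service>"""
        return findings_for_xml(server_xml)


if __name__ == "__main__":
    for port, findings in demo().items():
        print(port, findings or "ok")
```

The check only covers the attributes the thread exercised; it reads PEM headers and does not verify that the certificate and key actually belong together, which needs an OpenSSL-backed library.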