tomcat-users mailing list archives

From bhooshanpan...@aol.com
Subject Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
Date Sat, 30 Aug 2008 10:23:47 GMT
>> I tried changing the "sslProtocol" attribute in the "Connector" element
>> in conf/server.xml file and then Tomcat couldn't start. Observed the
>> following error in catalina.out:

What value did you specify for sslProtocol? I tried using SSL and it worked.

-----Original Message-----
From: Suresh Kumar J <suresh.kumar.j@gmail.com>
To: users@tomcat.apache.org
Sent: Sat, 30 Aug 2008 4:25 am
Subject: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Hi!

I am running Apache Tomcat (v6.0.13) on Redhat Linux. Below is the snippet of the server.xml config:

----------------------------
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
           keystoreFile="conf/my-key-store" keystorePass="abcd"/>
----------------------------

The https connection (TLS based) works fine with IE6.0/7.x and FireFox 2.0.x. But I am having issues with FireFox 3.0.1 on Windows XP with the default settings. When I try to connect (https on 443) to Apache Tomcat (v6.0.14), I get the following error in the FireFox 3.0.1 window:

-------------------------------------------
Secure Connection Failed

An error occurred during a connection to 10.xx.xx.xx

Cannot communicate securely with peer: no common encryption algorithm(s):

(Error code: ssl_error_no_cypher_overlap)
-------------------------------------------

I have observed the following error in the Catalina.out file:

--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
       at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

In FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled (and SSLv2 is disabled) in the browser security settings. The web server is correctly configured for secure http on TLS. Earlier with Firefox 2.0.x, it was working fine. I also checked with the Linux version of FireFox 3.0.1 and the TLS connection is working fine.

When I tried to analyse the packet capture of the browser/web-server communication via the "WireShark/Ethereal" tools, I observed that FireFox 3.0 on Windows uses "SSLv2 Record layer (Client Hello)" for SSL handshake negotiations. As my Tomcat webserver is configured for TLS, it doesn't seem to understand the SSLv2 record layer format, and eventually errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".

Since SSLv2 is generally considered to be a weaker protocol than SSLv3 and TLS, I am not sure why FireFox 3.0.1 on Windows uses the SSLv2 Record protocol, and also SSLv2 is disabled by default. On Redhat Linux, the same FF3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for security negotiations. FireFox v2.0.x on Windows uses "SSLv3 Record Layer (Client Hello)" which seems to be fine. I am able to launch the https webpages on IE6.x and IE7.x and also FireFox 2.0. The only issue is on FireFox 3.0 which uses "SSLv2 Record layer (Client Hello)" for SSL handshake negotiations. Tomcat works well with the TLS protocol, but when the browser uses SSLv2 then it fails.

I tried changing the "sslProtocol" attribute in the "Connector" element in conf/server.xml file and then Tomcat couldn't start. I observed the following error in catalina.out:
--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
       at java.lang.reflect.Method.invoke(Method.java:317)
       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Does Tomcat 6.0.x support an SSL implementation? Is it possible to make Tomcat understand both SSL and TLS protocols so that all browsers are supported? It seems to be critical to make the application

I use the certificate in PKCS12 format, created via the openssl tool.

Did anyone else face a similar kind of problem in this regard?

Thanks,
Suresh

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

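As an added illustration (not code from this thread, from Tomcat or from Firefox), the two Client Hello framings Suresh describes seeing in Wireshark can be told apart from the first few bytes of a captured handshake. The Python below builds two constructed sample messages in place of real captures: an SSLv2-compatible Client Hello (2-byte record header with the high bit set, which is the format the Windows Firefox 3.0 capture showed) and an SSLv3/TLS-framed Client Hello (handshake content type 0x16). It classifies each, reporting the record layer, the highest protocol version the client offers and the number of cipher suites. The message layouts follow the SSLv2 and SSLv3/TLS specifications; the sample cipher values and challenge bytes are made up for the demonstration.

```python
"""Classify the record-layer framing of a captured SSL/TLS Client Hello.

Added example, not part of the mailing-list thread. Feed it the first bytes
of a Client Hello as exported from a packet capture; it reports whether the
client used the SSLv2-compatible record format or the SSLv3/TLS record
format. The sample messages built below are constructed, not captured.
"""

VERSION_NAMES = {
    (2, 0): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})")


def classify_client_hello(data: bytes) -> dict:
    """Return the framing, offered version and cipher count of a Client Hello."""
    if len(data) < 5:
        raise ValueError("too short to be a Client Hello")

    # SSLv2 record header: two bytes, high bit of the first byte set, then
    # msg_type 0x01 (CLIENT-HELLO) and the highest version the client offers.
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError(f"SSLv2 record but message type {data[2]:#x} is not CLIENT-HELLO")
        major, minor = data[3], data[4]
        cipher_spec_len = int.from_bytes(data[5:7], "big")
        return {
            "record_layer": "SSLv2",
            "record_length": length,
            "client_version": version_name(major, minor),
            "cipher_count": cipher_spec_len // 3,  # SSLv2 cipher specs are 3 bytes each
        }

    # SSLv3/TLS record header: content type 0x16 (handshake), version, length.
    if data[0] != 0x16:
        raise ValueError(f"record content type {data[0]:#x} is not handshake")
    rec_major, rec_minor = data[1], data[2]
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("handshake message is not a Client Hello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated Client Hello")
    major, minor = hello[0], hello[1]           # client_version
    session_id_len = hello[34]                  # after the 32-byte random
    pos = 35 + session_id_len
    cipher_suites_len = int.from_bytes(hello[pos:pos + 2], "big")
    return {
        "record_layer": "SSLv3/TLS",
        "record_version": version_name(rec_major, rec_minor),
        "client_version": version_name(major, minor),
        "cipher_count": cipher_suites_len // 2,  # TLS cipher suites are 2 bytes each
    }


def build_sslv2_hello(version=(3, 1), cipher_specs=(b"\x00\x00\x04", b"\x00\x00\x05"),
                      challenge=b"\x11" * 16) -> bytes:
    """Constructed SSLv2-compatible Client Hello offering `version` (default TLS 1.0)."""
    specs = b"".join(cipher_specs)
    body = (bytes([0x01, version[0], version[1]])
            + len(specs).to_bytes(2, "big")      # cipher_specs_length
            + (0).to_bytes(2, "big")             # session_id_length
            + len(challenge).to_bytes(2, "big")  # challenge_length
            + specs + challenge)
    return (0x8000 | len(body)).to_bytes(2, "big") + body


def build_tls_hello(version=(3, 1), cipher_suites=(b"\x00\x2f", b"\x00\x35"),
                    client_random=b"\x22" * 32) -> bytes:
    """Constructed SSLv3/TLS-framed Client Hello offering `version` (default TLS 1.0)."""
    suites = b"".join(cipher_suites)
    hello = (bytes(version) + client_random + b"\x00"   # empty session id
             + len(suites).to_bytes(2, "big") + suites
             + b"\x01\x00")                              # compression: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for sample in (build_sslv2_hello(), build_tls_hello()):
        print(sample[:8].hex(), classify_client_hello(sample))
```

Run against a real capture, the first branch is the one a server limited to the SSLv3/TLS record layer never gets past: it rejects the framing before looking at the TLS 1.0 version carried inside, which matches the browser's "no cypher overlap" and the server-side "INTERNAL ERROR" in the logs above.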

