tomcat-users mailing list archives

From Suresh Kumar J <suresh.kuma...@gmail.com>
Subject Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
Date Mon, 01 Sep 2008 05:56:53 GMT
I am using the Apache Harmony JRE.

bhooshanpandit@aol.com wrote:
> What JRE / JDK are you using with Tomcat 6.0.13?
>
> -----Original Message-----
> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Sat, 30 Aug 2008 10:16 pm
> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
>
> I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL",
> but Tomcat couldn't start.
>
> Observed the following error in catalina.out:
>
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>       at java.lang.reflect.Method.invoke(Method.java:317)
>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>
> Another question is how do I make Tomcat recognize
> SSLv2/SSLv3/TLS1.0 messages for secured communication, since some
> browsers like Firefox 3.0.1 use SSLv2 for the initial SSL handshake phase.
> Tomcat doesn't seem to recognize SSLv2 messages and errors out with the
> following message:
>
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>       at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> Any inputs would be appreciated.
>
> Thanks,
> Suresh
>
> bhooshanpandit@aol.com wrote:
>
>>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>>> in conf/server.xml file and then Tomcat couldn't start. Observed the
>>>> following error in catalina.out:
>>
>> What value did you specify for sslProtocol? I tried using SSL and it
>> worked.
>>
>> -----Original Message-----
>> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
>> To: users@tomcat.apache.org
>> Sent: Sat, 30 Aug 2008 4:25 am
>> Subject: How to make to Apache-Tomcat 6.0.13 to support all of
>> SSLv2/SSLv3 and TLS protocols
>>
>> Hi!
>>
>> Am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
>> snippet of the server.xml config:
>>
>> ----------------------------
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>              maxThreads="150" scheme="https" secure="true"
>>              clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>>              keystoreFile="conf/my-key-store" keystorePass="abcd"/>
>> ----------------------------
>>
>> The https connection (TLS based) works fine with IE6.0/7.x and FireFox
>> 2.0.x. But am having issues with the FireFox 3.0.1 on Windows XP with
>> the default settings. When I try to connect (https on 443) to Apache
>> Tomcat (v6.0.14), I get the following error on the FireFox 3.0.1 window:
>>
>> -------------------------------------------
>> Secure Connection Failed
>> An error occurred during a connection to 10.xx.xx.xx
>> Cannot communicate securely with peer: no common encryption algorithm(s):
>> (Error code: ssl_error_no_cypher_overlap)
>> -------------------------------------------
>>
>> Have observed the following error in the Catalina.out file:
>>
>> --------------------------------------------------
>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>> SEVERE: Socket accept failed
>> Throwable occurred: java.net.SocketException: SSL handshake error
>> javax.net.ssl.SSLException: INTERNAL ERROR
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>       at java.lang.Thread.run(Thread.java:657)
>> --------------------------------------------------
>>
>> In the FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled (and SSLv2 is
>> disabled) in the browser security settings. The web-server is correctly
>> configured for secured http on TLS. Earlier with Firefox 2.0.x, it was
>> working fine. Also checked with the Linux version of FireFox 3.0.1 and the
>> TLS connection is working fine.
>>
>> When I tried to analyse the packet capture of the browser/web-server
>> communication via "WireShark/Ethereal" tools, I observed that the
>> FireFox 3.0 on Windows uses "SSLv2 Record layer (Client Hello)" for SSL
>> handshake negotiations. As my Tomcat webserver is configured for TLS, it
>> doesn't seem to understand the SSLv2 record layer format, and eventually
>> errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>>
>> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
>> and TLS, am not sure why FireFox 3.0.1 on Windows uses the SSLv2 Record
>> protocol, also SSLv2 is disabled by default. On Redhat Linux, the same
>> FF3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for
>> security negotiations. The FireFox v2.0.x on Windows uses "SSLv3 Record
>> Layer (Client Hello)" which seems to be fine. Am able to launch the https
>> webpages on IE6.x and IE7.x and also FireFox 2.0. The only issue is on
>> FireFox 3.0 which uses "SSLv2 Record layer (Client Hello)" for SSL
>> handshake negotiations. Tomcat works well with the TLS protocol, but when
>> the browser uses SSLv2 then it fails.
>>
>> I tried changing the "sslProtocol" attribute in the "Connector" element
>> in the conf/server.xml file and then Tomcat couldn't start. Observed the
>> following error in catalina.out:
>>
>> --------------------------------------
>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>> SEVERE: Error initializing endpoint
>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>       at java.lang.reflect.Method.invoke(Method.java:317)
>>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>> --------------------------------------
>>
>> Does Tomcat 6.0.x support the SSL implementation? Is it possible to make
>> the Tomcat understand both SSL and TLS protocols so that all the
>> browsers are supported? It seems to be critical to make the application
>>
>> I use the certificate in the format of PKCS12, created via the openssl tool.
>>
>> Did anyone else face a similar kind of problem in this regard?
>>
>> Thanks,
>> Suresh
>>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
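The "SSLv2 Record Layer (Client Hello)" Suresh saw in Wireshark is the SSLv2-compatible ClientHello layout from RFC 2246 Appendix E: two-byte v2 framing whose version field and cipher list can still advertise TLS 1.0, so a client using it is not necessarily proposing SSLv2 itself. As an added example that is not part of this thread, the Python parser below decodes that layout and reports the version and cipher suites actually offered, which is the first thing to check before deciding whether a server that rejects the hello (as Tomcat's TLS-only JSSE context does above) is dropping an SSLv2 client or merely the framing; the sample bytes are constructed, not captured.

```python
import struct

VERSION_NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0"}
SUITE_NAMES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

# Constructed sample, not a real capture: a v2-compatible ClientHello whose
# version field says TLS 1.0 and whose cipher list mixes TLS suites (first
# byte 0x00) with one SSLv2-native cipher (SSL_CK_RC4_128_WITH_MD5, 01 00 80).
SAMPLE_V2_HELLO = bytes.fromhex(
    "8025"    # 2-byte record header: high bit set, 15-bit body length = 37
    "01"      # msg_type = client_hello
    "0301"    # version = 3.1 (TLS 1.0)
    "000c"    # cipher_spec_length = 12 (four 3-byte cipher specs)
    "0000"    # session_id_length = 0
    "0010"    # challenge_length = 16
    "000004" "00002f" "00000a" "010080"
    "0123456789abcdef0123456789abcdef"   # 16-byte challenge (constructed)
)

def parse_v2_client_hello(data):
    # Layout per RFC 2246 Appendix E: header, type, version, three lengths, then payloads.
    if len(data) < 11:
        raise ValueError("too short for a v2 ClientHello")
    hdr = struct.unpack(">H", data[:2])[0]
    if not hdr & 0x8000:
        raise ValueError("high bit clear: not a 2-byte v2 record header")
    length = hdr & 0x7FFF
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record: header says %d, got %d" % (length, len(body)))
    if body[0] != 1:
        raise ValueError("msg_type %d is not client_hello" % body[0])
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("length fields do not add up to the record length")
    specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
    challenge = body[9 + cs_len + sid_len:]
    return {
        "version": VERSION_NAMES.get((major, minor), "%d.%d" % (major, minor)),
        # TLS/SSLv3 suites travel as 00 xx yy; a nonzero first byte marks an SSLv2 cipher.
        "tls_suites": [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0],
        "sslv2_ciphers": [s.hex() for s in specs if s[0] != 0],
        # RFC 5246 E.2: a short challenge becomes ClientHello.random by left-padding with zeros.
        "client_random": challenge.rjust(32, b"\0"),
    }

def suite_names(hello):
    return [SUITE_NAMES.get(s, "0x%04x" % s) for s in hello["tls_suites"]]
```

A non-empty `sslv2_ciphers` list is the only case where the client is really offering SSLv2; a hello like the sample, with version 3.1 and only `00 xx yy` suites, would have negotiated TLS 1.0 with a server that accepts the v2 framing.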

