tomcat-users mailing list archives

From Suresh Kumar J <suresh.kuma...@gmail.com>
Subject Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
Date Mon, 01 Sep 2008 06:46:50 GMT
No, I wanted to use an open-source JRE in this case.

The issue I was trying to put forward is that Tomcat 6.0.13 errors out
with the following error when the Firefox 3.0.1 browser tries to send an
'SSLv2 Record Layer - Client Hello' message.
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
       at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

But the same Tomcat 6.0.13 server is able to successfully handle the
'SSLv2 Record Layer - Client Hello' message coming from the IE 6.0
browser. There doesn't seem to be any difference in the message format of
the 'SSLv2 Record Layer' sent by the FF and IE browsers.

Any help in narrowing down the issue would be appreciated.

Thanks,
Suresh
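
The framing difference this whole thread turns on can be reproduced without a browser. What Wireshark labels "SSLv2 Record Layer - Client Hello" is the SSLv2-compatible ClientHello of RFC 2246 Appendix E: a two-byte SSLv2 record header wrapping a CLIENT-HELLO whose version field advertises SSLv3 or TLS 1.0 and whose cipher specs are ordinary TLS suite ids with a leading 0x00 byte. A server only has to recognise that framing to complete a TLS 1.0 handshake; no SSLv2 cipher is ever negotiated, so supporting it is not the same as "enabling SSLv2". The script below is an added example, not code from this thread, from Tomcat or from any JRE: it builds both framings (the SSLv2-compatible one Firefox 3.0.1 on Windows sent and the plain TLSv1 record-layer one Firefox on Linux sent), labels them the way Wireshark does, decodes the SSLv2-framed hello the way a tolerant server would, and, when given a host and port on the command line, sends each to the server and reports which one gets a handshake record back. The cipher-suite list is a constructed sample; host and port are assumed command-line arguments.

```python
"""Reproduce the two ClientHello framings from the thread and see which one a
server accepts.  Added example; not code from the thread, Tomcat or a JRE.
Assumed: TLS_SUITES is a constructed sample; host/port come from argv."""
import os
import socket
import struct

# Constructed sample of SSLv3/TLS 1.0-era RSA suites, by their TLS ids.
TLS_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]


def build_sslv2_compat_client_hello(version=(3, 1), suites=TLS_SUITES, challenge=None):
    """The "SSLv2 Record Layer - Client Hello" of RFC 2246 Appendix E: a 2-byte
    SSLv2 record header around a CLIENT-HELLO whose version field advertises
    SSLv3/TLS (03 01 = TLS 1.0).  Each suite is carried as 00 + 2-byte TLS id."""
    challenge = os.urandom(32) if challenge is None else challenge
    specs = b"".join(struct.pack("!BH", 0, s) for s in suites)
    body = (b"\x01" + bytes(version)                        # msg_type, version
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)                              # empty session id
    return struct.pack("!H", 0x8000 | len(body)) + body       # high bit + 15-bit length


def build_tls_client_hello(version=(3, 1), suites=TLS_SUITES, client_random=None):
    """The plain "TLSv1 Record Layer - Client Hello": content type 0x16, record
    version, then one Handshake message of type ClientHello."""
    client_random = os.urandom(32) if client_random is None else client_random
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(version) + client_random + b"\x00"         # version, random, empty session id
             + struct.pack("!H", len(suite_bytes)) + suite_bytes
             + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_client_hello(data):
    """Label the first bytes the way Wireshark does (and the way a server must
    before it picks a record parser)."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 1:
        return "SSLv2 Record Layer: Client Hello (offers %d.%d)" % (data[3], data[4])
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 1:
        name = {(3, 0): "SSLv3", (3, 1): "TLSv1"}.get((data[1], data[2]), "SSL/TLS")
        return "%s Record Layer: Client Hello" % name
    return "not a ClientHello"


def parse_sslv2_compat_client_hello(data):
    """Decode the SSLv2-framed hello as a tolerant TLS server does.  Returns the
    offered version and the TLS suites; genuine SSLv2-only cipher specs (first
    byte != 0) are dropped, so nothing SSLv2 can be negotiated from it."""
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) != length or body[0] != 1:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    spec_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
    if spec_len % 3 or not 16 <= ch_len <= 32 or len(body) != 9 + spec_len + sid_len + ch_len:
        raise ValueError("inconsistent length fields")
    specs = body[9:9 + spec_len]
    suites = [struct.unpack("!H", specs[i + 1:i + 3])[0]
              for i in range(0, spec_len, 3) if specs[i] == 0]
    return (body[1], body[2]), suites


def probe(host, port, hello, timeout=5.0):
    """Send one hello and report the first record that comes back (network only)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(hello)
            reply = s.recv(5)
    except (OSError, socket.timeout) as exc:          # reset, refused, timeout
        return "no usable answer: %s" % exc
    if not reply:
        return "connection closed without a response"
    if reply[0] == 0x16:
        return "handshake record (ServerHello), record version %d.%d" % (reply[1], reply[2])
    if reply[0] == 0x15:
        return "TLS alert"
    return "unexpected bytes %s" % reply.hex()


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    for name, hello in (("SSLv2-compatible", build_sslv2_compat_client_hello()),
                        ("TLSv1 record", build_tls_client_hello())):
        print("%-16s %s -> %s" % (name, classify_client_hello(hello), probe(host, port, hello)))
```

Run it as `python probe.py 10.xx.xx.xx 443` against the server in question: a JSSE that handles the compatible framing answers both hellos with a handshake record, while one that does not will reset or close the first connection, which is exactly the difference between the IE and Firefox 3 cases above. Note that the compatible hello is obsolete (RFC 6176 prohibits SSLv2 outright and RFC 5246 already deprecated the framing), so a current server rejecting it is expected behaviour; the probe is for reproducing this 2008-era symptom, not a target configuration.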

bhooshanpandit@aol.com wrote:
> Then it's most likely an issue with the Harmony JRE (I think it doesn't
> provide the SSLContext implementation that you are looking for, i.e. SSL).
>
> Have you tried the Sun JRE?
>
>
> -----Original Message-----
> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Mon, 1 Sep 2008 11:26 am
> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
> SSLv2/SSLv3 and TLS protocols
>
> I am using the Apache Harmony JRE.
>
>
> bhooshanpandit@aol.com wrote:
>> What JRE / JDK are you using with Tomcat 6.0.13?
>>
>> -----Original Message-----
>> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Sent: Sat, 30 Aug 2008 10:16 pm
>> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
>> SSLv2/SSLv3 and TLS protocols
>>
>> I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL",
>> but Tomcat couldn't start.
>>
>> Observed the following error in catalina.out:
>>
>> --------------------------------------
>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>> SEVERE: Error initializing endpoint
>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>       at java.lang.reflect.Method.invoke(Method.java:317)
>>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>> --------------------------------------
>>
>> Another question is how I make Tomcat recognize SSLv2/SSLv3/TLS1.0
>> messages for secured communication, since some browsers like Firefox 3.0.1
>> use SSLv2 for the initial SSL handshake phase. Tomcat doesn't seem to
>> recognize SSLv2 messages and errors out with the following message:
>>
>> --------------------------------------------------
>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>> SEVERE: Socket accept failed
>> Throwable occurred: java.net.SocketException: SSL handshake error
>> javax.net.ssl.SSLException: INTERNAL ERROR
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>       at java.lang.Thread.run(Thread.java:657)
>> --------------------------------------------------
>>
>> Any inputs would be appreciated.
>>
>> Thanks,
>> Suresh
>>
>> bhooshanpandit@aol.com wrote:
>>>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>>>> in the conf/server.xml file, and then Tomcat couldn't start. Observed the
>>>>> following error in catalina.out:
>>>
>>> What value did you specify for sslProtocol? I tried using SSL and it
>>> worked.
>>>
>>> -----Original Message-----
>>> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
>>> To: users@tomcat.apache.org
>>> Sent: Sat, 30 Aug 2008 4:25 am
>>> Subject: How to make to Apache-Tomcat 6.0.13 to support all of
>>> SSLv2/SSLv3 and TLS protocols
>>>
>>> Hi!
>>>
>>> I am running Apache Tomcat (v6.0.13) on Red Hat Linux. Below is a
>>> snippet of the server.xml config:
>>>
>>> ----------------------------
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>>            maxThreads="150" scheme="https" secure="true"
>>>            clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>>>            keystoreFile="conf/my-key-store" keystorePass="abcd"/>
>>> ----------------------------
>>>
>>> The https connection (TLS based) works fine with IE 6.0/7.x and Firefox
>>> 2.0.x. But I am having issues with Firefox 3.0.1 on Windows XP with
>>> the default settings. When I try to connect (https on 443) to Apache
>>> Tomcat (v6.0.14), I get the following error in the Firefox 3.0.1 window:
>>>
>>> -------------------------------------------
>>> Secure Connection Failed
>>> An error occurred during a connection to 10.xx.xx.xx
>>> Cannot communicate securely with peer: no common encryption algorithm(s):
>>> (Error code: ssl_error_no_cypher_overlap)
>>> -------------------------------------------
>>>
>>> Have observed the following error in the catalina.out file:
>>>
>>> --------------------------------------------------
>>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>>> SEVERE: Socket accept failed
>>> Throwable occurred: java.net.SocketException: SSL handshake error
>>> javax.net.ssl.SSLException: INTERNAL ERROR
>>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>>       at java.lang.Thread.run(Thread.java:657)
>>> --------------------------------------------------
>>>
>>> In Firefox 3.0.1, both SSL 3.0 and TLS 1.0 are enabled (and SSLv2 is
>>> disabled) in the browser security settings. The web server is correctly
>>> configured for secured HTTP on TLS. Earlier, with Firefox 2.0.x, it was
>>> working fine. I also checked with the Linux version of Firefox 3.0.1, and the
>>> TLS connection is working fine.
>>>
>>> When I tried to analyse the packet capture of the browser/web-server
>>> communication via the "Wireshark/Ethereal" tools, I observed that
>>> Firefox 3.0 on Windows uses "SSLv2 Record Layer (Client Hello)" for the SSL
>>> handshake negotiation. As my Tomcat web server is configured for TLS, it
>>> doesn't seem to understand the SSLv2 record layer format and eventually
>>> errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>>>
>>> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
>>> and TLS, I am not sure why Firefox 3.0.1 on Windows uses the SSLv2 Record
>>> protocol, and also SSLv2 is disabled by default. On Red Hat Linux, the same
>>> FF 3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for
>>> security negotiation. Firefox v2.0.x on Windows uses "SSLv3 Record
>>> Layer (Client Hello)", which seems to be fine. I am able to launch the https
>>> web pages on IE 6.x and IE 7.x and also Firefox 2.0. The only issue is on
>>> Firefox 3.0, which uses "SSLv2 Record Layer (Client Hello)" for the SSL
>>> handshake negotiation. Tomcat works well with the TLS protocol, but when
>>> the browser uses SSLv2 then it fails.
>>>
>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>> in the conf/server.xml file, and then Tomcat couldn't start. Observed the
>>> following error in catalina.out:
>>>
>>> --------------------------------------
>>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>>> SEVERE: Error initializing endpoint
>>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>>       at java.lang.reflect.Method.invoke(Method.java:317)
>>>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>>> --------------------------------------
>>>
>>> Does Tomcat 6.0.x support an SSL implementation? Is it possible to make
>>> Tomcat understand both the SSL and TLS protocols so that all the
>>> browsers are supported? It seems to be critical to make the application
>>>
>>> I use the certificate in the PKCS12 format, created via the openssl tool.
>>>
>>> Did anyone else face a similar kind of problem in this regard?
>>>
>>> Thanks,
>>> Suresh

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

