tomcat-users mailing list archives

From bhooshanpan...@aol.com
Subject Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
Date Mon, 01 Sep 2008 05:38:48 GMT
What JRE / JDK are you using with Tomcat 6.0.13?

-----Original Message-----
From: Suresh Kumar J <suresh.kumar.j@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Sat, 30 Aug 2008 10:16 pm
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL",
but Tomcat couldn't start.

Observed the following error in catalina.out:

--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
       at java.lang.reflect.Method.invoke(Method.java:317)
       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------


Another question is how do I make Tomcat recognize SSLv2/SSLv3/TLS1.0
messages for secured communication, since some browsers like Firefox 3.0.1
use SSLv2 for the initial SSL handshake phase. Tomcat doesn't seem to
recognize SSLv2 messages and errors out with the following message:

--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
       at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------


Any inputs would be appreciated.


Thanks,

Suresh


bhooshanpandit@aol.com wrote:

>> I tried changing the "sslProtocol" attribute in the "Connector" element
>> in conf/server.xml file and when the Tomcat couldn't start. Observed the
>> following error in catalina.out:
>
> What value did you specify for sslProtocol? I tried using SSL and it
> worked.
>
> -----Original Message-----
> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
> To: users@tomcat.apache.org
> Sent: Sat, 30 Aug 2008 4:25 am
> Subject: How to make to Apache-Tomcat 6.0.13 to support all of
> SSLv2/SSLv3 and TLS protocols
>
> Hi!
>
> I am running Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
> snippet of the server.xml config:
>
> ----------------------------
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>              keystoreFile="conf/my-key-store" keystorePass="abcd"/>
> ----------------------------
>
> The https connection (TLS based) works fine with IE 6.0/7.x and Firefox
> 2.0.x. But I am having issues with Firefox 3.0.1 on Windows XP with
> the default settings. When I try to connect (https on 443) to Apache
> Tomcat (v6.0.14), I get the following error in the Firefox 3.0.1 window:
>
> -------------------------------------------
> Secure Connection Failed
>
> An error occurred during a connection to 10.xx.xx.xx
>
> Cannot communicate securely with peer: no common encryption algorithm(s):
>
> (Error code: ssl_error_no_cypher_overlap)
> -------------------------------------------
>
> I have observed the following error in the Catalina.out file:
>
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>       at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>

> In Firefox 3.0.1, both SSL 3.0 and TLS 1.0 are enabled (and SSLv2 is
> disabled) in the browser security settings. The web server is correctly
> configured for secure HTTP over TLS. Earlier, with Firefox 2.0.x, it was
> working fine. I also checked with the Linux version of Firefox 3.0.1 and
> the TLS connection is working fine.
>
> When I tried to analyse the packet capture of the browser/web-server
> communication with Wireshark/Ethereal, I observed that Firefox 3.0 on
> Windows uses an "SSLv2 Record Layer (Client Hello)" for the SSL handshake
> negotiation. As my Tomcat web server is configured for TLS, it doesn't
> seem to understand the SSLv2 record layer format and eventually errors
> out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>
> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
> and TLS, I am not sure why Firefox 3.0.1 on Windows uses the SSLv2 record
> protocol, especially as SSLv2 is disabled by default. On Red Hat Linux, the
> same Firefox 3.0.1 (firefox-3.0.1-1.el5) uses a "TLSv1 Record Layer
> (Client Hello)" for the security negotiation. Firefox 2.0.x on Windows
> uses an "SSLv3 Record Layer (Client Hello)", which seems to be fine. I am
> able to open the https web pages in IE 6.x, IE 7.x and Firefox 2.0. The
> only issue is with Firefox 3.0, which uses an "SSLv2 Record Layer (Client
> Hello)" for the SSL handshake negotiation. Tomcat works well with the TLS
> protocol, but when the browser uses SSLv2 it fails.
>
> I tried changing the "sslProtocol" attribute in the "Connector" element
> in the conf/server.xml file, and then Tomcat couldn't start. I observed
> the following error in catalina.out:
>
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>       at java.lang.reflect.Method.invoke(Method.java:317)
>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>

> Does Tomcat 6.0.x support an SSL implementation? Is it possible to make
> Tomcat understand both the SSL and TLS protocols so that all browsers are
> supported? It seems to be critical to make the application
>
> I use the certificate in PKCS12 format, created via the openssl tool.
>
> Did anyone else face a similar kind of problem in this regard?
>
> Thanks,
>
> Suresh
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


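The thread turns on how the ClientHello is framed on the wire: Wireshark showed Firefox 3 on Windows sending a V2-compatible CLIENT-HELLO (a 2-byte SSLv2 record header in front of a hello that still advertises TLS 1.0), while the Linux build sent a plain TLSv1 record, and the JSSE connector configured for TLS rejected the former with "INTERNAL ERROR". The script below is an added illustration, not code from the thread or from Tomcat: it parses both framings from raw bytes and reports the client version and the advertised cipher suites, so a captured first packet can be checked without a packet analyser. All function names are my own; the sample messages are constructed inline, and the suite codes 002f (TLS_RSA_WITH_AES_128_CBC_SHA) and 000a (TLS_RSA_WITH_3DES_EDE_CBC_SHA) are the registered values. It does not change what Tomcat accepts; it only tells you which framing a client actually used.

```python
"""Classify a captured ClientHello by its record-layer framing.

Two framings appear in the thread above:
  * V2-compatible CLIENT-HELLO: 2-byte SSLv2 record header (high bit set,
    15-bit length), then msg_type 0x01, version, three 2-byte lengths,
    3-byte cipher specs, session id and challenge (RFC 5246, appendix E.2);
  * SSLv3/TLS record: content type 0x16, 2-byte version, 2-byte length,
    then a handshake message of type 0x01 (ClientHello).
"""

import struct

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}


def parse_v2_compat_hello(data):
    """Parse a V2-compatible CLIENT-HELLO: framing, client version, suites."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or length < 9:
        raise ValueError("truncated SSLv2 record")
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBBHHH", body[:9])
    if msg_type != 0x01:
        raise ValueError("SSLv2 record is not a CLIENT-HELLO")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("inconsistent CLIENT-HELLO field lengths")
    specs = body[9:9 + cs_len]
    suites = []
    for i in range(0, cs_len, 3):
        if specs[i] == 0x00:
            suites.append(specs[i + 1:i + 3].hex())   # V3/TLS suite in a V2 wrapper
        else:
            suites.append(specs[i:i + 3].hex())       # genuine SSLv2 cipher kind
    return {"record_layer": "SSLv2", "client_version": (major, minor),
            "cipher_suites": suites}


def parse_tls_hello(data):
    """Parse an SSLv3/TLS handshake record that carries one ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 0x01 or hs_len != rec_len - 4:
        raise ValueError("record does not carry exactly one ClientHello")
    hello = body[4:]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("ClientHello too short")
    major, minor = hello[0], hello[1]
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + hello[pos]             # skip session_id
    if pos + 2 > len(hello):
        raise ValueError("ClientHello truncated before cipher_suites")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("cipher_suites length out of range")
    suites = [hello[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
    return {"record_layer": "SSLv3/TLS", "client_version": (major, minor),
            "cipher_suites": suites}


def classify_client_hello(data):
    """Dispatch on the first byte: high bit set means an SSLv2 record header."""
    if data and data[0] & 0x80:
        return parse_v2_compat_hello(data)
    return parse_tls_hello(data)


def build_v2_compat_hello(version, suites, challenge=bytes(16)):
    """Construct a V2-compatible CLIENT-HELLO offering V3/TLS suites (sample input)."""
    specs = b"".join(b"\x00" + bytes.fromhex(s) for s in suites)
    body = struct.pack("!BBBHHH", 0x01, version[0], version[1],
                       len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_hello(version, suites, random=bytes(32)):
    """Construct a TLS record carrying a ClientHello (sample input)."""
    cs = b"".join(bytes.fromhex(s) for s in suites)
    hello = (bytes(version) + random + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples standing in for the two Firefox 3 builds in the
    # thread: both offer TLS 1.0, only the record-layer framing differs.
    for sample in (build_v2_compat_hello((3, 1), ["002f", "000a"]),
                   build_tls_hello((3, 1), ["002f", "000a"])):
        info = classify_client_hello(sample)
        print(info["record_layer"], "record,",
              VERSION_NAMES.get(info["client_version"], info["client_version"]),
              "offered, suites", info["cipher_suites"])
```

Feed `classify_client_hello` the first bytes a client sends after the TCP handshake (for example the payload of the first data segment in a capture). A result of `"SSLv2"` with `client_version == (3, 1)` is exactly the case the thread describes: the client supports TLS 1.0 but wraps its hello in the old framing, which is a different question from whether SSLv2 itself is enabled in the browser.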