tomcat-users mailing list archives

From bhooshanpan...@aol.com
Subject Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
Date Mon, 01 Sep 2008 06:31:31 GMT
Then it's most likely an issue with the Harmony JRE (I think it doesn't 
provide the SSLContext implementation that you are looking for, i.e. SSL).

Have you tried the Sun JRE?


-----Original Message-----
From: Suresh Kumar J <suresh.kumar.j@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Mon, 1 Sep 2008 11:26 am
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

I have the Apache Harmony JRE.


bhooshanpandit@aol.com wrote:

> What JRE / JDK are you using with Tomcat 6.0.13?
>
> -----Original Message-----
> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Sat, 30 Aug 2008 10:16 pm
> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
>
> I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL", but Tomcat couldn't start.
>
> Observed the following error in catalina.out:
>
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>       at java.lang.reflect.Method.invoke(Method.java:317)
>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>
> Another question is how do I make Tomcat recognize SSLv2/SSLv3/TLS1.0 messages for secured communication, since some browsers like Firefox 3.0.1 use SSLv2 for the initial SSL handshake phase. Tomcat doesn't seem to recognize SSLv2 messages and errors out with the following message:
>
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>       at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> Any inputs would be appreciated.
>
> Thanks,
> Suresh
>

> bhooshanpandit@aol.com wrote:
>
>>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>>> in the conf/server.xml file, and then Tomcat couldn't start. Observed the
>>>> following error in catalina.out:
>>
>> What value did you specify for sslProtocol? I tried using SSL and it
>> worked.
>>
>> -----Original Message-----
>> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
>> To: users@tomcat.apache.org
>> Sent: Sat, 30 Aug 2008 4:25 am
>> Subject: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
>>
>> Hi!
>>
>> I am running Apache Tomcat (v6.0.13) on Redhat Linux. Below is the snippet of the server.xml config:
>>
>> ----------------------------
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>              maxThreads="150" scheme="https" secure="true"
>>              clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>>              keystoreFile="conf/my-key-store" keystorePass="abcd"/>
>> ----------------------------
>>
>> The https connection (TLS based) works fine with IE6.0/7.x and Firefox 2.0.x. But I am having issues with Firefox 3.0.1 on Windows XP with the default settings. When I try to connect (https on 443) to Apache Tomcat (v6.0.14), I get the following error in the Firefox 3.0.1 window:
>>
>> -------------------------------------------
>> Secure Connection Failed
>> An error occurred during a connection to 10.xx.xx.xx
>> Cannot communicate securely with peer: no common encryption algorithm(s):
>> (Error code: ssl_error_no_cypher_overlap)
>> -------------------------------------------
>>
>> I have observed the following error in the catalina.out file:
>>
>> --------------------------------------------------
>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>> SEVERE: Socket accept failed
>> Throwable occurred: java.net.SocketException: SSL handshake error
>> javax.net.ssl.SSLException: INTERNAL ERROR
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>       at java.lang.Thread.run(Thread.java:657)
>> --------------------------------------------------
>>
>> In Firefox 3.0.1, both SSL3.0 and TLS1.0 are enabled (and SSLv2 is disabled) in the browser security settings. The web server is correctly configured for secured http on TLS. Earlier, with Firefox 2.0.x, it was working fine. I also checked with the Linux version of Firefox 3.0.1 and the TLS connection is working fine.
>>
>> When I tried to analyse the packet capture of the browser/web-server communication via the "WireShark/Ethereal" tools, I observed that Firefox 3.0 on Windows uses "SSLv2 Record Layer (Client Hello)" for SSL handshake negotiations. As my Tomcat web server is configured for TLS, it doesn't seem to understand the SSLv2 record layer format, and eventually errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>>
>> Since SSLv2 is generally considered to be a weaker protocol than SSLv3 and TLS, I am not sure why Firefox 3.0.1 on Windows uses the SSLv2 Record protocol; also, SSLv2 is disabled by default. On Redhat Linux, the same FF3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for security negotiations. Firefox v2.0.x on Windows uses "SSLv3 Record Layer (Client Hello)", which seems to be fine. I am able to open the https web pages on IE6.x and IE7.x and also Firefox 2.0. The only issue is with Firefox 3.0, which uses "SSLv2 Record Layer (Client Hello)" for SSL handshake negotiations. Tomcat works well with the TLS protocol, but when the browser uses SSLv2 it fails.
>>
>> I tried changing the "sslProtocol" attribute in the "Connector" element in the conf/server.xml file, and then Tomcat couldn't start. Observed the following error in catalina.out:
>>
>> --------------------------------------
>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>> SEVERE: Error initializing endpoint
>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>       at java.lang.reflect.Method.invoke(Method.java:317)
>>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>> --------------------------------------
>>
>> Does Tomcat 6.0.x support an SSL implementation? Is it possible to make Tomcat understand both the SSL and TLS protocols so that all the browsers are supported? It seems to be critical to make the application
>>
>> I use the certificate in the PKCS12 format, created via the openssl tool.
>>
>> Did anyone else face a similar kind of problem in this regard?
>>
>> Thanks,
>> Suresh
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>



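The two ClientHello wire formats Suresh saw in Wireshark differ at the very first byte, which is why a server that only parses the SSLv3/TLS record layer never even reaches the handshake message inside a v2-format hello. The Python below is an added example for this thread, not code from the thread, from Tomcat or from any JSSE provider. The two sample hellos are constructed here: the byte layouts follow the SSLv2 CLIENT-HELLO and the TLS 1.0 ClientHello (RFC 2246), the cipher suite values are the standard IANA code points, and the challenge/random bytes are filler. The "TLS-only server" function is a model of the failure mode, not Tomcat's actual code path.

```python
"""Classify a ClientHello as SSLv2-format or SSLv3/TLS record-layer format and
extract what the client offers.  Added example; sample hellos are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# IANA code points for the suites used in the constructed samples.  In a v2-format
# hello, SSLv3/TLS suites are sent as 3-byte specs 0x00,hi,lo and so read back as
# the same 16-bit value; a true SSLv2 cipher such as SSL2_RC4_128_WITH_MD5 is 0x010080.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x010080: "SSL2_RC4_128_WITH_MD5",
}


@dataclass
class ClientHello:
    record_format: str                 # "SSLv2" or "SSLv3/TLS"
    version: Tuple[int, int]           # highest (major, minor) the client offers
    cipher_suites: List[int] = field(default_factory=list)

    def suite_names(self) -> List[str]:
        return [CIPHER_NAMES.get(c, "0x%06X" % c) for c in self.cipher_suites]


def parse_client_hello(data: bytes) -> ClientHello:
    """Dispatch on the first byte: a v2 record header is a 2-byte length with the
    high bit set; a v3/TLS record starts with content type 0x16 (handshake)."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:
        return _parse_v2_hello(data)
    if data[0] == 0x16:
        return _parse_tls_hello(data)
    raise ValueError("not a ClientHello record (first byte 0x%02X)" % data[0])


def _parse_v2_hello(data: bytes) -> ClientHello:
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated SSLv2 record")
    if body[0] != 0x01:                # MSG-CLIENT-HELLO
        raise ValueError("SSLv2 record is not CLIENT-HELLO")
    major, minor, cs_len, sid_len, chal_len = struct.unpack("!BBHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != len(body):
        raise ValueError("SSLv2 length fields do not add up")
    specs = body[9:9 + cs_len]
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return ClientHello("SSLv2", (major, minor), suites)


def _parse_tls_hello(data: bytes) -> ClientHello:
    _ctype, _rmaj, _rmin, rec_len = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated TLS record")
    if body[0] != 0x01:                # HandshakeType client_hello
        raise ValueError("handshake message is not ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    major, minor = hs[0], hs[1]
    pos = 2 + 32                       # skip client_version and 32-byte random
    pos += 1 + hs[pos]                 # skip session_id
    cs_len = int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hs):
        raise ValueError("bad cipher_suites length")
    suites = [int.from_bytes(hs[pos + i:pos + i + 2], "big") for i in range(0, cs_len, 2)]
    return ClientHello("SSLv3/TLS", (major, minor), suites)


def tls_only_server_accepts(data: bytes) -> bool:
    """Model (not Tomcat's code) of a server that only knows the v3/TLS record
    layer: a v2-format hello is rejected before any cipher negotiation happens."""
    try:
        return parse_client_hello(data).record_format == "SSLv3/TLS"
    except ValueError:
        return False


def build_v2_hello(version=(3, 1), suites=(0x002F, 0x000A, 0x010080),
                   challenge=b"\x11" * 16) -> bytes:
    """Constructed v2-compatible hello of the kind seen in the capture: SSLv2 record
    framing, but version 3.1 and TLS suites in 3-byte form."""
    specs = b"".join(s.to_bytes(3, "big") for s in suites)
    body = (bytes([0x01, version[0], version[1]])
            + struct.pack("!HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_hello(version=(3, 1), suites=(0x002F, 0x0035, 0x000A),
                    client_random=b"\x22" * 32) -> bytes:
    """Constructed TLS 1.0 ClientHello in a handshake record, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hs_body = (bytes(version) + client_random + b"\x00"          # empty session_id
               + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # compression: null
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for raw in (build_v2_hello(), build_tls_hello()):
        hello = parse_client_hello(raw)
        print(hello.record_format, "%d.%d" % hello.version, hello.suite_names(),
              "accepted by TLS-only server:", tls_only_server_accepts(raw))
```

Run against a real capture by passing the first bytes of the client's TCP payload to parse_client_hello. The v2 framing is the tell: two length bytes with the high bit set followed by 0x01, as against 0x16 0x03 0x01 for a TLS 1.0 record. A v2-compatible hello still carries a 3.x version and TLS cipher suites, so a server that recognises the framing can answer with a normal SSLv3/TLS ServerHello; a server that does not recognise it fails before cipher selection, which matches the browser reporting "no common encryption algorithm(s)" even though both sides support TLS.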