Message-ID: <48BB8FDA.4030107@gmail.com>
Date: Sun, 31 Aug 2008 23:46:50 -0700
From: Suresh Kumar J
To: Tomcat Users List
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
In-Reply-To: <8CADA1380D325F2-880-AA63@CEN2-L08.sis.aol.com>

no, I wanted to use an opensource JRE in this case. The issue I was trying
to put forward is that Tomcat 6.0.13 errors out with the following error
when the FireFox3.0.1 browser tries to send a 'SSLv2 Record Layer - Client
Hello' message.

--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
    at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
    at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

But the same Tomcat 6.0.13 server is able to successfully handle the 'SSLv2
Record Layer - Client Hello' message coming from the IE6.0 browser. There
doesn't seem to be any difference in message format of the 'SSLv2 Record
Layer' sent by FF and IE browsers. Any help in narrowing down the issues
would be appreciated.

Thanks,
Suresh

bhooshanpandit@aol.com wrote:
> Then it's most likely an issue with harmony JRE (I think it doesn't
> provide an SSLContext implementation that you are looking for i.e. SSL).
>
> Have you tried Sun JRE??
>
>
> -----Original Message-----
> From: Suresh Kumar J
> To: Tomcat Users List
> Sent: Mon, 1 Sep 2008 11:26 am
> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
> SSLv2/SSLv3 and TLS protocols
>
> Am having the Apache Harmony JRE.
>
> bhooshanpandit@aol.com wrote:
>> What JRE / JDK are you using with Tomcat 6.0.13?
>>
>> -----Original Message-----
>> From: Suresh Kumar J
>> To: Tomcat Users List
>> Sent: Sat, 30 Aug 2008 10:16 pm
>> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
>> SSLv2/SSLv3 and TLS protocols
>>
>> I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL"
>> but Tomcat couldn't start. Observed the following error in catalina.out:
>>
>> --------------------------------------
>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>> SEVERE: Error initializing endpoint
>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>     at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>     at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>     at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>     at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>     at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>     at java.lang.reflect.Method.invoke(Method.java:317)
>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>> --------------------------------------
>>
>> Another question is how do I make Tomcat recognize both SSLv2/SSLv3/TLS1.0
>> messages for secured communication, since some browsers like Firefox3.0.1
>> use SSLv2 for the initial SSL handshake phase. Tomcat doesn't seem to
>> recognize SSLv2 messages and errors out with the following message:
>>
>> --------------------------------------------------
>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>> SEVERE: Socket accept failed
>> Throwable occurred: java.net.SocketException: SSL handshake error
>> javax.net.ssl.SSLException: INTERNAL ERROR
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>     at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>     at java.lang.Thread.run(Thread.java:657)
>> --------------------------------------------------
>>
>> Any inputs would be appreciated.
>>
>> Thanks,
>> Suresh
>>
>> bhooshanpandit@aol.com wrote:
>>>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>>>> in conf/server.xml file and then Tomcat couldn't start. Observed the
>>>>> following error in catalina.out:
>>>
>>> what value did you specify for sslProtocol. I tried using SSL and it
>>> worked.
>>>
>>> -----Original Message-----
>>> From: Suresh Kumar J
>>> To: users@tomcat.apache.org
>>> Sent: Sat, 30 Aug 2008 4:25 am
>>> Subject: How to make to Apache-Tomcat 6.0.13 to support all of
>>> SSLv2/SSLv3 and TLS protocols
>>>
>>> Hi!
>>>
>>> Am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
>>> snippet of the server.xml config:
>>>
>>> ----------------------------
>>> maxThreads="150" scheme="https" secure="true"
>>> clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>>> keystoreFile="conf/my-key-store" keystorePass="abcd"/>
>>> ----------------------------
>>>
>>> The https connection(TLS based) works fine with IE6.0/7.x and FireFox
>>> 2.0.x. But am having issues with the FireFox 3.0.1 on Windows XP with
>>> the default settings. When I try to connect(https on 443) to Apache
>>> Tomcat (v6.0.14), I get the following error on the FireFox 3.0.1 window:
>>>
>>> -------------------------------------------
>>> Secure Connection Failed
>>> An error occurred during a connection to 10.xx.xx.xx
>>> Cannot communicate securely with peer: no common encryption algorithm(s):
>>> (Error code: ssl_error_no_cypher_overlap)
>>> -------------------------------------------
>>>
>>> Have observed the following error in the Catalina.out file:
>>>
>>> --------------------------------------------------
>>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>>> SEVERE: Socket accept failed
>>> Throwable occurred: java.net.SocketException: SSL handshake error
>>> javax.net.ssl.SSLException: INTERNAL ERROR
>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>>     at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>>     at java.lang.Thread.run(Thread.java:657)
>>> --------------------------------------------------
>>>
>>> In the FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled(and SSLv2 is
>>> disabled) in the browser security settings. The web-server is correctly
>>> configured for secured http on TLS. Earlier with Firefox2.0.x, it was
>>> working fine. Also checked with Linux version of FireFox3.0.1 and the
>>> TLS connection is working fine.
>>>
>>> When I tried to analyse the packet capture of the browser/web-server
>>> communication via "WireShark/Ethereal" tools, I observed that the
>>> FireFox3.0 on Windows uses "SSLv2 Record layer(Client Hello)" for SSL
>>> handshake negotiations. As my Tomcat webserver is configured for TLS, it
>>> doesn't seem to understand the SSLv2 record layer format, eventually
>>> errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>>>
>>> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
>>> and TLS, am not sure why FireFox3.0.1 on Windows uses SSLv2 Record
>>> protocol, also SSLv2 is disabled by default. On Redhat Linux, the same
>>> FF3.0.1(firefox-3.0.1-1.el5) uses "TLSv1 Record Layer(Client Hello)" for
>>> security negotiations. The FireFox v2.0.x on Windows uses "SSLv3 Record
>>> Layer(Client Hello)" which seems to be fine. Am able to launch the https
>>> webpages on IE6.x and IE7.x and also FireFox2.0. The only issue is on
>>> FireFox3.0 which uses "SSLv2 Record layer(Client Hello)" for SSL
>>> handshake negotiations. Tomcat works well with TLS protocol, but when
>>> the browser uses SSLv2 then it fails.
>>>
>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>> in conf/server.xml file and then Tomcat couldn't start. Observed the
>>> following error in catalina.out:
>>>
>>> --------------------------------------
>>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>>> SEVERE: Error initializing endpoint
>>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>>     at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>>     at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>>     at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>>     at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>>     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>>     at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>>     at java.lang.reflect.Method.invoke(Method.java:317)
>>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>>> --------------------------------------
>>>
>>> Does Tomcat 6.0.x support an SSL implementation? Is it possible to make
>>> the Tomcat understand both SSL and TLS protocols so that all the
>>> browsers are supported? It seems to be critical to make the application
>>> I use the certificate in the format of PKCS12, created via openssl tool.
>>>
>>> Did anyone else face similar kind of problem in this regard.
>>>
>>> Thanks,
>>> Suresh

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
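The thread turns on two framings of the same handshake message: the "SSLv2 Record Layer" ClientHello that Wireshark showed Firefox 3.0.1 on Windows sending, versus the SSLv3/TLS record ClientHello that Firefox 2.0.x and the Linux build send. As an added example (not code from the thread, from Tomcat or from Harmony), the Python below classifies a client's first bytes either way and reports what the client actually offers; the three hellos at the bottom are constructed samples, and the layouts follow RFC 2246 Appendix E (V2ClientHello) and section 7.4.1.2 (ClientHello).

```python
"""Classify a client's first TLS bytes: an SSLv3/TLS record carrying a
ClientHello, or the legacy SSLv2-compatible ClientHello framing (RFC 2246
Appendix E) that the thread saw Firefox 3.0.1 on Windows send."""
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def parse_client_hello(data: bytes) -> dict:
    """Describe the framing used and what the client actually offers."""
    if len(data) >= 11 and data[0] & 0x80 and data[2] == CLIENT_HELLO:
        # V2 framing: 2-byte length header with the high bit set, then
        # msg_type, version, cipher_spec_len, session_id_len, challenge_len,
        # then 3-byte cipher specs. Only the 2-byte header form is handled.
        msg_len = ((data[0] & 0x7F) << 8) | data[1]
        version, cs_len = struct.unpack(">HH", data[3:7])
        if len(data) < 2 + msg_len or 11 + cs_len > 2 + msg_len:
            raise ValueError("truncated or malformed V2ClientHello")
        specs = [data[i:i + 3] for i in range(11, 11 + cs_len, 3)]
        # {0x00, hi, lo} wraps an SSLv3/TLS suite; any other first byte is a
        # native SSLv2 cipher kind, the only thing that needs SSLv2 itself.
        return {"framing": "sslv2-compatible", "client_version": version,
                "tls_suites": [(s[1] << 8) | s[2] for s in specs if s[0] == 0],
                "sslv2_ciphers": [s.hex() for s in specs if s[0] != 0]}
    if len(data) >= 5 and data[0] == HANDSHAKE and data[1] == 0x03:
        # SSLv3/TLS record header type(1) version(2) length(2), handshake
        # header type(1) length(3), then version, random, session_id, suites.
        rec_len = struct.unpack(">H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 4 or body[0] != CLIENT_HELLO:
            raise ValueError("record does not carry a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack(">H", hello[0:2])[0]
        pos = 2 + 32                       # skip the 32-byte client random
        pos += 1 + hello[pos]              # skip session_id (1-byte length)
        cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        suites = [struct.unpack(">H", hello[i:i + 2])[0]
                  for i in range(pos + 2, pos + 2 + cs_len, 2)]
        return {"framing": "tls-record", "client_version": version,
                "tls_suites": suites, "sslv2_ciphers": []}
    raise ValueError("not a ClientHello in either framing")


def negotiable_as_tls(info: dict) -> bool:
    """True when the client offers SSLv3/TLS (version >= 0x0300) plus at least
    one SSLv3/TLS suite, whatever the framing: such a hello can be answered
    with a normal ServerHello, so refusing it only for its V2 framing just
    breaks interoperability with that client."""
    return info["client_version"] >= 0x0300 and bool(info["tls_suites"])


# Constructed samples: TLS 1.0 offered inside V2 framing, the same offer in a
# TLS record, and a genuine SSLv2-only hello (version 0x0002, RC4-128/MD5).
V2_COMPAT = bytes.fromhex("801f01 0301 0006 0000 0010 00002f 00000a") + b"\x11" * 16
TLS_RECORD = (bytes.fromhex("160301002f 0100002b 0301") + b"\x22" * 32
              + bytes.fromhex("00 0004 002f000a 0100"))
V2_ONLY = bytes.fromhex("801c01 0002 0003 0000 0010 010080") + b"\x33" * 16
```

A V2-framed hello that advertises version 0x0301 and only {0x00,hi,lo} suites, like V2_COMPAT, needs no SSLv2 at all; only a hello with a version below 0x0300 or native SSLv2 cipher kinds, like V2_ONLY, actually requires the weak protocol the thread wants to avoid.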