Message-ID: <8e554cf90809040722t8c54308t8e567b85721d2106@mail.gmail.com>
Date: Thu, 4 Sep 2008 17:22:07 +0300
From: "Haim Cohen"
To: users@tomcat.apache.org
Subject: Error while trying to use trial certificate for SSL in Tomcat

Hi

I'm new to Tomcat and I'm trying to set up SSL on a Tomcat server and to understand how it should be done. I started by generating a key as explained in the Tomcat SSL howto and everything went well; I succeeded in connecting to my server using https. Of course the browser did not recognize the certificate, but this is ok. Then I moved to the next phase and created a trial certificate in Verisign and followed the instructions specified on the Verisign site and in the howto. After the installation Tomcat gets the following exception:

Sep 4, 2008 4:43:06 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Unknown Source)

Tomcat kept getting this exception and hung the machine after creating a log file the size of all the free disk space (I only had 10GB there).

Can anyone help me understand where I went wrong? To enable SSL I did the following:

1. generated a trial key and got the intermediateCA from Verisign
2. ran keytool to create the keystore:
   keytool.exe -import -alias intermediateCA -keystore .\myKeystore -trustcacerts -file intermediateCA.cert
   keytool.exe -import -alias tomcat -keystore .\myKeystore -trustcacerts -file mine.cert
3. updated the server.xml and added a connector as follows:

The only difference I found was that when I listed the keys in the keystore I got PrivateKeyEntry for the generated keys and trustedCertEntry for the trial keys. Can it be connected?

The self generated file:
----------------------------
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Sep 3, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 6F:EC:48:31:4C:CC:2A:C3:AB:10:22:BD:A3:78:44:AF
----------------------------

The trial file:
----------------------------
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

intermediateca, Sep 4, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 8D:E9:89:DB:7F:CC:5E:3B:FD:DE:2C:42:08:13:EF:43
tomcat, Sep 4, 2008, trustedCertEntry,
Certificate fingerprint (MD5): AC:9F:D0:82:72:BC:61:26:CB:7F:44:5C:AF:06:F1:20
---------------------------

Thanks!!!
Haim
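The two keystore listings in the post show the difference that matters: the alias the connector uses must be a PrivateKeyEntry (private key plus certificate chain), while the trial keystore only holds trustedCertEntry items, so JSSE has no key to offer for any enabled cipher suite. The following added example (not from the original post or from Tomcat) parses `keytool -list` output in the format shown above and flags that condition; the listings are the ones from the post, and the alias name `tomcat` is assumed to be the one the connector is configured with.

```python
"""Check a `keytool -list` listing for the cause of Tomcat's
"No available certificate or key corresponds to the SSL cipher suites" error:
the server alias must be a PrivateKeyEntry, not a trustedCertEntry.
Added example; the two listings are copied from the mailing-list post."""
import re

# Entry lines look like: "tomcat, Sep 3, 2008, PrivateKeyEntry,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>[A-Za-z]{3} \d{1,2}, \d{4}), (?P<kind>\w+),")

SELF_SIGNED_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Sep 3, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 6F:EC:48:31:4C:CC:2A:C3:AB:10:22:BD:A3:78:44:AF
"""

TRIAL_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

intermediateca, Sep 4, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 8D:E9:89:DB:7F:CC:5E:3B:FD:DE:2C:42:08:13:EF:43
tomcat, Sep 4, 2008, trustedCertEntry,
Certificate fingerprint (MD5): AC:9F:D0:82:72:BC:61:26:CB:7F:44:5C:AF:06:F1:20
"""


def parse_listing(text):
    """Return {alias: entry type} from keytool -list output.
    JKS aliases are case-insensitive and keytool prints them lower-cased."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").lower()] = m.group("kind")
    return entries


def diagnose(text, key_alias="tomcat"):
    """Return (ok, message) for the alias the connector is expected to use (assumed 'tomcat')."""
    kind = parse_listing(text).get(key_alias.lower())
    if kind is None:
        return False, f"alias '{key_alias}' not found in keystore"
    if kind != "PrivateKeyEntry":
        # The CA reply was imported as a standalone trusted certificate instead of
        # onto the existing private key, so no key/cert pair exists to serve TLS.
        return False, f"alias '{key_alias}' is a {kind}, not a PrivateKeyEntry"
    return True, f"alias '{key_alias}' is a PrivateKeyEntry; TLS can be served with it"
```

Run it against both listings: the self-signed keystore passes and the trial keystore is reported as holding only a trustedCertEntry under `tomcat`, which matches the handshake failure in the log.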