tomcat-users mailing list archives

From "Nada O'Neal" <nco2...@columbia.edu>
Subject Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Date Tue, 06 Oct 2009 20:51:41 GMT
Hi Chris,

Thanks for responding to my question!

I don't have an EV cert, it's just a standard cert signed by Equifax. I 
have similar certs working on other servers. Again, it's the upgrade 
from one java to another that seems to cause the problem - running java 
1.5, I don't have this issue.

But, this may be a case of me getting away with something under 1.5 that 
I wouldn't be able to get away with under 1.6.

The two keys in the keystore currently look like:

$ keytool -list -keystore /path/to/keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Sep 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): [...]
tomcat, Sep 29, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): [...]

... is this wrong?

Thanks again for writing back, I really appreciate it.

Christopher Schultz <chris@christopherschultz.net> wrote:
>> Firefox, but not Safari or IE, will report on https connections:
>>
>>     Secure Connection Error
>>     An error occurred during a connection to mysite.com:8443.
>>     Peer reports it experienced an internal error.
>>     (Error code: ssl_error_internal_error_alert)
> 
> What kind of certificate is it? Self-Signed? Signed by a real CA? One of
> those new-fangled EV certs?
> 
> If it's an EV cert, then you need not one but /two/ intermediate certs
> to be installed in your keystore and provided to the client during the
> SSL handshake.

My original message was:
> Hey everyone -
> 
> I'm stuck on Tomcat 5.5.26 to support a specific application. This is a Solaris 9 server
> with no Apache - tomcat is handling its own webserving. We're hoping to upgrade the JDK. I
> can use JDK-1.5.0_21 successfully. When I start tomcat with JDK-1.6.0_16, I get one specific
> issue...
> 
> Firefox, but not Safari or IE, will report on https connections:
> 
>     Secure Connection Error
>     An error occurred during a connection to mysite.com:8443.
>     Peer reports it experienced an internal error.
>     (Error code: ssl_error_internal_error_alert)
> 
> Weirdly, there is no error in any error log when this happens.
> 
> I think this might be a configuration error on my part. Here's our SSL conf stanza:
> 
>            <Connector port="8443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/path/to/my/keystore"
>                keystorePass="somePass" />
> 
> ... I notice that in other people's configs, they have a specific reference to a TrustStore.
> I have the CA certs imported into the keystore, though, and I'm using this config on other
> servers, with other versions of tomcat, other versions of the JDK, etc. (However, those are
> all linux servers.) I'm especially suspicious about this possibility because lately there
> have been other Firefox https bugs (like the Flash uploader bug) that ultimately have to do
> with verifying the certificate authority. Adding in a truststore doesn't seem to help, but
> maybe i r doin it wrong.
> 
> Thanks for any references or wild speculation you can provide.
> 
> - Nada
> 
> (p.s. if you're curious about the Flash uploader bug, see e.g.:
> http://bugs.adobe.com/jira/browse/FP-201
> http://bugs.adobe.com/jira/browse/FP-226
> https://bugs.adobe.com/jira/browse/SDK-13196
> http://swfupload.org/forum/generaldiscussion/347 ) 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
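Chris's point about intermediates hinges on where they live in the keystore: Tomcat presents only the chain stored with the PrivateKeyEntry, while a CA cert imported on its own (the `root, trustedCertEntry` line in the listing above) is never sent to the browser. The following is an added example, not code from this thread, written for a current JDK; it walks every key entry in a JKS file and reports where the stored chain stops. The keystore path and password are placeholders passed on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

// Reports, for every PrivateKeyEntry in a JKS keystore, the chain Tomcat will
// present during the handshake. Only the chain stored with the key entry is
// sent; a CA certificate imported as a separate trustedCertEntry is not.
public class ChainCheck {
    // Returns human-readable problems; an empty list means every key entry's
    // chain links issuer-to-subject all the way up to a self-signed root.
    public static List<String> check(KeyStore ks) throws Exception {
        List<String> problems = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue; // trustedCertEntry
            System.out.printf("%s: %d certificate(s) in chain%n", alias, chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.printf("  [%d] %s%n      issued by %s%n", i,
                        c.getSubjectX500Principal(), c.getIssuerX500Principal());
                if (i + 1 < chain.length) {
                    X509Certificate up = (X509Certificate) chain[i + 1];
                    if (!c.getIssuerX500Principal().equals(up.getSubjectX500Principal()))
                        problems.add(alias + ": [" + i + "] is not issued by [" + (i + 1) + "]");
                }
            }
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            if (!top.getSubjectX500Principal().equals(top.getIssuerX500Principal()))
                problems.add(alias + ": chain stops at a non-self-signed cert ("
                        + top.getSubjectX500Principal() + "); its issuer is missing");
        }
        return problems;
    }

    // Usage: java ChainCheck /path/to/keystore [password]   (path is a placeholder)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw); // a null password still lets the certificate chains be read
        }
        List<String> problems = check(ks);
        for (String p : problems) System.out.println("PROBLEM: " + p);
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

A chain that deliberately ends at an intermediate is reported too, since the check only confirms that nothing between the leaf and a self-signed root is absent; a one-certificate chain for a CA-signed key is the case that matches the symptom discussed here.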