tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Date Wed, 07 Oct 2009 17:04:55 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nada,

On 10/6/2009 4:51 PM, Nada O'Neal wrote:
> I don't have an EV cert, it's just a standard cert signed by Equifax. I
> have similar certs working on other servers. Again, it's the upgrade
> from one java to another that seems to cause the problem - running java
> 1.5, I don't have this issue.

If you've recently upgraded, then any changes you made to the "system"
keystore may have been lost (which I think is a foolish thing to do, but
it looks like each version of the JRE gets its own keystore, and
upgrades don't merge or anything like that).

> $ keytool -list -keystore /path/to/keystore
> Enter keystore password:
> 
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 2 entries
> 
> root, Sep 29, 2009, trustedCertEntry,
> Certificate fingerprint (MD5): [...]
> tomcat, Sep 29, 2009, PrivateKeyEntry,
> Certificate fingerprint (MD5): [...]
> 
> ... is this wrong?

I'm not sure. That depends on if this is /your/ keystore or the JRE's
keystore. It also depends on what the details of those certs are: do any
of them have to do with Equifax?

All you really need is:

1. Equifax CA cert in your keystore
2. Any Equifax intermediate certificates in your keystore
3. Your own certificate in your keystore
4. The web browser has to trust either #1 or #2

I'm not altogether clear if it all has to be the same keystore: I think
that the JCE reads the system one no matter what, which should include
anything Equifax has at the top-level. You may have to import their
intermediate cert into your own keystore (or into the system one, again,
if you upgraded).

There's nothing you can do about #4 above, except that if the browser
trusts, say, #1, but you aren't providing the certificate chain between
#3 and #1 (via #2), then you'll get this error from the client.

I hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrMyjcACgkQ9CaO5/Lv0PAlpQCgsBd2nlqqEwa4fqMKaJlf0YAi
ELwAn2+cUWZVBqJOSOKAfm8i81qLucQu
=augc
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
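The chain situation in point 4 of the reply, reproduced as an added example (this is not code from the thread, from Tomcat, or from the JDK). It builds a constructed three-level PKI with openssl (root "Demo Root CA", an intermediate, and a server certificate for www.example.com, all made-up names) and then plays the browser: trusting only the root, it first receives the server certificate alone and then the server certificate together with the intermediate. Assumes the openssl command-line tool is installed; it writes its own minimal request config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example: reproduce the "browser trusts the root, server omits the
# intermediate" failure described in point 4. All names below are constructed
# for the demonstration; assumes the openssl CLI is available.

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn

[dn]
CN = placeholder

# Extensions for CA certificates (root and intermediate)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Extensions for the server (leaf) certificate
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# Build root -> intermediate -> leaf in a fresh directory and print its path.
make_demo_pki() {
    dir=$(mktemp -d)
    write_req_config "$dir/req.cnf"
    # 1. Self-signed root CA: the only thing the "browser" will trust.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=Demo Root CA" -config "$dir/req.cnf" -extensions ca_ext \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # 2. Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -config "$dir/req.cnf" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 7 -extfile "$dir/req.cnf" -extensions ca_ext \
        -out "$dir/inter.pem" 2>/dev/null
    # 3. Server certificate, signed by the intermediate (the "tomcat" entry).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -config "$dir/req.cnf" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 7 -extfile "$dir/req.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null
    echo "$dir"
}

# Simulate the client: trust only ROOT, receive LEAF plus whatever extra
# certificates the server sent (CHAIN may be empty). Returns 0 on success.
client_accepts() {
    root=$1; chain=$2; leaf=$3
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
    fi
}

pki=$(make_demo_pki)
if client_accepts "$pki/root.pem" "" "$pki/leaf.pem"; then
    echo "leaf only: accepted (unexpected)"
else
    echo "leaf only: rejected - client cannot link the leaf to its trusted root"
fi
if client_accepts "$pki/root.pem" "$pki/inter.pem" "$pki/leaf.pem"; then
    echo "leaf + intermediate: accepted"
fi
```

The `-untrusted` file stands in for the certificates the server sends alongside its own: the client accepts the same leaf only when the intermediate travels with it. On the Tomcat side the corresponding check is `keytool -list -v -keystore /path/to/keystore -alias tomcat`, whose "Certificate chain length" line shows how many certificates are attached to the PrivateKeyEntry; JSSE sends the chain stored with that key entry, so an intermediate that exists in the keystore only as a separate trustedCertEntry is not presented to the browser.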

