tomcat-users mailing list archives

From "Nada O'Neal" <nco2...@columbia.edu>
Subject Re: ssl_error_internal_error_alert in firefox only, dependent on jdk version (tomcat 5.5.26)
Date Wed, 07 Oct 2009 21:28:01 GMT
Thanks for your continuing endeavors to help me, Chris.

I'm pointing tomcat to a safe keystore file, not the system keystore or 
any particular keystore. So, I don't have to worry about the keystore 
getting overwritten when I upgrade. Also, just by changing JAVA_HOME, I 
can start up tomcat with Java 1.5 and watch everything work, then shut 
it down and start it up in 1.6 and see this niggling issue in Firefox.

I also tried, btw, regenerating the keystore from the private key and 
the certificate using the 1.6 version keytool. This new keystore works 
with 1.5 java but has the same problem with Firefox when I start up 
Tomcat with Java 1.6.

<shrug>

Christopher Schultz wrote:
> Nada,
> 
> On 10/6/2009 4:51 PM, Nada O'Neal wrote:
>> I don't have an EV cert, it's just a standard cert signed by Equifax. I
>> have similar certs working on other servers. Again, it's the upgrade
>> from one java to another that seems to cause the problem - running java
>> 1.5, I don't have this issue.
> 
> If you've recently upgraded, then any changes you made to the "system"
> keystore may have been lost (which I think is a foolish thing to do, but
> it looks like each version of the JRE gets its own keystore, and
> upgrades don't merge or anything like that).
> 
>> $ keytool -list -keystore /path/to/keystore
>> Enter keystore password:
>>
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 2 entries
>>
>> root, Sep 29, 2009, trustedCertEntry,
>> Certificate fingerprint (MD5): [...]
>> tomcat, Sep 29, 2009, PrivateKeyEntry,
>> Certificate fingerprint (MD5): [...]
>>
>> ... is this wrong?
> 
> I'm not sure. That depends on whether this is /your/ keystore or the JRE's
> keystore. It also depends on what the details of those certs are: do any
> of them have to do with Equifax?
> 
> All you really need is:
> 
> 1. Equifax CA cert in your keystore
> 2. Any Equifax intermediate certificates in your keystore
> 3. Your own certificate in your keystore
> 4. The web browser has to trust either #1 or #2
> 
> I'm not altogether clear if it all has to be the same keystore: I think
> that the JCE reads the system one no matter what, which should include
> anything Equifax has at the top-level. You may have to import their
> intermediate cert into your own keystore (or into the system one, again,
> if you upgraded).
> 
> There's nothing you can do about #4 above, except that if the browser
> trusts, say, #1, but you aren't providing the certificate chain between
> #3 and #1 (via #2), then you'll get this error from the client.
> 
> I hope that helps,
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
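The chain requirements Chris lists (CA cert, intermediate, own cert, and actually sending the intermediate) can be checked directly against the keystore Tomcat is pointed at. What follows is an added example, not code from this thread or from Tomcat: a small Java program that loads the JKS file, takes the chain stored with the PrivateKeyEntry (which is the chain JSSE hands to the browser), and reports whether each certificate is signed by the next one, whether the chain ends at a self-signed root, and whether only the end-entity certificate is present. The class name, the alias argument and the KEYSTORE_PASS variable are assumptions of this example; it uses only Java 5-era APIs so it compiles with either of the JDKs in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/*
 * Added diagnostic, not from the thread or from Tomcat. Loads a JKS keystore,
 * pulls the chain stored with one PrivateKeyEntry (the chain JSSE sends to
 * the browser) and reports where it is broken or short. The KEYSTORE_PASS
 * variable and the alias argument are assumptions of this example.
 */
public class ChainCheck {

    /** What was found for one key entry. */
    public static final class Result {
        public final int length;         // certificates stored with the entry
        public final boolean linked;     // each cert is signed by the next one
        public final boolean endsAtRoot; // last cert is self-signed
        public final String problem;     // first problem found, or null

        Result(int length, boolean linked, boolean endsAtRoot, String problem) {
            this.length = length;
            this.linked = linked;
            this.endsAtRoot = endsAtRoot;
            this.problem = problem;
        }
    }

    /** Walks the chain leaf-first and verifies each link against its issuer. */
    public static Result check(Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return new Result(0, false, false,
                    "alias has no certificate chain (not a PrivateKeyEntry?)");
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            try {
                cert.checkValidity(); // expired or not-yet-valid certs fail here
            } catch (Exception e) {
                return new Result(chain.length, false, false,
                        "cert " + i + " is not currently valid: " + e.getMessage());
            }
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    return new Result(chain.length, false, false,
                            "cert " + i + " issuer does not match subject of cert " + (i + 1));
                }
                try {
                    cert.verify(issuer.getPublicKey()); // signature really made by that issuer
                } catch (Exception e) {
                    return new Result(chain.length, false, false,
                            "cert " + i + " is not signed by cert " + (i + 1) + ": " + e.getMessage());
                }
            }
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        boolean selfSigned = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
        String problem = null;
        if (chain.length == 1 && !selfSigned) {
            // Only the end-entity cert is stored: no intermediate will be sent,
            // so a browser that does not already hold it cannot build a path.
            problem = "only the end-entity certificate is stored with the key; "
                    + "the intermediate(s) will not be sent to clients";
        } else if (!selfSigned) {
            problem = "chain does not end at a self-signed root (fine only if "
                    + "clients already trust the last issuer)";
        }
        return new Result(chain.length, true, selfSigned, problem);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ChainCheck <keystore> <alias>");
            System.exit(2);
        }
        String pass = System.getenv("KEYSTORE_PASS"); // null skips the JKS integrity check
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, pass == null ? null : pass.toCharArray());
        } finally {
            in.close();
        }
        Certificate[] chain = ks.getCertificateChain(args[1]);
        if (chain != null) {
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.println("[" + i + "] subject=" + c.getSubjectX500Principal()
                        + "\n    issuer=" + c.getIssuerX500Principal()
                        + "\n    notAfter=" + c.getNotAfter());
            }
        }
        Result r = check(chain);
        System.out.println("chain length=" + r.length + " linked=" + r.linked
                + " endsAtRoot=" + r.endsAtRoot);
        if (r.problem != null) {
            System.out.println("PROBLEM: " + r.problem);
            System.exit(1);
        }
    }
}
```

Compile and run it as `javac ChainCheck.java` followed by `KEYSTORE_PASS=... java ChainCheck /path/to/keystore tomcat`. A keystore listing like the one quoted above (one trustedCertEntry "root" plus one PrivateKeyEntry "tomcat") says nothing about how long the chain attached to "tomcat" is; if this program reports a length of 1, the intermediate is not attached to the key entry, and a trustedCertEntry for the root alone is never sent to clients. The usual way to attach it with keytool is to import the intermediate as a trusted certificate first and then re-import the CA's certificate reply (or a PEM bundle containing the server certificate followed by the intermediate) under the "tomcat" alias, since keytool builds the stored chain from the trusted certificates present at import time. To see the chain exactly as the running server sends it, which is the view Firefox gets, use `openssl s_client -connect host:8443 -showcerts` from another machine. One caveat worth knowing when comparing browsers: Firefox keeps intermediates it has seen from other sites in its own certificate store, so a server that omits the intermediate can appear to work from one workstation and fail from a freshly installed one.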

