tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: truststoreFile vs javax.net.ssl.trustStore
Date Fri, 13 Aug 2010 20:13:38 GMT

Estani,

On 8/13/2010 5:31 AM, Estanislao Gonzalez wrote:
> privatekey (I'm connecting two servlet running at the moment in the same
> machine and requiring server and client ssl authentication)
> # keytool -list -keystore /usr/local/tomcat/conf/ssl_tomcat_cert
> 
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 1 entry
> 
> tomcat, Aug 11, 2010, PrivateKeyEntry,
> Certificate fingerprint (MD5):
> 35:8F:8D:37:76:E5:E4:A8:B6:75:CD:E7:50:B7:9A:5C
> 
> I'll just copy my previous mail as I think it contains more detailed
> information on what's happening.
> 
> But to sum things up: if I use the javax.net.ssl.trustStore things work.
> If I use the truststoreFile in the connector it doesn't (as a different
> truststore is loaded)


What value are you using for javax.net.ssl.trustStore?

> Ok, everything's fine (that's my cert). But while trying to access an
> SSL:
> 
> ...
> init keystore
> init keymanager of type SunX509
> trustStore is: No File Available, using empty keystore.

That looks like a problem. Is that an error message that isn't really
telling the truth? Perhaps it means "No file available, defaulting to
javax.net.ssl.trustStore".

> trustStore type is : jks
> trustStore provider is :
> ...
> *** Certificate chain
> chain [0] = [
> [
> Version: V3
> Subject: CN=albedo2.dkrz.de, OU=WDCC, O=DKRZ, L=Hamburg, C=DE
> Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
> ....
>  Validity: [From: Wed Aug 11 11:54:14 CEST 2010,
>               To: Tue Nov 09 10:54:14 CET 2010]
>  Issuer: CN=albedo2.dkrz.de, OU=WDCC, O=DKRZ, L=Hamburg, C=DE
>  SerialNumber: [    4c627346]
> 
> ]

That's certainly /not/ an empty keystore, so I'm confused by the above
error message.

> http-443-1, handling exception: java.lang.RuntimeException: Unexpected
> error: java.security.InvalidAlgorithmParameterException: the
> trustAnchors parameter must be non-empty
> http-443-1, SEND TLSv1 ALERT:  fatal, description = internal_error
> http-443-1, WRITE: TLSv1 Alert, length = 2
> http-443-1, called closeSocket()
> http-443-2, READ: TLSv1 Alert, length = 2
> http-443-1, called close()

When does this occur? During SSL negotiation for a request?

> Note: I've moved the default java jssecacerts and cacerts files to be
> sure they are not loaded. If not, this step was previously accessing
> those certs.

That's probably not a good idea: you generally want the system-trusted
certificates to be available at some level.

> Launching tomcat with
> -Djavax.net.ssl.trustStore=/usr/local/tomcat/conf/jssecacerts I have no
> problem:
> ...
> init keystore
> init keymanager of type SunX509
> trustStore is: /usr/local/tomcat/conf/jssecacerts

Looks good.

> If I use a non existing file for the truststoreFile parameter I get:
> 
> FINE: Creating name for connector Catalina:type=Connector,port=443
> Aug 11, 2010 2:45:53 PM
> org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
> SEVERE: Failed to load keystore type JKS with path
> /usr/local/tomcat/conf/jssecacerts2 due to
> /usr/local/tomcat/conf/jssecacerts2 (No such file or directory)

Okay, that looks good, too.

> So I'm pretty sure that the file is valid and can be found. Any idea?

Maybe it's a more subtle error: can Tomcat read the file even though
it's there? Maybe it's missing the read bit for the Tomcat user?
Probably not, but it's a simple check and might explain what's going on.

> I know you might need a lot more information (if this is indeed a bug).
> Just tell me and I'll provide :-)
> 
> Some info though:
> apache-tomcat-6.0.26

Any possibility of upgrading to 6.0.29? I don't see anything in the
ChangeLog that suggests a fix for something like this, but it's possible
that something has changed.

- -chris
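One thing worth checking against the truststore file handed to the connector, as an added example that is not code from this thread or from Tomcat: Java's PKIX parameters build their trust anchors only from trusted-certificate entries, and a JKS file holding nothing but a PrivateKeyEntry (as in the keytool listing above) is rejected with the same "the trustAnchors parameter must be non-empty" message. The file path and password are taken from the command line; both are assumptions for this example.

```java
import java.io.FileInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Enumeration;

/** Lists each entry of a JKS file and checks whether PKIX can derive any trust anchor from it. */
public class TrustStoreCheck {

    /** Loads the store; a null password still allows a JKS file to be listed. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the number of trusted-certificate entries; only these become PKIX trust anchors. */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                System.out.println(alias + ": trustedCertEntry (usable as a trust anchor)");
                anchors++;
            } else if (ks.isKeyEntry(alias)) {
                System.out.println(alias + ": PrivateKeyEntry (not used as a PKIX trust anchor)");
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path of the truststore (e.g. the value given to truststoreFile) - assumed input
        // args[1]: optional store password ("changeit" is the JDK default for cacerts)
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        KeyStore ks = load(args[0], pw);
        System.out.println("trusted certificate entries: " + countTrustAnchors(ks));
        try {
            // PKIXBuilderParameters(KeyStore, CertSelector) throws when the store has no trusted-cert entry
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("PKIX parameters built OK from this store");
        } catch (InvalidAlgorithmParameterException ex) {
            System.out.println("PKIX rejected this store: " + ex.getMessage());
        }
    }
}
```

If the store lists only a PrivateKeyEntry, importing the CA (or self-signed server) certificate with keytool -importcert adds the trustedCertEntry that the PKIX path needs.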

