tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <spr...@gmx.eu>
Subject RE: SSL not working
Date Fri, 28 Jan 2011 18:30:07 GMT
OK, i enabled ssl-debug an got this:

Using SSLEngineImpl.
http-8443-exec-6, READ: TLSv1 Handshake, length = 72
*** ClientHello, TLSv1
RandomCookie:  GMT: 1296237960 bytes = { 29, 26, 93, 201, 51, 195, 57, 220,
172, 159, 182, 24, 23, 109, 229, 241, 219, 44, 93, 9, 215, 107, 176, 92,
192, 250, 134, 108 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_65281, data: 00
***
http-8443-exec-6, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-8443-exec-6, WRITE: TLSv1 Alert, length = 2
http-8443-exec-6, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-6, called closeOutbound()
http-8443-exec-6, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-7, READ: SSLv3 Handshake, length = 67
*** ClientHello, SSLv3
RandomCookie:  GMT: 1296237960 bytes = { 167, 41, 66, 68, 100, 105, 126,
191, 190, 109, 143, 141, 122, 89, 201, 33, 1, 45, 228, 214, 141, 218, 73,
253, 8, 9, 118, 204 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, Unknown 0x0:0xff]
Compression Methods:  { 0 }
***
http-8443-exec-7, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, SEND SSLv3 ALERT:  fatal, description = handshake_failure
http-8443-exec-7, WRITE: SSLv3 Alert, length = 2
http-8443-exec-7, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-7, called closeOutbound()
http-8443-exec-7, closeOutboundInternal()
Using SSLEngineImpl.
http-8443-exec-8, called closeOutbound()
http-8443-exec-8, closeOutboundInternal()
http-8443-exec-8, SEND TLSv1 ALERT:  warning, description = close_notify
http-8443-exec-8, WRITE: TLSv1 Alert, length = 2 


When I open the cert I can see:

         MD5:  3C:33:0A:7C:BC:8B:8D:9E:A5:C1:8C:49:F9:E1:84:0A
         SHA1: 7F:02:49:61:4E:55:AE:11:F0:93:82:06:8A:44:95:56:2D:1E:0E:EB
         Unterschrift-Algorithmusname: SHA1withRSA
         Version: 3

So is my java runtime mising SHA1withRSA? 

> -----Original Message-----
> From: spring@gmx.eu [mailto:spring@gmx.eu] 
> Sent: Freitag, 28. Januar 2011 18:35
> To: 'Tomcat Users List'
> Subject: RE: SSL not working
> 
> Hi,
> 
> it is TC 7.0.5, Java 1.6_22.
> 
> When I use a selfsigned certificate everything is fine - same 
> server config, just the other certificate. So it must be 
> something wrong with the certificate. But I have no clue what.
> 
> How can I debug the SSL-Handshake process?
> 
> The cert not working has:
> 
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
> #8: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
> NetscapeCertType [
>    SSL client
>    SSL server
> ]
> 
> So it should be the right type of cert.
> 
> Thank you
> 
> > -----Original Message-----
> > From: Thad Humphries [mailto:thad.humphries@gmail.com] 
> > Sent: Freitag, 28. Januar 2011 16:47
> > To: Tomcat Users List
> > Subject: Re: SSL not working
> > 
> > I've been fooling around *a lot* lately with SSL, so I 
> > thought I'd give this
> > a try.  I'm not very experienced, but I'll offer my two cents.
> > 
> > First of all, what version of Tomcat, Java, etc. are you 
> > running? Such a
> > statement is *de rigueur* for practically any question to 
> > this forum. My
> > system looks like
> > 
> > ** Server: SuSE 11.3 (2.6.34.7-0.7-desktop #1 SMP PREEMPT 2010-12-13
> > 11:13:53 +0100 i686 i686 i386 GNU/Linux)
> > ** Tomcat 6.0.30
> > ** Java:  JRE 1.5.0_22 (though my keystore was 
> self-generated with JDK
> > 1.6.0_23)
> > 
> > That said, the connector you describe is working for me, even when I
> > intentionally misname my keyAlias.  However I have only one 
> > entry in my
> > keystore.  I'm guessing that it can screw up if you have more 
> > than one and
> > you give the wrong alias.
> > 
> > You're using a JSSE implementation, correct? Run
> > 
> > $ keytool -list -keystore $CATALINA_HOME/conf/keystore.jks -v
> > 
> > and see what you get.
> > 
> > 
> > (BTW, my self-generated openssl can be read with
> > 
> > $ keytool -printcert -file /srv/apache2/conf/server.crt -v
> > 
> > I say this only because I've also been fiddling, 
> > successfully, with the APR
> > and mod_jk connector.)
> > 
> > On Fri, Jan 28, 2011 at 8:06 AM, <spring@gmx.eu> wrote:
> > 
> > > Hi,
> > >
> > > I did it now so many times - it always worked - configuring 
> > tomcat for SSL.
> > >
> > > Today: New server, new certificate.
> > >
> > > Create new keystore, imported root, intermediate and server 
> > certificate,
> > > configured the connector, same as usual.
> > >
> > > But... http does not work. No error in tomcats log, 
> > nothing. Browser says
> > > that it cannot load the page due to a connection problem, 
> > maybe security
> > > issue.
> > >
> > > How can I debug this ssl problem?
> > >
> > >  <Connector
> > >        SSLEnabled="true"
> > >        clientAuth="want"
> > >        maxThreads="150"
> > >        port="8443"
> > >        protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >        scheme="https"
> > >        secure="true"
> > >        sslProtocol="TLS"
> > >        keystoreFile="conf/tomcat.jks"
> > >        keystoreType="JKS"
> > >        keyAlias="tomcat"
> > >        keystorePass="changeit"
> > >        />
> > >
> > > Thank you
> > >
> > >
> > > 
> > 
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > >
> > 
> > 
> > -- 
> > "Hell hath no limits, nor is circumscrib'd In one self-place; 
> > but where we
> > are is hell, And where hell is, there must we ever be" --Christopher
> > Marlowe, *Doctor Faustus* (v, 121-24)
> > 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message