From <spr...@gmx.eu>
Subject RE: SSL not working
Date Fri, 28 Jan 2011 17:34:41 GMT
Hi,

it is TC 7.0.5, Java 1.6_22.

When I use a self-signed certificate everything is fine - same server config,
just the other certificate. So it must be something wrong with the
certificate. But I have no clue what.

How can I debug the SSL-Handshake process?

The cert that is not working has:

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
#8: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL client
   SSL server
]

So it should be the right type of cert.

Thank you

> -----Original Message-----
> From: Thad Humphries [mailto:thad.humphries@gmail.com] 
> Sent: Freitag, 28. Januar 2011 16:47
> To: Tomcat Users List
> Subject: Re: SSL not working
> 
> I've been fooling around *a lot* lately with SSL, so I thought I'd give this
> a try.  I'm not very experienced, but I'll offer my two cents.
> 
> First of all, what version of Tomcat, Java, etc. are you running? Such a
> statement is *de rigueur* for practically any question to this forum. My
> system looks like
> 
> ** Server: SuSE 11.3 (2.6.34.7-0.7-desktop #1 SMP PREEMPT 2010-12-13
> 11:13:53 +0100 i686 i686 i386 GNU/Linux)
> ** Tomcat 6.0.30
> ** Java:  JRE 1.5.0_22 (though my keystore was self-generated with JDK
> 1.6.0_23)
> 
> That said, the connector you describe is working for me, even when I
> intentionally misname my keyAlias.  However I have only one entry in my
> keystore.  I'm guessing that it can screw up if you have more than one and
> you give the wrong alias.
> 
> You're using a JSSE implementation, correct? Run
> 
> $ keytool -list -keystore $CATALINA_HOME/conf/keystore.jks -v
> 
> and see what you get.
> 
> 
> (BTW, my self-generated openssl can be read with
> 
> $ keytool -printcert -file /srv/apache2/conf/server.crt -v
> 
> I say this only because I've also been fiddling, successfully, with the APR
> and mod_jk connector.)
> 
> On Fri, Jan 28, 2011 at 8:06 AM, <spring@gmx.eu> wrote:
> 
> > Hi,
> >
> > I did it now so many times - it always worked - configuring tomcat for SSL.
> >
> > Today: New server, new certificate.
> >
> > Create new keystore, imported root, intermediate and server certificate,
> > configured the connector, same as usual.
> >
> > But... http does not work. No error in tomcat's log, nothing. Browser says
> > that it cannot load the page due to a connection problem, maybe security
> > issue.
> >
> > How can I debug this ssl problem?
> >
> >  <Connector
> >        SSLEnabled="true"
> >        clientAuth="want"
> >        maxThreads="150"
> >        port="8443"
> >        protocol="org.apache.coyote.http11.Http11NioProtocol"
> >        scheme="https"
> >        secure="true"
> >        sslProtocol="TLS"
> >        keystoreFile="conf/tomcat.jks"
> >        keystoreType="JKS"
> >        keyAlias="tomcat"
> >        keystorePass="changeit"
> >        />
> >
> > Thank you
> >
> >
> 
> 
> -- 
> "Hell hath no limits, nor is circumscrib'd In one self-place; but where we
> are is hell, And where hell is, there must we ever be" --Christopher
> Marlowe, *Doctor Faustus* (v, 121-24)
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
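The thread twice asks how to check the keystore behind the connector. The script below is an added example, not code posted by anyone in the thread: it reads the output of the `keytool -list -v` command Thad suggested and reports whether the alias named in the connector's keyAlias ("tomcat" in the posted config) is a PrivateKeyEntry (private key plus certificate chain) or only a trustedCertEntry (certificate with no key). A JSSE connector can only serve an alias of the first kind; the chain length shows whether the intermediate and root were attached to the key entry rather than imported as separate trusted entries. The two listings embedded in the script are constructed to match keytool's format and are not real keystores; the keystore path, alias and password in the usage comment are the ones from the connector in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): inspect `keytool -list -v` output and
# report whether the connector's keyAlias is a PrivateKeyEntry with its chain.
#
# Against a real keystore (values taken from the connector in the thread):
#   keytool -list -v -keystore conf/tomcat.jks -storepass changeit | check_alias tomcat

check_alias() {
    # $1 = alias to look for; `keytool -list -v` output on stdin.
    # Exit status: 0 = PrivateKeyEntry, 1 = wrong entry type, 2 = alias absent.
    awk -v want="$1" '
        /^Alias name: /                              { cur = substr($0, 13); next }
        cur == want && /^Entry type: /               { type = substr($0, 13) }
        cur == want && /^Certificate chain length: / { len  = substr($0, 27) }
        END {
            if (type == "") {
                print "alias " want ": not found in keystore"; exit 2
            }
            if (type != "PrivateKeyEntry") {
                print "alias " want ": " type " (no private key; connector cannot use it)"; exit 1
            }
            if (len == "") len = "unknown"
            print "alias " want ": PrivateKeyEntry, chain length " len; exit 0
        }'
}

# Constructed sample listings in the format `keytool -list -v` prints (not real keystores).
# Broken case: the server certificate was imported as a standalone trusted cert,
# so the alias the connector names carries no private key.
LISTING_CERT_ONLY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: tomcat
Creation date: Jan 28, 2011
Entry type: trustedCertEntry

Owner: CN=www.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example

Alias name: intermediate
Creation date: Jan 28, 2011
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
'

# Working case: the CA reply was imported onto the existing key pair, so the
# alias holds the private key and the full chain (server, intermediate, root).
LISTING_KEY_ENTRY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Jan 28, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: rootca
Creation date: Jan 28, 2011
Entry type: trustedCertEntry
'

# check_listing ALIAS LISTING: feed an in-memory listing to check_alias and
# pass its message and exit status through.
check_listing() {
    printf '%s\n' "$2" | check_alias "$1"
}

check_listing tomcat  "$LISTING_CERT_ONLY" || echo "  -> exit status $?"
check_listing tomcat  "$LISTING_KEY_ENTRY" || echo "  -> exit status $?"
check_listing missing "$LISTING_KEY_ENTRY" || echo "  -> exit status $?"
```

To watch the handshake itself rather than the keystore, start Tomcat with `-Djavax.net.debug=ssl,handshake` in CATALINA_OPTS (standard JSSE debugging; it prints the chosen alias, the certificate chain sent and the alert that ends a failed handshake to catalina.out) and connect with `openssl s_client -connect host:8443 -showcerts`, which prints every certificate the server sends or the alert it closes with. Note that with clientAuth="want" the server will also send a CertificateRequest, which is expected and not itself an error.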

