tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: My web application to use SSL (JSSE - RSA)
Date Fri, 10 Jun 2011 19:59:14 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Charles,

On 6/10/2011 9:25 AM, Charles Van Damme wrote:
> 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: [...]

FWIW, that's just an INFO message, but if you are going to be using SSL,
you might want to go ahead and install the APR library: your performance
will improve measurably. Note that <Connector> configuration for an APR
connector using SSL is completely different if you choose to go this route.

If you are not going to be using APR, you can disable the APR lifecycle
listener because you aren't using it.

> java.security.NoSuchAlgorithmException: RSA SSLContext not available

As Pid points out, it's pretty obvious that "RSA" is not a valid
algorithm in this situation:

>     at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
>     at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)

So, it's an SSL configuration problem. Let's look at your SSL <Connector>:

>     <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
>     <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
>                maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
>                keystoreFile="C:/Documents and Settings/Papa/.keystore" keystorePass="changeit"
>                clientAuth="false" sslProtocol="RSA" />

So, you have sslProtocol="RSA"... seems like a good place to look. If
you check the <Connector> documentation, you can see that there are only
a few recognized protocols you can choose.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Note that "protocol" refers to the protocol used for SSL, not for any
specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat
documentation does not list all the available protocols, nor should it:
the protocols available to you are determined by JVM support.

The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to
documentation for "standard names" (which takes you through several hops
to) here:
http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext

Those are the valid ssl protocol names you can choose.

If you want to use only ciphers that use the RSA algorithm (which is really
limiting, IMO), you can look up their names here (after scrolling a bit
downward):

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames

Just look for stuff like SSL_DH_DSS_blah_blah_blah.

Of course, support for a certain algorithm might not be available in
your environment. It's best to find out what your JVM supports and use that.

I wrote a short bit of code a while back to determine the supported
algorithms and the default cipher suite for an SSLSocketFactory. I'll
try to dig it up and post it.

>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

If you aren't using AJP, then disable the extra connector.

> Hoping you are not overwhelmed. Anything else ?

You had other errors in the log file. After you get SSL working
properly, stop Tomcat, delete all your logs and re-launch it. Anything
that looks like an error should be investigated and fixed.

Feel free to come back to the list for help on those additional issues:
just remember to start a new thread if you do.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3yd5IACgkQ9CaO5/Lv0PCSwQCggfhTML/aJwMtBlw1pVJ+mJIt
rg8AoJOrh9amZcTCiLFrXjZQtFRGQbd0
=fu8H
-----END PGP SIGNATURE-----
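Added example (not from the original message and not Tomcat's own code): a small stand-alone Java program that reproduces the failure Chris diagnoses above and then shows what the JVM actually offers. It extracts the sslProtocol attribute from two constructed <Connector> fragments (one with the thread's sslProtocol="RSA", one with "TLS"), feeds each name to javax.net.ssl.SSLContext.getInstance exactly as JSSESocketFactory.createSSLContext does in the stack trace, and then prints the supported and default protocols and cipher suites of the running JVM, filtering out the suites whose key exchange is RSA so they could be copied into the connector's ciphers attribute. The class name, the keystore path, and the connector fragments are assumptions made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical helper (not part of Tomcat): checks a connector's sslProtocol
 * value against the running JVM and lists what the JVM really supports.
 */
public class SslProtocolCheck {

    // Constructed server.xml fragments for this example. The first reproduces the
    // failing configuration from the thread; the second uses a valid SSLContext name.
    static final String BROKEN_CONNECTOR =
        "<Connector protocol=\"org.apache.coyote.http11.Http11NioProtocol\" port=\"443\""
      + " maxThreads=\"150\" scheme=\"https\" secure=\"true\" SSLEnabled=\"true\""
      + " keystoreFile=\"conf/keystore.jks\" keystorePass=\"changeit\""
      + " clientAuth=\"false\" sslProtocol=\"RSA\" />";

    static final String FIXED_CONNECTOR =
        BROKEN_CONNECTOR.replace("sslProtocol=\"RSA\"", "sslProtocol=\"TLS\"");

    private static final Pattern SSL_PROTOCOL_ATTR =
        Pattern.compile("\\bsslProtocol\\s*=\\s*\"([^\"]*)\"");

    /** Returns the sslProtocol attribute of a Connector element, or null if absent. */
    static String sslProtocolOf(String connectorXml) {
        Matcher m = SSL_PROTOCOL_ATTR.matcher(connectorXml);
        return m.find() ? m.group(1) : null;
    }

    /**
     * Mirrors the call in the stack trace: SSLContext.getInstance(sslProtocol).
     * "RSA" names a key/cipher algorithm, not an SSLContext protocol, so the JVM
     * answers with NoSuchAlgorithmException; "TLS" (or "SSL", "TLSv1", ...) succeeds.
     */
    static boolean sslContextAvailable(String protocolName) {
        try {
            SSLContext.getInstance(protocolName);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Suites whose key exchange is plain RSA: TLS_RSA_WITH_... / SSL_RSA_WITH_... */
    static List<String> rsaKeyExchangeSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.startsWith("TLS_RSA_WITH_") || s.startsWith("SSL_RSA_WITH_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 1. Validate the sslProtocol attribute of each constructed connector.
        for (String xml : new String[] { BROKEN_CONNECTOR, FIXED_CONNECTOR }) {
            String name = sslProtocolOf(xml);
            System.out.printf("sslProtocol=\"%s\" -> %s%n", name,
                sslContextAvailable(name)
                    ? "OK"
                    : "NoSuchAlgorithmException: " + name + " SSLContext not available");
        }

        // 2. Show what this JVM supports, which is what the Tomcat docs defer to.
        SSLContext def = SSLContext.getDefault();
        System.out.println("Supported protocols: "
            + Arrays.toString(def.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled by default:  "
            + Arrays.toString(def.getDefaultSSLParameters().getProtocols()));

        SSLSocketFactory sf = def.getSocketFactory();
        System.out.println("Default cipher suites:   " + sf.getDefaultCipherSuites().length);
        System.out.println("Supported cipher suites: " + sf.getSupportedCipherSuites().length);
        System.out.println("RSA key-exchange suites usable in the connector's ciphers attribute:");
        for (String s : rsaKeyExchangeSuites(sf.getSupportedCipherSuites())) {
            System.out.println("  " + s);
        }
    }
}
```

Compile and run it with the same JVM that starts Tomcat (`javac SslProtocolCheck.java && java SslProtocolCheck`): the protocol and cipher names it prints are the ones that JVM will accept in sslProtocol and ciphers, so a value that fails here will fail in the connector too.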
