tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Implementing SSL and error invocating https://localhost:8443/ (Tomcat 7.0 on Windows 7)
Date Fri, 26 Oct 2012 14:57:13 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gabriel,

On 10/25/12 5:32 PM, Gabriel Huerta Araujo wrote:
> 
> My web.xml's connector section originally was:
> 
> <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" 
> disableUploadTimeout="true" enableLookups="false" maxThreads="25" 
> port="8443" keystoreFile="${user.home}/.keystore"
> keystorePass=<my_key_pass> 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https" secure="true" sslProtocol="TLS" />
> 
> and I had to replace for this (because I wanted to know at least
> one message error, this way I could do something else):
> 
> <Connector port="8443" maxThreads="200" scheme="https"
> secure="true" SSLEnabled="true" 
> keystoreFile="${user.home}/.keystore" keystorePass<my_key_pass>
> clientAuth="false" sslProtocol="TLS"/>

So that's pretty much identical as far as SSL configuration goes.

> Below it is whar Tomcat reports:
> 
> 25/10/2012 04:23:20 PM
> org.apache.catalina.core.AprLifecycleListener init INFO: La
> biblioteca nativa de Apache Tomcat basada en ARP que permite un
> rendimiento óptimo en entornos de desarrollo no ha sido hallada en
> java.library.path:
> C:\jdk1.6.35\bin;C:\windows\Sun\Java\bin;C:\windows\system32;C:\windows;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\mingw\mingw64\bin;C:\Program
> Files (x86)\ATI
> Technologies\ATI.ACE\Core-Static;C:\jdk1.6.35\bin;C:\Spring\apache-maven-3.0.4\bin;C:\Program
> Files (x86)\Liquid Technologies\Liquid XML Studio
> 2011\XmlDataBinder9\Redist9\cpp\win32\bin;C:\cygwin\bin\;C:\apache-ant-1.8.2/bin;C:\Program
> Files (x86)\Microchip\MPLAB C32 Suite\bin;C:\Program Files
> (x86)\QuickTime\QTSystem\;C:\Program
> Files\TortoiseSVN\bin;C:\Program Files (x86)\CVSNT\;.

Okay, no APR. That's good, since you have a JSSE certificate
configuration.

> 25/10/2012 04:23:20 PM org.apache.coyote.AbstractProtocol init 
> INFO: Initializing ProtocolHandler ["http-bio-8080"] 25/10/2012
> 04:23:21 PM org.apache.coyote.AbstractProtocol init INFO:
> Initializing ProtocolHandler ["http-bio-8443"] 25/10/2012 04:23:21
> PM org.apache.coyote.AbstractProtocol init GRAVE: Failed to
> initialize end point associated with ProtocolHandler
> ["http-bio-8443"] java.io.IOException: La configuración SSL no es
> válida debido a No available certificate or key corresponds to the
> SSL cipher suites which are enabled.

So either you have failed to configure a set of cipher suites that are
compatible with the JRE or the certificate (not likely, since you have
accepted the default) or your certificate can't be loaded.

> Caused by: javax.net.ssl.SSLException: No available certificate or
> key corresponds to the SSL cipher suites which are enabled. at
> com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
>
> 
at
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:818)
>
> 
... 20 more

It's odd that the cipher suite check is failing instead of something
earlier.

Are you sure that your keystore can be found under
${user.home}/.keystore? Are you sure that the password is correct? (I
would have expected a different kind of error if something were wrong
with that configuration, but it's worth double-checking).

You might have to set the "keyAlias" attribute in your <Connector>,
otherwise it will choose the "first key read in the keystore" as your
certificate. As your keystore contains these entries:

> Su almacen de claves contiene 2 entradas
> 
> root, 24/10/2012, trustedCertEntry, Huella digital de certificado
> (MD5): E2:FF:EB:EF:B5:FA:85:2F:B4:85:FC:1B:1E:0E:94:37 tomcat,
> 24/10/2012, trustedCertEntry, Huella digital de certificado (MD5):
> E2:FF:EB:EF:B5:FA:85:2F:B4:85:FC:1B:1E:0E:94:37

...Tomcat may be choosing the first certificate when you really want
it to choose the second one. Try this:

<Connector ..... keyAlias="tomcat" .... />

See if that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCKpMkACgkQ9CaO5/Lv0PAvoQCgv1u4W7wXxlkKgYW+Rd6HHxEu
jW4An1iotoQTNxXuVzlxM/+w99PbuyFm
=BjW8
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message