tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brijesh Deo <b...@SonicWALL.com>
Subject RE: Error configuring tomcat with ssl certificates
Date Wed, 06 Mar 2013 10:10:48 GMT

-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_borkar@persistent.co.in] 
Sent: 06 March 2013 15:12
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates

Thanks Brijesh,

The certificate that I am using is RSA based certificate,  I tried listing the RSA based ciphers
in the server the xml, however it still gave me the same error.
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150"  scheme="https" secure="true" keystoreFile="/tmp/.keystore"
 keystorePass="changeit" enableLookups="false"  ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
 clientAuth="false" sslProtocol="TLS" />

Any idea what else could be going wrong?
Thanks,
Siddhi

Hi Siddhi,
You can check your keystore type. If it is not JKS, then you need to specify the keyStoreType
also in the connector definition.

-Brijesh


-----Original Message-----
From: Brijesh Deo [mailto:bdeo@SonicWALL.com] 
Sent: Wednesday, March 06, 2013 12:25 PM
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates


-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_borkar@persistent.co.in] 
Sent: 06 March 2013 12:15
To: users@tomcat.apache.org
Subject: Error configuring tomcat with ssl certificates



Hi,

I need help configuring tomcat 6 will ssl certificates. I have been provided with the following
cacert.pem
prvkey.key
and sslcert.crt

I tried the following steps:

1)      Generated a keystore using java keytool and the certificate file using the following
command.

keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore

2)      Added the .pem file to the keystore
                              keytool -import -trustcacerts -alias root -file cacert.pem-keystore
keystore

3)      Start the tomcat server

4)      After starting the server, the following error was seen in the logs.



Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start

SEVERE: Error starting endpoint

java.io.IOException: jsse.invalid_ssl_conf

        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)

        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)

        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)

        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)

        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)

        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)

        at org.apache.catalina.connector.Connector.start(Connector.java:1107)

        at org.apache.catalina.core.StandardService.start(StandardService.java:531)

        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)

        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:616)

        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)

        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the
SSL cipher suites which are enabled.

        at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)

        at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)

        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)

        ... 15 more



Can someone help on this?
Thanks


Siddhi,
You might want to check your ciphers attribute value in the Connector definition in server.xml
file. Generally, the list of ciphers that you include here are based upon the type of your
certificate. If you have RSA based certificate, you need to enlist RSA based ciphers (ones
with _RSA in the cipher suite name) and similarly for DSA based certificate you should have
corresponding cipher suites (ones with _DSS in the cipher suite names). May be you have this
mismatched and that is the problem.

The other way round would be to generate or use a certificate based upon the cipher suites
that you want or are supported in your ciphers attribute value.

Brijesh Deo
Dell | SonicWALL


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent
Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed.
If you are not the intended recipient, you are not authorized to read, retain, copy, print,
distribute or use this message. If you have received this communication in error, please notify
the sender and delete all copies of this message. Persistent Systems Ltd. does not accept
any liability for virus infected mails.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message