tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: detailed APR/SSL logging
Date Tue, 07 Jan 2014 18:11:08 GMT

Sanaullah,

On 1/7/14, 8:06 AM, Sanaullah wrote:
> This issue is only with my ECC certificates. The whole
> configuration works pretty well with TLS1.2 when I am using the RSA
> certs. OpenSSL self-signed ECC certs are also working.
> 
> 
> On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah <sanaullah82@gmail.com>
> wrote:
> 
>> Here is my configuration. I am using OpenSSL. I haven't installed
>> any certificate in the JVM truststore.
>> 
>> <Connector address="0.0.0.0" port="8443" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true" clientAuth="false"
>>            SSLProtocol="All"
>>            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
>>            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>>            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>> 
>> 
>> 
>> 
>> 
>> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty
>> <mgainty@hotmail.com> wrote:
>> 
>>>> Date: Tue, 7 Jan 2014 14:51:21 +0500
>>>> Subject: detailed APR/SSL logging
>>>> From: sanaullah82@gmail.com
>>>> To: users@tomcat.apache.org
>>>> 
>>>> Hi,
>>>> 
>>>> Does anyone know how I can get the detailed APR/SSL debug
>>>> logs? I need to know where my SSL session is getting broken;
>>>> there is nothing in the catalina.out log.
>>>> 
>>>> usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>>>> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>>>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
>>>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
>>>> Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
>>>> INFO: Initializing ProtocolHandler ["http-apr-8080"]
>>>> Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
>>>> INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
>>>> INFO: Initialization processed in 696 ms
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
>>>> INFO: Starting service Catalina
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
>>>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
>>>> Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
>>>> INFO: Starting ProtocolHandler ["http-apr-8080"]
>>>> Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
>>>> INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
>>>> INFO: Server startup in 935 ms
>>>> 
>>>> ----------------------------------------------------------------------------------------------------------------------
>>>> 
>>>> Server looks up properly with openssl and certs but when I try to
>>>> connect it with openssl s_client it's getting an error
>>>> 
>>>> ----------------------------------------------------------------------------------------------------------------------
>>>> 
>>>> root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
>>>> CONNECTED(00000003)
>>>> read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
>>>> 0000 - 15 03 03 00 02                                    .....
>>>> read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
>>>> 0000 - 02 28                                             .(
>>>> 3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
>>>> 3074095420:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>>>> ---
>>>> no peer certificate available
>>> 
>>> MG>did you install at least 1+ CA cert(s) to JVM truststore?
>>> 
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 7 bytes and written 0 bytes
>>>> ---
>>>> New, (NONE), Cipher is (NONE)
>>>> Secure Renegotiation IS NOT supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : 0000
>>> 
>>> MG> did you enable ALL ciphers for connector that is
>>> implementing protocol=TLSV1.2
>>> 
>>>>     Session-ID: 
>>>>     Session-ID-ctx: 
>>>>     Master-Key: 
>>>>     Key-Arg   : None
>>>>     PSK identity: None
>>>>     PSK identity hint: None
>>>>     SRP username: None
>>>>     Start Time: 1389088241
>>>>     Timeout   : 7200 (sec)
>>>>     Verify return code: 0 (ok)
>>>> 
>>>> 
>>>> Regards, San

On 1/5/14, 9:08 AM, Sanaullah wrote:
> most of the people puking here regarding the tlsv1.1 and tlsv1.2
> support in tomcat 7.0.47 or just trying themselves to look over
> smart.

I think I'm done puking on you for a while.

- -chris
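The `openssl s_client -debug` transcript quoted in this thread ends in "SSL alert number 40", but reading that out of the raw hex by hand is error-prone. The Python below is an added example, not code from the thread or from Tomcat; it reassembles the server-side records of such a dump and names the TLS alert. The sample transcript is constructed from the two "read from" records quoted above, and the parser assumes OpenSSL's usual `-debug` dump layout (offset, " - ", hex byte pairs, then an ASCII column).

```python
import re
# Constructed sample: the two "read from" records in the s_client -debug dump quoted in the thread
SAMPLE_DEBUG = """\
read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
"""
# TLS record content types, version bytes and alert codes from RFC 5246
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}
# One hex-dump line: offset, " - ", byte pairs separated by a space (or "-" after the 8th byte)
DUMP_LINE = re.compile(r"^[0-9a-f]{4} - ([0-9a-f]{2}(?:[ -][0-9a-f]{2})*)")

def debug_bytes(text, direction="read from"):
    """Reassemble the raw bytes of every dump flowing in one direction of an openssl -debug transcript."""
    out, active = bytearray(), False
    for line in text.splitlines():
        if line.startswith(("read from", "write to")):
            active = line.startswith(direction)  # keep only dumps in the wanted direction
            continue
        m = DUMP_LINE.match(line) if active else None
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)

def parse_records(data):
    """Split raw TLS bytes into (content_type, (major, minor), payload) per record-layer header."""
    records, i = [], 0
    while i + 5 <= len(data):
        length = int.from_bytes(data[i + 3:i + 5], "big")
        payload = data[i + 5:i + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % i)
        records.append((data[i], (data[i + 1], data[i + 2]), payload))
        i += 5 + length
    return records

def diagnose(text):
    """Summarise what the server sent back, naming any alert so the failure point is explicit."""
    summary = []
    for ctype, version, payload in parse_records(debug_bytes(text)):
        detail = "%d bytes" % len(payload)
        if ctype == 21 and len(payload) == 2:  # alert payload: level byte, then description byte
            detail = "%s alert %d (%s)" % (ALERT_LEVELS.get(payload[0], "unknown"), payload[1],
                                           ALERT_DESCRIPTIONS.get(payload[1], "unknown"))
        summary.append("%s %s: %s" % (VERSIONS.get(version, "?"), CONTENT_TYPES.get(ctype, "unknown"), detail))
    return summary
```

Running `diagnose` on the sample reports a single fatal TLS 1.2 alert 40 (handshake_failure), which matches the 7 bytes read and the error lines printed by s_client; passing `direction="write to"` instead reassembles the ClientHello the client sent.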
