tomcat-users mailing list archives

From Sanaullah <sanaulla...@gmail.com>
Subject Re: detailed APR/SSL logging
Date Tue, 07 Jan 2014 19:45:51 GMT
I still stick to my opinion: the patches needed to be applied for TLS 1.2 with
SSL/APR. Everything is working after applying the patch except this ECC cert
chain. I am just looking around for where to get the detailed logs.

On Tue, Jan 7, 2014 at 11:11 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

> Sanaullah,
>
> On 1/7/14, 8:06 AM, Sanaullah wrote:
> > This issue is only with my ECC certificates. The whole configuration
> > works pretty well with TLS 1.2 when I am using the RSA certs. OpenSSL
> > self-signed ECC certs are also working.
> >
> > On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah <sanaullah82@gmail.com> wrote:
> >
> >> Here is my configuration. I am using OpenSSL. I haven't installed
> >> any certificate into the JVM truststore.
> >>
> >> <Connector address="0.0.0.0" port="8443" SSLEnabled="true"
> >>            maxThreads="150" scheme="https" secure="true" clientAuth="false"
> >>            SSLProtocol="All"
> >>            SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
> >>            SSLCertificateFile="/home/san/certs/pay-test/test.pem"
> >>            SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
> >>
> >> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty <mgainty@hotmail.com> wrote:
> >>
> >>>> Date: Tue, 7 Jan 2014 14:51:21 +0500
> >>>> Subject: detailed APR/SSL logging
> >>>> From: sanaullah82@gmail.com
> >>>> To: users@tomcat.apache.org
> >>>>
> >>>> Hi,
> >>>>
> >>>> Does anyone know how I can get the detailed APR/SSL debug logs? I need
> >>>> to know where my SSL session is getting broken; there is nothing in
> >>>> the catalina.out log.
> >>>>
> >>>> usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
> >>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> >>>> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
> >>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
> >>>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> >>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
> >>>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> >>>> Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> >>>> INFO: Initializing ProtocolHandler ["http-apr-8080"]
> >>>> Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
> >>>> INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
> >>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
> >>>> INFO: Initialization processed in 696 ms
> >>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
> >>>> INFO: Starting service Catalina
> >>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
> >>>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
> >>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
> >>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
> >>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> >>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
> >>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> >>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
> >>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> >>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
> >>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
> >>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
> >>>> Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> >>>> INFO: Starting ProtocolHandler ["http-apr-8080"]
> >>>> Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
> >>>> INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
> >>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
> >>>> INFO: Server startup in 935 ms
> >>>>
> >>>> ----------------------------------------------------------------------------------------------------------------------
> >>>> The server starts up properly with OpenSSL and the certs, but when I try
> >>>> to connect to it with openssl s_client it gets an error:
> >>>> ----------------------------------------------------------------------------------------------------------------------
> >>>>
> >>>> root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
> >>>> CONNECTED(00000003)
> >>>> write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
> >>>> 0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   ....:...6..R...E
> >>>> 0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57   ...&o....X....?W
> >>>> 0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30   ...I-R.........0
> >>>> 0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
> >>>> 0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
> >>>> 0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
> >>>> 0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
> >>>> 0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
> >>>> 0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .........g.@.3.2
> >>>> 0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
> >>>> 00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   .......<./...A..
> >>>> 00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   ................
> >>>> 00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f   ...............o
> >>>> 00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...........4.2..
> >>>> 00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   ................
> >>>> 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
> >>>> 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
> >>>> 0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03   .#.....". ......
> >>>> 0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   ................
> >>>> 0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01      ...............
> >>>> read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
> >>>> 0000 - 15 03 03 00 02                                    .....
> >>>> read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
> >>>> 0000 - 02 28                                             .(
> >>>> 3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> >>>> 3074095420:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
> >>>> ---
> >>>> no peer certificate available
> >>>
> >>> MG> did you install at least 1+ CA cert(s) to the JVM truststore?
> >>>
> >>>> ---
> >>>> No client certificate CA names sent
> >>>> ---
> >>>> SSL handshake has read 7 bytes and written 0 bytes
> >>>> ---
> >>>> New, (NONE), Cipher is (NONE)
> >>>> Secure Renegotiation IS NOT supported
> >>>> Compression: NONE
> >>>> Expansion: NONE
> >>>> SSL-Session:
> >>>>     Protocol  : TLSv1.2
> >>>>     Cipher    : 0000
> >>>
> >>> MG> did you enable ALL ciphers for the connector that is implementing protocol=TLSV1.2?
> >>>
> >>>>     Session-ID:
> >>>>     Session-ID-ctx:
> >>>>     Master-Key:
> >>>>     Key-Arg   : None
> >>>>     PSK identity: None
> >>>>     PSK identity hint: None
> >>>>     SRP username: None
> >>>>     Start Time: 1389088241
> >>>>     Timeout   : 7200 (sec)
> >>>>     Verify return code: 0 (ok)
> >>>>
> >>>> Regards,
> >>>> San
>
> On 1/5/14, 9:08 AM, Sanaullah wrote:
> > Most of the people puking here regarding the TLSv1.1 and TLSv1.2
> > support in Tomcat 7.0.47 are just trying to make themselves look
> > smart.
>
> I think I'm done puking on you for a while.
>
> -chris

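The s_client trace quoted above already answers part of the question the thread is circling: the client offers TLS 1.2, a long list of ECDHE-ECDSA suites, the NIST curves and ECDSA signature algorithms, and the server answers the ClientHello with a fatal alert 40 (handshake_failure) before any ServerHello or Certificate. The script below is an added example for this archive page (it is not code from the thread, Tomcat, tcnative or OpenSSL): it re-assembles the bytes from the `-debug` hex dump, decodes the ClientHello and the alert record, and reports what the exchange does and does not establish. The dump bytes are copied from the quoted output (the ASCII column regenerated from the bytes); suite, curve and alert names are the IANA registry names; the reading that an immediate handshake_failure is OpenSSL's "no shared cipher" path is the usual cause and is stated as such, since the thread never reports the actual root cause.

```python
# Added example for this archive page (not Tomcat, tcnative or OpenSSL code): decode
# the "openssl s_client -debug" hex dump quoted in the thread and state what the
# captured exchange proves about where the TLS 1.2 handshake broke.
import re

# Copied from the quoted dump: the 319-byte ClientHello that s_client wrote ...
CLIENT_HELLO_DUMP = """\
0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   ....:...6..R...E
0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57   ...&o....X....?W
0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30   ...I-R.........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .........g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   .......<./...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   ................
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f   ...............o
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...........4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   ................
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03   .#.....". ......
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   ................
0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01      ...............
"""
# ... and the two reads that came back: a 5-byte record header, then a 2-byte alert body.
SERVER_REPLY_DUMP = """\
0000 - 15 03 03 00 02                                    .....
0000 - 02 28                                             .(
"""
ECDSA_SUITES = {0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
                0xC023: "ECDHE-ECDSA-AES128-SHA256", 0xC024: "ECDHE-ECDSA-AES256-SHA384",
                0xC009: "ECDHE-ECDSA-AES128-SHA", 0xC00A: "ECDHE-ECDSA-AES256-SHA"}
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")  # hex columns only

def u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")

def u16_list(ext):                 # body of a <len16><id16 ...> extension (curves, sigalgs)
    return [u16(ext, i) for i in range(2, 2 + u16(ext, 0), 2)]

def hexdump_to_bytes(dump):        # hex columns of -debug lines, in order; ASCII column ignored
    hexes = [m.group(1) for m in map(HEX_LINE.match, dump.splitlines()) if m]
    return bytes.fromhex(" ".join(hexes).replace("-", " "))

def parse_records(data):           # -> [(content_type, version, payload)]
    records, pos = [], 0
    while pos < len(data):
        ctype, version, length = data[pos], u16(data, pos + 1), u16(data, pos + 3)
        payload = data[pos + 5:pos + 5 + length]
        assert len(payload) == length, "truncated record at offset %d" % pos
        records.append((ctype, version, payload))
        pos += 5 + length
    return records

def parse_client_hello(hs):        # -> (client_version, [suite ids], {ext_type: body})
    assert hs[0] == 1, "handshake type %d is not ClientHello" % hs[0]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 35 + body[34]                          # skip version(2), random(32), session_id
    suites = [u16(body, i) for i in range(pos + 2, pos + 2 + u16(body, pos), 2)]
    pos += 2 + 2 * len(suites)
    pos += 1 + body[pos]                         # compression_methods
    exts, end, pos = {}, pos + 2 + u16(body, pos), pos + 2
    while pos < end:                             # type(2) length(2) data
        etype, elen = u16(body, pos), u16(body, pos + 2)
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return u16(body, 0), suites, exts

def diagnose(client_dump, server_dump):
    """Return what the captured exchange establishes about the failure."""
    sent = parse_records(hexdump_to_bytes(client_dump))
    got = parse_records(hexdump_to_bytes(server_dump))
    version, suites, exts = parse_client_hello(next(p for t, _, p in sent if t == 22))
    curves, sigalgs = (u16_list(exts.get(k, b"\0\0")) for k in (0x0A, 0x0D))
    alert = next(((p[0], p[1], ALERT_NAMES.get(p[1], "alert %d" % p[1])) for t, _, p in got if t == 21), None)
    report = {
        "client_version": version,
        "suite_count": len(suites),
        "ecdsa_suites": [ECDSA_SUITES[s] for s in suites if s in ECDSA_SUITES],
        "curves": [NAMED_CURVES.get(c, "curve %d" % c) for c in curves],
        "ecdsa_sigalg_offered": any((sa & 0xFF) == 3 for sa in sigalgs),   # low byte 3 = ecdsa
        "server_hello_seen": any(t == 22 for t, _, _ in got),
        "alert": alert,
    }
    report["verdict"] = (
        "fatal %s before any ServerHello or Certificate: the server rejected the offer outright "
        "(OpenSSL's usual 'no shared cipher'); check the connector cipher list and the EC key/cert "
        "files, not a client trust store, since no certificate was ever sent" % alert[2]
        if alert and not report["server_hello_seen"] else "no early abort; look at a later step")
    return report

if __name__ == "__main__":
    print(diagnose(CLIENT_HELLO_DUMP, SERVER_REPLY_DUMP))
```

Run as-is it prints the report for the quoted trace: 79 offered suites including all six ECDHE-ECDSA suites, secp256r1/384r1/521r1 among 25 curves, ECDSA signature algorithms offered, no ServerHello, and alert (2, 40, "handshake_failure"). To reuse it on a fresh failure, paste the `write to`/`read from` dump lines of a new `openssl s_client -debug` run into the two strings; the offset and ASCII columns are skipped by the regex, so the output can go in unchanged. The useful check is the order of records in the reply: an alert with no handshake record before it means the server never got as far as choosing a certificate to send, which is a different problem from a chain the client cannot verify.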