tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Kogan <a-ko...@northwestern.edu>
Subject Re: Problem configuring SSL
Date Tue, 07 Jan 2014 19:41:15 GMT
Gentlemen, thanks a lot for your help. I figured out what the problem was.
It was not related to tomcat configuration, but to my keystore. The reason
is that once you import a client certificate under the same alias as the
private pair, they both get merged under the same alias inside keystore.
Using keytool -delete command, meant to remove the certificate only,
deletes the private pair as well. I noticed that once I dumped keystore
content for my keystore and a keystore on one of my other servers. Luckily,
I had a backup of the keystore I made right after it was created. Importing
the certificates into that keystore resolved the issue.


On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Alex,
>
> On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > I have a strange problem configuring SSL to work with Tomcat.
> > Environment: Tomcat 7.0.42 CentOS 5.10 Java 1.7.0_45
> >
> > It's a new Tomcat installation. All keystore operations were done
> > with keytool. I imported CA root/intermediate certificate and
> > client certificate, configured SSL connector in server.xml. I have
> > this same setup on another server that works fine. Connecting to
> > this server via http works.
> >
> > 1. If I try to connect this address via https in Chrome I get:
> > "This Webpage is not available." In Firefox: "Error code:
> > ssl_error_no_cypher_overlap"
>
> Sounds familiar.
>
> Please post your <Connector> configuration(s) from your server.xml
> file. Remember to remove any sensitive information from the configuration.
>
> Also please post all of the startup messages from Tomcat's
> logs/catalina.out file: we need to see the versions of various things
> and what components (if any) suffer problems starting up.
>
> > 3. Here's a list of enabled ciphers using SSLInfo:
> >
> > #java -showversion SSLInfo
>
> Nice to see someone is getting some use out of that. ;)
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJSycfKAAoJEBzwKT+lPKRYBz0P/jDoaW+t7Zi1dCRp3zz/o1PS
> JXx0Pa61SkXQN4TgQFSyZ6seO1+IJjh1X1txiS81GOL3HZQCwZ9qbDfjOOKitynZ
> +d9Ky5R0UGUmG3/479ZFAIGfy8RXwtMJvoCpFo5dRA+ihevOzgzngGNzMdDm2KgC
> f8ZWIAue+9Hq9o0CBrjDxdYheyOgFbICzvC4YR/s5poxz3BhpGXNQVWyViyJzIo6
> bn7uLzSqaGeCtemMJeXgPJ27lNh5SnXRjUfUr9dvGF/QNrXTSYmoDlfgHSuzWCl8
> m18VrWdC8a76aQ0YW+0cIlX5TLDuQhBqsuVxNja+0GY2IP5+RBaF5LAsJ9sdTnBE
> /enlA8vvzYD8jZBGMvCkPAi7ZvG/amI6xw+QlaYeYTDqDfPUrM1ERZItg7l1fjaD
> SBVKaPCvtHN/IXVTDqDPfPS4v34yR+/MVwOFdiuagh3cRd/wt/WxbFC8jTFsktKB
> Yc87eh4Bwc24P6Kc74/l2+8LDFzwLGwSEGGm2c2h9fDu6OKbtF23B887ZsveWjyu
> RTlKcgsv8LzQi7SmnRH4S7A8KdfEv3Fh1rqLDbwzjaidoaHlDa/Rqo6zfBovCkiH
> 4z/QmVpI6sOh6IoULBxhOeqaubTvAvnErRTPeTSx5XPvJB9FwNHwGRwG6F+F3mV+
> VCpWYwQ3I2qGEm5RBvbh
> =9FS1
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


-- 
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University

a-kogan@northwestern.edu

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message