From: Christopher Schultz
Date: Tue, 07 Jan 2014 13:11:08 -0500
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: detailed APR/SSL logging
Sanaullah,

On 1/7/14, 8:06 AM, Sanaullah wrote:
> This issue is only with my ECC certificates. The whole
> configuration works pretty well with TLS1.2 when I am using the RSA
> certs. OpenSSL self-signed ECC certs are also working.
>
> On Tue, Jan 7, 2014 at 5:56 PM, Sanaullah wrote:
>
>> Here is my configuration. I am using OpenSSL. I haven't installed
>> any certificate in the JVM truststore.
>>
>>     maxThreads="150" scheme="https" secure="true" clientAuth="false"
>>     SSLProtocol="All"
>>     SSLCertificateChainFile="/home/san/certs/pay-test/chain.pem"
>>     SSLCertificateFile="/home/san/certs/pay-test/test.pem"
>>     SSLCertificateKeyFile="/home/san/certs/pay-test/test-key.pem"/>
>>
>> On Tue, Jan 7, 2014 at 5:44 PM, Martin Gainty wrote:
>>
>>>> Date: Tue, 7 Jan 2014 14:51:21 +0500
>>>> Subject: detailed APR/SSL logging
>>>> From: sanaullah82@gmail.com
>>>> To: users@tomcat.apache.org
>>>>
>>>> Hi,
>>>>
>>>> Anyone knows how I can get the detailed APR/SSL debug logs? I need
>>>> to know where my SSL session is getting broken; there is nothing
>>>> in the catalina.out log.
>>>>
>>>> usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ -nonaming ] { -help | start | stop }
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>>>> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1.
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener init
>>>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
>>>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
>>>> Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
>>>> INFO: Initializing ProtocolHandler ["http-apr-8080"]
>>>> Jan 07, 2014 1:43:12 AM org.apache.coyote.AbstractProtocol init
>>>> INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-8443"]
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.Catalina load
>>>> INFO: Initialization processed in 696 ms
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardService startInternal
>>>> INFO: Starting service Catalina
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.core.StandardEngine startInternal
>>>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
>>>> Jan 07, 2014 1:43:12 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/docs
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/manager
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/ROOT
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/host-manager
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.HostConfig deployDirectory
>>>> INFO: Deploying web application directory /opt/tomcat/apache-tomcat-7.0.47-src/output/build/webapps/examples
>>>> Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
>>>> INFO: Starting ProtocolHandler ["http-apr-8080"]
>>>> Jan 07, 2014 1:43:13 AM org.apache.coyote.AbstractProtocol start
>>>> INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-8443"]
>>>> Jan 07, 2014 1:43:13 AM org.apache.catalina.startup.Catalina start
>>>> INFO: Server startup in 935 ms
>>>>
>>>> ----------------------------------------------------------------------
>>>> Server looks up properly with OpenSSL and certs, but when I try to
>>>> connect to it with openssl s_client it's getting an error
>>>> ----------------------------------------------------------------------
>>>>
>>>> root@ubuntu:/home/san/certs/pay-test# openssl s_client -connect 127.0.0.1:8443 -tls1_2 -debug
>>>> CONNECTED(00000003)
>>>> write to 0x8a03258 [0x8a0cfe3] (319 bytes => 319 (0x13F))
>>>> 0000 - 16 03 01 01 3a 01 00 01-36 03 03 52 cb cd f1 45   ....:...6..R...E
>>>> 0010 - e9 1b fc 26 6f d9 b3 c7-90 58 88 80 92 eb 3f 57   ...&o....X....?W
>>>> 0020 - ab 9f be 49 2d 52 b4 1f-f1 c1 d6 00 00 9e c0 30   ...I-R.........0
>>>> 0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
>>>> 0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
>>>> 0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
>>>> 0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
>>>> 0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
>>>> 0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   .........g.@.3.2
>>>> 0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
>>>> 00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   .......<./...A..
>>>> 00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   ................
>>>> 00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6f   ...............o
>>>> 00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...........4.2..
>>>> 00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   ................
>>>> 00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
>>>> 0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
>>>> 0110 - 00 23 00 00 00 0d 00 22-00 20 06 01 06 02 06 03   .#.....". ......
>>>> 0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   ................
>>>> 0130 - 03 03 02 01 02 02 02 03-01 01 00 0f 00 01 01      ...............
>>>> read from 0x8a03258 [0x8a08a93] (5 bytes => 5 (0x5))
>>>> 0000 - 15 03 03 00 02                                    .....
>>>> read from 0x8a03258 [0x8a08a98] (2 bytes => 2 (0x2))
>>>> 0000 - 02 28                                             .(
>>>> 3074095420:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
>>>> 3074095420:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>>>> ---
>>>> no peer certificate available
>>>
>>> MG> did you install at least 1+ CA cert(s) to JVM truststore?
>>>
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 7 bytes and written 0 bytes
>>>> ---
>>>> New, (NONE), Cipher is (NONE)
>>>> Secure Renegotiation IS NOT supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : 0000
>>>
>>> MG> did you enable ALL ciphers for connector that is implementing protocol=TLSV1.2
>>>
>>>>     Session-ID:
>>>>     Session-ID-ctx:
>>>>     Master-Key:
>>>>     Key-Arg   : None
>>>>     PSK identity: None
>>>>     PSK identity hint: None
>>>>     SRP username: None
>>>>     Start Time: 1389088241
>>>>     Timeout   : 7200 (sec)
>>>>     Verify return code: 0 (ok)
>>>>
>>>> Regards,
>>>> San

On 1/5/14, 9:08 AM, Sanaullah wrote:
> most of the people puking here regarding the tlsv1.1 and tlsv1.2
> support in tomcat 7.0.47 or just trying themselves to look over smart.

I think I'm done puking on you for a while.

-chris
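The -debug output quoted in the thread is only a hex dump, so the question of what the client actually offered and what the server answered has to be read off by hand. The parser below is an added example written for this archive, not code from the thread or from Tomcat; the two dumps are transcribed from the quoted s_client output, the suite, curve and alert names are the RFC 5246 / RFC 4492 code points, and diagnose() is an illustrative helper, not an OpenSSL or Tomcat API.

```python
# Added example: decode the TLS records that `openssl s_client -debug`
# printed in the quoted post. The hex below is transcribed from that post;
# the name tables are RFC 5246 / RFC 4492 code points; diagnose() is an
# illustrative helper for this example only.
import struct

CLIENT_HELLO_HEX = """
16 03 01 01 3a 01 00 01 36 03 03 52 cb cd f1 45 e9 1b fc 26 6f d9 b3 c7 90 58 88 80 92 eb 3f 57
ab 9f be 49 2d 52 b4 1f f1 c1 d6 00 00 9e c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a c0 22 c0 21 00 a3
00 9f 00 6b 00 6a 00 39 00 38 00 88 00 87 c0 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 35
00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 2f c0 2b c0 27 c0 23 c0 13 c0 09
c0 1f c0 1e 00 a2 00 9e 00 67 00 40 00 33 00 32 00 9a 00 99 00 45 00 44 c0 31 c0 2d c0 29 c0 25
c0 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09
00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 6f 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e
00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05
00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0d 00 22 00 20 06 01 06 02 06 03
05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 01 01 00 0f 00 01 01
"""
# The server's reply: a 5-byte record header followed by a 2-byte alert body.
SERVER_ALERT_HEX = "15 03 03 00 02 02 28"

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error"}
CURVES = {19: "secp192r1", 21: "secp224r1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# ECDHE-ECDSA suites (RFC 4492 / RFC 5289) by IANA code point; these are the
# ones an ECC server certificate can be used with.
ECDSA_SUITES = {0xC009: "ECDHE-ECDSA-AES128-SHA", 0xC00A: "ECDHE-ECDSA-AES256-SHA",
                0xC023: "ECDHE-ECDSA-AES128-SHA256", 0xC024: "ECDHE-ECDSA-AES256-SHA384",
                0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384"}

def from_hex_dump(text):
    return bytes.fromhex("".join(text.split()))

def parse_records(data):
    """Split raw bytes into (content_type, version, payload) TLS records."""
    records, pos = [], 0
    while pos < len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record")
        records.append((ctype, (major, minor), payload))
        pos += 5 + length
    return records

def parse_client_hello(body):
    """Decode a ClientHello handshake message (RFC 5246 section 7.4.1.2)."""
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    p = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = (p[0], p[1])
    pos = 2 + 32                                  # version + client random
    pos += 1 + p[pos]                             # session id
    cs_len = struct.unpack_from("!H", p, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", p, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + p[pos]                             # compression methods
    info = {"version": version, "cipher_suites": suites, "curves": [], "sig_algs": []}
    if pos < len(p):
        end = pos + 2 + struct.unpack_from("!H", p, pos)[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", p, pos); pos += 4
            edata = p[pos:pos + elen]; pos += elen
            if etype == 10:                       # elliptic_curves / supported_groups
                n = struct.unpack_from("!H", edata, 0)[0]
                info["curves"] = [struct.unpack_from("!H", edata, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 13:                     # signature_algorithms
                n = struct.unpack_from("!H", edata, 0)[0]
                info["sig_algs"] = [(edata[2 + i], edata[3 + i]) for i in range(0, n, 2)]
    return info

def parse_alert(payload):
    return (ALERT_LEVELS.get(payload[0], str(payload[0])),
            ALERT_DESCRIPTIONS.get(payload[1], str(payload[1])))

def diagnose(client_hex, server_hex):
    """Summarise what the client offered and how the server answered."""
    hello = alert = None
    for ctype, _, payload in parse_records(from_hex_dump(client_hex)):
        if ctype == 22:                           # handshake
            hello = parse_client_hello(payload)
    for ctype, _, payload in parse_records(from_hex_dump(server_hex)):
        if ctype == 21:                           # alert
            alert = parse_alert(payload)
    if hello is None:
        raise ValueError("no ClientHello in client dump")
    return {
        "client_version": hello["version"],
        "suite_count": len(hello["cipher_suites"]),
        "ecdsa_suites_offered": [ECDSA_SUITES[s] for s in hello["cipher_suites"] if s in ECDSA_SUITES],
        "curves": [CURVES.get(c, hex(c)) for c in hello["curves"]],
        "ecdsa_sig_algs": [HASHES.get(h, str(h)) + "+" + SIGS[s] for h, s in hello["sig_algs"] if s == 3],
        "server_alert": alert,
    }

if __name__ == "__main__":
    for key, value in diagnose(CLIENT_HELLO_HEX, SERVER_ALERT_HEX).items():
        print(f"{key}: {value}")
```

Run as-is, it reports a TLS 1.2 ClientHello carrying 79 suites (six of them ECDHE-ECDSA), 25 named curves including secp256r1/384r1/521r1, SHA-2 ECDSA signature algorithms, and a server reply of fatal handshake_failure (alert 40). Per RFC 5246 section 7.2.2 that alert means the sender could not negotiate an acceptable set of parameters from what was offered, so with this ClientHello the refusal is the server's, not a gap in the client's offer; -debug on the client side cannot say why, which is exactly why the original question asked for server-side APR/SSL logging. The things to check on the server for an ECC certificate are whether the connector's SSLCipherSuite still admits ECDSA suites and whether the key file really belongs to the certificate (compare `openssl x509 -noout -pubkey -in test.pem` with `openssl ec -in test-key.pem -pubout`).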