Subject: Re: Problem configuring SSL
From: Alex Kogan
To: Tomcat Users List <users@tomcat.apache.org>
Date: Tue, 7 Jan 2014 14:41:15 -0500
In-Reply-To: <52C9C7CB.4010505@christopherschultz.net>

Gentlemen, thanks a lot for your help.

I figured out what the problem was. It was not related to the Tomcat configuration, but to my keystore. The reason is that once you import a client certificate under the same alias as the private pair, they both get merged under the same alias inside the keystore. Using the keytool -delete command, meant to remove the certificate only, deletes the private pair as well. I noticed that once I dumped the keystore content for my keystore and a keystore on one of my other servers. Luckily, I had a backup of the keystore I made right after it was created. Importing the certificates into that keystore resolved the issue.

On Sun, Jan 5, 2014 at 3:59 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

> Alex,
>
> On 1/5/14, 12:30 PM, Alex Kogan wrote:
> > I have a strange problem configuring SSL to work with Tomcat.
> > Environment: Tomcat 7.0.42, CentOS 5.10, Java 1.7.0_45
> >
> > It's a new Tomcat installation. All keystore operations were done
> > with keytool. I imported the CA root/intermediate certificate and
> > the client certificate, and configured the SSL connector in server.xml.
> > I have this same setup on another server that works fine. Connecting
> > to this server via http works.
> >
> > 1. If I try to connect to this address via https in Chrome I get:
> > "This Webpage is not available." In Firefox: "Error code:
> > ssl_error_no_cypher_overlap"
>
> Sounds familiar.
>
> Please post your <Connector> configuration(s) from your server.xml
> file. Remember to remove any sensitive information from the configuration.
>
> Also please post all of the startup messages from Tomcat's
> logs/catalina.out file: we need to see the versions of various things
> and what components (if any) suffer problems starting up.
>
> > 3. Here's a list of enabled ciphers using SSLInfo:
> >
> > #java -showversion SSLInfo
>
> Nice to see someone is getting some use out of that. ;)
>
> -chris

-- 
Software Engineer
Department of Psychiatry and Behavioral Sciences
Northwestern University
a-kogan@northwestern.edu
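The keystore mistake Alex describes is easy to reproduce, and the reproduction doubles as the check you want before touching a production keystore. The script below is an added example written for this page, not something posted in the thread; the aliases (tomcat, root, ca), the password changeit, the DNs and the temporary paths are all made up, and it assumes a JDK 7 or later keytool on PATH (keytool -gencert, used here to stand in for the commercial CA, arrived in JDK 7). It builds a server key pair, takes the backup Alex was lucky to have, signs a CSR with a throwaway CA, imports the root under its own alias and the signed reply under the key's alias, then shows with keytool -list that the entry is still one PrivateKeyEntry whose chain length went from 1 to 2, that -delete on that alias drops the private key along with the certificate, and that restoring the backup brings the key back. keytool has no command that strips only the chain from a key entry; to change the chain you import another reply, and to undo a bad import you restore a backup.

```shell
#!/bin/sh
# Added example: reproduce the keytool alias trap from the thread.
# Importing a CA-signed certificate under the alias of an existing private
# key replaces that entry's certificate chain; the entry stays a single
# PrivateKeyEntry, so `keytool -delete -alias <that alias>` removes the
# private key together with the certificate.
# Aliases, password, DNs and paths below are invented for the demo.
set -eu

PASS=changeit   # demo-only password, equal for store and key

# Print how many PrivateKeyEntry entries a keystore holds.
key_entries() {
  keytool -list -keystore "$1" -storepass "$PASS" 2>/dev/null \
    | grep -c 'PrivateKeyEntry' || true
}

# Print the certificate chain length of one alias; 0 when the alias is gone.
chain_length() {
  len=$(keytool -list -v -alias "$2" -keystore "$1" -storepass "$PASS" 2>/dev/null \
    | sed -n 's/^Certificate chain length: *//p' | head -n 1)
  echo "${len:-0}"
}

# Build the server keystore the way the thread describes and print its path.
# A <path>.bak copy taken right after key generation sits beside it.
setup_signed_keystore() {
  work=$(mktemp -d)
  ks="$work/tomcat.jks"
  ca="$work/ca.jks"

  # 1. Server key pair under alias "tomcat": the entry that must survive.
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname 'CN=tomcat.example.test' -keystore "$ks" \
    -storepass "$PASS" -keypass "$PASS" >/dev/null
  # 2. Backup before any certificate import (what saved the original poster).
  cp "$ks" "$ks.bak"

  # 3. Throwaway CA playing the role of the real issuer.
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 -ext bc:c \
    -dname 'CN=Demo Root CA' -keystore "$ca" \
    -storepass "$PASS" -keypass "$PASS" >/dev/null
  keytool -exportcert -rfc -alias ca -keystore "$ca" -storepass "$PASS" \
    -file "$work/ca.pem" >/dev/null

  # 4. CSR from the server key, signed by the demo CA.
  keytool -certreq -alias tomcat -keystore "$ks" -storepass "$PASS" \
    -file "$work/tomcat.csr" >/dev/null
  keytool -gencert -rfc -alias ca -keystore "$ca" -storepass "$PASS" \
    -infile "$work/tomcat.csr" -outfile "$work/tomcat.pem" >/dev/null

  # 5. Root under its own alias first, then the reply under the KEY's alias.
  #    The reply replaces the chain of "tomcat"; no second entry is created.
  keytool -importcert -noprompt -alias root -file "$work/ca.pem" \
    -keystore "$ks" -storepass "$PASS" >/dev/null
  keytool -importcert -noprompt -alias tomcat -file "$work/tomcat.pem" \
    -keystore "$ks" -storepass "$PASS" >/dev/null
  echo "$ks"
}

# The mistake: "removing the certificate" by deleting its alias.
delete_alias() {
  keytool -delete -alias "$2" -keystore "$1" -storepass "$PASS" >/dev/null
}

# The recovery: put the pre-import backup back (then re-import root and reply).
restore_backup() {
  cp "$1.bak" "$1"
}

if command -v keytool >/dev/null 2>&1; then
  KS=$(setup_signed_keystore)
  echo "after import : PrivateKeyEntry count=$(key_entries "$KS"), chain length of tomcat=$(chain_length "$KS" tomcat)"
  delete_alias "$KS" tomcat
  echo "after -delete: PrivateKeyEntry count=$(key_entries "$KS") (key gone; only the root trustedCertEntry is left)"
  restore_backup "$KS"
  echo "after restore: PrivateKeyEntry count=$(key_entries "$KS"), chain length=$(chain_length "$KS" tomcat) (self-signed again)"
else
  echo "keytool not found on PATH; nothing to run" >&2
fi
```

Run it as-is and read the three lines it prints; the same two numbers (PrivateKeyEntry count and "Certificate chain length" from keytool -list -v -alias) are the check to record before and after any import or delete on a real Tomcat keystore. A keystore that has lost its PrivateKeyEntry leaves the JSSE connector with no server key to offer for any cipher suite, which is consistent with the handshake failure Firefox reported in the original question as ssl_error_no_cypher_overlap, even though server.xml is unchanged.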