tomcat-users mailing list archives

From Arseny <setev...@gmail.com>
Subject Re: Tomcat 5.5 vs 7.0 SSL
Date Mon, 02 Jun 2014 17:55:11 GMT
On 02.06.2014 19:56, Christopher Schultz wrote:
> Арсений,
>
> On 6/2/14, 10:24 AM, Арсений Зинченко wrote:
>> Hi.
>>
>> Faced with very odd behavior of Tomcat 7...
>>
>> Have two instances on same box - Tomcat 5.5 and Tomcat 7.
>>
>> Both have same configuration - first from 5.5:
>>
>> <Connector port="${port.https}" maxHttpHeaderSize="8192"
>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
>> scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
>> keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
>> keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
>> truststorePass="pass" />
>>
>> Next - from 7.0:
>>
>> <Connector port="${port.https}" protocol="HTTP/1.1"
>> SSLEnabled="true" enableLookups="false"
>> disableUploadTimeout="true" scheme="https" secure="true"
>> clientAuth="want" sslProtocol="TLS"
>> keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
>> keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
>> truststorePass="pass" />
>>
>> Also - both are configured for CLIENT-CERT authentication (same
>> application with the same web.xml).
>>
>> The cert is installed in the browser, but when I try to open a
>> connection to Tomcat 7 I get 401 - Cannot authenticate with the
>> provided credentials, and there is no authentication attempt in the log:
>>
>> 10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] "GET /service/
>> HTTP/1.1" 401 1049
>>
>> But the connection to 5.5 is successful with the same browser &&
>> certificate.
>>
>> Also, in ssldump I see that the browser can't complete the "handshake"
>> with the 7.0 server:
>>
>> 1 2  0.0317 (0.0308)  S>C  Handshake ServerHello Version 3.1
>> session_id[32]= 53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3 cb
>> 74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76 cipherSuite
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA compressionMethod
>> NULL Certificate ServerKeyExchange CertificateRequest
>> certificate_types                   rsa_sign certificate_types
>> dss_sign certificate_authority 30 62 31 0b 30 09 06 03 55 04 06 13
>> 02 55 41 31 10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77 6e 31
>> 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 31 0f 30 0d 06 03 55 04
>> 0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55 04 0b 13 03 4c 4d
>> 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 65 6e 6b 6f
>> certificate_authority 30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41
>> 31 // and that's all
>>
>> But on 5.5 everything is OK:
>>
>> 1 2  0.0213 (0.0195)  S>C  Handshake ServerHello Version 3.1
>> session_id[32]= 53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68 0d
>> 1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f cipherSuite
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA compressionMethod
>> NULL Certificate ServerKeyExchange ServerHelloDone 1 3  0.0256
>> (0.0042)  C>S  Handshake ClientKeyExchange
>> DiffieHellmanClientPublicValue[96]= 4a 39 5e f5 2a c1 58 13 6b 7c
>> 98 0b 44 d7 9a 42 bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5
>> 81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67 1f 4e 18 01 db f2
>> 9d 07 0b 81 12 39 64 62 83 84 78 dc 36 9b 00 34 f5 34 44 2d 92 eb
>> d9 f6 b0 7e c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e
>>
>> What am I doing wrong?
> Anything in the catalina.out or other log files in logs/* ?
>
> Are both Tomcats running on the same server?
>
> In the Tomcat 7 case, does ssldump tell you whether the S>C has hung?
> Can you tell if the TCP message is incomplete? Can you get a thread
> dump on the Tomcat 7 side?
>
> The configuration itself looks okay to me.
>
> -chris

Hi, Chris.

Thanks for the reply, and sorry for taking your time - it was my error in
server.xml - I had included the ojdbc Realm in the wrong place (outside the Host element).

I think so... Because I did a lot of experiments today trying to fix it...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
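Added example (not code from the thread or from Tomcat): a small Python check that flags the two misconfigurations this thread turns on, a Realm that Tomcat does not consult because it is nested outside Engine, Host or Context (the poster's root cause) and an https connector that lacks the Tomcat 7 SSLEnabled="true" attribute. The sample server.xml, its JDBC attribute values and the port are constructed; passwords are placeholders.

```python
import xml.etree.ElementTree as ET

# Tomcat only consults a Realm nested in one of these containers; a Realm
# placed anywhere else (e.g. directly under <Server>) is silently ignored.
REALM_PARENTS = {"Engine", "Host", "Context"}

# Constructed sample (not the poster's file): connector attributes follow the
# Tomcat 7 snippet from the thread, passwords are placeholders, and the
# JDBCRealm is deliberately misplaced directly under <Server>.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="oracle.jdbc.OracleDriver"
         connectionURL="jdbc:oracle:thin:@dbhost:1521:ORCL"
         connectionName="PLACEHOLDER" connectionPassword="PLACEHOLDER"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="want"
               sslProtocol="TLS" keystoreFile="conf/.ssl/tomcat.jks"
               keyAlias="tomcat" keystorePass="PLACEHOLDER"
               truststoreFile="conf/.ssl/trustcacerts.jks"
               truststorePass="PLACEHOLDER"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

def check_server_xml(xml_text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for realm in root.iter("Realm"):
        parent = parent_of.get(realm)
        if parent is not None and parent.tag == "Realm":
            continue  # nested in CombinedRealm/LockOutRealm: allowed
        if parent is None or parent.tag not in REALM_PARENTS:
            where = parent.tag if parent is not None else "document root"
            findings.append(f"Realm {realm.get('className', '?')} sits under "
                            f"<{where}>; move it into Engine, Host or Context")
    for conn in root.iter("Connector"):
        if conn.get("scheme") == "https" and conn.get("SSLEnabled", "").lower() != "true":
            findings.append(f"Connector port={conn.get('port')} has scheme=https "
                            f'but no SSLEnabled="true" (Tomcat 7 would serve plain HTTP)')
    return findings
```

Run it against a real conf/server.xml by reading the file into check_server_xml; the sample above yields exactly one finding, the misplaced Realm.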

