From: Arseny
To: Tomcat Users List
Subject: Re: Tomcat 5.5 vs 7.0 SSL
Date: Mon, 02 Jun 2014 20:55:11 +0300
Message-ID: <538CBA7F.6020205@gmail.com>
In-Reply-To: <538CACA2.50807@christopherschultz.net>

02.06.2014 19:56, Christopher Schultz wrote:
> Арсений,
>
> On 6/2/14, 10:24 AM, Арсений Зинченко wrote:
>> Hi.
>>
>> Faced with very odd behavior of Tomcat 7...
>>
>> Have two instances on the same box - Tomcat 5.5 and Tomcat 7.
>>
>> Both have the same configuration - first from 5.5:
>>
>>     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>     enableLookups="false" disableUploadTimeout="true" acceptCount="100"
>>     scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
>>     keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
>>     keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
>>     truststorePass="pass" />
>>
>> Next - from 7.0:
>>
>>     SSLEnabled="true" enableLookups="false"
>>     disableUploadTimeout="true" scheme="https" secure="true"
>>     clientAuth="want" sslProtocol="TLS"
>>     keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
>>     keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
>>     truststorePass="pass" />
>>
>> Also - both are configured for CLIENT-CERT authentication (same
>> application with the same web.xml).
>>
>> The certificate is installed in the browser, but when I try to open a
>> connection to the Tomcat 7 I get 401 - Cannot authenticate with the
>> provided credentials - and no authentication attempt in the log:
>>
>> 10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] "GET /service/ HTTP/1.1" 401 1049
>>
>> But the connection to 5.5 is successful with the same browser &&
>> certificate.
>>
>> Also, in ssldump I see that the browser can't complete the "handshake"
>> with the 7.0 server:
>>
>> 1 2  0.0317 (0.0308)  S>C  Handshake
>>       ServerHello
>>         Version 3.1
>>         session_id[32]=
>>           53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3 cb
>>           74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76
>>         cipherSuite         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>>         compressionMethod   NULL
>>       Certificate
>>       ServerKeyExchange
>>       CertificateRequest
>>         certificate_types   rsa_sign
>>         certificate_types   dss_sign
>>         certificate_authority
>>           30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31 10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77 6e 31
>>           0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66 74 31 0c 30
>>           0a 06 03 55 04 0b 13 03 4c 4d 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 65 6e 6b 6f
>>         certificate_authority
>>           30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
>> // and that's all
>>
>> But on 5.5 - everything OK:
>>
>> 1 2  0.0213 (0.0195)  S>C  Handshake
>>       ServerHello
>>         Version 3.1
>>         session_id[32]=
>>           53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68 0d
>>           1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f
>>         cipherSuite         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>>         compressionMethod   NULL
>>       Certificate
>>       ServerKeyExchange
>>       ServerHelloDone
>> 1 3  0.0256 (0.0042)  C>S  Handshake
>>       ClientKeyExchange
>>         DiffieHellmanClientPublicValue[96]=
>>           4a 39 5e f5 2a c1 58 13 6b 7c 98 0b 44 d7 9a 42 bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5
>>           81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67 1f 4e 18 01 db f2 9d 07 0b 81 12 39 64 62 83 84 78 dc 36 9b 00 34 f5 34 44 2d 92 eb
>>           d9 f6 b0 7e c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e
>>
>> What am I doing wrong?
>
> Anything in the catalina.out or other log files in logs/* ?
>
> Are both Tomcats running on the same server?
>
> In the Tomcat 7 case, does ssldump tell you whether the S>C has hung?
> Can you tell if the TCP message is incomplete? Can you get a thread
> dump on the Tomcat 7 side?
>
> The configuration itself looks okay to me.
>
> -chris

Hi, Chris.

Thanks for the reply, and sorry for taking your time - it was my error in
server.xml: I had included the ojdbc Realm in the wrong place (out of the
Host element). I think so... because I did a lot of experiments today
trying to fix it...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
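The ssldump trace quoted above shows the Tomcat 7 CertificateRequest carrying two certificate_authority entries, which are the DER-encoded subject names of the CAs in trustcacerts.jks: the browser will only offer a client certificate whose chain ends at one of those names, and with clientAuth="want" the handshake still completes without one, so the 401 then comes from the CLIENT-CERT authenticator rather than from TLS. Decoding those names is a quick way to tell a truststore mismatch apart from a realm or web.xml problem (the cause in this thread). The following Python is an added example, not code from the thread, from Tomcat or from ssldump; the two hex dumps are copied from the quoted trace, and the function names and the OID table are this example's own. It also handles the second, cut-off name, reporting what could be read before the capture ended.

```python
"""Decode the certificate_authority names ssldump prints in a TLS
CertificateRequest (DER X.500 Names) so they can be compared with the
issuer of the client certificate. Added example; only the two hex dumps
come from the thread."""

# DER Names copied from the Tomcat 7 CertificateRequest in the thread.
CA_DN_COMPLETE = (
    "30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31 10 30 0e 06 03 55 04 08 "
    "13 07 55 6e 6b 6e 6f 77 6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 "
    "31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55 "
    "04 0b 13 03 4c 4d 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 "
    "65 6e 6b 6f"
)
# ssldump's capture of the second name stops here ("and that's all").
CA_DN_TRUNCATED = "30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31"

# Common X.520 attribute types; any other OID is shown in dotted form.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}


class Truncated(Exception):
    """The buffer ended before the DER structure it describes did."""


def _tlv(buf: bytes, pos: int, strict: bool = True):
    """Read a DER tag and length at pos; return (tag, value_start, value_end).
    With strict=True a value running past the buffer raises Truncated."""
    if pos + 2 > len(buf):
        raise Truncated
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if pos + n > len(buf):
            raise Truncated
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if strict and end > len(buf):
        raise Truncated
    return tag, pos, end


def _oid(raw: bytes) -> str:
    """Decode an OBJECT IDENTIFIER body; the first octet packs two arcs."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(hex_dump: str):
    """Decode a Name (SEQUENCE OF SET OF AttributeTypeAndValue) from ssldump's
    space-separated hex. Returns (rdns, complete): rdns is the list of
    (attribute, value) pairs read so far; complete is False if the dump ended
    early, as the second name in the thread does."""
    buf = bytes.fromhex("".join(hex_dump.split()))
    rdns, complete = [], True
    try:
        tag, pos, end = _tlv(buf, 0, strict=False)
        if tag != 0x30:
            raise ValueError("Name must start with a SEQUENCE (0x30)")
        if end > len(buf):                 # outer SEQUENCE promises more than was captured
            complete, end = False, len(buf)
        while pos < end:
            set_tag, p, set_end = _tlv(buf, pos)
            if set_tag != 0x31:
                raise ValueError("each RDN must be a SET (0x31)")
            while p < set_end:             # normally one AttributeTypeAndValue per RDN
                _, atv_start, atv_end = _tlv(buf, p)
                _, oid_start, oid_end = _tlv(buf, atv_start)
                val_tag, val_start, val_end = _tlv(buf, oid_end)
                oid = _oid(buf[oid_start:oid_end])
                # 0x0C is UTF8String; PrintableString/IA5String/T61String fit latin-1
                value = buf[val_start:val_end].decode("utf-8" if val_tag == 0x0C else "latin-1")
                rdns.append((OID_NAMES.get(oid, oid), value))
                p = atv_end
            pos = set_end
    except Truncated:
        complete = False
    return rdns, complete


def format_name(rdns) -> str:
    """Render the RDNs in DER order, e.g. 'C=UA, ST=Unknown, ...'."""
    return ", ".join(f"{attr}={value}" for attr, value in rdns)


if __name__ == "__main__":
    for label, dump in (("first CA", CA_DN_COMPLETE), ("second CA", CA_DN_TRUNCATED)):
        rdns, complete = decode_name(dump)
        print(f"{label}: {format_name(rdns)}" + ("" if complete else "  [truncated]"))
```

Run it and compare the printed names with the issuer DN of the certificate installed in the browser (keytool -printcert shows it); if the issuer is not among the names the server advertises, the browser will silently send no certificate, and with clientAuth="want" the server will never log an authentication attempt. The second entry decodes only as far as C=UA because the capture stops there, which the complete flag makes explicit instead of silently returning a partial name.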