tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Issue in setting up SHA2 certificate with tomcat6
Date Sun, 17 May 2015 13:45:19 GMT

Pavan,

(Note: only a single post is necessary)

On 5/15/15 10:28 PM, Pavan Kasarla wrote:
> I am trying to configure SHA2 algorithm certificates with tomcat6
> in centos 6. I have created a keystore of format "JKS" using
> keytool and imported the certificate and intermediates to the
> keystore. When I restart Tomcat, the logs do not show any kind of
> errors; it starts up normally, but when I try to connect to the host
> from a browser it shows the following error
> 
> 
> my system configuration
> 
> OS : centos tomcat 6

Specifically, which Tomcat version are you using?

> java1.7.x
> 
> In chrome Version 39.0.2171.71 (64-bit)
> 
> SSL connection error: Unable to make a secure connection
> to the server. This may be a problem with the server, or it may be
> requiring a client authentication certificate that you don't have.
> Error code: ERR_SSL_PROTOCOL_ERROR
> 
> 
> In firefox it shows Cannot communicate securely with peer: no
> common encryption algorithm(s). (Error code:
> ssl_error_no_cypher_overlap)
> 
> tomcat configuration for the certificate in server.xml
> 
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            disableUploadTimeout="true" acceptCount="100" scheme="https"
>            secure="true" SSLEnabled="true"
>            keystoreFile="/etc/tomcat6/xxxxx.jks" keystorePass="xxxxxx"
>            clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
> />
> 
> When I change the Tomcat keystore to another certificate with the
> SHA1 algorithm, everything works fine.

So the only difference is SHA1 versus SHA2 hash on the certificate?

Java 1.7 handles both of those without a problem.

Can you try connecting to your server using OpenSSL's s_client program?

$ openssl s_client -connect hostname:443
CONNECTED(00000003)
depth=1 [cert subject]
---
Certificate chain
 [cert chain]
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
[cert info]
---
No client certificate CA names sent
---
SSL handshake has read 3601 bytes and written 700 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID:
5712CBF2C60CFB9DDD456DA9E67B1F6CDD5FDE12178266E5AB0888CF21859B8A
    Session-ID-ctx:
    Master-Key:
2EFB02FD1F605120E55D3C293CE9E5CE5076CBA1E286A91EB271F7D145825CE441EF2614
B9E0CB743C690DC4E45262CF
    Key-Arg   : None
    Start Time: 1431870170
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

At the bottom, you can see the connection information that was
negotiated with the server. s_client has options to allow you to set
the protocol(s) supported, the cipher(s) supported, etc. Perhaps you
can narrow down the problem.

-chris
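As an added example (not part of Chris's reply, nor Tomcat's own tooling), a small POSIX shell script that does the narrowing-down suggested above: it runs openssl s_client once per protocol version listed in the connector's sslEnabledProtocols and reports the negotiated protocol and cipher, or FAIL, so a "no cipher overlap" error can be pinned to a specific version. The host and port are arguments you supply; the two sample session blocks inside are constructed for a dry run.

```shell
#!/bin/sh
# Added example: probe which protocol version and cipher a TLS server will
# actually negotiate, one openssl s_client run per protocol version.
# The host and port are supplied by the caller; the sample outputs below
# are constructed, not captured from a real server.

# Read s_client output on stdin and print "PROTOCOL CIPHER", or "FAIL" when
# no session was established (older OpenSSL prints "Cipher : 0000" then).
parse_s_client() {
  awk '
    /^ *Protocol *:/ { proto = $3 }
    /^ *Cipher *:/   { cipher = $3 }
    END {
      if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)")
        print "FAIL"
      else
        print proto " " cipher
    }'
}

# One handshake attempt restricted to a single protocol version flag
# (-tls1, -tls1_1 or -tls1_2) and, optionally, an OpenSSL cipher list.
probe() {
  openssl s_client -connect "$1:$2" "$3" -cipher "${4:-DEFAULT}" \
    </dev/null 2>/dev/null | parse_s_client
}

# Repeat for every protocol the connector's sslEnabledProtocols claims to enable.
probe_all() {
  for flag in -tls1 -tls1_1 -tls1_2; do
    printf '%-8s %s\n' "$flag" "$(probe "$1" "$2" "$flag")"
  done
}

# Constructed sample outputs (abridged s_client session blocks) for a dry run.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 0 (ok)'
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh probe.sh hostname [port]; with no arguments, just parse the samples.
if [ $# -ge 1 ]; then
  probe_all "$1" "${2:-8443}"
else
  printf '%s\n' "$SAMPLE_OK" | parse_s_client
  printf '%s\n' "$SAMPLE_FAIL" | parse_s_client
fi
```

If every version reports FAIL while the SHA1 keystore works, the protocol list is not the culprit and the key or certificate in the SHA2 keystore is the next thing to check; if only some versions fail, compare those against sslEnabledProtocols.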


