From: Christopher Schultz
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Issue in setting up SHA2 certificate with tomcat6
Date: Sun, 17 May 2015 09:45:19 -0400
Message-id: <55589B6F.2030508@christopherschultz.net>
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm

Pavan,

(Note: only a single post is necessary)

On 5/15/15 10:28 PM, Pavan Kasarla wrote:
> I am trying to configure SHA2 algorithm certificates with tomcat6
> in centos 6. I have created a keystore of format "JKS" using
> keytool and imported the certificate and intermediates to the
> keystore. When I restart the tomcat, logs do not show any kind of
> errors, it starts up normally, but when I try to connect to the host from
> a browser it shows the following error.
>
> My system configuration:
>
> OS : centos tomcat 6

Specifically, which Tomcat version are you using?

> java1.7.x
>
> In chrome Version 39.0.2171.71 (64-bit):
>
> SSL connection error
> Unable to make a secure connection to the server. This may be a
> problem with the server, or it may be requiring a client
> authentication certificate that you don't have.
> Error code: ERR_SSL_PROTOCOL_ERROR
>
> In firefox it shows:
>
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)
>
> tomcat configuration for the certificate in server.xml:
>
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
>            minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>            disableUploadTimeout="true" acceptCount="100" scheme="https"
>            secure="true" SSLEnabled="true"
>            keystoreFile="/etc/tomcat6/xxxxx.jks" keystorePass="xxxxxx"
>            clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
>            />
>
> When I change the tomcat keystore to other certificates with the
> SHA1 algorithm, everything works fine.

So the only difference is SHA1 versus SHA2 hash on the certificate?
Java 1.7 handles both of those without a problem.

Can you try connecting to your server using OpenSSL's s_client program?

$ openssl s_client -connect hostname:443
CONNECTED(00000003)
depth=1 [cert subject]
---
Certificate chain
[cert chain]
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
[cert info]
---
No client certificate CA names sent
---
SSL handshake has read 3601 bytes and written 700 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5712CBF2C60CFB9DDD456DA9E67B1F6CDD5FDE12178266E5AB0888CF21859B8A
    Session-ID-ctx:
    Master-Key: 2EFB02FD1F605120E55D3C293CE9E5CE5076CBA1E286A91EB271F7D145825CE441EF2614B9E0CB743C690DC4E45262CF
    Key-Arg   : None
    Start Time: 1431870170
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

At the bottom, you can see the connection information that was
negotiated with the server. s_client has options to allow you to set
the protocol(s) supported, the cipher(s) supported, etc. Perhaps you
can narrow down the problem.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
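The reply above suggests using s_client's protocol and cipher options to narrow down a "no cipher overlap" failure, but shows only one unconstrained connection. The script below is an added example written for this page; it is not part of Christopher Schultz's reply or of Tomcat. It runs one `openssl s_client` attempt per protocol version, then one per cipher family on TLSv1.2, and for each attempt either reads back the `Protocol`/`Cipher` lines from the `SSL-Session:` block (the lines the reply points at) or classifies why the handshake failed. The host, port 8443 and the cipher names in the sweep are assumptions for illustration; the sample transcript used for the self-check is constructed from the output quoted in the reply.

```shell
#!/bin/sh
# tls_probe.sh: narrow down ERR_SSL_PROTOCOL_ERROR / ssl_error_no_cypher_overlap by
# forcing openssl s_client to a single protocol version (and optionally a single
# cipher list) per attempt, then reporting what was negotiated or why it failed.
# Added example for this page; host/port/cipher lists are assumptions.

# Extract the negotiated "Protocol" and "Cipher" from an s_client transcript.
# Only the "  Protocol  : X" / "  Cipher    : Y" lines under SSL-Session: match;
# the earlier "New, TLSv1/SSLv3, Cipher is ..." line does not (no colon).
parse_negotiated() {
  printf '%s\n' "$1" | awk -F': *' '
    /^[ \t]*Protocol[ \t]*:/ { proto  = $2 }
    /^[ \t]*Cipher[ \t]*:/   { cipher = $2 }
    END { print proto, cipher }'
}

# Turn s_client's error text into a one-line diagnosis. A server that has no
# cipher it can use with the offered protocol answers with a handshake_failure
# alert, which is what Firefox reports as "no cypher overlap".
classify_failure() {
  case "$1" in
    *"handshake failure"*)                      echo "no common cipher/protocol (server sent handshake_failure alert)" ;;
    *"no protocols available"*|*"unsupported protocol"*) echo "that TLS version is disabled in the local openssl build/config" ;;
    *"unknown option"*|*"Unknown option"*)      echo "this openssl build does not know that flag" ;;
    *"Connection refused"*|*"connect:errno"*)   echo "nothing listening on that host:port" ;;
    *)                                          echo "handshake failed (inspect the full transcript)" ;;
  esac
}

# One attempt. $1 host, $2 port, $3 protocol flag (tls1 | tls1_1 | tls1_2),
# $4 optional cipher list. Prints one summary line.
probe_once() {
  host=$1; port=$2; proto=$3; ciphers=${4:-}
  set -- -connect "$host:$port" -servername "$host" "-$proto"
  if [ -n "$ciphers" ]; then
    set -- "$@" -cipher "$ciphers"
  fi
  # 'Q' on stdin makes s_client close right after the handshake instead of waiting.
  if out=$(printf 'Q\n' | openssl s_client "$@" 2>&1); then
    printf '%-8s %-30s OK    %s\n' "$proto" "${ciphers:-(default)}" "$(parse_negotiated "$out")"
  else
    printf '%-8s %-30s FAIL  %s\n' "$proto" "${ciphers:-(default)}" "$(classify_failure "$out")"
  fi
}

# Full sweep: each protocol version alone, then individual cipher families on
# TLSv1.2. A server that fails every row but succeeds for, say, AES128-SHA only
# is advertising a much narrower cipher set than the browser expects.
probe_tls() {
  host=$1; port=${2:-8443}   # 8443 matches the Connector quoted in the thread (assumed)
  for proto in tls1 tls1_1 tls1_2; do
    probe_once "$host" "$port" "$proto"
  done
  for c in 'ECDHE-RSA-AES128-GCM-SHA256' 'DHE-RSA-AES128-SHA' 'AES128-SHA' 'RC4-SHA'; do
    probe_once "$host" "$port" tls1_2 "$c"
  done
}

# Usage: sh tls_probe.sh your.host.example 8443
if [ -n "${1:-}" ]; then
  probe_tls "$1" "${2:-8443}"
fi
```

A row that fails for every protocol version while the same port answers with a SHA-1 keystore points at the server side rather than the browser; in that case also confirm with `keytool -list -v -keystore /path/to/store.jks` that the store holds a PrivateKeyEntry for the server certificate and not only trustedCertEntry items, because JSSE cannot offer any RSA cipher suite without a private key to go with the certificate. Note also that the transcript quoted in the reply negotiated TLSv1 with RC4-SHA; RC4 has since been prohibited for TLS (RFC 7465) and current browsers will not negotiate it, so a server that only offers RC4 suites produces exactly the "no cipher overlap" symptom.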