tomcat-users mailing list archives

From Sanaullah <sanaulla...@gmail.com>
Subject Re: FIPS compliancy on Tomcat 7.00.062
Date Wed, 05 Aug 2015 10:58:21 GMT
Run this command with debugging prints:

openssl s_client -connect 16.183.93.84:8444 -debug -msg

> Protocol  : TLSv1.2
> Cipher    : 0000

It seems something is broken, as there is no Cipher.

Regards,
Sanaullah



On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny <nikki.benny@gmail.com> wrote:

> Hi Mark, Sanaullah,
>
> Thank you for your valuable suggestion.
>
> I just ran the openssl s_client scan, and it looks like the server side is
> running fine on the TLSv1.2 protocol.
>
> [root]## openssl s_client -connect 16.183.93.84:8444
> CONNECTED(00000003)
> - - -  - -  - -
> - - -  - -  - -
> - - -  - -  - -
> - - -  - -  - -
>
> 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> d/A4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1438771286
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> So could it be an issue with the browser?
> Since the browser is not FIPS compliant, could it be the reason for the
> issue?
>
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah <sanaullah82@gmail.com> wrote:
>
> > Hi Nikitha,
> >
> > Run the sslscan tool from the command line, or openssl s_client in debug
> > mode:
> > https://github.com/rbsec/sslscan
> >
> > Regards,
> > Sanaullah
> >
> > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny <nikki.benny@gmail.com>
> > wrote:
> >
> > > Hi Mark,
> > >
> > > My server is not on a public domain.
> > > How can I verify the setup, which is on a private network?
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas <markt@apache.org> wrote:
> > >
> > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > Hi Mark,
> > > > >
> > > > > When I try to run Tomcat on the https server port:
> > > > >
> > > > > https://<ip address>:8444/
> > > > >
> > > > > It says as below:
> > > > > ----------
> > > > >
> > > > > SSL connection error
> > > > >
> > > > > ERR_SSL_PROTOCOL_ERROR
> > > > >
> > > > > Unable to make a secure connection to the server. This may be a
> > > > > problem with the server, or it may be requiring a client authentication
> > > > > certificate that you don't have
> > > > > ----------
> > > >
> > > > That is the client side. What about server side logs?
> > > >
> > > > > We have set the client authentication to False, so it does not need
> > > > > any client authorized certificate.
> > > >
> > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > server. That will tell you if you have a server side issue, a client
> > > > side issue or simply a mismatch between the two.
> > > >
> > > > Mark
> > > >
> > > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.benny@gmail.com>
> > > > > wrote:
> > > > >
> > > > >>> But still Tomcat does not run on the https port.
> > > > >>
> > > > >> As in, when we run Tomcat on the https server port it does not
> > > > >> display the page.
> > > > >> Whereas it goes through fine on the http port. The url opens.
> > > > >>
> > > > >>
> > > > >>
> > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas <markt@apache.org> wrote:
> > > > >>
> > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > > >>>> Hello Mark,
> > > > >>>>
> > > > >>>> Thanks for your valuable suggestion.
> > > > >>>>
> > > > >>>> We were successful in creating the pkcs12 keystore which picks up
> > > > >>>> SHA256 as shown below:
> > > > >>>
> > > > >>> <snip/>
> > > > >>>
> > > > >>>> But still Tomcat does not run on the https port.
> > > > >>>
> > > > >>> Define "does not run".
> > > > >>>
> > > > >>>> Any clue as to why this happens?
> > > > >>>
> > > > >>> Based on the information provided so far, no.
> > > > >>>
> > > > >>>> The protocol I am using is "org.apache.coyote.http11.Http11Protocol".
> > > > >>>
> > > > >>> OK. That is the HTTP BIO connector.
> > > > >>>
> > > > >>>> Could it be because I am not using an APR connector protocol?
> > > > >>>
> > > > >>> No.
> > > > >>>
> > > > >>> Mark
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>> ---------------------------------------------------------------------
> > > > >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > >>> For additional commands, e-mail: users-help@tomcat.apache.org
> > > > >>>
> > > > >>>
> > > > >>
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
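An added example, not part of the thread or of Tomcat/OpenSSL, for the diagnostic Sanaullah is describing: a small POSIX shell helper that reads `openssl s_client` output and tells apart a completed handshake, the state shown above (the SSL-Session block is printed but `Cipher` is `0000` / `Cipher is (NONE)`, so the TCP connection and record layer came up without any suite being agreed), and a plain connection failure. The function names, the two constructed sample blocks (the first mirrors the thread's SSL-Session output with the e-mail bold markers removed; the second is a made-up healthy handshake with ECDHE-RSA-AES128-GCM-SHA256) and the `tls_cipher_walk` loop are mine; `tls_probe` and `tls_cipher_walk` need network access to the target and are not exercised by the samples.

```shell
#!/bin/sh
# Added example: classify the outcome of an `openssl s_client` run.
# Helper names, samples and the cipher-walk loop are this example's own,
# not code from the thread.

# tls_session_status: read s_client output on stdin, print one verdict line
#   OK <protocol> <cipher>   handshake completed with a negotiated suite
#   NO_CIPHER <protocol>     SSL-Session block present, cipher 0000 / (NONE)
#   NO_SESSION               no SSL-Session block (connect or handshake failed)
# and return 0 / 1 / 2 respectively.
tls_session_status() {
    tss_out=$(cat)
    tss_proto=$(printf '%s\n' "$tss_out" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    tss_cipher=$(printf '%s\n' "$tss_out" \
        | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if [ -z "$tss_proto" ]; then
        echo "NO_SESSION"
        return 2
    fi
    case "$tss_cipher" in
        ""|0000|"(NONE)")
            echo "NO_CIPHER $tss_proto"
            return 1 ;;
        *)
            echo "OK $tss_proto $tss_cipher"
            return 0 ;;
    esac
}

# tls_probe HOST PORT: run s_client against a live endpoint and classify it.
# </dev/null closes stdin so s_client exits right after the handshake instead
# of waiting for application data to send.
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | tls_session_status
}

# tls_cipher_walk HOST PORT [CIPHERLIST]: when tls_probe reports NO_CIPHER,
# offer the server one suite at a time to learn whether it accepts anything
# at all (a cipher-suite mismatch) or rejects every handshake (server broken).
tls_cipher_walk() {
    for cw_suite in $(openssl ciphers "${3:-ALL:eNULL}" | tr ':' ' '); do
        if openssl s_client -connect "$1:$2" -servername "$1" -cipher "$cw_suite" \
               </dev/null 2>/dev/null | tls_session_status >/dev/null; then
            echo "ACCEPTED $cw_suite"
        else
            echo "REJECTED $cw_suite"
        fi
    done
}

# Constructed samples, trimmed to the lines the parser looks at. The first
# mirrors the SSL-Session block quoted in the thread (bold markers removed);
# the second is a made-up healthy handshake, not output from that server.
SAMPLE_NO_CIPHER='New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
    Verify return code: 18 (self signed certificate)'

SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

# Stand-alone demo on the constructed samples (no network needed).
for demo_in in "$SAMPLE_NO_CIPHER" "$SAMPLE_OK"; do
    if demo_v=$(printf '%s\n' "$demo_in" | tls_session_status); then
        echo "handshake usable:     $demo_v"
    else
        echo "handshake NOT usable: $demo_v"
    fi
done
```

`tls_probe 16.183.93.84 8444` reproduces the check from the thread. A NO_CIPHER verdict alongside "Verify return code: 18 (self signed certificate)" means the self-signed certificate is not what is failing (s_client reports the verify result but does not abort on it): the server accepted the connection and then agreed on nothing, so the next step is the server-side log and the connector/keystore configuration Mark asked about, and `tls_cipher_walk` shows whether any suite the client can offer is accepted at all. The optional third argument is passed straight to `openssl ciphers`; older OpenSSL 1.0.x builds accept the `FIPS` keyword there (check `openssl ciphers -v FIPS` on your build first), which narrows the walk to the suites that matter for the FIPS question in this thread.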
