tomcat-users mailing list archives

From Nikitha Benny <nikki.be...@gmail.com>
Subject Re: FIPS compliancy on Tomcat 7.00.062
Date Wed, 05 Aug 2015 11:10:03 GMT
Hi Sanaullah,

That is because we have removed the entire "ciphers" attribute from the
server.xml file.
But that should be fine as the non-compliant FIPS also has the "cipher"
attribute removed and it shows a similar client-to-server connection and
runs fine.

Regards,
Nikitha

On Wed, Aug 5, 2015 at 4:28 PM, Sanaullah <sanaullah82@gmail.com> wrote:

> run this command with debugging prints.
>
> openssl s_client -connect 16.183.93.84:8444 -debug -msg
>
> > Protocol  : *TLSv1.2*
> > Cipher    : 0000
> it seems something broken as there is no Cipher
>
> Regards,
> Sanaullah
>
>
>
> On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny <nikki.benny@gmail.com>
> wrote:
>
> > Hi Mark, Sanaullah,
> >
> > Thank you for your valuable suggestion.
> >
> > I just ran the openssl s_client scan, and it looks like the server side
> > is running fine on *TLSv1.2* Protocol.
> >
> > [root]## *openssl s_client -connect 16.183.93.84:8444*
> > CONNECTED(00000003)
> > - - -  - -  - -
> > - - -  - -  - -
> > - - -  - -  - -
> > - - -  - -  - -
> >
> > 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> > dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> > Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> > d/A4
> > -----END CERTIFICATE-----
> > subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
> > IWFVM01284.hpswlabs.adapps.hp.com
> > issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
> > IWFVM01284.hpswlabs.adapps.hp.com
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1476 bytes and written 7 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : *TLSv1.2*
> >     Cipher    : 0000
> >     Session-ID:
> > 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> >     Session-ID-ctx:
> >     Master-Key:
> >     Key-Arg   : None
> >     Krb5 Principal: None
> >     PSK identity: None
> >     PSK identity hint: None
> >     Start Time: 1438771286
> >     Timeout   : 300 (sec)
> >     Verify return code: 18 (self signed certificate)
> >
> > So could it be an issue with the browser?
> > Since the browser is not FIPS compliant, could it be the reason for the
> > issue?
> >
> >
> > Regards,
> > Nikitha
> >
> > On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah <sanaullah82@gmail.com> wrote:
> >
> > > Hi Nikitha,
> > >
> > > run the sslscan tool from the command line or openssl s_client in debug
> > > mode
> > > https://github.com/rbsec/sslscan
> > >
> > > Regards,
> > > Sanaullah
> > >
> > > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny <nikki.benny@gmail.com>
> > > wrote:
> > >
> > > > Hi Mark,
> > > >
> > > > My server is not on a public domain.
> > > > How can I verify the setup which is on a private network?
> > > >
> > > > Regards,
> > > > Nikitha
> > > >
> > > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas <markt@apache.org> wrote:
> > > >
> > > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > > Hi Mark,
> > > > > >
> > > > > > When I try to run Tomcat on the https server port:
> > > > > >
> > > > > > *https://<ip address>:8444/*
> > > > > >
> > > > > > It says as below:
> > > > > > ----------
> > > > > >
> > > > > > *SSL connection error*
> > > > > >
> > > > > > *ERR_SSL_PROTOCOL_ERROR*
> > > > > >
> > > > > > *Unable to make a secure connection to the server. This may be a
> > > > > > problem with the server, or it may be requiring a client authentication
> > > > > > certificate that you don't have*
> > > > > > *------------*
> > > > >
> > > > > That is the client side. What about server side logs?
> > > > >
> > > > > > We have set the client authentication to False, so it does not
> > > > > > need any client authorized certificate.
> > > > >
> > > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > > server. That will tell you if you have a server side issue, a
> client
> > > > > side issue or simply a mismatch between the two.
> > > > >
> > > > > Mark
> > > > >
> > > > > >
> > > > > > Regards,
> > > > > > Nikitha
> > > > > >
> > > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.benny@gmail.com> wrote:
> > > > > >
> > > > > >>> But still Tomcat does not run on the https port.
> > > > > >>
> > > > > >> As in, when we run Tomcat on the https server port it does not
> > > > > >> display the page.
> > > > > >> Whereas it goes through fine on the http port. The URL opens.
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas <markt@apache.org> wrote:
> > > > > >>
> > > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > > > >>>> Hello Mark,
> > > > > >>>>
> > > > > >>>> Thanks for your valuable suggestion.
> > > > > >>>>
> > > > > >>>> We were successful in creating the pkcs12 keystore which picks
> > > > > >>>> up SHA256 as shown below:
> > > > > >>>
> > > > > >>> <snip/>
> > > > > >>>
> > > > > >>>> But still Tomcat does not run on the https port.
> > > > > >>>
> > > > > >>> Define "does not run".
> > > > > >>>
> > > > > >>>> Any clue as to why this happens?
> > > > > >>>
> > > > > >>> Based on the information provided so far, no.
> > > > > >>>
> > > > > >>>> The protocol I am using is *"org.apache.coyote.http11.Http11Protocol".*
> > > > > >>>
> > > > > >>> OK. That is the HTTP BIO connector.
> > > > > >>>
> > > > > >>>> Could it be because I am not using an APR connector protocol?
> > > > > >>>
> > > > > >>> No.
> > > > > >>>
> > > > > >>> Mark
> > > > > >>>
> > > > > >>>
> > > > > >>>
> > > > > >>> ---------------------------------------------------------------------
> > > > > >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > > >>> For additional commands, e-mail: users-help@tomcat.apache.org
> > > > > >>>
> > > > > >>>
> > > > > >>
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
>
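Sanaullah's reading of the s_client output quoted above is that a session showing `Cipher : 0000` / `Cipher is (NONE)` means no cipher suite was agreed, and both he and Mark recommend probing the server from the command line (sslscan, `openssl s_client -debug -msg`, SSL Labs) rather than trusting the browser's error page. The script below is an added example, not code from this thread, from Tomcat or from sslscan: it parses the `Protocol` and `Cipher` lines of `openssl s_client` output, treats `0000`/`(NONE)` as a failed negotiation, and, when pointed at a host, tries each suite of an OpenSSL cipher spec one at a time to list which ones the server will accept. The `TLS_TARGET` variable, the default cipher spec and the embedded sample session are assumptions for illustration, not data from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Reads the
# "Protocol"/"Cipher" lines that `openssl s_client` prints, reports whether a
# cipher suite was really negotiated, and optionally scans a live server one
# suite at a time (what sslscan does, done by hand with s_client).

# negotiated_cipher: s_client output on stdin -> prints "PROTOCOL CIPHER".
# Returns 0 when a real suite was agreed, 1 when the session shows
# "0000"/"(NONE)" (handshake did not complete) or has no Cipher line at all.
negotiated_cipher() {
    out=$(tr -d '\r*')            # tolerate CRLF and pasted *bold* markers
    proto=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
        head -n 1)
    cipher=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
        head -n 1)
    printf '%s %s\n' "${proto:-unknown}" "${cipher:-none}"
    case "$cipher" in
        ''|0000|'(NONE)') return 1 ;;
    esac
    return 0
}

# probe_cipher HOST PORT SUITE: one handshake restricted to SUITE.
# (-cipher governs TLS 1.2 and earlier suites, which is what is at issue here.)
probe_cipher() {
    openssl s_client -connect "$1:$2" -cipher "$3" </dev/null 2>/dev/null |
        negotiated_cipher
}

# scan_ciphers HOST PORT [SPEC]: expand SPEC with the local OpenSSL and report
# which suites the server agrees to. The default SPEC is an assumed AES-only
# allow-list for illustration; substitute the policy you actually require.
scan_ciphers() {
    spec=${3:-'ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:AES'}
    openssl ciphers "$spec" | tr ':' '\n' | while read -r suite; do
        if result=$(probe_cipher "$1" "$2" "$suite"); then
            printf 'accepted  %-32s -> %s\n' "$suite" "$result"
        else
            printf 'rejected  %s\n' "$suite"
        fi
    done
}

# Constructed sample modelled on the session block quoted in the thread; it is
# not a capture from any real server.
SAMPLE_FAILED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
    Verify return code: 18 (self signed certificate)'

# demo_parse: parse SAMPLE_FAILED; prints "TLSv1.2 0000" and returns 1,
# i.e. the server sent a TLS 1.2 ServerHello path but no suite was agreed.
demo_parse() {
    printf '%s\n' "$SAMPLE_FAILED" | negotiated_cipher
}

# Live use (assumed variable): TLS_TARGET=16.183.93.84:8444 sh tlsprobe.sh
if [ -n "${TLS_TARGET:-}" ]; then
    scan_ciphers "${TLS_TARGET%:*}" "${TLS_TARGET##*:}"
fi
```

Because the scan runs from wherever you start it, it works on a private network that SSL Labs cannot reach. A server that rejects every suite in the list you expect it to offer, while the browser reports ERR_SSL_PROTOCOL_ERROR, points at the server-side configuration; a server that accepts suites the browser does not offer points at a client/server mismatch, which is the distinction Mark draws above.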
