tomcat-users mailing list archives

From Nikitha Benny <nikki.be...@gmail.com>
Subject Re: FIPS compliancy on Tomcat 7.00.062
Date Wed, 05 Aug 2015 10:52:59 GMT
Hi Mark, Sanaullah,

Thank you for your valuable suggestion.

I just ran the openssl s_client scan, and it looks like the server side is
running fine on *TLSv1.2* Protocol.

[root]## openssl s_client -connect 16.183.93.84:8444
CONNECTED(00000003)
- - -  - -  - -
- - -  - -  - -
- - -  - -  - -
- - -  - -  - -

-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : *TLSv1.2*
    Cipher    : 0000
    Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438771286
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

So could it be an issue with the browser?
Since the browser is not FIPS compliant, could it be the reason for the
issue?


Regards,
Nikitha

On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah <sanaullah82@gmail.com> wrote:

> Hi Nikitha,
>
> run the sslscan tool from the command line or openssl s_client in debug
> mode
> https://github.com/rbsec/sslscan
>
> Regards,
> Sanaullah
>
> On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny <nikki.benny@gmail.com>
> wrote:
>
> > Hi Mark,
> >
> > My server is not on a public domain.
> > How can I verify the setup which is on a private network?
> >
> > Regards,
> > Nikitha
> >
> > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas <markt@apache.org> wrote:
> >
> > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > Hi Mark,
> > > >
> > > > When I try to run Tomcat on the https server port:
> > > >
> > > > *https://<ip address>:8444/*
> > > >
> > > > It says as below:
> > > > ----------
> > > >
> > > > *SSL connection error*
> > > >
> > > > *ERR_SSL_PROTOCOL_ERROR*
> > > >
> > > > *Unable to make a secure connection to the server. This may be a problem
> > > > with the server, or it may be requiring a client authentication certificate
> > > > that you don't have*
> > > > *------------*
> > >
> > > That is the client side. What about server side logs?
> > >
> > > > We have set the client authentication to False, so it does not need any
> > > > client authorized certificate.
> > >
> > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > server. That will tell you if you have a server side issue, a client
> > > side issue or simply a mismatch between the two.
> > >
> > > Mark
> > >
> > > >
> > > > Regards,
> > > > Nikitha
> > > >
> > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.benny@gmail.com>
> > > > wrote:
> > > >
> > > >>> But still Tomcat does not run on the https port.
> > > >>
> > > >> As in, when we run Tomcat on the https server port it does not display the
> > > >> page.
> > > >> Whereas it goes through fine on the http port. The url opens.
> > > >>
> > > >>
> > > >>
> > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas <markt@apache.org> wrote:
> > > >>
> > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > >>>> Hello Mark,
> > > >>>>
> > > >>>> Thanks for your valuable suggestion.
> > > >>>>
> > > >>>> We were successful in creating the pkcs12 keystore which picks up
> > > >>>> SHA256 as shown below:
> > > >>>
> > > >>> <snip/>
> > > >>>
> > > >>>> But still Tomcat does not run on the https port.
> > > >>>
> > > >>> Define "does not run".
> > > >>>
> > > >>>> Any clue as to why this happens?
> > > >>>
> > > >>> Based on the information provided so far, no.
> > > >>>
> > > >>>> The protocol I am using is *"org.apache.coyote.http11.Http11Protocol".*
> > > >>>
> > > >>> OK. That is the HTTP BIO connector.
> > > >>>
> > > >>>> Could it be because I am not using an APR connector protocol?
> > > >>>
> > > >>> No.
> > > >>>
> > > >>> Mark
> > > >>>
> > > >>>
> > > >>>
> > > >>> ---------------------------------------------------------------------
> > > >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > >>> For additional commands, e-mail: users-help@tomcat.apache.org
> > > >>>
> > > >>>
> > > >>
> > > >
> > >
> >
>
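The s_client output posted at the top of this message is the kind of thing a deployment check should read mechanically rather than by eye: in `openssl s_client` output, `New, (NONE), Cipher is (NONE)` together with an empty `Master-Key` means no cipher suite was negotiated, so a `Protocol` line in the `SSL-Session` block does not by itself show that the connection completed. The parser below is an added example, not code from the thread or from Tomcat; both sample outputs are constructed excerpts, the first modelled on the posted one.

```python
import re

# Constructed excerpt modelled on the output posted in the thread: a protocol
# version is printed, but Cipher is (NONE)/0000 and Master-Key is empty.
FAILED_HANDSHAKE = """\
SSL handshake has read 1476 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Master-Key:
    Verify return code: 18 (self signed certificate)
"""

# Constructed excerpt of a completed handshake against a self-signed server.
OK_HANDSHAKE = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Master-Key: 3F1A9C0B7D2E4F6A8B9C0D1E2F3A4B5C
    Verify return code: 18 (self signed certificate)
"""

def parse_s_client(output: str) -> dict:
    """Pull the fields worth checking out of `openssl s_client` output."""
    def field(name: str) -> str:
        # [ \t] rather than \s so an empty value ("Master-Key:") does not swallow the next line
        m = re.search(rf"^[ \t]*{name}[ \t]*:[ \t]*(.*)$", output, re.M)
        return m.group(1).strip() if m else ""
    verify = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    return {
        "protocol": field("Protocol"),
        "cipher": field("Cipher"),
        "master_key": field("Master-Key"),
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else "",
    }

def handshake_completed(info: dict) -> bool:
    """Protocol alone proves nothing: a handshake finished only if a real cipher suite was agreed and a master key derived."""
    return info["cipher"] not in ("", "0000", "(NONE)") and bool(info["master_key"])

def assess(output: str) -> str:
    info = parse_s_client(output)
    if not handshake_completed(info):
        return "handshake did not complete: no cipher suite negotiated"
    trust = "ok" if info["verify_code"] == 0 else f"untrusted ({info['verify_text']})"
    return f"handshake completed: {info['protocol']} {info['cipher']}, cert {trust}"
```

The verify return code is reported separately from handshake completion: a self-signed certificate (code 18) still yields a working TLS session, whereas a `(NONE)` cipher never does.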
