Subject: Re: FIPS compliancy on Tomcat 7.00.062
From: Sanaullah
To: Tomcat Users List <users@tomcat.apache.org>
Date: Wed, 5 Aug 2015 15:58:21 +0500

Run this command with debugging prints:

openssl s_client -connect 16.183.93.84:8444 -debug -msg

> Protocol : *TLSv1.2*
> Cipher : 0000

It seems something is broken, as there is no Cipher.

Regards,
Sanaullah

On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny wrote:

> Hi Mark, Sanaullah,
>
> Thank you for your valuable suggestion.
>
> I just ran the openssl s_client scan, and it looks like the server side is
> running fine on *TLSv1.2* Protocol.
>
> [root]## *openssl s_client -connect 16.183.93.84:8444*
> CONNECTED(00000003)
> - - - - - - -
> - - - - - - -
> - - - - - - -
> - - - - - - -
>
> 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> d/A4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : *TLSv1.2*
>     Cipher    : 0000
>     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1438771286
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> So could it be an issue with the browser?
> Since the browser is not FIPS compliant, could it be the reason for the
> issue?
>
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah wrote:
>
> > Hi Nikitha,
> >
> > Run the sslscan tool from the command line, or openssl s_client in debug
> > mode:
> > https://github.com/rbsec/sslscan
> >
> > Regards,
> > Sanaullah
> >
> > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny wrote:
> >
> > > Hi Mark,
> > >
> > > My server is not on a public domain.
> > > How can I verify the setup which is on a private network?
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas wrote:
> > >
> > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > Hi Mark,
> > > > >
> > > > > When I try to run Tomcat on the https server port:
> > > > >
> > > > > *https://:8444/*
> > > > >
> > > > > It says as below:
> > > > > ----------
> > > > >
> > > > > *SSL connection error*
> > > > >
> > > > > *ERR_SSL_PROTOCOL_ERROR*
> > > > >
> > > > > *Unable to make a secure connection to the server. This may be a
> > > > > problem with the server, or it may be requiring a client
> > > > > authentication certificate that you don't have*
> > > > > *------------*
> > > >
> > > > That is the client side. What about server side logs?
> > > >
> > > > > We have set the client authentication to False, so it does not
> > > > > need any client authorized certificate.
> > > >
> > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > server. That will tell you if you have a server side issue, a client
> > > > side issue or simply a mismatch between the two.
> > > >
> > > > Mark
> > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.benny@gmail.com>
> > > > > wrote:
> > > > >
> > > > >>> But still Tomcat does not run on the https port.
> > > > >>
> > > > >> As in, when we run Tomcat on the https server port it does not
> > > > >> display the page.
> > > > >> Whereas it goes through fine on the http port. The url opens.
> > > > >>
> > > > >>
> > > > >>
> > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas wrote:
> > > > >>
> > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > > >>>> Hello Mark,
> > > > >>>>
> > > > >>>> Thanks for your valuable suggestion.
> > > > >>>>
> > > > >>>> We were successful in creating the pkcs12 keystore which picks up
> > > > >>>> SHA256 as shown below:
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>>> But still Tomcat does not run on the https port.
> > > > >>>
> > > > >>> Define "does not run".
> > > > >>>
> > > > >>>> Any clue as to why this happens?
> > > > >>>
> > > > >>> Based on the information provided so far, no.
> > > > >>>
> > > > >>>> The protocol I am using is *"org.apache.coyote.http11.Http11Protocol".*
> > > > >>>
> > > > >>> OK. That is the HTTP BIO connector.
> > > > >>>
> > > > >>>> Could it be because I am not using an APR connector protocol?
> > > > >>>
> > > > >>> No.
> > > > >>>
> > > > >>> Mark
> > > > >>>
> > > > >>> ---------------------------------------------------------------------
> > > > >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > >>> For additional commands, e-mail: users-help@tomcat.apache.org
> > > > >>>
> > > > >>
> > > > >
> > > >
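The reading Sanaullah does by eye above (a TLSv1.2 Protocol line sitting next to "Cipher : 0000" and "New, (NONE), Cipher is (NONE)" means no cipher suite was ever negotiated, so the handshake did not complete) can be scripted so that it is not missed in a long transcript. The POSIX shell script below is an added example; it is not code from the thread or from the Tomcat project. It reads an openssl s_client transcript on standard input, pulls the Protocol, Cipher and Verify return code fields out of the SSL-Session block, and reports whether a cipher was negotiated. The two transcripts embedded in it are constructed samples modelled on the output quoted above, not real captures, and the function names (session_field, tls_handshake_status, sample_failed_session, sample_ok_session) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): classify an `openssl s_client`
# transcript by its SSL-Session block. A completed handshake shows a named
# cipher; "Cipher : 0000" / "Cipher is (NONE)" means no suite was negotiated,
# so the connection was never secured even though Protocol says TLSv1.2.

# session_field LABEL: print the value of the first "LABEL : value" line
# read from stdin (empty output if the label is absent).
session_field() {
  awk -v key="$1" -F': *' '
    $1 ~ ("^[ \t]*" key "[ \t]*$") { v = $2; sub(/[ \t\r]+$/, "", v); print v; exit }'
}

# tls_handshake_status: reads a transcript on stdin and prints one line,
# "ok proto=... cipher=... verify=N" (exit 0) or
# "failed proto=... cipher=... verify=N" (exit 1).
tls_handshake_status() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | session_field Protocol)
  cipher=$(printf '%s\n' "$out" | session_field Cipher)
  verify=$(printf '%s\n' "$out" | session_field 'Verify return code')
  verify=${verify%% *}   # keep the numeric code, drop e.g. "(self signed certificate)"
  case "$cipher" in
    ''|0000|'(NONE)')
      printf 'failed proto=%s cipher=%s verify=%s\n' \
        "${proto:-unknown}" "${cipher:-none}" "${verify:-unknown}"
      return 1 ;;
    *)
      printf 'ok proto=%s cipher=%s verify=%s\n' \
        "$proto" "$cipher" "${verify:-unknown}"
      return 0 ;;
  esac
}

# Constructed transcript modelled on the failing output quoted in the thread
# (cipher 0000, self-signed certificate); not a real capture.
sample_failed_session() {
  cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1438771286
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
EOF
}

# Constructed transcript of a healthy handshake for comparison; not a real capture.
sample_ok_session() {
  cat <<'EOF'
CONNECTED(00000003)
---
SSL handshake has read 1534 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
EOF
}

# When run as a script, classify both constructed transcripts. Against a live
# server the same function takes the tool's output directly:
#   openssl s_client -connect HOST:PORT </dev/null 2>&1 | tls_handshake_status
sample_ok_session | tls_handshake_status
sample_failed_session | tls_handshake_status || true
```

The exit status makes the check usable from a monitoring job or a deployment smoke test, where a "failed" result should block rollout. Note that the verify code is reported separately on purpose: code 18 (self-signed certificate) is a trust warning about the certificate chain, while the missing cipher is a handshake failure, and the two have different causes and fixes.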