From "Beyer, Gregory L" <gregory.be...@business.gatech.edu>
Subject RE: Tomcat answers on port 80, not on 443
Date Fri, 23 Oct 2015 14:53:43 GMT
Thank you Konstantin and Chris Schultz.  Been trying all you suggested Konstantin, and a heck
of a lot more without much success.  But I finally did get /something/ in a log that might
be helpful if anyone can interpret it.

Chris, on your observation:

	I'm not sure how Apache Felix fits into this (I don't know a thing about Felix), but:

	> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
	>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
	>                clientAuth="false" sslProtocol="TLS" />

	This connector has no reference to any keystore configuration. Unless Felix is somehow wiring
that all up, then you haven't configured a viable TLS connector.

I also don't know what role Felix plays.  Apparently you spotted something missing in the
snippet above that tells you there's no connector configured.  The above is right out of the
server.xml.  I simply un-remmed it. 

Now, my java app's configuration file DOES have an entry that references a keystore: 

	##############################
	# Inbound SSL Settings
	##############################

	org.apache.felix.https.enable=true
	org.osgi.service.http.port.secure=443
	org.apache.felix.https.keystore=E:\\Program Files\\Connector\\.keystore
	org.apache.felix.https.keystore.password=REDACTED
	org.apache.felix.https.keystore.key.password= REDACTED
	org.apache.felix.https.truststore=C:\\Program Files\\Java\\jre1.8.0_60\\lib\\security\\cacerts
	org.apache.felix.https.truststore.password= REDACTED

Question  -- Does anyone think " Program Files"  (space) above is contributing to the problem?

BTW the \\Connector\\ in the paths above is the install directory of my java app, which is,
I think, a different connector than that in the server.xml.

So here is the snippet from my log:

<snip>

2015-10-23 09:34:10 [o.e.j.u.c.AbstractLifeCycle] WARN   - FAILED SslContextFactory@2cc0a31e(E:\Program Files\Connector\.keystore,C:\Program Files\Java\jre1.8.0_60\lib\security\cacerts): java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
	at sun.security.provider.KeyProtector.recover(Unknown Source) ~[na:1.8.0_60]
	at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_60]
	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source) ~[na:1.8.0_60]
	at sun.security.provider.KeyStoreDelegator.engineGetKey(Unknown Source) ~[na:1.8.0_60]
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(Unknown Source) ~[na:1.8.0_60]
	at java.security.KeyStore.getKey(Unknown Source) ~[na:1.8.0_60]
	at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source) ~[na:1.8.0_60]
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source) ~[na:1.8.0_60]
	at javax.net.ssl.KeyManagerFactory.init(Unknown Source) ~[na:1.8.0_60]
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1080) ~[na:na]
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:291) ~[na:na]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) ~[na:na]
	at org.eclipse.jetty.server.ssl.SslSelectChannelConnector.doStart(SslSelectChannelConnector.java:612) ~[na:na]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) ~[na:na]
	at org.apache.felix.http.jetty.internal.JettyService.startConnector(JettyService.java:421) ~[na:na]
	at org.apache.felix.http.jetty.internal.JettyService.initializeHttps(JettyService.java:327) ~[na:na]
	at org.apache.felix.http.jetty.internal.JettyService.initializeJetty(JettyService.java:273) ~[na:na]
	at org.apache.felix.http.jetty.internal.JettyService.startJetty(JettyService.java:197) ~[na:na]
	at org.apache.felix.http.jetty.internal.JettyService.start(JettyService.java:130) ~[na:na]
	at org.apache.felix.http.jetty.internal.JettyActivator.doStart(JettyActivator.java:29) ~[na:na]
	at org.apache.felix.http.base.internal.AbstractActivator.start(AbstractActivator.java:41) ~[na:na]
	at org.apache.felix.http.bundle.internal.CombinedActivator.start(CombinedActivator.java:56) ~[na:na]
	at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:645) ~[org.apache.felix.main-4.2.1.jar:na]
	at org.apache.felix.framework.Felix.activateBundle(Felix.java:2146) ~[org.apache.felix.main-4.2.1.jar:na]
	at org.apache.felix.framework.Felix.startBundle(Felix.java:2064) ~[org.apache.felix.main-4.2.1.jar:na]
	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1291) ~[org.apache.felix.main-4.2.1.jar:na]
	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:304) ~[org.apache.felix.main-4.2.1.jar:na]
	at java.lang.Thread.run(Unknown Source) ~[na:1.8.0_60]
2015-10-23 09:34:11 [o.e.j.u.c.AbstractLifeCycle] WARN   - FAILED SslSelectChannelConnector@0.0.0.0:443: java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
	at sun.security.provider.KeyProtector.recover(Unknown Source) ~[na:1.8.0_60]
	at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_60]

<snip>

Second Question - am I supposed to import the .keystore into my cacerts file?  When I open
the cacerts file that came with the java install, it contains 30-40 certifs (key-pairs?)
that I didn't create.

Thanks all for any leads or answers to my SSL noob questions you can provide.

__________________________________________
Gregory Beyer
gbeyer3@gatech.edu

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: Friday, October 16, 2015 10:54 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat answers on port 80, not on 443

2015-10-15 20:48 GMT+03:00 Beyer, Gregory L <gregory.beyer@business.gatech.edu>:
>
> Hello,
>
> I'm trying to get my web app, which is otherwise running fine on port 80 to respond on
SSL.   Sorry if this is a resend.  I only just started getting list messages so my first may
not have gone.  Don't intend to bump.
>
> Scenario:
>
> The server in question is a Windows12 web application host running Tomcat 8.0.26.   Running
on Tomcat is a java application which accepts port 80  connections from another host across
the 'net.  I have firewall rules configured to allow port 80 and 443 traffic between the servers.
  80 This is working fine.   I'm not running IIS - only Tomcat.
>
> However, we don't want to have our data stream exposed clear text over the internet -
we need to use SSL.
>
> I have used %JAVA_HOME%\bin\keytool to generate a keystore and then have configured the
InBound SSL Settings in my apps config.properties file with the path to the keystore and the
password.  The # lines are variations on the path to the truststore that I have attempted
unsuccessfully.  I'm using the default certificate, below.  Webclients will not be connecting
so we don't need a commercial certificate.  This is a server to server web call.
>
> ##############################
> # Inbound SSL Settings
> ##############################
>
> org.apache.felix.https.enable=true
> org.osgi.service.http.port.secure=443
> org.apache.felix.https.keystore=E:\keystore\scilexcon
> #org.apache.felix.https.keystore=./keystore/scilexcon
> org.apache.felix.https.keystore.password=redacted
> org.apache.felix.https.keystore.key.password= redacted 
> org.apache.felix.https.truststore=E:\keystore\scilexcon
> #org.apache.felix.https.truststore=C:\Program 
> Files\Java\jre1.8.0_60\lib\security\cacerts
> #org.apache.felix.https.truststore=./keystore/scilexcon
> org.apache.felix.https.truststore.password= redacted
>

1)
Is above a *.properties file?  If so then '\' works as an escape symbol and must be doubled
(\\). Usually people just use '/' instead, it usually works with Java.

> ./keystore/scilexcon

2)
"." is the current directory when you start a program. It may be different depending on how
you start it. (E.g. for Tomcat started explicitly via startup.bat vs started as a service
it may be different).

> I've also configured the java runtime of my application with the trustore path:
>
> -Djavax.net.ssl.trustStore=E:\keystore\scilexcon
>
>
>
> An http connect to my connect runtime is successful.  http://<hostname>    https://<hostname>
    times out
>
> Netstat -a reveals that port 443 is listening on <hostname>
>
>
> Documents I have used so far is one documenting the Inbound SSL 
> connections of my apps config file, and the SSL documentation of 
> Apache Tomcat  http://<hostname>8080/docs/ssl-howto.html
>
> In my server.xml, I've unremmed the connector section and changed the connector port
to 443:
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
>
>
>          Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
>
> I've looked through my logs, but don't find anything to indicate why it just clocks until
timing out.  Maybe I'm missing something?
>
> Having read the SSL howto, I don't think I've missed anything.

3)
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

Try connecting with a web browser or a standard tool (like wget, openssl client) to check
that HTTPS works.

Look into an access log.

Take a series of thread dumps (for your client as well).

4) Is Java trusting your self-signed server certificate (so that it is able to connect to it)?

Old versions of Java (Java 6) use SSLv2Hello when initiating a HTTPS connection. That protocol
is disabled by default in current versions of Tomcat.
https://wiki.apache.org/tomcat/Security/POODLE

Best regards,
Konstantin Kolinko
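A small diagnostic I have added here (not code from the thread, Felix, Jetty or Tomcat) that walks the same two steps the stack trace above fails in: open the keystore with keystore.password, then recover each private-key entry with keystore.key.password, reporting a wrong store password, a wrong key password ("Cannot recover key") and a file with no private key (a truststore such as cacerts) as three distinct findings. It also echoes the keystore path as java.util.Properties actually reads it, which is Konstantin's point 1 about single backslashes; it assumes the app's config.properties uses the org.apache.felix.https.* keys quoted in the thread and takes that file's path as its first argument.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import java.util.Properties;

public class InboundSslCheck {
    // Mirrors what SslContextFactory.getKeyManagers() does: load the keystore with the store
    // password, then KeyStore.getKey() every private-key entry with the key password.
    static String diagnose(String ksPath, char[] storePass, char[] keyPass) {
        KeyStore ks;
        try (InputStream in = new FileInputStream(ksPath)) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, storePass);
        } catch (IOException e) {
            // A wrong keystore.password (as opposed to key.password) fails here, not at getKey()
            return "FAIL cannot load " + ksPath + " (bad path or wrong keystore password): " + e.getMessage();
        } catch (GeneralSecurityException e) { return "FAIL keystore format problem: " + e; }
        StringBuilder out = new StringBuilder();
        try {
            int keyEntries = 0;
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isKeyEntry(alias)) continue;   // trusted-cert entries (as in cacerts) have no key
                keyEntries++;
                try {
                    ks.getKey(alias, keyPass);
                    out.append("OK   '").append(alias).append("' recovers with keystore.key.password\n");
                } catch (UnrecoverableKeyException e) {  // JKS wording for a wrong key password: "Cannot recover key"
                    out.append("FAIL '").append(alias).append("': ").append(e.getMessage())
                       .append(" (keystore.key.password is not the -keypass the key was stored with)\n");
                }
            }
            if (keyEntries == 0) out.append("FAIL no private-key entries: this is a truststore, not a server keystore\n");
        } catch (GeneralSecurityException e) { return "FAIL " + e; }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(args[0])) { p.load(in); }  // path to config.properties
        String ks = p.getProperty("org.apache.felix.https.keystore", "");
        System.out.println("keystore path as Java reads it: " + ks);
        System.out.print(diagnose(ks,
            p.getProperty("org.apache.felix.https.keystore.password", "").trim().toCharArray(),
            p.getProperty("org.apache.felix.https.keystore.key.password", "").trim().toCharArray()));
    }
}
```

Run it as `javac InboundSslCheck.java && java InboundSslCheck config.properties`. Properties.load() drops a lone `\` as an escape (so `E:\keystore\scilexcon` comes back as `E:keystorescilexcon`) and keeps whitespace trailing a value, which is why the path is echoed as read and the passwords are trimmed before use.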

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
