From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: New to SSL - debugging tomcat
Date Thu, 22 Dec 2016 18:41:50 GMT

Peter,

On 12/22/16 12:52 PM, Peter Wallis wrote:
> Ahh! changed the server.xml entries to 8443 tried: openssl s_client
> -connect 192.168.1.149:8443 and got: CONNECTED(00000003) 
> 3074541192:error:140790E5SSL routhines:SSL23_WRITE:ssl handshake 
> failure:s23_lib.c:177: --- no peer certificate available --- No
> client certificate CA names sent --- SSL handshake has read 0 bytes
> and written 295 bytes --- New, (NONE), Cipher is (ONE) Secure
> Renegotiation IS NOT supported Compression: NONE Expansion: NONE 
> ---
> 
> That might mean something (note I retyped it from a ssh connection
> after a stiff drink so there may be typos)


Perfect. The problem is that openssl s_client defaults to an SSLv2
"hello" handshake and not a TLS handshake, which is more appropriate
in this day and age.

Try this:

$ openssl s_client -tls1 -connect 192.168.1.149:8443

-chris

> On 22 December 2016 at 16:27, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Peter,
> 
> On 12/22/16 11:03 AM, Peter Wallis wrote:
>>>> Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in 
>>>> /etc/defaults/tomcat8
> 
> Okay. Are you sure you've got that configured properly? Try
> changing port 443 to 8443 in server.xml and bouncing Tomcat. Let's
> try to solve one problem at a time.
> 
>>>> re openssl s_client -connect on a different machine; it times
>>>> out
>>>> 
>>>> Did have a thought -- one that might not be obvious to you
>>>> experts -- I am serving that page via No-IP dynamic dns.
>>>> Their support people are "cagey" about whether this works or
>>>> not (they don't answer the question and suggest I buy an
>>>> upgraded service)  I believe people who know what they are
>>>> doing just run their own dns using unbound?  If that makes no
>>>> sense, please ignore; I don't know what I'm talking about but
>>>> it seems we are looking for something I've done that is
>>>> weird.
> 
> Let's try this: what's the actual IP address of your pi?
> 192.168.0.10 or somesuch?
> 
> Change your port from 443 -> 8443 and then try this:
> 
> $ openssl s_client -connect 192.168.0.10:8443
> 
> If that connects and shows the cert, then your TLS configuration
> is correct. It will complain about the hostname (IP address) not
> matching the cert's CN, but that's okay).
> 
> Since you have lots of moving parts, let's find out what's working 
> first and then fix whatever problems remain.
> 
> -chris
> 
>>>> On 22 December 2016 at 15:38, Christopher Schultz < 
>>>> chris@christopherschultz.net> wrote:
>>>> 
>>>> Peter,
>>>> 
>>>> On 12/22/16 2:43 AM, Peter Wallis wrote:
>>>>>>> Hi Christopher, so it seems I have done something
>>>>>>> exceptional :-) Thanks for taking a look...
>>>>>>> 
>>>>>>> <Connector port="443" 
>>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" 
>>>>>>> maxThreads="150" SSLEnabled="true" scheme="https" 
>>>>>>> secure="true" keystoreFile="/home/peter/.keystore" 
>>>>>>> alias="tomcat" keystorePass="changeit"
>>>>>>> clientAuth="false" sslProtocol="TLS" />
>>>> 
>>>> This looks fine except for one thing: you are using port 443
>>>> on a *NIX system which requires you to either run as root
>>>> (bad) or make other arrangements. Have you made such
>>>> arrangements?
>>>> 
>>>>>>> Keystore type: JKS Keystore provider: SUN
>>>>>>> 
>>>>>>> Your keystore contains 2 entries
>>>>>>> 
>>>>>>> Alias name: gandi Creation date: 21-Dec-2016 Entry
>>>>>>> type: trustedCertEntry
>>>> 
>>>> Okay, that's your CA.
>>>> 
>>>>>>> Alias name: tomcat Creation date: 21-Dec-2016 Entry
>>>>>>> type: trustedCertEntry
>>>> 
>>>> Okay, that's presumably your server's cert.
>>>> 
>>>>>>> Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, 
>>>>>>> OU=Domain Control Validated
>>>> 
>>>> If that's your site name (alexa.proseco.co.uk) this looks
>>>> good.
>>>> 
>>>> What happens if you do this from the outside (e.g. not on the
>>>> pi itself) :
>>>> 
>>>> $ openssl s_client -connect alexa.proseco.co.uk:443
>>>> 
>>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
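The diagnosis above (a "Cipher is (NONE)" transcript with 0 bytes read means the server never answered the client's hello, so force a TLS version and retry) can be scripted. This is an added example, not code from the thread or from Tomcat: it probes a connector with openssl s_client once per protocol version and classifies each transcript; the host and port are placeholders taken from the thread, and the `classify_sclient` / `probe_tls_versions` / `cert_subject` function names are this example's own.

```shell
#!/bin/sh
# Added example: probe a Tomcat HTTPS connector with openssl s_client, forcing
# one TLS version per attempt, and classify the result the way the thread does
# by hand. 192.168.1.149:8443 below is only the value used in the thread.

# Classify one s_client transcript read from stdin. Prints one of:
#   no-handshake      server closed without answering (wrong port, or the
#                     client hello was rejected outright, as in the thread)
#   handshake-failed  server answered but negotiation broke (no cipher agreed)
#   ok:<cipher>       handshake completed with the named cipher suite
classify_sclient() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/.*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)')
            if printf '%s\n' "$out" | grep -q 'handshake has read 0 bytes'; then
                echo no-handshake
            else
                echo handshake-failed
            fi ;;
        *)
            echo "ok:$cipher" ;;
    esac
}

# Try each explicit version flag in turn. If every version reports
# no-handshake, nothing TLS is listening on that port; if at least one works,
# the connector is fine and only the client's default hello was the problem.
# -servername sends SNI; </dev/null stops s_client waiting on stdin.
probe_tls_versions() {
    host=$1; port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(openssl s_client $flag -connect "$host:$port" -servername "$host" \
                 </dev/null 2>&1 | classify_sclient)
        echo "$flag $result"
    done
}

# Pull the certificate subject out of a successful transcript (stdin) so the
# CN-vs-IP mismatch the thread warns about is visible rather than buried.
cert_subject() {
    sed -n 's/^subject=//p' | head -n 1
}

# Usage, against the address from the thread:
#   probe_tls_versions 192.168.1.149 8443
#   openssl s_client -tls1_2 -connect 192.168.1.149:8443 </dev/null 2>/dev/null | cert_subject
```

A result of `ok:` on one version but `no-handshake` on the plain (no flag) run reproduces exactly the situation in the thread: the connector works, the client default did not.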