tomcat-users mailing list archives

From Peter Wallis <pwal...@acm.org>
Subject Re: New to SSL - debugging tomcat
Date Thu, 22 Dec 2016 16:03:05 GMT
Hi Christopher,
 re 443 on *nix; yes, set AUTHBIND='yes' in /etc/defaults/tomcat8
 re openssl s_client -connect on a different machine; it times out

Did have a thought -- one that might not be obvious to you experts -- I am
serving that page via No-IP dynamic dns.  Their support people are "cagey"
about whether this works or not (they don't answer the question and suggest
I buy an upgraded service).  I believe people who know what they are doing
just run their own dns using unbound?  If that makes no sense, please
ignore; I don't know what I'm talking about, but it seems we are looking for
something I've done that is weird.

P

On 22 December 2016 at 15:38, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Peter,
>
> On 12/22/16 2:43 AM, Peter Wallis wrote:
> > Hi Christopher, so it seems I have done something exceptional :-)
> > Thanks for taking a look...
> >
> > <Connector port="443"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > keystoreFile="/home/peter/.keystore" alias="tomcat"
> > keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
>
> This looks fine except for one thing: you are using port 443 on a *NIX
> system which requires you to either run as root (bad) or make other
> arrangements. Have you made such arrangements?
>
> > Keystore type: JKS Keystore provider: SUN
> >
> > Your keystore contains 2 entries
> >
> > Alias name: gandi Creation date: 21-Dec-2016 Entry type:
> > trustedCertEntry
>
> Okay, that's your CA.
>
> > Alias name: tomcat Creation date: 21-Dec-2016 Entry type:
> > trustedCertEntry
>
> Okay, that's presumably your server's cert.
>
> > Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, OU=Domain
> > Control Validated
>
> If that's your site name (alexa.proseco.co.uk) this looks good.
>
> What happens if you do this from the outside (e.g. not on the pi itself):
>
> $ openssl s_client -connect alexa.proseco.co.uk:443
>
> -chris
>
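The outside-in check Chris suggests (openssl s_client from a machine that is not the Pi), as an added Python example that is not part of this thread: it walks the DNS, TCP and TLS stages separately, so a time-out seen from outside can be attributed to the dynamic-DNS name, to a firewall/NAT gap in front of port 443, or to the Tomcat connector itself. The hostname is the one from the thread; the function names and the constructed certificate dicts are this example's own.

```python
import socket
import ssl
import sys


def cert_common_name(cert):
    """Extract the CN from the dict that SSLSocket.getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_dns_names(cert):
    """CN plus every DNS SAN: the set of names the certificate is valid for."""
    names = set()
    cn = cert_common_name(cert)
    if cn:
        names.add(cn)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value)
    return names


def diagnose(host, port=443, timeout=5.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'tls' or 'ok'."""
    try:
        addr = socket.gethostbyname(host)  # does the dynamic-DNS name resolve at all?
    except socket.gaierror as exc:
        return "dns", f"{host}: {exc}"
    try:
        raw = socket.create_connection((addr, port), timeout=timeout)
    except socket.timeout:
        # Silent drop: typically a firewall/NAT rule, not Tomcat (a listener would answer)
        return "tcp", f"{addr}:{port} timed out (filtered, or nothing listening)"
    except OSError as exc:
        return "tcp", f"{addr}:{port}: {exc.strerror}"
    ctx = ssl.create_default_context()  # verifies the chain and hostname like a browser
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"handshake with {addr}:{port} failed: {exc}"
    return "ok", f"certificate valid for {sorted(cert_dns_names(cert))}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "alexa.proseco.co.uk"
    print(*diagnose(target))
```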
