From: Don Flinn
Date: Sun, 3 Dec 2017 20:49:27 -0500
Subject: Re: Trying to understand How Tomcat uses Keystore for SSL
To: Tomcat Users List <users@tomcat.apache.org>
In-Reply-To: <0c8ff378-6f93-db12-7dc0-f97db9f82382@christopherschultz.net>
References: <86948fef-641e-22ee-94a1-12501e98c071@christopherschultz.net> <0c8ff378-6f93-db12-7dc0-f97db9f82382@christopherschultz.net>

Chris,

Attached is a first cut at setting up SSL for Tomcat. It is in Microsoft Word. Hopefully people have that. If not I'll send it in another format that is acceptable.

I tried to achieve a balance between completeness and brevity by only going deep enough to give the reader enough information to understand what is needed to use SSL/TLS with Tomcat. When it got down to keystore I effectively just repeated what was on the Tomcat SSL website. A weak point in the writeup (among many others) is getting Tomcat to listen on port 80 for Let's Encrypt.

If this might be useful please comment and correct.
Don

On Fri, Dec 1, 2017 at 11:32 AM, Christopher Schultz <chris@christopherschultz.net> wrote:
> Don,
>
> On 12/1/17 3:14 AM, Don Flinn wrote:
> > I'll be happy to accept your challenge to try to write some
> > documentation for the site from a newbie's point of view. It will
> > be on the slow side as my 'day job' will interfere somewhat. It
> > also will require some correction of errors.
>
> No problem at all. Just reach out to the group if you need any
> hand-holding.
>
> -chris
>
> > On Wed, Nov 29, 2017 at 9:37 AM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Don,
> >
> > On 11/28/17 4:55 PM, Don Flinn wrote:
> >>>>>> In fact, I think you are using PEM-encoded DER files and
> >>>>>> not a packaged keystore, even though your
> >>>>>> SSLHostConfig's keystoreType is set to "PKCS12".
> >>>>
> >>>> Yes, I am using PEM files. Got to read more on DER files.
> >
> > PEM is an encoding, while DER is really the file format. It's like
> > saying "is this file text/plain or UTF-8?"
> >
> > This is a great read for almost anyone who cares about x509
> > certificates:
> >
> > https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
> >
> >>>> So do I just drop the keystoreType="PKCS12" from the
> >>>> connector?
> >
> > Theoretically, yes. The keystoreType is only used when there is a
> > keystore and not "certificate files", etc.
> >
> >>>>> If there's anything inaccurate on the Tomcat site
> >>>>
> >>>> No, I was talking about other sites, not the Tomcat site.
> >>>> I've been reading all over the internet for that which seems
> >>>> related. My statement was a caution to not believe everything
> >>>> you read. 'Trust but verify'
> >
> > Mark has given a number of presentations on TLS and they are very
> > accessible. Have a look at the slides (and some audio/video) on
> > the "presentations" page on the Tomcat site. Each of them has a
> > varying level of "introductoryness", but I think the more recent
> > ones like "Introduction to Tomcat and TLS" from TomcatCon in Miami
> > are probably the best ones to see for beginners.
> >
> >>>> Your e-mail has been very helpful, not only to me, but I
> >>>> believe to others. With respect to the Tomcat site, I think
> >>>> a lot of what you wrote would be very helpful there. For
> >>>> example, the Tomcat write up on SSL describes how to do self
> >>>> signed certificates and fleetingly mentions that if you have
> >>>> a certificate from a CA that you could use e.g. openssl and
> >>>> then refers the reader to their java documentation and
> >>>> openssl documentation. Not too helpful to the
> >>>> security/Tomcat novice.
> >
> > Agreed. Would you care to write some new documentation and/or
> > prepare a patch for the site? It's usually best when beginners
> > write for their own audience. I, for example, understand it
> > backwards and forwards so when I write I have a skewed perspective.
> > Writing as a beginner can re-focus the narrative for a different
> > audience.
> >
> > If you need any help grabbing the site from svn, etc. please just
> > ask.
> >
> >>>> Thanks for your patience and help.
> >
> > You are more important than the software.
> > No, really:
> > https://blogs.apache.org/foundation/entry/asf_15_community_over_code
> >
> > -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
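Chris's point above, that PEM is an encoding of the same DER bytes rather than a different file format, can be checked directly. The script below is an added example, not code from this thread or from the Tomcat project: it classifies a blob as PEM or DER (armor lines versus a well-formed outer ASN.1 SEQUENCE), converts in both directions, and uses a constructed minimal DER object as its sample rather than a real certificate.

```python
import base64
import re

# Added example, not from the thread or from Tomcat. PEM is base64 of the DER
# bytes between "-----BEGIN X-----"/"-----END X-----" armor; DER is the ASN.1.
_ARMOR = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def der_outer_length(data: bytes) -> int:
    """Total length of the outer DER SEQUENCE (tag + length + value), or -1."""
    if len(data) < 2 or data[0] != 0x30:  # 0x30 is the SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:  # short form: the byte itself is the length
        return 2 + first
    n = first & 0x7F  # long form: n following bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """Classify a blob as 'PEM', 'DER' or 'unknown'."""
    if _ARMOR.search(data):
        return "PEM"
    if der_outer_length(data) == len(data):
        return "DER"
    return "unknown"

def pem_to_der(pem: bytes) -> bytes:
    """Strip the armor from the first PEM block and base64-decode it."""
    m = _ARMOR.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("PEM body is not one well-formed DER object")
    return der

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armor, base64 body folded at 64 characters."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"-----BEGIN {label}-----\n".encode() + body
            + f"\n-----END {label}-----\n".encode())

# Constructed sample: SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
```

Running `detect_encoding` over the files named in a connector is a quick way to confirm whether Tomcat is being handed certificate files or a packaged keystore before deciding whether `keystoreType` applies at all.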