What JRE / JDK are you using with Tomcat 6.0.13?
-----Original Message-----
From: Suresh Kumar J <suresh.kumar.j@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Sat, 30 Aug 2008 10:16 pm
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL", but Tomcat couldn't start.
Observed the following error in catalina.out:
--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
at java.lang.reflect.Method.invoke(Method.java:317)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------
Another question is how do I make Tomcat recognize SSLv2/SSLv3/TLS1.0 messages for secured communication, since some browsers like Firefox 3.0.1 use SSLv2 for the initial SSL handshake phase. Tomcat doesn't seem to recognize SSLv2 messages and errors out with the following message:
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------
Any inputs would be appreciated.
Thanks,
Suresh
bhooshanpandit@aol.com wrote:
>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>> in conf/server.xml file and then Tomcat couldn't start. Observed the
>>> following error in catalina.out:
>
> What value did you specify for sslProtocol? I tried using SSL and it
> worked.
>
> -----Original Message-----
> From: Suresh Kumar J <suresh.kumar.j@gmail.com>
> To: users@tomcat.apache.org
> Sent: Sat, 30 Aug 2008 4:25 am
> Subject: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
>
> Hi!
>
> I am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
> snippet of the server.xml config:
>
> ----------------------------
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>            keystoreFile="conf/my-key-store" keystorePass="abcd"/>
> ----------------------------
>
>
> The https connection (TLS based) works fine with IE 6.0/7.x and Firefox
> 2.0.x. But I am having issues with Firefox 3.0.1 on Windows XP with
> the default settings. When I try to connect (https on 443) to Apache
> Tomcat (v6.0.14), I get the following error in the Firefox 3.0.1 window:
>
> -------------------------------------------
> Secure Connection Failed
> An error occurred during a connection to 10.xx.xx.xx
> Cannot communicate securely with peer: no common encryption algorithm(s):
> (Error code: ssl_error_no_cypher_overlap)
> -------------------------------------------
>
> Have observed the following error in the Catalina.out file:
>
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
> at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
> at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> In Firefox 3.0.1, both SSL3.0 and TLS1.0 are enabled (and SSLv2 is
> disabled) in the browser security settings. The web-server is correctly
> configured for secured http on TLS. Earlier with Firefox 2.0.x, it was
> working fine. Also checked with the Linux version of Firefox 3.0.1 and the
> TLS connection is working fine.
>
> When I tried to analyze the packet capture of the browser/web-server
> communication via "WireShark/Ethereal" tools, I observed that
> Firefox 3.0 on Windows uses "SSLv2 Record layer (Client Hello)" for SSL
> handshake negotiations. As my Tomcat webserver is configured for TLS, it
> doesn't seem to understand the SSLv2 record layer format, and eventually
> errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>
> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
> and TLS, I am not sure why Firefox 3.0.1 on Windows uses the SSLv2 Record
> protocol, and also SSLv2 is disabled by default. On Redhat Linux, the same
> FF3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for
> security negotiations. Firefox v2.0.x on Windows uses "SSLv3 Record
> Layer (Client Hello)", which seems to be fine. I am able to launch the https
> webpages on IE6.x and IE7.x and also Firefox 2.0. The only issue is on
> Firefox 3.0, which uses "SSLv2 Record layer (Client Hello)" for SSL
> handshake negotiations. Tomcat works well with the TLS protocol, but when
> the browser uses SSLv2 then it fails.
>
> I tried changing the "sslProtocol" attribute in the "Connector" element
> in the conf/server.xml file and then Tomcat couldn't start. Observed the
> following error in catalina.out:
>
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
> at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
> at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
> at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
> at java.lang.reflect.Method.invoke(Method.java:317)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>
> Does Tomcat 6.0.x support an SSL implementation? Is it possible to make
> Tomcat understand both SSL and TLS protocols so that all the
> browsers are supported? It seems to be critical to make the application
>
> I use the certificate in the format of PKCS12, created via the openssl tool.
>
> Did anyone else face a similar kind of problem in this regard?
>
> Thanks,
>
> Suresh
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
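The SSLv2-compatible Client Hello that Suresh saw in Wireshark differs from an SSLv3/TLS record in its very first bytes, which is why a TLS-only endpoint rejects it before any cipher negotiation. The parser below is an added illustration for this thread (not code from the list, from Tomcat or from Firefox); it classifies a captured first record and reports the highest version and the cipher list the client offers. The sample byte strings are constructed for the example, not captured traffic.

```python
# Classify the first handshake record a client sends: SSLv2-compatible
# CLIENT-HELLO (the format seen from Firefox 3.0.1 in the thread) vs an
# SSLv3/TLS record. The sample bytes at the bottom are constructed, not captured.
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def _version(major, minor):
    return VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})")

def parse_client_hello(data: bytes) -> dict:
    """Return {'format', 'client_version', 'ciphers'} for a captured first record."""
    if len(data) < 5:
        raise ValueError("record too short")
    if data[0] & 0x80:
        # SSLv2 2-byte record header: high bit set, 15-bit body length follows.
        # (The 3-byte padded header form is not used for CLIENT-HELLO.)
        body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
        if len(body) < 9 or body[0] != 0x01:          # 0x01 = CLIENT-HELLO
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        cs_len, sid_len, ch_len = (int.from_bytes(body[i:i + 2], "big") for i in (3, 5, 7))
        if len(body) < 9 + cs_len + sid_len + ch_len:
            raise ValueError("truncated SSLv2 CLIENT-HELLO")
        specs = [body[9 + i:9 + i + 3].hex() for i in range(0, cs_len, 3)]
        return {"format": "SSLv2", "client_version": _version(body[1], body[2]),
                "ciphers": specs}
    if data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS record: type 0x16 (handshake), version 3.x, 16-bit length.
        body = data[5:5 + int.from_bytes(data[3:5], "big")]
        if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
            raise ValueError("handshake record is not a ClientHello")
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        if len(hs) < 35:
            raise ValueError("truncated ClientHello")
        pos = 35 + hs[34]            # skip client_version, random, session_id
        cs_len = int.from_bytes(hs[pos:pos + 2], "big")
        if len(hs) < pos + 2 + cs_len:
            raise ValueError("truncated cipher_suites list")
        suites = [hs[pos + 2 + i:pos + 4 + i].hex() for i in range(0, cs_len, 2)]
        return {"format": "SSLv3/TLS", "client_version": _version(hs[0], hs[1]),
                "ciphers": suites}
    raise ValueError(f"unrecognized record start: {data[:3].hex()}")

# Constructed samples: both offer TLSv1.0 with ciphers 0x002F and 0x000A.
SSLV2_COMPAT_HELLO = bytes.fromhex("801f" "01" "0301" "0006" "0000" "0010"
                                   "00002f" "00000a") + bytes(16)
TLS_HELLO = (bytes.fromhex("160301002f" "0100002b" "0301") + bytes(32)
             + bytes.fromhex("00" "0004" "002f000a" "01" "00"))

if __name__ == "__main__":
    print(parse_client_hello(SSLV2_COMPAT_HELLO), parse_client_hello(TLS_HELLO))
```

Feeding the first record of a real capture (e.g. the bytes Wireshark shows for the Client Hello) into parse_client_hello tells you whether a client that is failing against a TLS-only connector is the one using the SSLv2 record layer.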