What JRE / JDK are you using with Tomcat 6.0.13?

-----Original Message-----
From: Suresh Kumar J
To: Tomcat Users List
Sent: Sat, 30 Aug 2008 10:16 pm
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL", but Tomcat couldn't start. Observed the following error in catalina.out:

--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
    at java.lang.reflect.Method.invoke(Method.java:317)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Another question is how do I make Tomcat recognize both SSLv2/SSLv3/TLS1.0 messages for secured communication, since some browsers like Firefox 3.0.1 use SSLv2 for the initial SSL handshake phase. Tomcat doesn't seem to recognize SSLv2 messages and errors out with the following message:

--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
    at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
    at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

Any inputs would be appreciated.

Thanks,
Suresh

bhooshanpandit@aol.com wrote:
>> I tried changing the "sslProtocol" attribute in the "Connector" element
>> in conf/server.xml file and then Tomcat couldn't start. Observed the
>> following error in catalina.out:
>
> What value did you specify for sslProtocol? I tried using SSL and it
> worked.
>
> -----Original Message-----
> From: Suresh Kumar J
> To: users@tomcat.apache.org
> Sent: Sat, 30 Aug 2008 4:25 am
> Subject: How to make to Apache-Tomcat 6.0.13 to support all of
> SSLv2/SSLv3 and TLS protocols
>
>> Hi!
>>
>> Am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
>> snippet of the server.xml config:
>> ----------------------------
>> maxThreads="150" scheme="https" secure="true"
>> clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>> keystoreFile="conf/my-key-store" keystorePass="abcd"/>
>> ----------------------------
>>
>> The https connection (TLS based) works fine with IE6.0/7.x and FireFox
>> 2.0.x. But am having issues with the FireFox 3.0.1 on Windows XP with
>> the default settings. When I try to connect (https on 443) to Apache
>> Tomcat (v6.0.14), I get the following error on the FireFox 3.0.1 window:
>> -------------------------------------------
>> Secure Connection Failed
>> An error occurred during a connection to 10.xx.xx.xx
>> Cannot communicate securely with peer: no common encryption algorithm(s):
>> (Error code: ssl_error_no_cypher_overlap)
>> -------------------------------------------
>>
>> Have observed the following error in the Catalina.out file:
>> --------------------------------------------------
>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>> SEVERE: Socket accept failed
>> Throwable occurred: java.net.SocketException: SSL handshake error
>> javax.net.ssl.SSLException: INTERNAL ERROR
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>     at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>     at java.lang.Thread.run(Thread.java:657)
>> --------------------------------------------------
>>
>> In the FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled (and SSLv2 is
>> disabled) in the browser security settings. The web-server is correctly
>> configured for secured http on TLS. Earlier with Firefox2.0.x, it was
>> working fine. Also checked with Linux version of FireFox3.0.1 and the
>> TLS connection is working fine.
>>
>> When I tried to analyse the packet capture of the browser/web-server
>> communication via "WireShark/Ethereal" tools, I observed that the
>> FireFox3.0 on Windows uses "SSLv2 Record layer (Client Hello)" for SSL
>> handshake negotiations. As my Tomcat webserver is configured for TLS, it
>> doesn't seem to understand the SSLv2 record layer format, and eventually
>> errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>>
>> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
>> and TLS, am not sure why FireFox3.0.1 on Windows uses SSLv2 Record
>> protocol, also SSLv2 is disabled by default. On Redhat Linux, the same
>> FF3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for
>> security negotiations. The FireFox v2.0.x on Windows uses "SSLv3 Record
>> Layer (Client Hello)", which seems to be fine. Am able to launch the https
>> webpages on IE6.x and IE7.x and also FireFox2.0. The only issue is on
>> FireFox3.0, which uses "SSLv2 Record layer (Client Hello)" for SSL
>> handshake negotiations. Tomcat works well with TLS protocol, but when
>> the browser uses SSLv2 then it fails.
>>
>> I tried changing the "sslProtocol" attribute in the "Connector" element
>> in conf/server.xml file and then Tomcat couldn't start. Observed the
>> following error in catalina.out:
>> --------------------------------------
>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>> SEVERE: Error initializing endpoint
>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>     at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>     at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>     at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>     at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>     at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>     at java.lang.reflect.Method.invoke(Method.java:317)
>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>> --------------------------------------
>>
>> Does Tomcat 6.0.x support SSL implementation? Is it possible to make
>> the Tomcat understand both SSL and TLS protocols so that all the
>> browsers are supported? It seems to be critical to make the application
>> I use the certificate in the format of PKCS12, created via openssl tool.
>>
>> Did anyone else face similar kind of problem in this regard?
>>
>> Thanks,
>> Suresh
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
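The "SSLv2 Record layer (Client Hello)" Suresh saw in Wireshark is a different wire framing from the SSLv3/TLS record that a TLS-only connector expects, even though such a hello can still offer TLS 1.0. As an added example (not from this thread, and not Tomcat or JSSE code), the Python below tells the two ClientHello framings apart on the first bytes a server reads and reports the offered version and raw cipher specs, which is the check a defender would run on a capture to explain a "no common encryption algorithm" failure. The sample records are constructed, and cipher specs are shown as raw hex rather than looked up by name.

```python
# Added example (not from the thread or from Tomcat): distinguish the two
# ClientHello framings a server may receive on its HTTPS port. An SSLv2-style
# hello can still offer TLS 1.0, which is why a browser with SSLv2 disabled
# may send one. Sample records below are constructed, not captured.
import struct

def classify_client_hello(data: bytes) -> dict:
    """Return the record framing, the client's highest offered version and
    the raw cipher specs, or raise ValueError for anything else."""
    if len(data) < 9:
        raise ValueError("too short for any SSL/TLS ClientHello")
    # SSLv2 framing: 2-byte header with the high bit set, then msg type 0x01
    # (CLIENT-HELLO), version, and three 16-bit lengths before the specs.
    if data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        version = (body[1], body[2])
        cs_len, _sid_len, _chal_len = struct.unpack("!HHH", body[3:9])
        specs = body[9:9 + cs_len]
        ciphers = [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]
        return {"record": "sslv2", "version": version, "ciphers": ciphers}
    # SSLv3/TLS framing: content type 0x16 (handshake), version, 16-bit
    # length, then a handshake header (type 0x01, 24-bit length).
    if data[0] == 0x16 and data[5] == 0x01:
        hs_len = int.from_bytes(data[6:9], "big")
        hs = data[9:9 + hs_len]
        version = (hs[0], hs[1])
        pos = 35 + hs[34]  # skip the 32-byte random and the session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        specs = hs[pos + 2:pos + 2 + cs_len]
        ciphers = [specs[i:i + 2].hex() for i in range(0, cs_len, 2)]
        return {"record": "tls", "version": version, "ciphers": ciphers}
    raise ValueError("not a ClientHello in SSLv2 or SSLv3/TLS framing")


# Constructed SSLv2-compatible ClientHello: offers version 3.1 (TLS 1.0),
# two cipher specs, no session id, 16-byte challenge.
SSLV2_HELLO = (bytes.fromhex("801f" "01" "0301" "0006" "0000" "0010")
               + bytes.fromhex("00002f" "000035") + bytes(16))

# Constructed TLS 1.0 ClientHello in SSLv3/TLS record framing: 32-byte
# random, empty session id, two cipher suites, null compression.
TLS_HELLO = (bytes.fromhex("16 0301 002f" "01 00002b" "0301") + bytes(32)
             + bytes.fromhex("00" "0004" "002f 0035" "01 00"))

if __name__ == "__main__":
    for name, rec in (("sslv2", SSLV2_HELLO), ("tls", TLS_HELLO)):
        print(name, classify_client_hello(rec))
```

Feeding the first packet of a failing session to this function shows immediately whether the client used the SSLv2 framing the server was not configured to parse, independent of which protocol versions the client actually enabled.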