Message-ID: <48BD8296.2060708@gmail.com>
Date: Tue, 02 Sep 2008 11:14:46 -0700
From: Suresh Kumar J
To: users@tomcat.apache.org
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols
In-Reply-To: <48B87E6C.4000409@gmail.com>

The issue turns out to be that Apache Tomcat is not able to handle the full set of cipher suites implemented in the latest Firefox v3.0.1. When I try to establish the https connection, the Tomcat server seems to choke on the set of cipher suites negotiated by the Firefox browser and eventually errors out with the error:

java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR

I had to disable the following cipher suites in the Firefox (v3.0.1) browser via the "about:config" option:

security.ssl3.dhe_dss_camellia_128_sha
security.ssl3.dhe_dss_camellia_256_sha
security.ssl3.dhe_rsa_camellia_128_sha
security.ssl3.dhe_rsa_camellia_256_sha
security.ssl3.rsa_camellia_128_sha
security.ssl3.rsa_camellia_256_sha

Wonder if anybody else has encountered this issue while using the Tomcat server with the Firefox browser.

Thanks,
Suresh

Suresh Kumar J wrote:
> Hi!
>
> Am running Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
> snippet of the server.xml config:
> ----------------------------
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
> keystoreFile="conf/my-key-store" keystorePass="abcd"/>
> ----------------------------
>
> The https connection (TLS based) works fine with IE6.0/7.x and Firefox
> 2.0.x. But am having issues with Firefox 3.0.1 on Windows XP with
> the default settings. When I try to connect (https on 443) to Apache
> Tomcat (v6.0.14), I get the following error in the Firefox 3.0.1 window:
> -------------------------------------------
> Secure Connection Failed
> An error occurred during a connection to 10.xx.xx.xx
> Cannot communicate securely with peer: no common encryption algorithm(s):
> (Error code: ssl_error_no_cypher_overlap)
> -------------------------------------------
>
> Have observed the following error in the catalina.out file:
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
> at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
> at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> In Firefox 3.0.1, both SSL3.0 and TLS1.0 are enabled (and SSLv2 is
> disabled) in the browser security settings. The web server is correctly
> configured for secured http on TLS. Earlier with Firefox 2.0.x, it was
> working fine. Also checked with the Linux version of Firefox 3.0.1 and the
> TLS connection is working fine.
>
> When I tried to analyse the packet capture of the browser/web-server
> communication via the "Wireshark/Ethereal" tools, I observed that
> Firefox 3.0 on Windows uses "SSLv2 Record layer (Client Hello)" for SSL
> handshake negotiations. As my Tomcat web server is configured for TLS, it
> doesn't seem to understand the SSLv2 record layer format, and eventually
> errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>
> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
> and TLS, am not sure why Firefox 3.0.1 on Windows uses the SSLv2 Record
> protocol; also, SSLv2 is disabled by default. On Redhat Linux, the same
> FF3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for
> security negotiations. Firefox v2.0.x on Windows uses "SSLv3 Record
> Layer (Client Hello)", which seems to be fine. Am able to launch the https
> webpages on IE6.x and IE7.x and also Firefox 2.0. The only issue is on
> Firefox 3.0, which uses "SSLv2 Record layer (Client Hello)" for SSL
> handshake negotiations. Tomcat works well with the TLS protocol, but when
> the browser uses SSLv2 then it fails.
>
> I tried changing the "sslProtocol" attribute in the "Connector" element
> in the conf/server.xml file, and then Tomcat couldn't start.
> Observed the following error in catalina.out:
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
> at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
> at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
> at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
> at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
> at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
> at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
> at java.lang.reflect.Method.invoke(Method.java:317)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>
> Does Tomcat 6.0.x support an SSL implementation? Is it possible to make
> Tomcat understand both the SSL and TLS protocols so that all the
> browsers are supported? It seems to be critical to make the application
> I use the certificate in the format of PKCS12, created via the openssl tool.
>
> Did anyone else face a similar kind of problem in this regard?
>
> Thanks,
> Suresh
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
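The diagnosis in this thread was done by reading a Wireshark capture: the Windows Firefox 3.0.1 sends its ClientHello in the SSLv2-compatible framing (the 2-byte header with the high bit set, from RFC 2246 Appendix E) and offers Camellia suites the server's JSSE does not know, while the Linux build sends an ordinary TLS record. The following script is an added example, not code from the thread or from Tomcat, that performs the same classification on raw ClientHello bytes and lists the offered suites the server lacks. The server-side suite list (ASSUMED_SERVER_SUITES) and both sample hellos are constructed here for illustration; the Camellia code points are the IANA values from RFC 4132.

```python
"""Classify a ClientHello by its record framing and list the suites it offers.

Added example: the sample hellos below are constructed here, not captured.
"""
import struct

# IANA code points (RFC 4132) for the Camellia suites disabled in the thread.
CAMELLIA_SUITES = {
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
    0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
}

# Assumption: a plausible JSSE offering of that era (RC4, 3DES, AES), not the
# actual list of any Tomcat build. Obtain the real one from the JVM in use.
ASSUMED_SERVER_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0033, 0x0035, 0x0039}


def suite_name(code):
    return CAMELLIA_SUITES.get(code, "0x%04X" % code)


def parse_client_hello(data):
    """Return {"record", "version", "cipher_suites"}; raise ValueError otherwise.

    "SSLv2" = v2-compatible framing (RFC 2246 App. E): 2-byte header with the
    high bit set, then CLIENT-HELLO with 3-byte cipher specs.
    "TLS"   = a normal record (type 0x16) carrying a handshake ClientHello.
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length or length < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2-style CLIENT-HELLO")
        version = (body[1], body[2])
        cs_len, _sid_len, _chal_len = struct.unpack("!HHH", body[3:9])
        specs = body[9:9 + cs_len]
        if len(specs) != cs_len or cs_len % 3:
            raise ValueError("truncated cipher specs")
        # V2 specs are 3 bytes; SSLv3/TLS suites are carried as 0x00 + 2-byte code.
        suites = [(specs[i + 1] << 8) | specs[i + 2]
                  for i in range(0, cs_len, 3) if specs[i] == 0x00]
        return {"record": "SSLv2", "version": version, "cipher_suites": suites}
    if data[0] == 0x16:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("record does not carry a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        if len(body) < 35:
            raise ValueError("truncated ClientHello")
        version = (body[0], body[1])
        pos = 35 + body[34]              # skip client_version, random, session_id
        if pos + 2 > len(body):
            raise ValueError("truncated ClientHello")
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        specs = body[pos + 2:pos + 2 + cs_len]
        if len(specs) != cs_len or cs_len % 2:
            raise ValueError("truncated cipher_suites")
        suites = [struct.unpack("!H", specs[i:i + 2])[0] for i in range(0, cs_len, 2)]
        return {"record": "TLS", "version": version, "cipher_suites": suites}
    raise ValueError("unrecognised framing byte 0x%02X" % data[0])


def unsupported_suites(offered, server_suites):
    """Suites the client offered that the server does not know, in offer order."""
    return [(c, suite_name(c)) for c in offered if c not in server_suites]


def build_sslv2_client_hello(version, suites, challenge=b"\x11" * 16):
    """Constructed v2-framed hello (for the example only)."""
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)
    body = (bytes([0x01, version[0], version[1]])
            + struct.pack("!HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def build_tls_client_hello(version, suites, random=b"\x22" * 32):
    """Constructed TLS-record hello with an empty session id, null compression."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = bytes(version) + random + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed: a v2-framed hello offering Camellia plus AES suites, as the
    # thread describes for Firefox 3.0.1 on Windows, and a TLS-framed one.
    samples = [
        ("windows-style", build_sslv2_client_hello((3, 1), [0x0041, 0x0084, 0x002F, 0x0035])),
        ("linux-style", build_tls_client_hello((3, 1), [0x002F, 0x0035])),
    ]
    for label, hello in samples:
        info = parse_client_hello(hello)
        print(label, info["record"], "v%d.%d" % info["version"], "unknown to server:",
              unsupported_suites(info["cipher_suites"], ASSUMED_SERVER_SUITES))
```

Disabling suites in every client's about:config does not scale; the server-side fix is to make the server tolerate unknown offered suites (a JSSE bug, so a JVM update) or to pin the suites it advertises. Tomcat 6's JSSE connector supports a `ciphers` attribute for that, and the JVM's real list comes from `SSLServerSocketFactory.getSupportedCipherSuites()`, which is what should replace the assumed set above.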