tomcat-users mailing list archives

From Stu Smith <stu26c...@gmail.com>
Subject Re: Tomcat Maven plugin failure: tries to use a TLSv1 handshake with a TLSv1.2 server.
Date Fri, 06 Mar 2015 06:12:29 GMT
Hello Chris,
  With maven, I am using:

java -version
java version "1.7.0_55"
OpenJDK Runtime Environment (IcedTea 2.4.7) (7u55-2.4.7-1ubuntu1~0.13.10.1)
OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

On the server,
java version "1.7.0_65"
OpenJDK Runtime Environment (IcedTea 2.5.1) (7u65-2.5.1-4ubuntu1~0.14.04.2)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

The tomcat configuration that works (password fields elided):

      <Connector
           protocol="HTTP/1.1"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/shareplaylearn.jks"
           keyAlias="shareplaylearn"
           keystorePass="[password]"
           keyPass="[password]"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1,TLSv1.1"
        />

The one that does not work:


      <Connector
           protocol="HTTP/1.1"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/shareplaylearn.jks"
           keyAlias="shareplaylearn"
           keystorePass="[password]"
           keyPass="[password]"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
        />

(Exactly the same, except more protocols enabled on sslEnabledProtocols)

I can try to run the tool, but not tonight! Thanks!

Also, given the only difference between working/not working is enabled
protocol...... I'm not totally sure what we're looking for.
I guess maybe to see what ciphers are enabled?

The site, while neither beautiful nor functional, does support ssl
correctly in all the browsers I've tested (even on my gingerbread phone):

https://www.shareplaylearn.com/#/share

I do have it working, and I was a bit frustrated last night - so I'm a
little happier now - but still, it would be really nice if the plugin
supported 1.2... even nicer if it was smart enough to look for the CA certs in
the standard locations, and "just work" (or something close to that) like a
browser. I've used HttpComponents HttpClient fairly often fairly recently,
and the most recent stable version seems to handle ssl just fine,
defaulting to the jvm cacert, etc.. no mavenrc necessary... which is one
reason why I was a little bit confused by the maven plugin behavior.

Hope that doesn't sound too whiny - just explaining the POV - I do
appreciate the help!

Take care,
  -stu


On Thu, Mar 5, 2015 at 8:34 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Stu,
>
> On 3/5/15 2:23 AM, Stu Smith wrote:
> > Hello,
> >
> > I'm using the tomcat maven plugin to deploy to an SSL-enabled host.
> > I've pointed maven at copy of the keystore used on the tomcat
> > server itself, so all the keys should be there. Also, I enabled
> > java.net.ssl.debug=all, and confirmed the public key, intermediate
> > cert, and CA cert are loaded. Yet, with TLSv1.2 on the server, the
> > handshake failed at this point:
> >
> > 0070: 00 17 00 01 00 03 00 13   00 15 00 06 00 07 00 09  ................
> > 0080: 00 0A 00 18 00 0B 00 0C   00 19 00 0D 00 0E 00 0F  ................
> > 0090: 00 10 00 11 00 02 00 12   00 04 00 05 00 14 00 08  ................
> > 00A0: 00 16 00 0B 00 02 01 00                            ........
> > [Raw read]: length = 5
> > 0000: 15 03 01 00 02                                     .....
> > [Raw read]: length = 2
> > 0000: 02 28                                              .(
> > main, READ: TLSv1 Alert, length = 2
> > main, RECV TLSv1 ALERT:  fatal, handshake_failure
> > main, called closeSocket()
> > main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> > main, called close()
> > main, called closeInternal(true)
> >
> > I really had no idea how to interpret the error - it's a bit
> > ambiguous.
> >
> > I took a wild guess that maybe it was because it was trying TLSv1,
> > and enabled 1.1 and 1 on the server - and it appeared to fix the
> > error.
> >
> > So as best as I can tell, even though tomcat 7 supports TLSv1, the
> > tomcat maven plugin does not. I think?
>
> What's the configuration of Tomcat's <Connector>(s) in both the
> working and non-working example? What version of the JVM is in use?
>
> > My two main questions would be:
> >
> > - is there a better way to debug this issue?
> > - is there a way to enable TLSv1.2 support in the tomcat maven plugin?
> >
> > The maven plugin is version 2.2, maven is 3.0.4. The server is
> > tomcat 7.
>
> What about the JVM being used with Maven?
>
> Can you try running this tool against your server?
> http://markmail.org/thread/tz4z44nfjl7sy2lj
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJU+IWnAAoJEBzwKT+lPKRYwDIP/27+p8e6NAdn7qodRKO+WRlr
> ofecmUEk2OIxDz3V3NXMa6ZPBBkpnvEJ0snd8WuXDuLUjqsfy4SZpTnWuV2cx5Vh
> V84JJAnRN2aH3MIm9X+Qi8X4msrdmWg2ZBmU4yf+rNOuX9Uz1OO2kic9kBjRa/WF
> R7sZj4NUrdBag9d4WKCGt7gmUvFVSrmWmEAjof2fi/5FsSyqhT4Jue/J76RDIrGH
> HmRQXBrLyngUqExrVGlCbzQegPvpziBNX0P8mqlSZZ90BCEHm1eB7m4dsR3/wTAD
> 0o1Y2cOrWbgWt34pUiSDudX77p4/ENXDpusZ3rje2b7s278C9c5l2NVUJLyLO6uz
> mQNc6rJL8jzMAA6wsDMeOWlHCwjMS7EJ5mlB2teH8EVIG1V1LvJrmqVSC0GWKDz4
> jMVMw/dG6cGEUPPt15uVX6PVDvRPHd54eZoFy/UDNeMhhg9e+6bRcHlV8UmtcOlb
> ZKNtp2TA+8cdpszvab/e6t84v9e78Iwd7k4Vhl+xqXPkVngVnr9zG2PXJq2PxDNj
> niSPIP3oQd9A7W4ctFr0A+u60ASIvWiottN69Yv0ku25Z00e3swXO3Q3OMEmymvk
> qFsVHP2FK9ARBJEQbpHAOgh3Vsg0Ttx6EnwkSztMQ2augYkUSNeR+qw1ORos82M1
> cNilBEoJd3EdyeAijff0
> =Z+h2
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
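The two "[Raw read]" lines in the quoted debug trace are a complete TLS record: content type 0x15 (alert), record-layer version 3.1 (TLSv1), length 2, then the alert body 02 28 (level 2 = fatal, description 40 = handshake_failure). The version a client claims lives in the ClientHello's client_version field, not in the record header, so knowing how to read both is what turns this trace from "ambiguous" into a diagnosis. The decoder below is an added example written for this page, not code from the thread, from Tomcat or from the Maven plugin. It embeds the alert bytes copied from the trace and builds a minimal synthetic ClientHello (no extensions, random filled by os.urandom) so it runs offline; the comment describing a TLSv1 ClientHello as what a default Java 7 client sends is an assumption about that client, not something the trace itself shows.

```python
"""Decode TLS record-layer bytes such as those printed by -Djavax.net.debug=ssl."""
import os
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    86: "inappropriate_fallback", 112: "unrecognized_name",
}
HANDSHAKE_TYPES = {
    0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 14: "server_hello_done", 16: "client_key_exchange",
    20: "finished",
}


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor))


def parse_records(data):
    """Split a byte string into TLS records; decode the fields that matter for handshake failures."""
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        # Record header: content type (1), protocol version (2), body length (2).
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        rec = {
            "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "record_version": version_name(major, minor),
            "length": length,
        }
        if ctype == 21 and length == 2:
            # Alert body: level (1), description (1).
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
        elif ctype == 22 and length >= 4:
            # Handshake header: message type (1), length (3); Hello messages then carry a version.
            htype = body[0]
            rec["handshake"] = HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype)
            if htype in (1, 2) and length >= 6:
                rec["hello_version"] = version_name(body[4], body[5])
        records.append(rec)
        off += 5 + length
    return records


def build_client_hello(client_version, cipher_suites, record_version=(3, 1)):
    """Build a minimal ClientHello record (no extensions) so the decoder can be exercised offline."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes(client_version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites          # cipher suite list
            + b"\x01\x00")                                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def explain(records):
    """Turn decoded records into the one-line diagnosis the debug log does not print."""
    notes = []
    for rec in records:
        if rec.get("handshake") == "client_hello":
            notes.append("client offered %s as its highest version" % rec["hello_version"])
        elif rec.get("handshake") == "server_hello":
            notes.append("server selected %s" % rec["hello_version"])
        elif rec["type"] == "alert":
            notes.append("%s alert: %s (record version %s)"
                         % (rec["level"], rec["description"], rec["record_version"]))
    return notes


# Bytes copied from the two "[Raw read]" lines of the debug trace quoted in this thread.
SERVER_REPLY = bytes.fromhex("1503010002" "0228")

if __name__ == "__main__":
    # Assumption: a default Java 7 client sends a TLSv1 ClientHello; a TLSv1.2-only server rejects it.
    hello = build_client_hello((3, 1), [0x002F, 0x0035])
    for line in explain(parse_records(hello + SERVER_REPLY)):
        print(line)
```

Run it and the output reads "client offered TLSv1 as its highest version" followed by "fatal alert: handshake_failure (record version TLSv1)", which is the situation in the thread: a server configured with sslEnabledProtocols="TLSv1.2" alone has nothing in common with a client whose highest offered version is TLSv1, so it answers the ClientHello with a fatal handshake_failure alert. Note that the record-layer version on the alert is whatever the server chose to stamp on it and is not evidence of what the client offered; the client's own version is only in its ClientHello.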
