Subject: Re: Tomcat Maven plugin failure: tries to use a TLSv1 handshake with a TLSv1.2 server.
From: Stu Smith
To: Tomcat Users List
Date: Thu, 5 Mar 2015 22:12:29 -0800
In-Reply-To: <54F885A7.40006@christopherschultz.net>

Hello Chris,

With maven, I am using:

java -version
java version "1.7.0_55"
OpenJDK Runtime Environment (IcedTea 2.4.7) (7u55-2.4.7-1ubuntu1~0.13.10.1)
OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

On the server,

java version "1.7.0_65"
OpenJDK Runtime Environment (IcedTea 2.5.1) (7u65-2.5.1-4ubuntu1~0.14.04.2)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

The tomcat configuration that works (password fields elided):

The one that does not work:

(Exactly the same, except more protocols enabled on sslEnabledProtocols)

I can try to run the tool, but not tonight! Thanks!

Also, given the only difference between working/not working is enabled protocol...... I'm not totally sure what we're looking for. I guess maybe to see what ciphers are enabled?

The site, while neither beautiful nor functional, does support ssl correctly in all the browsers I've tested (even on my gingerbread phone): https://www.shareplaylearn.com/#/share

I do have it working, and I was a bit frustrated last night - so I'm a little happier now - but still, it would be really nice if the plugin supported 1.2.. even nicer if it was smart enough to look for the CA certs in the standard locations, and "just work" (or something close to that) like a browser.
I've used HttpComponents HttpClient fairly often fairly recently, and the most recent stable version seems to handle ssl just fine, defaulting to the jvm cacert, etc.. no mavenrc necessary... which is one reason why I was a little bit confused by the maven plugin behavior.

Hope that doesn't sound too whiny - just explaining the POV - I do appreciate the help!

Take care,
-stu

On Thu, Mar 5, 2015 at 8:34 AM, Christopher Schultz <chris@christopherschultz.net> wrote:
> Stu,
>
> On 3/5/15 2:23 AM, Stu Smith wrote:
> > Hello,
> >
> > I'm using the tomcat maven plugin to deploy to an SSL-enabled host. I've pointed maven at a copy of the keystore used on the tomcat server itself, so all the keys should be there. Also, I enabled java.net.ssl.debug=all, and confirmed the public key, intermediate cert, and CA cert are loaded. Yet, with TLSv1.2 on the server, the handshake failed at this point:
> >
> > 0070: 00 17 00 01 00 03 00 13 00 15 00 06 00 07 00 09   ................
> > 0080: 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E 00 0F   ................
> > 0090: 00 10 00 11 00 02 00 12 00 04 00 05 00 14 00 08   ................
> > 00A0: 00 16 00 0B 00 02 01 00                           ........
> > [Raw read]: length = 5
> > 0000: 15 03 01 00 02                                    .....
> > [Raw read]: length = 2
> > 0000: 02 28                                             .(
> > main, READ: TLSv1 Alert, length = 2
> > main, RECV TLSv1 ALERT:  fatal, handshake_failure
> > main, called closeSocket()
> > main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> > main, called close()
> > main, called closeInternal(true)
> >
> > I really had no idea how to interpret the error - it's a bit ambiguous.
> >
> > I took a wild guess that maybe it was because it was trying TLSv1, and enabled 1.1 and 1 on the server - and it appeared to fix the error.
> >
> > So as best as I can tell, even though tomcat 7 supports TLSv1, the tomcat maven plugin does not. I think?
>
> What's the configuration of Tomcat's (s) in both the working and non-working example? What version of the JVM is in use?
>
> > My two main questions would be:
> >
> > - is there a better way to debug this issue?
> > - is there a way to enable TLSv1.2 support in the tomcat maven plugin?
> >
> > The maven plugin is version 2.2, maven is 3.0.4. The server is tomcat 7.
>
> What about the JVM being used with Maven?
>
> Can you try running this tool against your server?
> http://markmail.org/thread/tz4z44nfjl7sy2lj
>
> -chris
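As an added illustration (not code from the thread or from the Tomcat project), the following decodes the two `[Raw read]` records in Stu's debug output: a 5-byte TLS record header (`15 03 01 00 02`) followed by a 2-byte alert body (`02 28`). The alert codes are the RFC 5246 values; the sample bytes are copied from the dump above.

```python
# Decoder for the JSSE "[Raw read]" dumps quoted in the thread (added example,
# not code from the list post). Alert codes follow RFC 5246, section 7.2.
CONTENT_TYPE_ALERT = 21

RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}

def parse_hexdump(line):
    """Turn a JSSE dump line such as '0000: 15 03 01 00 02  .....' into bytes."""
    body = line.split(":", 1)[1] if ":" in line else line
    values = []
    for tok in body.split():
        if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            values.append(int(tok, 16))
        else:
            break  # first non-hex token is the ASCII column on the right
    return bytes(values)

def decode_alert(header, body):
    """Decode a 5-byte TLS record header plus a 2-byte alert body."""
    if len(header) != 5:
        raise ValueError("record header must be 5 bytes")
    content_type, major, minor = header[0], header[1], header[2]
    length = int.from_bytes(header[3:5], "big")
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (content type %d)" % content_type)
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, code = body[0], body[1]
    return {
        "record_version": RECORD_VERSIONS.get((major, minor), "unknown(%d.%d)" % (major, minor)),
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "code": code,
        "description": ALERT_DESCRIPTIONS.get(code, "unknown(%d)" % code),
    }

# Bytes copied from the two "[Raw read]" lines in the quoted debug output.
SAMPLE_HEADER = parse_hexdump("0000: 15 03 01 00 02   .....")
SAMPLE_BODY = parse_hexdump("0000: 02 28   .(")

if __name__ == "__main__":
    print(decode_alert(SAMPLE_HEADER, SAMPLE_BODY))
```

Alert 40 (handshake_failure) means the sender could not negotiate an acceptable set of security parameters from what the peer offered; a client that offers at most TLSv1 against a server with only TLSv1.2 enabled is one such case, which matches the fix Stu found.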