SSL problem

Using Tomcat 6.0.14 on an amazon EC2 server instance, trying to get SSL working.

1) Succeeded when following the Tomcat doc for installing a self-signed certificate, so I know the server works and can do SSL.

2) Tomcat gives errors on startup using a .keystore made with java keytool by adding the cert chain from Go Daddy.

Here’s server.xml connector being used:

I proved that it is finding the tomcat.keystore by renaming and getting a not-found error.

Running keytool -list on it reveals 3 entries:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 3 entries

intermediate, Jul 8, 2010, trustedCertEntry,

Certificate fingerprint (MD5): D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34

tomcat, Jul 8, 2010, trustedCertEntry,

Certificate fingerprint (MD5): 73:B5:1A:91:E5:F5:56:A1:10:8A:95:E1:A5:7A:0D:AF

cross, Jul 8, 2010, trustedCertEntry,

Certificate fingerprint (MD5): 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45

After startup.sh, my catalina.out says:

javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

Anything obvious I’m missing??

Allen Razdow

founder & president

True Engineering Technology, LLC

One Broadway, Cambridge, MA 02142 USA

T: +1.617.674.2460 x101

E-mail: arazdow@truenum.com
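An added check (not part of the original post or of Tomcat) that parses the `keytool -list` output shown above and says why the connector has nothing to serve: every entry is a trustedCertEntry, so the keystore holds public certificates only and no private key. The parser accepts both the older `keyEntry` spelling and the newer `PrivateKeyEntry`; the "healthy" listing and the `key_alias` default of `tomcat` are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Entry types as keytool prints them (case varies by Java version).
KEY_ENTRY_TYPES = {"privatekeyentry", "keyentry"}
TRUST_ENTRY_TYPES = {"trustedcertentry"}
KNOWN_TYPES = KEY_ENTRY_TYPES | TRUST_ENTRY_TYPES | {"secretkeyentry"}

# Listing copied from the post above (fingerprint lines are ignored by the parser).
BROKEN_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

intermediate, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
tomcat, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 73:B5:1A:91:E5:F5:56:A1:10:8A:95:E1:A5:7A:0D:AF
cross, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
"""

# Constructed listing of what a working keystore looks like: the CA reply was
# imported under the same alias as the key pair, so "tomcat" is a key entry.
HEALTHY_LISTING = """\
Your keystore contains 2 entries

intermediate, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat, Jul 8, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""


def parse_keytool_list(text: str) -> List[Tuple[str, str]]:
    """Return (alias, entry_type) pairs from `keytool -list` output.

    Entry lines look like "alias, Mon D, YYYY, type,"; the date itself
    contains a comma, so we take the first and last non-empty fields.
    """
    entries = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        parts = [p for p in parts if p]
        if len(parts) >= 3 and parts[-1].lower() in KNOWN_TYPES:
            entries.append((parts[0], parts[-1]))
    return entries


def diagnose(entries: List[Tuple[str, str]], key_alias: str = "tomcat") -> Dict[str, object]:
    """Explain whether a JSSE connector could find a key in this keystore."""
    key_entries = [alias for alias, etype in entries if etype.lower() in KEY_ENTRY_TYPES]
    type_by_alias = {alias: etype.lower() for alias, etype in entries}
    problems: List[str] = []

    if not key_entries:
        problems.append(
            "No private key entry: every entry is a trustedCertEntry, so the keystore "
            "holds public certificates only and Tomcat has no key to pair with any "
            "enabled cipher suite (this produces the 'No available certificate or key' "
            "SSLException)."
        )
        if type_by_alias.get(key_alias) in TRUST_ENTRY_TYPES:
            problems.append(
                f"Alias '{key_alias}' is a trustedCertEntry: the CA-issued certificate was "
                "imported as a standalone trusted cert rather than as the reply to a key "
                "pair generated under that alias (keytool -genkey -alias ... first, then "
                "import the chain and the signed cert under the same alias)."
            )
    elif key_alias not in key_entries:
        problems.append(
            f"Private key is stored under {key_entries}, not '{key_alias}'; point the "
            "connector's keyAlias attribute at the alias that actually holds the key."
        )

    return {"ok": not problems, "key_entries": key_entries, "problems": problems}


if __name__ == "__main__":
    for name, listing in (("broken", BROKEN_LISTING), ("healthy", HEALTHY_LISTING)):
        result = diagnose(parse_keytool_list(listing))
        print(f"{name}: ok={result['ok']} key_entries={result['key_entries']}")
        for p in result["problems"]:
            print("  -", p)
```

Run it against the real listing by piping `keytool -list -keystore tomcat.keystore` into `parse_keytool_list`; the single question that matters for the error above is whether the alias the connector uses is a key entry, not how many certificates are present.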

(104)Connection reset by peer: SSL input filter read failed.

Hi,

can someone help?

many thanks, Mauri

2010/7/2 Mauri

SSL Not working on tomcat 5.5.29

Hi All,

I am working on upgrading Tomcat from 5.5.28 to 5.5.29 for one of the applications. I see that the website renders and works fine in 5.5.29 on port 8080 (non-SSL), but with SSL (port 8443) the website does not run at all. When I try to see what's going on in Fiddler, I see a 502 error. Also nothing is written to the log files. It is as if Tomcat is not even running on port 8443.

Under Tomcat 5.5.28, the site renders fine with SSL and non-SSL.

Is there something I could be missing?

Regards, Kareem

(104)Connection reset by peer: SSL input filter read failed.

Hi,

Using "ProxyRequests off" means Apache is going to be a reverse proxy, but I can't see your ProxyPassReverse statement. Also the order of the proxy commands is a little bit weird. I would do it this way:

ProxyRequests off
ProxyHTMLLogVerbose On
ProxyPreserveHost On
ProxyPass / https://10.10.0.1:8443/
ProxyPassReverse / https://10.10.0.1:8443/
ProxyHTMLURLMap https://itsmtest/ /

Cheers, Igor

On Fri, Jul 2, 2010 at 12:28 AM, Mauri wrote:

Name-based virtual hosting SSL (seems to work)

Thanks, Eric.

I'm a little confused. I _think_ you're saying that the vhost-scope configuration _for the SSL certificate stuff only_ will be served up to all, but the remaining directives (Directory, FastCGI stuff, etc.) will be on a per-NVH basis? At least those are the results that I'm seeing.

Which, if I’m reading this correctly, should be a complete non-issue, assuming that all sites are using the same wildcard certificates, right?

The FAQ for that release should say that the vhost-scope SSL configuration of the first-listed NVH will be used, limiting the certificate that can be presented to the default vhost's.

need help setting up tomcat with ssl client authentication

Tomcat version: 6.0.20
OS: Windows XP SP3 Professional Edition
Sun Java JDK 1.5.11

I am trying to do the following:

(a) create a certificate authority and self-sign server and client certificates using openssl and keytool
(b) import the keytool keystore into Tomcat
(c) verify the certificate chain using openssl verify (which does work and returns ok for all 3 certificates)
(d) have client authorization on – with it off Tomcat SSL works just fine; when it's turned on I get this error.

So far I have been following the steps listed in this tomcat-user group message: http://marc.info/?l=tomcat-user&m=106293430225790&w=2

but get this message from openssl s_client -cert c:\ssl\client\client.pem -CAfile c:\ssl\ca\ca.pem -connect localhost:443

3772:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
3772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:

and these messages from Firefox (after importing the certificate): initially 'sslv3 alert certificate unknown', then just 'SSL peer was not expecting a handshake message it received' after a few tries.

Does anyone know how to do this, or has anyone done this before? Thanks for your help in advance.

SSL and non SSL configuration on tomcat 6.0.26, confused

Our environment:

Unix Solaris 5.9
Tomcat 6.0.26
JVM 1.6.20

Our application runs in two frameworks. One uses https, one does not. I am trying to configure the Tomcat connectors to work, but when I get it working in one framework it does not work in the other.

*I have been told we do not need to 'handle' SSL totally as this is handled by our load balancers. Not sure what this means.*

For example: in one framework we'll get permission denied errors and the other will work. If we change things around, the opposite occurs, but instead of permission errors we get an invalid certificate error.

The tomcat documentation on connectors does not describe the options very well.

The above connectors work with the http framework but give me the "mixed content warning" in IE because some requests are http and some https.

It’s obvious I have not worked with SSL very much. Any help would be greatly appreciated.

Regards,

John Ranaudo

SSL and apache 2.2.15 installed from source. How to?

Are you using openssl libs? Do you want a dso? http://www.issociate.de/board/post/44936/Compiling_mod_ssl_as_a_DSO.html

On Thu, Jun 24, 2010 at 2:44 PM, Audrey Lee wrote:

SSL and apache 2.2.15 installed from source. How to?

A clue:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200901.mbox/%3C495EB674.1050309@kippdata.de%3E

It works for me on Solaris. Those symbols (without the leading underscore) are indeed referenced by ab.c, but they should be in your libcrypto (BIO*) and libssl (SSL*), respectively.

Are you sure, that the libraries libcrypto and libssl can be found? Are they in /Users/minfrin/src/apache/sandbox/crypto/nss-3.12/mozilla/dist/Darwin9.4.0_OPT.OBJ/lib?

Which version of OpenSSL do you use (I use 0.9.8i)? Can you see the symbols in the libs (check with "nm")?

Me, I tried this:

Thu Jun 24 14:36 /pt/tmp/httpd-2.2.15 maco$ find /usr/lib /opt/local/lib -name '*crypto*' -print | xargs grep _BIO_set_callback
Binary file /opt/local/lib/libcrypto.0.9.8.dylib matches
Binary file /opt/local/lib/libcrypto.a matches
Binary file /opt/local/lib/libcrypto.dylib matches
Thu Jun 24 14:37 /pt/tmp/httpd-2.2.15 maco$ find /usr/lib /opt/local/lib -name '*ssl*' -print | xargs grep

SSL and apache 2.2.15 installed from source. How to?

Google returns a lot of hits on:

Undefined symbols _BIO_set_callback_arg

On 6/24/10, Audrey Lee wrote: