http://issues.apache.org/bugzilla/show_bug.cgi?id=40680

           Summary: SSL issue with X509 own signed certs but same in pkcs12 work
           Product: Tomcat 5
           Version: 5.5.17
          Platform: Other
        OS/Version: Windows XP
            Status: NEW
          Severity: major
          Priority: P2
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

When using self-signed certificates, I have no problem getting SSL connections with Tomcat.

Then I tried using the certificate I already used in Apache (and that worked well). This certificate has been signed by my own CA, which I created with CA.pl from OpenSSL. This certificate is server.cert and is PEM encrypted.

Here is what I did:

1) Make an X509 valid certificate:

    openssl x509 -in server.cert -out serverx509.pem

2) Import the certificate in a keystore:

    keytool -import -keystore c:\ssl\.keystore -alias tomcat -file serverx509.pem

(password is "changeit" as expected by Tomcat)

The import is OK; I get a correct .keystore file which I can read with:

    keytool -list -keystore c:\ssl\.keystore

4) Configure Tomcat in server.xml:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\ssl\.keystore" />

5) Launch Tomcat:

Tomcat launches but catalina.xxx.log tells me:

4 oct. 2006 17:11:41 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin;.;C:\WINDOWS\System32;C:\WINDOWS;C:\Perl\bin\;C:\Program Files\Windows Resource Kits\Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Fichiers communs\GTK\2.0\bin;C:\informix\bin;c:\OpenSSL\bin;C:\Program Files\Java\jre1.5.0_09\bin
4 oct. 2006 17:11:41 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8081
4 oct. 2006 17:11:42 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8443
4 oct. 2006 17:11:42 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1472 ms
4 oct. 2006 17:11:42 org.apache.catalina.core.StandardService start
INFO: Démarrage du service Catalina
4 oct. 2006 17:11:42 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.17
4 oct. 2006 17:11:42 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
4 oct. 2006 17:11:44 org.apache.catalina.startup.HostConfig deployWAR
INFO: Déploiement de l'archive standard-examples.war de l'application web
4 oct. 2006 17:11:45 org.apache.catalina.startup.HostConfig deployWAR
INFO: Déploiement de l'archive PharmaJ.war de l'application web
4 oct. 2006 17:11:46 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8081
4 oct. 2006 17:11:46 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8443
4 oct. 2006 17:11:46 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
GRAVE: Le point de contact [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] a ignoré l'exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Unknown Source)
4 oct. 2006 17:11:46 org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
ATTENTION: Réinitialisation du ServerSocket
[...]

And of course I can't get an SSL connection.

I've been working on it hard for several days and then found a post on a mailing list which suggested using a pkcs12 keystore instead. So, here is what I did:

6) Create a pkcs12 from the already existing server.cert (the same file as used above!):

    openssl pkcs12 -export -in server.cert -out keystore.p12 -inkey server.key -name "Certificat Serveur Tomcat"
    move keystore.p12 c:\ssl\

7) Configure Tomcat to use a pkcs12 keystore:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12"
               keystoreFile="c:\ssl\keystore.p12" />

8) Launch Tomcat:

It works! Here is the catalina.xxx.log:

4 oct. 2006 17:30:05 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin;.;C:\WINDOWS\System32;C:\WINDOWS;C:\Perl\bin\;C:\Program Files\Windows Resource Kits\Tools\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Fichiers communs\GTK\2.0\bin;C:\informix\bin;c:\OpenSSL\bin;C:\Program Files\Java\jre1.5.0_09\bin
4 oct. 2006 17:30:05 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8081
4 oct. 2006 17:30:05 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8443
4 oct. 2006 17:30:05 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1673 ms
4 oct. 2006 17:30:06 org.apache.catalina.core.StandardService start
INFO: Démarrage du service Catalina
4 oct. 2006 17:30:06 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.17
4 oct. 2006 17:30:06 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
4 oct. 2006 17:30:08 org.apache.catalina.startup.HostConfig deployWAR
INFO: Déploiement de l'archive standard-examples.war de l'application web
4 oct. 2006 17:30:08 org.apache.catalina.startup.HostConfig deployWAR
INFO: Déploiement de l'archive PharmaJ.war de l'application web
4 oct. 2006 17:30:09 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8081
4 oct. 2006 17:30:09 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Démarrage de Coyote HTTP/1.1 sur http-8443
4 oct. 2006 17:30:09 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8010
4 oct. 2006 17:30:09 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/30 config=null
4 oct. 2006 17:30:10 org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
4 oct. 2006 17:30:10 org.apache.catalina.startup.Catalina start
INFO: Server startup in 4186 ms

And I can access Tomcat in SSL mode with https://localhost:8443/ (the certificate popup prompts and so on).

So, only the file format changed from x509 to pkcs12, and this makes Tomcat accept the cert. Why?

Note this occurs on Win XP and I haven't tested it on a Linux platform.

--
Arnaud
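As an added diagnostic (not part of the report, and not Tomcat's own code), the following Java program opens a keystore and reports, per alias, whether it holds a private key with its certificate chain or only a trusted certificate; a server connector can only complete a TLS handshake from an entry of the first kind. The file, store type and password arguments are assumptions chosen to match the two keystores created in the report (c:\ssl\.keystore as JKS with "changeit", c:\ssl\keystore.p12 as PKCS12 with the export password).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/*
 * Added example: inspects a keystore the way a server connector sees it.
 * Usage (paths are assumptions taken from the report above):
 *   java KeystoreCheck c:\ssl\.keystore   JKS    changeit
 *   java KeystoreCheck c:\ssl\keystore.p12 PKCS12 <export password>
 */
public class KeystoreCheck {

    // True if at least one alias is a key entry (private key + cert chain),
    // which is what a TLS server needs; "keytool -import -file cert.pem"
    // alone creates a trusted-certificate entry without any key.
    public static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreCheck <file> <JKS|PKCS12> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "?";
            System.out.println(alias + ": " + kind + " (" + subject + ")");
        }
        if (!hasPrivateKey(ks)) {
            System.out.println("No private key entry: a server connector cannot use this keystore.");
            System.exit(1);
        }
        System.out.println("OK: a private key entry is present.");
    }
}
```

Run against the JKS file built with keytool -import in step 2 it reports only a trustedCertEntry, while the PKCS12 file built with openssl pkcs12 -export -inkey server.key carries the private key, which matches the handshake failure and success seen in the two logs.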