Author: markt
Date: Thu Dec 7 19:37:17 2006
New Revision: 483810
URL: http://svn.apache.org/viewvc?view=rev&rev=483810
Log:
Port fix for bug 41051.
Modified:
tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?view=diff&rev=483810&r1=483809&r2=483810
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Thu Dec 7 19:37:17 2006
@@ -444,23 +444,20 @@
<attributes>
<attribute name="algorithm" required="false">
- <p>The certificate encoding algorithm to be used. If not
- specified, the default value is <code>SunX509</code>.</p>
+ <p>The certificate encoding algorithm to be used. This defaults to the
Sun
+ implementation (<code>SunX509</code>). For IBM JVMs you should use the
+ value <code>IbmX509</code>. For other vendors, consult the JVM
+ documentation for the correct value.</p>
</attribute>
<attribute name="clientAuth" required="false">
<p>Set to <code>true</code> if you want the SSL stack to require a
- valid certificate chain from the client before
- accepting a connection.
- Set to <code>want</code> if you
- want the SSL stack to request a client
- Certificate, but
- not fail if one isn't presented. A <code>false</code>
+ valid certificate chain from the client before accepting a connection.
+ Set to <code>want</code> if you want the SSL stack to request a client
+ Certificate, but not fail if one isn't presented. A <code>false</code>
value (which is the default) will not require a certificate chain
- unless
- the client requests a resource protected by a security
- constraint
- that uses <code>CLIENT-CERT</code> authentication. See the
+ unless the client requests a resource protected by a security
+ constraint that uses <code>CLIENT-CERT</code> authentication. See the
<a href="../ssl-howto.html">SSL HowTo</a> for an example.</p>
</attribute>
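Review bot: the `clientAuth` paragraph capitalises "Certificate" mid-sentence ("request a client Certificate, but not fail"); lower-case it for consistency with the rest of the attribute table. It may also help readers to say explicitly that with `want`, the server continues the handshake when no certificate is presented, so the application itself must decide what to do with an unauthenticated client; the current text implies this but does not state it.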
@@ -491,6 +488,25 @@
<p>A comma seperated list of the encryption ciphers that may be used.
If not specified, then any available cipher may be used.</p>
</attribute>
+
+ <attribute name="keyAlias" required="false">
+ <p>The alias used to for the server certificate in the keystore. If not
+ specified the first key read in the keystore will be used.</p>
+ </attribute>
+
+ <attribute name="truststoreFile" required="false">
+ <p>The TrustStore file to use to validate client certificates.</p>
+ </attribute>
+
+ <attribute name="truststorePass" required="false">
+ <p>The password to access the TrustStore. This defaults to the value
+ of <code>keystorePass</code>.</p>
+ </attribute>
+
+ <attribute name="truststoreType" required="false">
+ <p>Add this element if your are using a different format for the
+ TrustStore then you are using for the KeyStore.</p>
+ </attribute>
</attributes>
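Review bot: the new `keyAlias` text has a stray word ("The alias used to for the server certificate"); suggest "The alias used for the server certificate in the keystore." The `truststoreType` text carries two errors ("if your are using" and "then you are using", which should be "than"), and the surrounding context line still reads "comma seperated" (pre-existing, but worth fixing while here). Since `truststorePass` is documented as defaulting to `keystorePass`, consider adding a sentence that the truststore only matters when `clientAuth` is `true` or `want`, so readers know when these four attributes need to be set at all.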
Modified: tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml?view=diff&rev=483810&r1=483809&r2=483810
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/ssl-howto.xml Thu Dec 7 19:37:17 2006
@@ -183,6 +183,14 @@
via (among other things) OpenSSL and Microsoft's Key-Manager.
</p>
+<p>Each entry in a keystore is identified by an alias string. Whilst many
+keystore implmentations treat alaises in a case insensitive manner, case
+sensitive implementations are available. The <code>PKCS11</code> specification,
+for example, requires that aliases are case sensitive. To avoid issues related
+to the case sensitivity of aliaises, it is not recommended to use aliases that
+differ only in case.
+</p>
+
<p>To import an existing certificate into a JKS keystore, please read the
documentation (in your JDK documentation package) about <code>keytool</code>.
Note that openssl often adds a readable comments before the key,
<code>keytool</code>does not support that, so remove the openssl comments if
they exist before importing the key using <code>keytool</code>.
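Review bot: the added alias paragraph has three spelling errors in consecutive lines ("implmentations", "alaises", "aliaises"); all should read "implementations" / "aliases". The advice itself is sound: because `keyAlias` lookups may be case sensitive depending on the keystore provider, aliases that differ only in case can silently select the wrong key. The unchanged context line "adds a readable comments before the key" (should be "adds readable comments") is pre-existing but could be fixed in the same commit.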
@@ -424,8 +432,8 @@
</tr>
<tr>
<td><code>keystoreType</code></td>
- <td>Add this element if using a PKCS12 keystore. The valid values are
- <code>JKS</code> and <code>PKCS12</code>.</td>
+ <td>Add this element if using a keystore type other than
+ <code>JKS</code>.</td>
</tr>
<tr>
<td><code>sslProtocol</code></td>
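Review bot: dropping the explicit list of valid values is reasonable now that provider-specific types are allowed, but the new wording "Add this element if using a keystore type other than JKS" leaves readers with no pointer to where the accepted values come from; suggest referring them to their JVM's keystore provider documentation, as the `algorithm` attribute text in the `http.xml` hunk already does.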
@@ -460,8 +468,7 @@
<tr>
<td><code>truststoreType</code></td>
<td>Add this element if your are using a different format for the
- TrustStore then you are using for the KeyStore. The valid values are
- <code>JKS</code> and <code>PKCS12</code>.</td>
+ TrustStore then you are using for the KeyStore.</td>
</tr>
<tr>
<td><code>keyAlias</code></td>
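Review bot: the retained line "if your are using a different format for the TrustStore then you are using for the KeyStore" keeps both the "your are" typo and "then" where "than" is meant; this is the same sentence that was added to `http.xml` in this commit, so both copies should be corrected together.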
@@ -579,6 +586,20 @@
attribute on the <code><Connector></code> element in the
<a href="#Edit the Tomcat Configuration File">Tomcat configuration
file</a>. <strong>REMINDER</strong> - Passwords are case sensitive!</p>
+ </blockquote></li>
+
+<li>When Tomcat starts up, I get an exception like
+ "java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
No
+ available certificate or key corresponds to the SSL cipher suites which are
+ enabled."
+ <blockquote>
+ <p>A likely explanation is that Tomcat cannot find the alias for the server
+ key withinthe specified keystore. Check that the correct
+ <code>keystoreFile</code> and <code>keyAlias</code> are specified in the
+ <code><Connector></code> element in the
+ <a href="#Edit the Tomcat Configuration File">Tomcat configuration
file</a>.
+ <strong>REMINDER</strong> - <code>keyAlias</code> values may be case
+ sensitive!</p>
</blockquote></li>
</ul>
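Review bot: "key withinthe specified keystore" is missing a space. The quoted exception text ("SSL handshake errorjavax.net.ssl.SSLException") runs two messages together; if that is how Tomcat actually prints it, a short note saying so would stop readers from thinking the FAQ entry is mistyped, and if not, insert the missing separator. The diagnosis is consistent with the alias paragraph added to the keystore section earlier in this commit, so linking the two (for example "see the note on alias case sensitivity above") would help users who land on the FAQ entry first.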