Posted to users@tomcat.apache.org by Francisco Queiros Pinto <fr...@computing-services.oxford.ac.uk> on 2002/09/27 19:57:25 UTC

SSL Broken in 4.1.12?

Hi,

I've just upgraded Tomcat 4.1.10 to 4.1.12.
When trying a secure connection, the browser asks me to
accept the server certificate and seems to achieve it.
However, contrary to the previous version, now the server
generates the following error:

---- (catalina.out) ----
WARNING: Exception getting SSL attributes
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
...
----

To see if there was anything wrong with the old certificate
I've created a new certificate and started tomcat again.
However, as previously, the browser still seems to open a
secure connection with the server, but the server error still
persists.

Is this a bug or a feature related with a security vulnerability
in the previous version?

Anyone had similar problems?
Regards,


-- 
Francisco


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: SSL Broken in 4.1.12?

Posted by Bill Barker <re...@verizon.net>.
If you are not using client-cert auth, this is just a useless waste of
log-space (e.g. debugging statements that weren't removed).  If you can
waste the space, then you can safely ignore the warnings.  Replacing
tomcat-util.jar from the nightly (This is a pretty stable package, so not
much risk) will fix the logs.  If you are using client-cert auth with
Coyote, then you must upgrade the jar file, since it is broken in 4.1.12
with Coyote unless you are using 'clientAuth="true"'.

"Francisco Queiros Pinto" <fr...@computing-services.oxford.ac.uk>
wrote in message news:3D949C05.3090804@computing-services.oxford.ac.uk...
> Hi,
>
> I've just upgraded Tomcat 4.1.10 to 4.1.12.
> When trying a secure connection, the browser asks me to
> accept the server certificate and seems to achieve it.
> However, contrary to the previous version, now the server
> generates the following error:
>
> ---- (catalina.out) ----
> WARNING: Exception getting SSL attributes
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>          at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>          at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> ...
> ----
>
> To see if there was anything wrong with the old certificate
> I've created a new certificate and started tomcat again.
> However, as previously, the browser still seems to open a
> secure connection with the server, but the server error still
> persists.
>
> Is this a bug or a feature related with a security vulnerability
> in the previous version?
>
> Anyone had similar problems?
> Regards,
>
>
> --
> Francisco
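
An added example (not part of the thread and not Tomcat's code) of the behaviour described in the reply above: on a connection made without client-cert auth, asking the session for the peer's chain throws SSLPeerUnverifiedException, which is an expected outcome rather than a fault. It uses SSLSession.getPeerCertificates(), the current JSSE counterpart of the getPeerCertificateChain() call in the trace; the class name, helper names and the proxy-based stand-in session are constructed for illustration.

```java
import java.lang.reflect.Proxy;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class PeerChainDemo {

    /** Returns the client's certificate chain, or null when the client sent none. */
    static Certificate[] peerChainOrNull(SSLSession session) {
        try {
            return session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // Normal for server-auth-only TLS: the handshake succeeded, the
            // client just did not authenticate with a certificate. Not worth
            // a WARNING with a stack trace on every request.
            return null;
        }
    }

    /** A missing chain is an error only when the endpoint requires a client cert. */
    static boolean accept(SSLSession session, boolean clientCertRequired) {
        Certificate[] chain = peerChainOrNull(session);
        return chain != null || !clientCertRequired;
    }

    /** Constructed stand-in for a session negotiated without a client certificate. */
    static SSLSession sessionWithoutClientCert() {
        return (SSLSession) Proxy.newProxyInstance(
            SSLSession.class.getClassLoader(),
            new Class<?>[] { SSLSession.class },
            (proxy, method, args) -> {
                if (method.getName().equals("getPeerCertificates")) {
                    // Declared by the interface method, so it propagates unchanged.
                    throw new SSLPeerUnverifiedException("peer not authenticated");
                }
                throw new UnsupportedOperationException(method.getName());
            });
    }

    public static void main(String[] args) {
        SSLSession s = sessionWithoutClientCert();
        System.out.println("chain present:            " + (peerChainOrNull(s) != null));
        System.out.println("clientAuth=false accepts: " + accept(s, false));
        System.out.println("clientAuth=true accepts:  " + accept(s, true));
    }
}
```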







Re: SSL Broken in 4.1.12?

Posted by Alexey Lischinsky <oa...@directvinternet.com>.
Maybe I'm wrong, but try to check the connector settings in
$CATALINA_HOME/conf/server.xml for SSL.

I have the following:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="7443" [skip] scheme="https" secure="true">
  <Factory className="[skip]" clientAuth="false" keystorePass="[skip]"
           protocol="TLS"/>
</Connector>

In the Factory element, the clientAuth attribute should be false, or the server
will need a client certificate.

Good luck!
Alexey.

----- Original Message -----
From: "Francisco Queiros Pinto"
<fr...@computing-services.oxford.ac.uk>
To: <to...@jakarta.apache.org>
Sent: Friday, September 27, 2002 10:57 AM
Subject: SSL Broken in 4.1.12?


> Hi,
>
> I've just upgraded Tomcat 4.1.10 to 4.1.12.
> When trying a secure connection, the browser asks me to
> accept the server certificate and seems to achieve it.
> However, contrary to the previous version, now the server
> generates the following error:
>
> ---- (catalina.out) ----
> WARNING: Exception getting SSL attributes
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>          at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>          at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> ...
> ----
>
> To see if there was anything wrong with the old certificate
> I've created a new certificate and started tomcat again.
> However, as previously, the browser still seems to open a
> secure connection with the server, but the server error still
> persists.
>
> Is this a bug or a feature related with a security vulnerability
> in the previous version?
>
> Anyone had similar problems?
> Regards,
>
>
> --
> Francisco


Re: SSL Broken in 4.1.12?

Posted by Brad Plies <pl...@yahoo.com>.
I hate being one that says "works for me!", but it
does.  However, I did have a momentary problem too
after I upgraded from 4.0.4 to 4.1.12, but that was
because I forgot to copy a /keys directory.

Never have witnessed that backtrace before, it almost
looks like there is a requirement that the client
authenticates via SSL?  Personal certs?

--- Francisco Queiros Pinto
<fr...@computing-services.oxford.ac.uk>
wrote:
> Hi,
>
> I've just upgraded Tomcat 4.1.10 to 4.1.12.
> When trying a secure connection, the browser asks me to
> accept the server certificate and seems to achieve it.
> However, contrary to the previous version, now the server
> generates the following error:
>
> ---- (catalina.out) ----
> WARNING: Exception getting SSL attributes
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>          at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>          at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> ...
> ----
>
> To see if there was anything wrong with the old certificate
> I've created a new certificate and started tomcat again.
> However, as previously, the browser still seems to open a
> secure connection with the server, but the server error still
> persists.
>
> Is this a bug or a feature related with a security vulnerability
> in the previous version?
>
> Anyone had similar problems?
> Regards,
>
>
> --
> Francisco