Posted to users@tomcat.apache.org by Allen Razdow <ar...@truenum.com> on 2010/07/08 07:22:31 UTC

SSL problem

Using Tomcat 6.0.14 on an Amazon EC2 server instance, trying to get SSL
working.

1) succeeded when following Tomcat doc for installing a self-signed
certificate so I know server works and can do SSL

2) tomcat gives errors on startup using a .keystore made with java keytool
by adding cert chain from go-daddy.

Here's server.xml connector being used:

<Connector protocol="HTTP/1.1" port="443"  SSLEnabled="true"
               keystoreFile="/root/tomcat.keystore" keystorePass="changeit"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

I proved that it is finding the tomcat.keystore by renaming and getting a
not-found error.

Running keytool -list on it reveals 3 entries:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

intermediate, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34

tomcat, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 73:B5:1A:91:E5:F5:56:A1:10:8A:95:E1:A5:7A:0D:AF

cross, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45

After startup.sh, my catalina.out says:

javax.net.ssl.SSLException: No available certificate or key corresponds to
the SSL cipher suites which are enabled.

Anything obvious I'm missing??

Allen Razdow
founder & president

True Engineering Technology, LLC
One Broadway, Cambridge, MA 02142 USA
T: +1.617.674.2460 x101
E-mail: arazdow@truenum.com
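
The listing above shows the shape of the problem before Tomcat is even started: all three aliases are trustedCertEntry, and a JSSE key manager can only present a certificate that sits in a PrivateKeyEntry (older keytool versions print it as keyEntry). The script below is an added example, not code from this thread or from Tomcat; it parses keytool -list output and reports whether the alias the connector will use holds a private key. Two listings are embedded as constructed samples, one shaped like the thread's keystore and one with a key pair. It assumes the alias is "tomcat", the alias used in the thread; pass the connector's keyAlias as the second argument of has_server_key when one is configured.

```shell
#!/bin/sh
# Added example (not from the thread): inspect `keytool -list` output for the
# entry type behind each alias. Only a PrivateKeyEntry (or keyEntry on older
# keytool versions) gives JSSE a key to pair with its cipher suites; a
# keystore holding only trustedCertEntry entries fails at startup with
# "No available certificate or key corresponds to the SSL cipher suites
# which are enabled".

# Constructed listing shaped like the thread's keystore: three trusted
# certificates, no private key.
SAMPLE_BROKEN='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

intermediate, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
tomcat, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 73:B5:1A:91:E5:F5:56:A1:10:8A:95:E1:A5:7A:0D:AF
cross, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45'

# Constructed listing of a keystore that can serve TLS: the "tomcat" alias
# holds a key pair, so keytool reports it as PrivateKeyEntry.
SAMPLE_OK='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Jul 8, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 73:B5:1A:91:E5:F5:56:A1:10:8A:95:E1:A5:7A:0D:AF
intermediate, Jul 8, 2010, trustedCertEntry,
Certificate fingerprint (MD5): D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34'

# Print "alias=EntryType" for every entry line. Entry lines end in an entry
# type followed by a comma; the alias is the first ", "-separated field and
# the type is the last, which keeps the parse independent of the date format
# keytool uses for the locale.
entry_types() {
    printf '%s\n' "$1" | awk -F', ' '
        $NF ~ /Entry,?$/ { t = $NF; sub(/,$/, "", t); print $1 "=" t }'
}

# Print the aliases that hold a private key, one per line.
private_key_aliases() {
    entry_types "$1" | awk -F= '$2 == "PrivateKeyEntry" || $2 == "keyEntry" { print $1 }'
}

# Succeed when the alias the connector will use holds a private key.
# Assumed alias: "tomcat", as in the thread; pass the connector's keyAlias
# as the second argument otherwise.
has_server_key() {
    private_key_aliases "$1" | grep -qxF "${2:-tomcat}"
}

# Human-readable verdict for a listing, for stand-alone runs.
report() {
    echo "$2"
    entry_types "$1" | sed 's/^/  /'
    if has_server_key "$1"; then
        echo "  ok: alias 'tomcat' holds a private key for the connector to present"
    else
        echo "  problem: no PrivateKeyEntry under 'tomcat'; import the CA's reply onto"
        echo "  the key pair's alias instead of adding the certificate as a trusted entry"
    fi
}

report "$SAMPLE_BROKEN" "listing resembling the thread's keystore:"
report "$SAMPLE_OK" "listing with a key pair under 'tomcat':"
```

On a live host, feed the real listing in with `has_server_key "$(keytool -list -keystore /root/tomcat.keystore -storepass changeit)"`; the MD5 fingerprints in the samples are copied from the thread's own listing and play no role in the check.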

RE: SSL problem

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Allen Razdow [mailto:arazdow@truenum.com]
> Subject: RE: SSL problem
> 
> Maybe I'll just start from scratch with the latest.

Strongly recommended.

> The sigalg seems to be SHA1withRSA.  I gather there is 
> something like a cipher suite associated with JSEE...

It's JSSE, not JSEE.  Yes, the 1.5 and 1.6 JVMs come with basic cipher capabilities.  The certificates I'm using on stock 1.5 and 1.6 JVMs use SHA1withRSA without problem.

Hmmm...

Try running this program on your JVM to see all the JSSE stuff that's available.

import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.Set;

// Lists every installed security provider together with the services
// (SSLContext, KeyManagerFactory, Signature, ... implementations) and the
// raw properties each one registers.
public class SecList {
  public static void main(String args[]) {
    Provider[] providers = Security.getProviders();

    for (Provider p : providers) {
      System.out.print(p.getName() + ", version " + p.getVersion());
      System.out.println(": " + p.getInfo());

      // One Service per algorithm implementation, e.g. type SSLContext, algorithm TLS.
      Set<Provider.Service> services = p.getServices();
      for (Provider.Service s : services) {
        System.out.println("  service " + s.getType() + ": " + s.getAlgorithm() + " (" + s.getClassName() + ")");
      }

      // The property table behind the provider, which also shows algorithm aliases.
      Set<Map.Entry<Object, Object>> entries = p.entrySet();
      for (Map.Entry<Object, Object> e : entries) {
        System.out.println("  property " + e.toString());
      }
    }
  }
}

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: SSL problem

Posted by Allen Razdow <ar...@truenum.com>.
Thanks Charles, I was offline most of today...

I'm using a public machine image from Amazon, and that was the version
given.  Maybe I'll just start from scratch with the latest.

The sigalg seems to be SHA1withRSA.  I gather there is something like a
cipher suite associated with JSEE...not sure how to specify one (the right
one).

JAVA VERSION:

java version "1.6.0_17"
Java(TM) SE Runtime Environment (build 1.6.0_17-b04)

I thought versions above 1.4 had JSEE installed, but maybe there are missing
pieces.  I sure wish one of the cert vendors would just sell you a .keystore
file that worked!

-Allen

Verbose keytool -list -v:


#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FD AC 61 32 93 6C 45 D6   E2 EE 85 5F 9A BA E7 76  ..a2.lE...._...v
0010: 99 68 CC E7                                        .h..
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.godaddy.com]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://certificates.godaddy.com/repository/gdroot.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2A 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .*http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79              m/repository

]]  ]
]

#7: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 C4 B0 D2 91 D4 4C 11   71 B3 61 CB 3D A1 FE DD  ......L.q.a.=...
0010: A8 6A D4 E3                                        .j..
]

]



*******************************************
*******************************************


Alias name: tomcat
Creation date: Jul 8, 2010
Entry type: trustedCertEntry

Owner: CN=*.truenumbers.com, OU=Domain Control Validated,
O=*.truenumbers.com
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority,
OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.",
L=Scottsdale, ST=Arizona, C=US
Serial number: 449ec6f045efd
Valid from: Sun Jun 27 19:22:11 EDT 2010 until: Mon Jun 27 19:22:11 EDT 2011
Certificate fingerprints:
         MD5:  73:B5:1A:91:E5:F5:56:A1:10:8A:95:E1:A5:7A:0D:AF
         SHA1: ED:C0:D5:7D:C1:DB:BF:12:68:F9:87:99:63:1D:59:3C:75:6B:C9:84
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 22 75 BA 70 0B 1D AB BF   C3 77 64 8B 70 23 35 5E  "u.p.....wd.p#5^
0010: C9 AB D9 7F                                        ....
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.godaddy.com/, accessMethod:
1.3.6.1.5.5.7.48.2
   accessLocation: URIName:
http://certificates.godaddy.com/repository/gd_intermediate.crt]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gds1-19.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

]]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FD AC 61 32 93 6C 45 D6   E2 EE 85 5F 9A BA E7 76  ..a2.lE...._...v
0010: 99 68 CC E7                                        .h..
]

]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.truenumbers.com
  DNSName: truenumbers.com
]



*******************************************
*******************************************


Alias name: cross
Creation date: Jul 8, 2010
Entry type: trustedCertEntry

Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group,
Inc.", C=US
Issuer: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/,
OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.",
L=ValiCert Validation Network
Serial number: 10d
Valid from: Tue Jun 29 13:06:20 EDT 2004 until: Sat Jun 29 13:06:20 EDT 2024
Certificate fingerprints:
         MD5:  82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
         SHA1: DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 C4 B0 D2 91 D4 4C 11   71 B3 61 CB 3D A1 FE DD  ......L.q.a.=...
0010: A8 6A D4 E3                                        .j..
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.godaddy.com]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://certificates.godaddy.com/repository/root.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2A 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .*http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79              m/repository

]]  ]
]

#7: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert
Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert
Validation Network]
SerialNumber: [    01]
]



*******************************************
*******************************************


[root@ip-10-212-151-97 ~]#

> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Thursday, July 08, 2010 2:41 PM
> To: Tomcat Users List
> Subject: RE: SSL problem
> 
> > From: Allen Razdow [mailto:arazdow@truenum.com]
> > Subject: SSL problem
> >
> > Using Tomcat 6.0.14 on an amazon EC2 server instance
> 
> Don't suppose you'd like to try this on a version that's a bit less than
> three years old?  Pretty pointless to debug on something that ancient.
> Also, what JVM are you using with Tomcat?
> 
> > Running keytool -list on it reveals 3 entries:
> 
> Are you sure one of those is your Go Daddy certificate?  (Use the -v
> option with -list to display the details.)
> 
> > javax.net.ssl.SSLException: No available certificate or key
> > corresponds to the SSL cipher suites which are enabled.
> 
> What signature algorithms does -list -v show for the Go Daddy certificate?
> 
>  - Chuck




RE: SSL problem

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Allen Razdow [mailto:arazdow@truenum.com]
> Subject: SSL problem
> 
> Using Tomcat 6.0.14 on an amazon EC2 server instance

Don't suppose you'd like to try this on a version that's a bit less than three years old?  Pretty pointless to debug on something that ancient.  Also, what JVM are you using with Tomcat?

> Running keytool -list on it reveals 3 entries:

Are you sure one of those is your Go Daddy certificate?  (Use the -v option with -list to display the details.)

> javax.net.ssl.SSLException: No available certificate or key 
> corresponds to the SSL cipher suites which are enabled.

What signature algorithms does -list -v show for the Go Daddy certificate?

 - Chuck

