Posted to users@tomcat.apache.org by Jan Eldenmalm <ja...@eldenmalm.com> on 2007/02/13 04:11:16 UTC

Tomcat 5.5.20 SSL "no errors" not working

Hello,

I have configured Tomcat (5.5.20 on a Windows Server 2003) to use SSL
on port 443 on a specific IP, using a Java keystore file:

    <Connector address="88.208.211.112" port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/ssl/obsid.key" keystorePass="******"  />

Additionally I have verified that the redirect port settings are ok:

    <Connector address="88.208.211.112" port="80" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" redirectPort="443" acceptCount="100"
               connectionTimeout="10000" disableUploadTimeout="true" />

When starting Tomcat I get no errors in any logs:

Feb 13, 2007 2:28:41 AM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-127.0.0.1-8009
Feb 13, 2007 2:28:41 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 875 ms
Feb 13, 2007 2:28:42 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Feb 13, 2007 2:28:42 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.20
Feb 13, 2007 2:28:42 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Feb 13, 2007 2:28:42 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Feb 13, 2007 2:28:43 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Feb 13, 2007 2:28:43 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-88.208.211.111-80
Feb 13, 2007 2:28:43 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-88.208.211.112-80
Feb 13, 2007 2:28:43 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-88.208.211.112-443
Feb 13, 2007 2:28:43 AM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
Feb 13, 2007 2:28:43 AM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Feb 13, 2007 2:28:44 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2093 ms

As you can try yourself, https://www.obsid.net does not respond
properly, whereas http://www.obsid.net does (the https responds
somewhat though).

In my search for a solution I even tried setting the keystoreFile and
keystorePass to an "absolute" path, and to a "wrong" path; neither
makes it work, nor creates any error logs.

               keystoreFile="conf/junkinexistentfolder/ssl/obsid.key"
               keystorePass="somethingwrong"  />

Nevertheless, if I remove the connector from server.xml, the log no
longer specifies that it started the connector. It does not show this
anymore:
Feb 13, 2007 2:28:43 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-88.208.211.112-443

I have checked the firewall, and if I remove the accept rule for 443
I get no response whatsoever, so I presume that the firewall settings
are OK. (I also tried connecting to localhost, which gives the same
"bad" connection that returns nothing but seems open, and my
external port scanners say that the port is open.) My conclusion: it's
open.

I have tested the keystore files on my development machine, and it
works like a dream, instantly. (I created the keystore file on
this development machine, and imported the certs, intermediary certs
and root certs on this development machine.)

I have checked the Windows event log, and it contains nothing related to
Tomcat, nor any port conflicts or other things even remotely connected
to a web server or network connections.

Any insights into where to start looking for the problem would be much 
appreciated.


// Jan
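An added diagnostic, written for this page; it is not part of the original post and not Tomcat code. The startup log above reports the 443 connector as started by Http11AprProtocol, i.e. the APR/native handler (tcnative), and in Tomcat 5.5 that handler does not read the JSSE attributes keystoreFile/keystorePass at all; it needs SSLEnabled, SSLCertificateFile and SSLCertificateKeyFile (PEM files) instead. A connector with only the JSSE attributes under APR starts cleanly, silently ignores a bogus keystore path, and serves plaintext HTTP on 443, which matches every symptom described. The script below cross-checks a server.xml fragment against the startup log for exactly that mismatch, and classifies what answers a plaintext request on the port. The XML and log lines are constructed from the post (the poster's IP and paths, not mine); the probe() helper needs a live network and is assumed, not exercised, here.

```python
"""Added example: lint a Tomcat 5.5 SSL connector against the startup log.

Finds a secure="true" connector that the log shows running under
Http11AprProtocol while carrying only JSSE keystore attributes, which
APR ignores. Not code from the original post or from Tomcat."""
import re
import socket
import xml.etree.ElementTree as ET

# Attributes read only by the JSSE (pure-Java) connector; APR silently ignores them.
JSSE_SSL_ATTRS = {"keystoreFile", "keystorePass", "keystoreType",
                  "sslProtocol", "clientAuth", "truststoreFile"}
# Minimum the APR connector needs to serve TLS (Tomcat 5.5 APR connector attributes).
APR_SSL_ATTRS = {"SSLEnabled", "SSLCertificateFile", "SSLCertificateKeyFile"}

PROTO_RE = re.compile(r"org\.apache\.coyote\.http11\.(Http11\w*Protocol) start")
START_RE = re.compile(r"Starting Coyote HTTP/1\.1 on http-([\d.]+)-(\d+)")


def started_connectors(log_text):
    """Map (address, port) -> protocol class from the two-line 'start' INFO records."""
    found = {}
    lines = log_text.splitlines()
    for i in range(len(lines) - 1):
        proto = PROTO_RE.search(lines[i])
        start = START_RE.search(lines[i + 1])
        if proto and start:
            found[(start.group(1), int(start.group(2)))] = proto.group(1)
    return found


def lint_ssl_connectors(server_xml, log_text):
    """Return one finding string per misconfigured secure="true" connector."""
    findings = []
    started = started_connectors(log_text)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("secure") != "true":
            continue
        key = (conn.get("address", "0.0.0.0"), int(conn.get("port")))
        proto = started.get(key)
        attrs = set(conn.attrib)
        if proto is None:
            findings.append(f"{key}: secure connector not reported as started")
        elif proto == "Http11AprProtocol":
            ignored = sorted(JSSE_SSL_ATTRS & attrs)   # set but never read by APR
            missing = sorted(APR_SSL_ATTRS - attrs)    # needed by APR, absent
            if ignored or missing:
                findings.append(
                    f"{key}: runs under APR; ignored JSSE attrs {ignored}; "
                    f"missing APR attrs {missing}; port will serve plaintext HTTP")
    return findings


def classify_reply(first_bytes):
    """Classify the first bytes returned after sending a plaintext HTTP request.

    A TLS endpoint answers a non-TLS request with a TLS alert record (0x15),
    or a handshake record (0x16) to a ClientHello; both carry a 0x03 version
    byte next. A plain HTTP listener answers with an HTTP status line."""
    if (len(first_bytes) >= 2 and first_bytes[0] in (0x15, 0x16)
            and first_bytes[1] == 0x03):
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Live check (needs network, assumed helper): is the port TLS or plaintext?"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return classify_reply(s.recv(16))


# Constructed from the post: the connectors as configured and the log lines produced.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector address="88.208.211.112" port="443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/ssl/obsid.key" keystorePass="******"/>
  <Connector address="88.208.211.112" port="80" redirectPort="443"/>
</Service></Server>"""

STARTUP_LOG = """Feb 13, 2007 2:28:43 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-88.208.211.112-80
Feb 13, 2007 2:28:43 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-88.208.211.112-443"""

if __name__ == "__main__":
    for finding in lint_ssl_connectors(SERVER_XML, STARTUP_LOG):
        print(finding)
```

Run as-is it reports the 443 connector as running under APR with its JSSE attributes ignored and the three APR SSL attributes missing; probe("www.obsid.net", 443) against a live host would return "plaintext-http" for a server in that state and "tls" once the connector carries the APR attributes (or once the APR listener is removed so the JSSE connector takes over and the keystore settings are honoured).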