Posted to users@tomcat.apache.org by Peter Köhler <pe...@dw.com> on 2020/01/15 10:20:05 UTC

Tomcat 9.0.16 on RHEL 7: SSL and javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Dear Sirs,

I have an Alfresco 6 on Tomcat 9.0.16 and Java 1.8.0_212-b04 in a RHEL 7
environment.

The SSL connector inside server.xml is:

<Connector port="8443" protocol="HTTP/1.1"
           URIEncoding="UTF-8"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           keystoreFile="/web/data/alfresco/keystore/ssl.keystore"
           keystoreType="JCEKS" keystorePass="kT9X6oe68t"
           secure="true" connectionTimeout="240000"
           clientAuth="want"
           allowUnsafeLegacyRenegotiation="true"
           truststoreFile="/web/data/alfresco/keystore/ssl.truststore"
           truststorePass="kT9X6oe68t" truststoreType="JCEKS"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           HttpHeaderSize="32768"
           debug="1"
           sslProtocol="TLS" />

I have a tomcat-users.xml with an entry like:

<user username="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB"
      roles="repository" password="null"/>


The Solr client runs on a VM with the name lmssolr12-dev. It sends an SSL
certificate with the certificate common name 'Alfresco Repository' to the
Alfresco server, which is the name defined inside tomcat-users.xml.


But Java 1.8 doesn't care about the Tomcat SSL configuration and gives me
the error:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <lmssolr12-dev.dwelle.de> != </alfresco repository>


The Java configuration inside catalina.sh is:

  JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=true \
    -Djavax.net.ssl.keyStore=/web/data/alfresco/keystore/ssl.keystore \
    -Djavax.net.ssl.keyStorePassword=kT9X6oe68t \
    -Djavax.net.ssl.keyStoreType=JCEKS \
    -Djavax.net.ssl.trustStore=/web/data/alfresco/keystore/ssl.truststore \
    -Djavax.net.ssl.trustStorePassword=kT9X6oe68t \
    -Djavax.net.ssl.trustStoreType=JCEKS \
    -Djavax.net.debug=ssl,handshake \
    -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"


I thought that clientAuth="want" and sslProtocol="TLS" would allow X509
authentication via tomcat-users.xml.


What can I do to solve that problem?

Thanks

Peter
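Editor's note on the second exception quoted above. A message of the form "hostname in certificate didn't match: <host> != <names>" comes from hostname verification on the client side of a TLS connection: the client compares the name it dialled with the dNSName entries in the server certificate's subjectAltName extension, falling back to the subject commonName only when the certificate has no dNSName at all. Which client certificate a peer presents, and which DN is listed in tomcat-users.xml, play no part in that comparison. The block below is an added example, not code from the post, from Tomcat or from Alfresco: it implements that matching rule in Python over certificate dictionaries constructed by hand in the shape that ssl.SSLSocket.getpeercert() returns. The host name and the subject CN are taken from the error message in the post; the SAN value, the wildcard cases and everything else are assumptions.

```python
"""Hostname verification as a TLS client performs it (RFC 2818 / RFC 6125).

Added example, not code from the original post, Tomcat or Alfresco.
The certificate dicts are constructed by hand in the shape returned by
ssl.SSLSocket.getpeercert(); the host name and the subject CN are taken
from the error message in the post, everything else is assumed.
"""


def _dnsname_match(pattern, hostname):
    """Match one dNSName pattern (optionally a '*.' wildcard) against a host name.

    Matching is case-insensitive and ignores a trailing dot. The wildcard
    must be the whole left-most label and matches exactly one label, so
    '*.dwelle.de' matches 'a.dwelle.de' but not 'dwelle.de' or 'a.b.dwelle.de'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if not pattern.startswith("*."):
        # No leading wildcard: an exact, label-for-label comparison.
        return "*" not in pattern and pattern == hostname
    suffix = pattern[2:]
    if "*" in suffix:
        return False  # only one wildcard, and only in the left-most label
    head, sep, rest = hostname.partition(".")
    return bool(sep) and head != "" and rest == suffix


def names_to_check(cert):
    """Return the (type, value) pairs the client compares with the host name.

    subjectAltName dNSName entries are authoritative; the subject commonName
    is consulted only when the certificate carries no dNSName at all.
    """
    dns_names = [(kind, value) for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return dns_names
    return [("commonName", value)
            for rdn in cert.get("subject", ())
            for kind, value in rdn
            if kind == "commonName"]


def match_hostname(cert, hostname):
    """True if hostname matches at least one usable name in cert."""
    return any(_dnsname_match(value, hostname) for _, value in names_to_check(cert))


def verification_error(cert, hostname):
    """None when the certificate is acceptable for hostname, otherwise a
    message in the style the post shows: the dialled host on the left, the
    names the certificate actually offers on the right."""
    if match_hostname(cert, hostname):
        return None
    offered = " OR ".join(f"<{value}>" for _, value in names_to_check(cert)) or "<no name>"
    return f"hostname in certificate didn't match: <{hostname}> != {offered}"


# Constructed: a server certificate whose subject CN is a display name, not a
# host name. The subject fields follow the DN quoted in the post's tomcat-users.xml.
CERT_CN_ONLY = {
    "subject": (
        (("countryName", "GB"),),
        (("stateOrProvinceName", "UK"),),
        (("localityName", "Maidenhead"),),
        (("organizationName", "Alfresco Software Ltd."),),
        (("organizationalUnitName", "Unknown"),),
        (("commonName", "Alfresco Repository"),),
    ),
}

# Constructed: the same subject plus a SAN naming the host that clients
# actually dial (the SAN value is an assumption).
CERT_WITH_SAN = dict(
    CERT_CN_ONLY,
    subjectAltName=(("DNS", "lmssolr12-dev.dwelle.de"),),
)

HOST = "lmssolr12-dev.dwelle.de"  # host name from the error message in the post

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        print(f"{label}: {verification_error(cert, HOST) or 'OK'}")
```

Run stand-alone, the script reports the CN-only certificate as failing for lmssolr12-dev.dwelle.de and the SAN-bearing one as OK. The same rule is what Java's HttpClient hostname verifier and Python's ssl module apply during the handshake, so a quick check when this exception appears is to read the server certificate that the dialled host actually presents (for example with openssl s_client followed by openssl x509 -noout -text) and confirm that its subjectAltName contains the DNS name the client uses; a certificate whose only identity is a CN such as "Alfresco Repository" cannot pass that check for any host name.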