Posted to users@tomcat.apache.org by Peter Köhler <pe...@dw.com> on 2020/01/15 10:20:05 UTC
Tomcat 9.0.16 on RHEL 7: SSL and javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Dear Sirs,
I have Alfresco 6 on Tomcat 9.0.16 and Java 1.8.0_212-b04 in a RHEL 7 environment.
The SSL connector inside server.xml is:
    <!-- HTTPS connector. sslImplementationName selects the OpenSSL (tcnative)
         engine instead of JSSE; clientAuth="want" asks for, but does not require,
         a client certificate; truststoreFile is what Tomcat uses to verify those
         client certificates. The attribute given here as "HttpHeaderSize" is not
         a Tomcat attribute name; the documented one is maxHttpHeaderSize, used
         below. "debug" is not a documented Tomcat 9 Connector attribute either
         (Tomcat warns about and ignores unknown properties); it is kept as given. -->
    <Connector port="8443" protocol="HTTP/1.1"
               URIEncoding="UTF-8"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               keystoreFile="/web/data/alfresco/keystore/ssl.keystore"
               keystoreType="JCEKS" keystorePass="kT9X6oe68t"
               secure="true" connectionTimeout="240000"
               clientAuth="want"
               allowUnsafeLegacyRenegotiation="true"
               truststoreFile="/web/data/alfresco/keystore/ssl.truststore"
               truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               maxHttpHeaderSize="32768"
               debug="1"
               sslProtocol="TLS" />
I have a tomcat-users.xml with an entry like:
    <!-- Username is the full subject DN of the client certificate; password is unused for X.509 logins -->
    <user username="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" roles="repository" password="null"/>
The Solr client runs on a VM named lmssolr12-dev. It sends an SSL certificate with the common name 'Alfresco Repository' to the Alfresco server, which is defined inside tomcat-users.xml.
But Java 1.8 doesn't care about the Tomcat SSL configuration and gives me the error:
    Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <lmssolr12-dev.dwelle.de> != </alfresco repository>
The Java configuration inside catalina.sh is:
    # Re-enable legacy TLS renegotiation in JSSE (weakens TLS; the OpenSSL engine
    # has allowUnsafeLegacyRenegotiation on the Connector for the same purpose)
    JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=true"
    # Key store the JVM presents as its own identity on outgoing TLS connections
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/web/data/alfresco/keystore/ssl.keystore"
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=kT9X6oe68t"
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStoreType=JCEKS"
    # Trust store the JVM uses to verify certificates presented to it
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/web/data/alfresco/keystore/ssl.truststore"
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=kT9X6oe68t"
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreType=JCEKS"
    # Verbose JSSE handshake logging (very noisy; for diagnosis only)
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"
    JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
I thought that clientAuth="want" and sslProtocol="TLS" allow X.509 authentication via tomcat-users.xml.
What can I do to solve this problem?
Thanks
Peter
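The message `hostname in certificate didn't match: <host> != <name>` quoted in the post is what a TLS client's hostname verifier reports when nothing in the certificate the peer presented equals the host the client connected to. As an added example (not code from the original post, from Alfresco or from Tomcat), the following Python reproduces those matching rules over constructed certificate data in the shape Python's `ssl.SSLSocket.getpeercert()` returns: a subjectAltName dNSName entry is what counts, the subject CN is consulted only when no dNSName is present, wildcards are accepted only as a whole left-most label, and a literal IP address is never matched against dNSName or CN. The certificates below are constructed for illustration, including one identified only by the CN 'Alfresco Repository' as described in the post.

```python
"""Hostname verification as a TLS client applies it (RFC 2818 / RFC 6125 rules,
simplified). Added example; the certificate data below is constructed and is
not taken from the original post or any real system."""
import ipaddress
from typing import Dict, List, Tuple

# Certificate fields in the shape Python's ssl.SSLSocket.getpeercert() returns.
Cert = Dict[str, object]


def _dns_names(cert: Cert) -> List[str]:
    """All subjectAltName dNSName entries of the certificate."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert: Cert) -> List[str]:
    """All commonName attributes from the subject DN."""
    return [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
            if kind == "commonName"]


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one dNSName pattern against a hostname.
    A single '*' is accepted only as the entire left-most label and never
    matches across dots: '*.dwelle.de' matches 'lmssolr12-dev.dwelle.de' but
    neither 'a.b.dwelle.de' nor 'dwelle.de'."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False  # partial-label or non-leftmost wildcards are rejected
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def match_hostname(cert: Cert, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason). If the certificate carries any dNSName SAN, only
    those are considered; the subject CN is a fallback for SAN-less
    certificates. IP-address hostnames are refused here because they belong
    to iPAddress SANs, which this example does not model."""
    try:
        ipaddress.ip_address(hostname)
        return False, f"<{hostname}> is an IP address; dNSName/CN matching does not apply"
    except ValueError:
        pass
    candidates = _dns_names(cert)
    source = "subjectAltName dNSName"
    if not candidates:
        candidates = _common_names(cert)
        source = "subject CN (no dNSName SAN present)"
    if not candidates:
        return False, "certificate carries neither a dNSName SAN nor a CN"
    for name in candidates:
        if _name_matches(name, hostname):
            return True, f"<{hostname}> matched {name!r} from {source}"
    return False, (f"hostname in certificate didn't match: <{hostname}> != "
                   f"<{', '.join(candidates)}> ({source})")


# Constructed: a certificate identified only by a product-name CN, no SAN.
PRODUCT_CN_CERT: Cert = {
    "subject": ((("commonName", "Alfresco Repository"),),
                (("organizationalUnitName", "Unknown"),),
                (("organizationName", "Alfresco Software Ltd."),),
                (("localityName", "Maidenhead"),),
                (("stateOrProvinceName", "UK"),),
                (("countryName", "GB"),)),
}

# Constructed: a server certificate that names the host in its SAN.
HOST_CERT: Cert = {
    "subject": ((("commonName", "lmssolr12-dev.dwelle.de"),),),
    "subjectAltName": (("DNS", "lmssolr12-dev.dwelle.de"), ("DNS", "*.dwelle.de")),
}

# Constructed: SAN present but wrong; the matching CN is then ignored.
SAN_MISMATCH_CERT: Cert = {
    "subject": ((("commonName", "lmssolr12-dev.dwelle.de"),),),
    "subjectAltName": (("DNS", "other.dwelle.de"),),
}

if __name__ == "__main__":
    for label, cert in (("product-name CN", PRODUCT_CN_CERT),
                        ("host in SAN", HOST_CERT),
                        ("wrong SAN, right CN", SAN_MISMATCH_CERT)):
        ok, why = match_hostname(cert, "lmssolr12-dev.dwelle.de")
        print(f"{label:20s} ok={ok!s:5s} {why}")
```

The first case is the shape of failure in the post: a CN that is a product name can never equal a DNS hostname, whatever the server-side connector or tomcat-users.xml says, because the check runs on the client and compares only against the names in the presented certificate.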