Posted to users@tomcat.apache.org by Savitha Akella <sa...@gmail.com> on 2011/08/25 18:53:03 UTC

SSL issue

Hi,

We have enabled SSL for the web services hosted on Tomcat. As part of the
configuration changes we have modified the server.xml to make changes to the
"connector" element.
We have given the "trustStorePass" value to point to a keystore which has
only the certificate for our web services. Of course the clientAuth parameter
is set to true.
The problem we are facing is that even though the client is prompted for the
certificate, the client is authenticated with any certificate instead of
authenticating with the intended one.
Any help is highly appreciated.

Thanks,
Savitha

Re: SSL issue

Posted by Marvin Addison <ma...@gmail.com>.
If you've got the container to request and accept a client cert, the
connector configuration is likely correct and it's an SSL trust
problem.  Please post the output of the following command:

keytool -list -keystore D:/users/apache-tomcat-7.0.11/keystore/trust.keystore -storePass changeit

Also, please post some evidence that the client is sending the cert
you think it is.  OpenSSL s_client is a good choice if you don't
already have a good tool for SSL troubleshooting.

M

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Savitha,

I sent prematurely.

On 8/26/2011 11:24 AM, Christopher Schultz wrote:
> SSLVerifyDepth="4" />

How long are your certificate chains? If they are longer than 4, then
you might not be checking up the chain far enough to get to your
trusted certificates.

You might want to check out this thread from the archives. I was
trying to do something slightly different, but there is good
information in there:

http://markmail.org/thread/ri3w5w444ynwsatt

-chris

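As an added example, not code from the thread, here is a small Java program that checks from the JSSE side what Marvin's keytool listing and s_client test probe: it loads the connector's truststore, lists which entries it trusts (a CA entry accepts every certificate that CA has issued, not only the intended client certificate), then runs a client certificate chain through the same X509TrustManager check a JSSE connector performs and prints the chain length Christopher asked about. The truststore path and password are the ones from the posted connector; the class name and the client-chain.pem file (PEM, leaf certificate first) are assumptions.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Enumeration;
import javax.net.ssl.*;

public class TrustStoreCheck {
    // Truststore values are taken from the connector posted in this thread; the PEM path is assumed.
    static final String TRUST_STORE = "D:/users/apache-tomcat-7.0.11/keystore/trust.keystore";
    static final String TRUST_PASS = "changeit";
    static final String CLIENT_CHAIN_PEM = "client-chain.pem"; // assumed: leaf first, then issuers

    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // Tomcat's default truststoreType
        try (InputStream in = new FileInputStream(TRUST_STORE)) {
            ks.load(in, TRUST_PASS.toCharArray());
        }
        // 1. What does the connector actually trust? A CA entry means every certificate
        //    that CA has issued will be accepted, not just the one client you intended.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("trusted: %s subject=%s ca=%b%n", alias, c.getSubjectX500Principal(), c.getBasicConstraints() != -1);
        }
        // 2. Run the client's chain through the same check the JSSE connector performs.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(CLIENT_CHAIN_PEM)) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        System.out.println("chain length: " + chain.length);
        try {
            trustManagerFor(ks).checkClientTrusted(chain, "RSA");
            System.out.println("ACCEPTED by truststore");
        } catch (CertificateException ex) {
            System.out.println("REJECTED: " + ex.getMessage());
        }
    }
}
```

If the listing shows a CA certificate rather than the single client certificate, the "any certificate is accepted" symptom is the expected JSSE behaviour, and the fix is to trust only the intended end-entity certificate or to add an application-level check on the presented subject.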


Re: SSL issue

Posted by Crypto Sal <cr...@gmail.com>.
On 08/26/2011 11:24 AM, Christopher Schultz wrote:
> Savitha,
>
> On 8/25/2011 7:01 PM, Savitha Akella wrote:
>> <Connector protocol="org.apache.coyote.http11.Http11Protocol"
>> port="443" maxThreads="150" scheme="https" secure="true"
>> SSLEnabled="true"
> Okay.
>
>> keystoreFile="d:/users/apache-tomcat-7.0.11/keystore/key.keystore"
>> keyAlias="keyalias" keyPass="changeit"
> Okay.
>> clientAuth="true"
>> truststoreFile="D:/users/apache-tomcat-7.0.11/keystore/trust.keystore"
>> truststorePass="changeit"
>> SSLVerifyClient="require"
> Okay.
>
>> sslProtocol="TLS"
> Should probably be "SSLProtocol", but might not matter. Also, "TLS" is
> not a documented valid value for this attribute.
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html


Kindly double-check your data. I see that it's the default and doesn't
need to be defined, but is probably defined for clarity.


>> SSLEngine="on"
> SSLEngine is not a recognized attribute.
>

It is for the Listener container. This would turn on/off APR. Seems like 
a simple mistake.


>> SSLVerifyDepth="4" />
>>




Re: SSL issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Savitha,

On 8/25/2011 7:01 PM, Savitha Akella wrote:
> <Connector protocol="org.apache.coyote.http11.Http11Protocol" 
> port="443" maxThreads="150" scheme="https" secure="true"
> SSLEnabled="true"

Okay.

> keystoreFile="d:/users/apache-tomcat-7.0.11/keystore/key.keystore" 
> keyAlias="keyalias" keyPass="changeit"

Okay.
> clientAuth="true"
> truststoreFile="D:/users/apache-tomcat-7.0.11/keystore/trust.keystore"
> truststorePass="changeit"
> SSLVerifyClient="require"

Okay.

> sslProtocol="TLS"

Should probably be "SSLProtocol", but might not matter. Also, "TLS" is
not a documented valid value for this attribute.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

> SSLEngine="on"

SSLEngine is not a recognized attribute.


> SSLVerifyDepth="4" />
> 


Re: SSL issue

Posted by Savitha Akella <sa...@gmail.com>.
Here is the connector configuration:

  <Connector protocol="org.apache.coyote.http11.Http11Protocol"
clientAuth="true" port="443" SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" keyAlias="keyalias"
keystoreFile="d:/users/apache-tomcat-7.0.11/keystore/key.keystore"
keyPass="changeit"
truststoreFile="D:/users/apache-tomcat-7.0.11/keystore/trust.keystore"
truststorePass="changeit" SSLVerifyClient="require" SSLEngine="on"
SSLVerifyDepth="4" sslProtocol="TLS" />

Regards,
Savitha

Re: SSL issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Savitha,

On 8/25/2011 12:53 PM, Savitha Akella wrote:
> We have given the "trustStorePass" value to point to a keystore
> which has only the certificate for our web services.

Do you mean "truststoreFile"?

> Of course the clientAuth parameter is set to true.

Good.

Can you post your <Connector> configuration for us? Remember to remove
any passwords from it.

-chris
