Posted to users@tomcat.apache.org by Stu Smith <st...@gmail.com> on 2015/03/05 08:23:07 UTC

Tomcat Maven plugin failure: tries to use a TLSv1 handshake with a TLSv1.2 server.

Hello,

   I'm using the tomcat maven plugin to deploy to an SSL-enabled host. I've
pointed maven at a copy of the keystore used on the tomcat server itself, so
all the keys should be there. Also, I enabled java.net.ssl.debug=all, and
confirmed the public key, intermediate cert, and CA cert are loaded. Yet,
with TLSv1.2 on the server, the handshake failed at this point:

0070: 00 17 00 01 00 03 00 13   00 15 00 06 00 07 00 09  ................
0080: 00 0A 00 18 00 0B 00 0C   00 19 00 0D 00 0E 00 0F  ................
0090: 00 10 00 11 00 02 00 12   00 04 00 05 00 14 00 08  ................
00A0: 00 16 00 0B 00 02 01 00                            ........
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)

I really had no idea how to interpret the error - it's a bit ambiguous.

I took a wild guess that maybe it was because it was trying TLSv1, and
enabled 1.1 and 1 on the server - and it appeared to fix the error.

So as best as I can tell, even though tomcat 7 supports TLSv1, the tomcat
maven plugin does not. I think?

My two main questions would be:

- is there a better way to debug this issue?
- is there a way to enable TLSv1.2 support in the tomcat maven plugin?

The maven plugin is version 2.2, maven is 3.0.4. The server is tomcat 7.

My certs being loaded:
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure
Digital Certificate Signing, O=StartCom Ltd., C=IL
  Issuer:  CN=StartCom Certification Authority, OU=Secure Digital
Certificate Signing, O=StartCom Ltd., C=IL
  Algorithm: RSA; Serial number: 0x19
  Valid from Wed Oct 24 13:54:17 PDT 2007 until Tue Oct 24 13:54:17 PDT 2017

adding as trusted cert:
  Subject: EMAILADDRESS=shareplaylearn.com@domainsbyproxy.com, CN=
www.shareplaylearn.com, C=US
  Issuer:  CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure
Digital Certificate Signing, O=StartCom Ltd., C=IL
  Algorithm: RSA; Serial number: 0x51a8eec8d76a0
  Valid from Sat Jan 24 20:46:45 PST 2015 until Mon Jan 25 21:43:15 PST 2016

adding as trusted cert:
  Subject: CN=StartCom Certification Authority, OU=Secure Digital
Certificate Signing, O=StartCom Ltd., C=IL
  Issuer:  CN=StartCom Certification Authority, OU=Secure Digital
Certificate Signing, O=StartCom Ltd., C=IL
  Algorithm: RSA; Serial number: 0x1
  Valid from Sun Sep 17 12:46:36 PDT 2006 until Wed Sep 17 12:46:36 PDT 2036


There are some notes about unsupported ciphers, but it doesn't look like
they're the ones the client is requesting anyway.

Re: Tomcat Maven plugin failure: tries to use a TLSv1 handshake with a TLSv1.2 server.

Posted by Stu Smith <st...@gmail.com>.
Hello Chris,
  With maven, I am using:

java -version
java version "1.7.0_55"
OpenJDK Runtime Environment (IcedTea 2.4.7) (7u55-2.4.7-1ubuntu1~0.13.10.1)
OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

On the server,
java version "1.7.0_65"
OpenJDK Runtime Environment (IcedTea 2.5.1) (7u65-2.5.1-4ubuntu1~0.14.04.2)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

The tomcat configuration that works (password fields elided):

      <Connector
           protocol="HTTP/1.1"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/shareplaylearn.jks"
           keyAlias="shareplaylearn"
           keystorePass="[password]"
           keyPass="[password]"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1,TLSv1.1"
        />

The one that does not work:


      <Connector
           protocol="HTTP/1.1"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/etc/shareplaylearn.jks"
           keyAlias="shareplaylearn"
           keystorePass="[password]"
           keyPass="[password]"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
        />

(Exactly the same, except more protocols enabled on sslEnabledProtocols)

I can try to run the tool, but not tonight! Thanks!

Also, given the only difference between working/not working is the enabled
protocols... I'm not totally sure what we're looking for.
I guess maybe to see what ciphers are enabled?

The site, while neither beautiful nor functional, does support ssl
correctly in all the browsers I've tested (even on my gingerbread phone):

https://www.shareplaylearn.com/#/share

I do have it working, and I was a bit frustrated last night - so I'm a
little happier now - but still, it would be really nice if the plugin
supported 1.2... even nicer if it was smart enough to look for the CA certs in
the standard locations, and "just work" (or something close to that) like a
browser. I've used HttpComponents HttpClient fairly often fairly recently,
and the most recent stable version seems to handle ssl just fine,
defaulting to the jvm cacert, etc.. no mavenrc necessary... which is one
reason why I was a little bit confused by the maven plugin behavior.

Hope that doesn't sound too whiny - just explaining the POV - I do
appreciate the help!

Take care,
  -stu


On Thu, Mar 5, 2015 at 8:34 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Stu,
>
> On 3/5/15 2:23 AM, Stu Smith wrote:
> > Hello,
> >
> > I'm using the tomcat maven plugin to deploy to an SSL-enabled host.
> > I've pointed maven at a copy of the keystore used on the tomcat
> > server itself, so all the keys should be there. Also, I enabled
> > java.net.ssl.debug=all, and confirmed the public key, intermediate
> > cert, and CA cert are loaded. Yet, with TLSv1.2 on the server, the
> > handshake failed at this point:
> >
> > 0070: 00 17 00 01 00 03 00 13   00 15 00 06 00 07 00 09  ................
> > 0080: 00 0A 00 18 00 0B 00 0C   00 19 00 0D 00 0E 00 0F  ................
> > 0090: 00 10 00 11 00 02 00 12   00 04 00 05 00 14 00 08  ................
> > 00A0: 00 16 00 0B 00 02 01 00                            ........
> > [Raw read]: length = 5
> > 0000: 15 03 01 00 02                                     .....
> > [Raw read]: length = 2
> > 0000: 02 28                                              .(
> > main, READ: TLSv1 Alert, length = 2
> > main, RECV TLSv1 ALERT:  fatal, handshake_failure
> > main, called closeSocket()
> > main, handling exception: javax.net.ssl.SSLHandshakeException: Received
> > fatal alert: handshake_failure
> > main, called close()
> > main, called closeInternal(true)
> >
> > I really had no idea how to interpret the error - it's a bit
> > ambiguous.
> >
> > I took a wild guess that maybe it was because it was trying TLSv1,
> > and enabled 1.1 and 1 on the server - and it appeared to fix the
> > error.
> >
> > So as best as I can tell, even though tomcat 7 supports TLSv1, the
> > tomcat maven plugin does not. I think?
>
> What's the configuration of Tomcat's <Connector>(s) in both the
> working and non-working example? What version of the JVM is in use?
>
> > My two main questions would be:
> >
> > - is there a better way to debug this issue? - is there a way to
> > enable TLSv1.2 support in the tomcat maven plugin?
> >
> > The maven plugin is version 2.2, maven is 3.0.4. The server is
> > tomcat 7.
>
> What about the JVM being used with Maven?
>
> Can you try running this tool against your server?
> http://markmail.org/thread/tz4z44nfjl7sy2lj
>
> - -chris

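Decoding the bytes in the first post answers the "how do I interpret this" question: 15 03 01 00 02 is a TLS record header (content type 0x15 = alert, record version 3.1 = TLSv1, length 2) and 02 28 is the alert body (level 2 = fatal, description 40 = handshake_failure). That alert is the server's generic "no protocol version or cipher suite we both accept" refusal, not a certificate problem, so the trust-store dump that follows it is a red herring. The JVM versions in the reply explain the rest: a JDK 7 client SSLContext enables only TLSv1 (plus SSLv3 in older 7 updates) by default even though TLSv1.1 and TLSv1.2 are supported, so the plugin's ClientHello offers TLSv1 at most and a connector with sslEnabledProtocols="TLSv1.2" has nothing in common with it; putting TLSv1 back on the server makes the symptom go away without fixing the client. The script below is an added example, not the tool Chris linked and not code from the plugin or Tomcat: it decodes the posted alert offline and, given a hostname, sends a hand-built ClientHello for each protocol version and reports whether the server answers with a ServerHello or an alert. The cipher-suite list, the extension set and the host/port arguments are my assumptions; the probe never completes a handshake or validates a certificate.

```python
"""Decode the TLS alert from the post and probe which protocol versions a
server accepts.  Added example, not the tool linked in the thread and not
part of the Tomcat Maven plugin.  Assumptions: the cipher suites and
extensions below are a generic TLS 1.0-1.2 offer chosen for the probe; it
sends one ClientHello, classifies the first record that comes back, and
never completes a handshake or validates a certificate."""
import os
import socket
import struct

ALERT, HANDSHAKE = 0x15, 0x16
VERSIONS = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
              42: "bad_certificate", 46: "certificate_unknown", 47: "illegal_parameter",
              70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
# Widely implemented TLS 1.0-1.2 suites: ECDHE and RSA key exchange, AES and 3DES.
CIPHER_SUITES = [0xC027, 0xC013, 0xC014, 0x003C, 0x002F, 0x0035, 0x000A]
# The two "[Raw read]" lines of the debug output in the post, joined.
POSTED_ALERT = bytes.fromhex("1503010002" "0228")


def version_name(major, minor):
    for name, pair in VERSIONS.items():
        if pair == (major, minor):
            return name
    return "%d.%d" % (major, minor)


def decode_record(data):
    """Parse one TLS record header; add the alert or ServerHello fields if present."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    info = {"type": ctype, "record_version": version_name(major, minor), "length": length}
    if ctype == ALERT and len(body) >= 2:
        info["alert"] = "%s %s" % (ALERT_LEVEL.get(body[0], body[0]),
                                   ALERT_DESC.get(body[1], body[1]))
    elif ctype == HANDSHAKE and len(body) >= 6 and body[0] == 2:
        # ServerHello: msg_type(1) length(3) server_version(2) ...
        info["server_version"] = version_name(body[4], body[5])
    return info


def build_client_hello(version, server_name):
    """ClientHello that offers exactly one protocol version, wrapped in a TLS record."""
    major, minor = VERSIONS[version]
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    name = server_name.encode("idna")
    sni = struct.pack("!BH", 0, len(name)) + name             # one host_name entry
    sni = struct.pack("!H", len(sni)) + sni                   # server_name_list
    groups = struct.pack("!HHH", 4, 0x0017, 0x0018)           # secp256r1, secp384r1
    sig_algs = struct.pack("!H", 8) + bytes([4, 1, 5, 1, 4, 3, 2, 1])  # sha256/384+rsa, sha256+ecdsa, sha1+rsa
    exts = [(0x0000, sni), (0x000A, groups), (0x000D, sig_algs), (0x000B, b"\x01\x00")]
    extensions = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in exts)
    body = (struct.pack("!BB", major, minor) + os.urandom(32) + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                               # one compression method: null
    if version != "SSLv3":                                    # SSLv3 predates extensions
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type client_hello(1)
    # The record-layer version stays 3.1 for compatibility; what the server
    # judges is client_version inside the ClientHello.
    return struct.pack("!BBBH", HANDSHAKE, 3, 1, len(handshake)) + handshake


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection after %d bytes" % len(buf))
        buf += chunk
    return buf


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello for `version` and decode the first record returned."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, host))
        header = recv_exact(sock, 5)
        body = recv_exact(sock, struct.unpack("!H", header[3:5])[0])
    return decode_record(header + body)


def summarize(record):
    """One-line verdict: the version the server chose, or the alert it sent."""
    if "server_version" in record:
        return "accepted, server chose %s" % record["server_version"]
    if "alert" in record:
        return "rejected with %s alert" % record["alert"]
    return "unexpected record type 0x%02x" % record["type"]


if __name__ == "__main__":
    import sys
    print("alert from the post:", summarize(decode_record(POSTED_ALERT)))
    if len(sys.argv) > 1:                     # python tlsprobe.py host [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for v in VERSIONS:
            try:
                print("%-8s %s" % (v, summarize(probe(host, port, v))))
            except (OSError, ValueError) as exc:
                print("%-8s %s" % (v, exc))
```

Run against the connector that only lists TLSv1.2, the TLSv1 line should come back "rejected with fatal handshake_failure alert" and only the TLSv1.2 line "accepted", which reproduces the thread's symptom without Maven or the trust store in the picture; a server that drops the connection instead of sending an alert shows up as the ConnectionError message. On the client side the JSSE facts are the fix: on JDK 7 the TLSv1.2 protocol has to be enabled explicitly (an SSLContext obtained with "TLSv1.2", or setEnabledProtocols on the socket), while JDK 8 enables it by default; how the 2.2 plugin's HTTP client is configured is not shown in the thread, so the probe works from outside it.
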
Re: Tomcat Maven plugin failure: tries to use a TLSv1 handshake with a TLSv1.2 server.

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Stu,

On 3/5/15 2:23 AM, Stu Smith wrote:
> Hello,
> 
> I'm using the tomcat maven plugin to deploy to an SSL-enabled host.
> I've pointed maven at a copy of the keystore used on the tomcat
> server itself, so all the keys should be there. Also, I enabled
> java.net.ssl.debug=all, and confirmed the public key, intermediate
> cert, and CA cert are loaded. Yet, with TLSv1.2 on the server, the
> handshake failed at this point:
> 
> 0070: 00 17 00 01 00 03 00 13   00 15 00 06 00 07 00 09  ................
> 0080: 00 0A 00 18 00 0B 00 0C   00 19 00 0D 00 0E 00 0F  ................
> 0090: 00 10 00 11 00 02 00 12   00 04 00 05 00 14 00 08  ................
> 00A0: 00 16 00 0B 00 02 01 00                            ........
> [Raw read]: length = 5
> 0000: 15 03 01 00 02                                     .....
> [Raw read]: length = 2
> 0000: 02 28                                              .(
> main, READ: TLSv1 Alert, length = 2
> main, RECV TLSv1 ALERT:  fatal, handshake_failure
> main, called closeSocket()
> main, handling exception: javax.net.ssl.SSLHandshakeException: Received
> fatal alert: handshake_failure
> main, called close()
> main, called closeInternal(true)
> 
> I really had no idea how to interpret the error - it's a bit
> ambiguous.
> 
> I took a wild guess that maybe it was because it was trying TLSv1,
> and enabled 1.1 and 1 on the server - and it appeared to fix the
> error.
> 
> So as best as I can tell, even though tomcat 7 supports TLSv1, the
> tomcat maven plugin does not. I think?

What's the configuration of Tomcat's <Connector>(s) in both the
working and non-working example? What version of the JVM is in use?

> My two main questions would be:
> 
> - is there a better way to debug this issue? - is there a way to
> enable TLSv1.2 support in the tomcat maven plugin?
> 
> The maven plugin is version 2.2, maven is 3.0.4. The server is
> tomcat 7.

What about the JVM being used with Maven?

Can you try running this tool against your server?
http://markmail.org/thread/tz4z44nfjl7sy2lj

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJU+IWnAAoJEBzwKT+lPKRYwDIP/27+p8e6NAdn7qodRKO+WRlr
ofecmUEk2OIxDz3V3NXMa6ZPBBkpnvEJ0snd8WuXDuLUjqsfy4SZpTnWuV2cx5Vh
V84JJAnRN2aH3MIm9X+Qi8X4msrdmWg2ZBmU4yf+rNOuX9Uz1OO2kic9kBjRa/WF
R7sZj4NUrdBag9d4WKCGt7gmUvFVSrmWmEAjof2fi/5FsSyqhT4Jue/J76RDIrGH
HmRQXBrLyngUqExrVGlCbzQegPvpziBNX0P8mqlSZZ90BCEHm1eB7m4dsR3/wTAD
0o1Y2cOrWbgWt34pUiSDudX77p4/ENXDpusZ3rje2b7s278C9c5l2NVUJLyLO6uz
mQNc6rJL8jzMAA6wsDMeOWlHCwjMS7EJ5mlB2teH8EVIG1V1LvJrmqVSC0GWKDz4
jMVMw/dG6cGEUPPt15uVX6PVDvRPHd54eZoFy/UDNeMhhg9e+6bRcHlV8UmtcOlb
ZKNtp2TA+8cdpszvab/e6t84v9e78Iwd7k4Vhl+xqXPkVngVnr9zG2PXJq2PxDNj
niSPIP3oQd9A7W4ctFr0A+u60ASIvWiottN69Yv0ku25Z00e3swXO3Q3OMEmymvk
qFsVHP2FK9ARBJEQbpHAOgh3Vsg0Ttx6EnwkSztMQ2augYkUSNeR+qw1ORos82M1
cNilBEoJd3EdyeAijff0
=Z+h2
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org