Posted to users@tomcat.apache.org by Luis Villa <lv...@gmail.com> on 2007/03/30 09:34:52 UTC

Problems with clientAuth

Hello all,

I'm a newbie on the list, so first of all I'd like to say hello to everyone
:)

After this, I'd like to ask for help with a problem I have configuring
Tomcat for digital certificates. I've followed all the steps in the Tomcat
SSL HOWTO and my tomcat now has a secure connector on port 8443. So, I've no
error when trying to enter http://localhost:8443

The key in server.xml is the following:

<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="conf\.keystore"
keystorePass="changeit"/>


The problem appears when changing clientAuth to true. Then, when using
iexplorer the browser simply can't find the page (or this is what it says),
and when using firefox it warns about the certificate, but after accepting
the certificate it says that 'localhost has received an unexpected or
incorrect message. Error code: -12229'. I've been googling for two days and
I can't find a clue about what is failing nor what this error code means.

I'd be very grateful if somebody can help me with this, so my boss could
stop cleaning this gun of his... :P

Thanks in advance for your help :)

Greetings!

Re: Problems with clientAuth

Posted by Luis Villa <lv...@gmail.com>.
Ok, I forgot!

I used both keytool and openssl, it seems the problem is not there as Tomcat
gives the same error with both.

Greetings!

2007/4/2, Luis Villa <lv...@gmail.com>:
>
> Hello Martin,
>
> Well, at least you are lucky Internet Explorer asks for the certificate,
> this is what it's supposed to do when using clientAuth="true". What is
> happening to me is that all works well with clientAuth = "false", when
> changing it to clientAuth="true", Firefox throws this error and IExplorer
> just can't "find" the page.
>
> About secure="true", I'm not sure what it does, I copied it from the
> Tomcat 5.5. SSL Howto :S
>
> I must confess I have no clue on how to make this work
>
>
> 2007/3/30, Martin Cavanagh < cavanagh@con-sense-group.com>:
> >
> > Hi Luis.
> >
> > I'm pretty sure I'm having exactly the same problem as you - maybe we
> > can solve it together:)
> >
> > When I enable client authentication in my config clientAuth="true" for
> > you, since you're using the Java KeyStore (I'm trying to use OpenSSL),
> >
> > I get exactly the same error in Firefox! (except in German ;) )
> >
> > In Internet Explorer I get a message, that the Server requires a
> > certificate and I need to provide one and that I should select one (I
> > don't have any installed in Internet Explorer).
> >
> > Are you sure that you don't have Client Authentication turned on?
> >
> > What does the setting secure="true" actually do?
> >
> > Good luck - let me know how you go.
> >
> > Martin
> >
> > Luis Villa wrote:
> > > Hello all,
> > >
> > > I'm a newbie on the list, so first of all I'd like to say hello to
> > > everyone
> > > :)
> > >
> > > After this, I'd like to ask for help with a problem I have configuring
> > > Tomcat for digital certificates. I've followed all the steps in the
> > > Tomcat
> > > SSL HOWTO and my tomcat now has a secure connector in port 8443. So,
> > > I've no
> > > error when trying to enter http://localhost:8443
> > >
> > > The key in server.xml is the following:
> > >
> > > <Connector port="8443" maxHttpHeaderSize="8192"
> > >    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> > >    enableLookups="false" disableUploadTimeout="true"
> > >    acceptCount="100" scheme="https" secure="true"
> > >    clientAuth="false" sslProtocol="TLS" keystoreFile="conf\.keystore"
> > > keystorePass="changeit"/>
> > >
> > >
> > > The problem appears when changing clientAuth to true. Then, when using
> > > iexplorer the browser simply can't find the page (or this is what it
> > > says),
> > > and when using firefox it warns about the certificate, but after
> > > accepting
> > > the certificate it says that 'localhost has received an unexpected or
> > > incorrect message. Error code: -12229'. I've been googling for two
> > > days and
> > > I can't find a clue about what is failing nor what this error code means.
> > >
> > > I'd be very grateful if somebody can help me with this, so my boss
> > could
> > > stop cleaning this gun of his... :P
> > >
> > > Thanks in advance for your help :)
> > >
> > > Greetings!
> > >
> >
> >
> > --
> > Con-Sense-GmbH
> > __
> > _Martin Cavanagh_
> >
> > Tel.: +49541 800 83 0
> > Fax: +49541 800 83 99
> >
> > cavanagh@con-sense-group.com <ma...@con-sense-group.com>
> >
> > Con-Sense GmbH
> > Neuer Graben 25
> > 49074 Osnabrück
> > www.con-sense-group.com <http://www.con-sense-group.com>
> >
> > Managing Director: Eckhard Schulz
> > Registered at Amtsgericht Hildesheim (Hildesheim District Court), HRB 3341
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
>

Re: Problems with clientAuth

Posted by Luis Villa <lv...@gmail.com>.
Hello Martin,

Well, at least you are lucky Internet Explorer asks for the certificate,
this is what it's supposed to do when using clientAuth="true". What is
happening to me is that all works well with clientAuth = "false", when
changing it to clientAuth="true", Firefox throws this error and IExplorer
just can't "find" the page.

About secure="true", I'm not sure what it does, I copied it from the Tomcat
5.5. SSL Howto :S

I must confess I have no clue on how to make this work


2007/3/30, Martin Cavanagh <ca...@con-sense-group.com>:
>
> Hi Luis.
>
> I'm pretty sure I'm having exactly the same problem as you - maybe we
> can solve it together:)
>
> When I enable client authentication in my config clientAuth="true" for
> you, since you're using the Java KeyStore (I'm trying to use OpenSSL),
>
> I get exactly the same error in Firefox! (except in German ;) )
>
> In Internet Explorer I get a message, that the Server requires a
> certificate and I need to provide one and that I should select one (I
> don't have any installed in Internet Explorer).
>
> Are you sure that you don't have Client Authentication turned on?
>
> What does the setting secure="true" actually do?
>
> Good luck - let me know how you go.
>
> Martin
>
> Luis Villa wrote:
> > Hello all,
> >
> > I'm a newbie on the list, so first of all I'd like to say hello to
> > everyone
> > :)
> >
> > After this, I'd like to ask for help with a problem I have configuring
> > Tomcat for digital certificates. I've followed all the steps in the
> > Tomcat
> > SSL HOWTO and my tomcat now has a secure connector in port 8443. So,
> > I've no
> > error when trying to enter http://localhost:8443
> >
> > The key in server.xml is the following:
> >
> > <Connector port="8443" maxHttpHeaderSize="8192"
> >    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >    enableLookups="false" disableUploadTimeout="true"
> >    acceptCount="100" scheme="https" secure="true"
> >    clientAuth="false" sslProtocol="TLS" keystoreFile="conf\.keystore"
> > keystorePass="changeit"/>
> >
> >
> > The problem appears when changing clientAuth to true. Then, when using
> > iexplorer the browser simply can't find the page (or this is what it
> > says),
> > and when using firefox it warns about the certificate, but after
> > accepting
> > the certificate it says that 'localhost has received an unexpected or
> > incorrect message. Error code: -12229'. I've been googling for two
> > days and
> > I can't find a clue about what is failing nor what this error code means.
> >
> > I'd be very grateful if somebody can help me with this, so my boss could
> > stop cleaning this gun of his... :P
> >
> > Thanks in advance for your help :)
> >
> > Greetings!
> >
>
>

Re: Problems with clientAuth

Posted by Martin Cavanagh <ca...@con-sense-group.com>.
Hi Luis.

I'm pretty sure I'm having exactly the same problem as you - maybe we 
can solve it together:)

When I enable client authentication in my config clientAuth="true" for
you, since you're using the Java KeyStore (I'm trying to use OpenSSL),

I get exactly the same error in Firefox! (except in German ;) )

In Internet Explorer I get a message, that the Server requires a 
certificate and I need to provide one and that I should select one (I 
don't have any installed in Internet Explorer).

Are you sure that you don't have Client Authentication turned on?

What does the setting secure="true" actually do?

Good luck - let me know how you go.

Martin

Luis Villa wrote:
> Hello all,
>
> I'm a newbie on the list, so first of all I'd like to say hello to
> everyone
> :)
>
> After this, I'd like to ask for help with a problem I have configuring
> Tomcat for digital certificates. I've followed all the steps in the
> Tomcat
> SSL HOWTO and my tomcat now has a secure connector in port 8443. So, 
> I've no
> error when trying to enter http://localhost:8443
>
> The key in server.xml is the following:
>
> <Connector port="8443" maxHttpHeaderSize="8192"
>    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>    enableLookups="false" disableUploadTimeout="true"
>    acceptCount="100" scheme="https" secure="true"
>    clientAuth="false" sslProtocol="TLS" keystoreFile="conf\.keystore"
> keystorePass="changeit"/>
>
>
> The problem appears when changing clientAuth to true. Then, when using
> iexplorer the browser simply can't find the page (or this is what it 
> says),
> and when using firefox it warns about the certificate, but after
> accepting
> the certificate it says that 'localhost has received an unexpected or
> incorrect message. Error code: -12229'. I've been googling for two
> days and
> I can't find a clue about what is failing nor what this error code means.
>
> I'd be very grateful if somebody can help me with this, so my boss could
> stop cleaning this gun of his... :P
>
> Thanks in advance for your help :)
>
> Greetings!
>




Re: Problems with clientAuth

Posted by Martin Cavanagh <ca...@con-sense-group.com>.
do you want to exchange conf.xml files?  I'll happily try yours on my 
computer........

I've had success running both OpenSSL & JavaKeystore.....

I'm running OpenSSL now, because it is supposedly considerably faster.  
I'm not quite sure how to check though.....

One question though.

I have the SSLCACertificateFile property set.  Awesome.  It works.  
Anything coming from that CA is okay, everything else isn't.

How do I do this on a per Client basis?

Thanks

Martin

Luis Villa wrote:
> Hello all !
>
> Someone can throw a little light in this problem?
>
> I am not able to solve it, and I've tried everything I've found 
> searching in
> google :S
>
> Thank all!
>
> 2007/4/2, Luis Villa <lv...@gmail.com>:
>>
>> Ok, now I'm getting mad :S
>>
>> IExplorer keeps saying the page can't be found (it doesn't ask for the
>> certificate), and Firefox throws a -12271 error (I don't know if that is
>> close enough to the error you said, Antoine. Anyway, nothing has 
>> changed
>> since the last 12229 error (I left the computer off in the weekend 
>> because
>> it's in my workplace).
>>
>> Martin, the behavior of Tomcat in your case (I think) is correct. You 
>> put
>> clientAuth="true", so you are forcing the client to send the 
>> certificate to
>> allow connection. You should install a certificate in IExplorer and 
>> Firefox.
>>
>>
>> Thank you, Antoine and Martin :)
>>
>>
>> 2007/4/2, Mirou, Antoine <an...@caissedesdepots.fr>:
>> >
>> > > The problem appears when changing clientAuth to true. Then, when 
>> using
>> > > iexplorer the browser simply can't find the page (or this is what it
>> > > says),
>> > > and when using firefox it warns about the certificate, but after
>> > accepting
>> > > the certification it says that 'localhost has received an unexpected
>> > or
>> > > incorrect message. Error code: -12229'. I've been googling for two
>> > days
>> > > and
>> > > I can't find a clue about what is failing nor what means this error
>> > code.
>> >
>> > I guess it's a "-12227" error, and not 12229. This error appears when
>> > Firefox doesn't have any client certificate to give to the server.
>> > You should install a client certificate issued by the same CA on your
>> > browser.
>> >
>> > Regards,
>> > Antoine
>> >
>> >
>> > To preserve the environment, please print this e-mail only when
>> > necessary.
>> >
>> > Please consider the environment before printing this mail.
>> >
>> >
>> >
>> >
>>
>



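Editor's worked example for Martin's question above about allowing clients individually rather than by CA (added here; it is not code from the thread or from the Tomcat project). A CA-level check at the connector, whether SSLCACertificateFile on the APR connector or truststoreFile on the JSSE one, only decides whether the TLS handshake completes, so every certificate that CA has ever issued passes it. The per-client decision belongs one layer up: Tomcat's CLIENT-CERT authenticator hands the subject DN of the client certificate to the Realm as the user name, so listing exactly the DNs you accept in tomcat-users.xml (or whatever Realm the container uses) and demanding a role in web.xml leaves any other holder of a certificate from the same CA with a completed handshake and a 403. If the need is instead to shut out individual certificates that were once valid, the APR connector's SSLCARevocationFile takes a CRL from the same CA. The script below takes a client certificate in PEM form, prints the DN string and emits both fragments. The role name client-user, the /secure/* pattern and the file names are assumptions; the ", " separator spacing matches what Java's X500Principal.toString() prints, but confirm the exact string Tomcat uses in your version from a servlet that prints request.getUserPrincipal().getName(), since that formatting has varied between releases.

```shell
#!/bin/sh
# Added example, not from the original thread or from Tomcat. Given a client
# certificate (PEM), print the subject DN the way Tomcat's CLIENT-CERT
# authenticator presents it to the Realm as a user name, and emit the
# tomcat-users.xml and web.xml fragments that admit exactly that client.
# Requires openssl. Role name, URL pattern and file names are assumptions.
set -eu

# Subject DN in RFC 2253 attribute order (CN first) with ", " separators as
# Java's X500Principal.toString() prints them. Confirm against what Tomcat
# logs for request.getUserPrincipal().getName() before relying on it.
client_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/,/, /g'
}

# Escape a DN for use inside a double-quoted XML attribute value.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/"/\&quot;/g'
}

# tomcat-users.xml entry for one client: the DN is the user name, the
# password is irrelevant because the certificate is the credential, and the
# role is what the web.xml constraint below demands. $1 cert file, $2 role.
emit_user_entry() {
  dn=$(xml_escape "$(client_dn "$1")")
  printf '<user username="%s" password="" roles="%s"/>\n' "$dn" "$2"
}

# web.xml fragment. TLS proved "issued by a trusted CA"; this is where
# "this client, not every client of that CA" is enforced. $1 pattern, $2 role.
emit_login_config() {
  cat <<EOF
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>$1</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>$2</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>$2</role-name>
</security-role>
EOF
}

# Usage: sh allow-client.sh client.crt  (the certificate, not the .p12)
if [ $# -ge 1 ]; then
  emit_user_entry "$1" "client-user"
  emit_login_config "/secure/*" "client-user"
fi
```

The connector must still request the certificate (clientAuth="true") for CLIENT-CERT to see one; with clientAuth="false" the authenticator has no certificate chain to hand to the Realm and the request fails before any role check.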

Re: Problems with clientAuth

Posted by Luis Villa <lv...@gmail.com>.
Hello all !

Someone can throw a little light in this problem?

I am not able to solve it, and I've tried everything I've found searching in
google :S

Thank all!

2007/4/2, Luis Villa <lv...@gmail.com>:
>
> Ok, now I'm getting mad :S
>
> IExplorer keeps saying the page can't be found (it doesn't ask for the
> certificate), and Firefox throws a -12271 error (I don't know if that is
> close enough to the error you said, Antoine. Anyway, nothing has changed
> since the last 12229 error (I left the computer off in the weekend because
> it's in my workplace).
>
> Martin, the behavior of Tomcat in your case (I think) is correct. You put
> clientAuth="true", so you are forcing the client to send the certificate to
> allow connection. You should install a certificate in IExplorer and Firefox.
>
>
> Thank you, Antoine and Martin :)
>
>
> 2007/4/2, Mirou, Antoine <an...@caissedesdepots.fr>:
> >
> > > The problem appears when changing clientAuth to true. Then, when using
> > > iexplorer the browser simply can't find the page (or this is what it
> > > says),
> > > and when using firefox it warns about the certificate, but after
> > accepting
> > > the certification it says that 'localhost has received an unexpected
> > or
> > > incorrect message. Error code: -12229'. I've been googling for two
> > days
> > > and
> > > I can't find a clue about what is failing nor what means this error
> > code.
> >
> > I guess it's a "-12227" error, and not 12229. This error appears when
> > Firefox doesn't have any client certificate to give to the server.
> > You should install a client certificate issued by the same CA on your
> > browser.
> >
> > Regards,
> > Antoine
> >
> >
> > To preserve the environment, please print this e-mail only when
> > necessary.
> >
> > Please consider the environment before printing this mail.
> >
> >
> >
> >
>

Re: Problems with clientAuth

Posted by Luis Villa <lv...@gmail.com>.
Ok, now I'm getting mad :S

IExplorer keeps saying the page can't be found (it doesn't ask for the
certificate), and Firefox throws a -12271 error (I don't know if that is
close enough to the error you said, Antoine. Anyway, nothing has changed
since the last 12229 error (I left the computer off in the weekend because
it's in my workplace).

Martin, the behavior of Tomcat in your case (I think) is correct. You put
clientAuth="true", so you are forcing the client to send the certificate to
allow connection. You should install a certificate in IExplorer and Firefox.

Thank you, Antoine and Martin :)


2007/4/2, Mirou, Antoine <an...@caissedesdepots.fr>:
>
> > The problem appears when changing clientAuth to true. Then, when using
> > iexplorer the browser simply can't find the page (or this is what it
> > says),
> > and when using firefox it warns about the certificate, but after
> accepting
> > the certification it says that 'localhost has received an unexpected
> or
> > incorrect message. Error code: -12229'. I've been googling for two
> days
> > and
> > I can't find a clue about what is failing nor what means this error
> code.
>
> I guess it's a "-12227" error, and not 12229. This error appears when
> Firefox doesn't have any client certificate to give to the server.
> You should install a client certificate issued by the same CA on your
> browser.
>
> Regards,
> Antoine
>
>
> To preserve the environment, please print this e-mail only when
> necessary.
>
> Please consider the environment before printing this mail.
>
>
>
>

RE: Problems with clientAuth

Posted by "Mirou, Antoine" <an...@caissedesdepots.fr>.
> The problem appears when changing clientAuth to true. Then, when using
> iexplorer the browser simply can't find the page (or this is what it
> says),
> and when using firefox it warns about the certificate, but after
accepting
> the certification it says that 'localhost has received an unexpected
or
> incorrect message. Error code: -12229'. I've been googling for two
days
> and
> I can't find a clue about what is failing nor what means this error
code.

I guess it's a "-12227" error, and not 12229. This error appears when
Firefox doesn't have any client certificate to give to the server.
You should install a client certificate issued by the same CA on your
browser.

Regards,
Antoine


To preserve the environment, please print this e-mail only when necessary.

Please consider the environment before printing this mail.
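Editor's worked example for the question that opens this thread and for Antoine's diagnosis of it (added here; it is not code from the thread or from the Tomcat project). Antoine's point is that with clientAuth="true" the handshake succeeds only when the browser presents a certificate chaining to a CA the connector trusts, and the connector quoted above names no truststoreFile at all, so the JVM's default cacerts would be consulted. The script below builds a private CA, a server certificate, a JKS truststore holding only that CA, and a client certificate as a PKCS#12 bundle for import into Firefox or Internet Explorer; it then previews the connector's decision offline with openssl verify and prints the connector with the keystore and truststore attributes filled in. The tools (openssl, keytool) are real; every file name, subject name, the WORK directory and the password changeit are assumptions for illustration, and probe_server needs a running Tomcat, so it is defined but not run automatically.

```shell
#!/bin/sh
# Added example, not from the original thread or from Tomcat. Builds a private
# CA, a server certificate for the Tomcat keystore, a JKS truststore holding
# only that CA, and a client certificate bundled as PKCS#12 for the browser,
# then previews offline whether a given client certificate would pass the
# connector's check. Requires openssl; the truststore step also needs keytool.
# File names, subject names and the password are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"

# Self-signed CA with explicit CA extensions (kept in a file so the result does
# not depend on the local openssl.cnf). In production ca.key stays off the
# Tomcat host.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/C=ES/O=Example Lab/CN=Example Lab Client CA" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Certificate signed by the CA: $1 base name, $2 subject, $3 extensions file.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

# Key, certificate and CA as PKCS#12. Tomcat reads server.p12 directly with
# keystoreType="PKCS12"; client.p12 is what Firefox or IE imports.
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -name "$1" -out "$WORK/$1.p12" -passout "pass:$PASS"
}

# JKS truststore containing only the CA. With clientAuth="true" the handshake
# completes only for client certificates chaining to an entry in here; a
# browser holding no such certificate gets the fatal alert that Firefox shows
# as an error code and Internet Explorer as a page it cannot display.
make_truststore() {
  rm -f "$WORK/truststore.jks"
  keytool -importcert -noprompt -alias clientca -storetype JKS \
    -file "$WORK/ca.crt" -keystore "$WORK/truststore.jks" -storepass "$PASS" \
    >/dev/null 2>&1
}

# Offline preview of the connector's decision: exit 0 when $2 chains to the
# CA in $1, non-zero otherwise (for example a certificate from another CA).
verify_client() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Online check against a running connector (not run automatically). Remove
# the -cert/-key options to watch the same alert the browsers report.
probe_server() {
  openssl s_client -connect "${1:-localhost:8443}" -CAfile "$WORK/ca.crt" \
    -cert "$WORK/client.crt" -key "$WORK/client.key" </dev/null
}

# Tomcat 5.5 JSSE connector. truststoreFile is what the connector quoted in
# the thread lacks. secure="true" and scheme="https" only control what
# request.isSecure() and request.getScheme() report to the web application.
print_connector() {
  cat <<EOF
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="$WORK/server.p12" keystoreType="PKCS12" keystorePass="$PASS"
    truststoreFile="$WORK/truststore.jks" truststorePass="$PASS"/>
EOF
}

build_all() {
  make_ca
  printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  issue_cert server "/C=ES/O=Example Lab/CN=localhost" "$WORK/server.ext"
  issue_cert client "/C=ES/O=Example Lab/CN=Luis Villa" "$WORK/client.ext"
  bundle_p12 server
  bundle_p12 client
  if command -v keytool >/dev/null 2>&1; then make_truststore; fi
  print_connector
}

if command -v openssl >/dev/null 2>&1; then
  build_all
else
  echo "openssl not found; nothing generated" >&2
fi
```

Running it leaves everything in $WORK (a fresh mktemp directory unless WORK is set). Import client.p12 into the browser's personal certificate store, point the connector at server.p12 and truststore.jks, restart Tomcat, and the browser prompts for the certificate instead of failing the handshake. Before involving a browser at all, probe_server shows whether the server sends a CertificateRequest and, without -cert/-key, reproduces the failure a certificate-less client sees.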