Posted to users@tomcat.apache.org by Ankit Shah <An...@symantec.com> on 2005/05/17 23:12:45 UTC
Re: tomcat-user Digest 16 May 2005 21:06:57 -0000 Issue 5633
Hi Peter,
You're a stunner. Thanks very much... your fix works. The file is printed
out nicely and multiple restarts don't mess it up.
Thanks,
Ankit
tomcat-user-digest-help@jakarta.apache.org
05/16/2005 05:06 PM
Please respond to
"Tomcat Users List" <to...@jakarta.apache.org>
To
tomcat-user@jakarta.apache.org
cc
Subject
tomcat-user Digest 16 May 2005 21:06:57 -0000 Issue 5633
----- Message from Peter Rossbach <pr...@objektpark.de> on Mon, 16 May 2005
20:23:43 +0200 -----
To:
Tomcat Users List <to...@jakarta.apache.org>
Subject:
Re: Admin Application messes up HTTPS Connectors in server.xml
Hey Ankit,
I found the bug and hope you can test my fix at cvs head.
Thanks
Peter
Ankit Shah schrieb:
>Hi Peter,
>Thanks for your response. I double-checked to make sure that
secure="true"
>is present. Also, the admin app does write out that attribute. It is
>indeed the missing sslProtocol attribute that's the root of all problems.
>
>Here are the 2 connector elements from configs:
>
>Configured Manually. Works fine:
>
> <Connector port="1443"
> maxThreads="15" minSpareThreads="5" maxSpareThreads="10"
> enableLookups="false" disableUploadTimeout="true"
>maxKeepAliveRequests="1"
> acceptCount="10" debug="0" scheme="https" secure="true"
> keystorePass="mypassword"
> keystoreFile="c:\path\to\certificate\file"
> clientAuth="false" sslProtocol="TLS" />
>
>Saved by Admin App: Breaks
> <Connector port="1443" scheme="https" secure="true"
> keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
> maxSpareThreads="10" debug="0" maxThreads="15"
>maxKeepAliveRequests="1" minSpareThreads="5"
> clientAuth="false" acceptCount="10" />
>
>To fix the above so that it works:
> <Connector port="1443" scheme="https" secure="true"
> keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
> maxSpareThreads="10" debug="0" maxThreads="15"
>maxKeepAliveRequests="1" minSpareThreads="5"
> clientAuth="false" acceptCount="10" sslProtocol="TLS" />
>
>Note that secure="true" is printed out by the admin app
>
>I have been investigating the source code to track the file that is doing
>the job of saving the connector configuration to disk. It should be one of
>the files belonging to the storeconfig.jar classes. As a stop-gap
>arrangement I might tweak the code to force printing that attribute and
>override all checks for just that attribute. (Messy ... but it will work
>until a more thorough investigation is done. Everyone knows how deadlines
>go ... ;) )
>
>Thanks again,
>Ankit
>
>tomcat-user-digest-help@jakarta.apache.org
>05/15/2005 06:55 PM
>Please respond to
>"Tomcat Users List" <to...@jakarta.apache.org>
>
>
>To
>tomcat-user@jakarta.apache.org
>cc
>
>Subject
>tomcat-user Digest 15 May 2005 22:55:08 -0000 Issue 5626
>
>---- Message from Peter Rossbach <pr...@objektpark.de> on Sun, 15 May 2005
>20:16:01 +0200 -----
>To:
>Tomcat Users List <to...@jakarta.apache.org>
>Subject:
>Re: Admin Application messes up HTTPS Connectors in server.xml
>
>Hey Ankit,
>
>can it be that you forgot the secure="true" attribute on your https
>connector?
>
>I have looked inside the Http11Protocol code and found this:
>
> public void setProtocol( String k ) {
> setSecure(true);
> setAttribute("protocol", k);
> }
>
>The sslProtocol="TLS" is the default and the StoreConfig
>handler deletes all defaults before saving.
>This is really a bad side effect, but with the correct secure attribute
>setting it works for me!
>
>This https config is also documented at:
>
>http://jakarta.apache.org/tomcat/tomcat-5.5-doc/ssl-howto.html
>
>If the problem still exists, please send your working and breaking
>Connector element configs from server.xml
>
>Thanks
>Peter
>
>Ankit Shah schrieb:
>
>>Hi,
>>The Tomcat admin utility doesn't save the HTTPS connectors properly. It
>>misses out the 'sslProtocol' attribute and this results in the failed
>>connector. Does anyone have a fix around this?
>>
>>The following is the current state of our server:
>>Tomcat 5.5.9 with 1.4.2 compatibility add-on.
>>JRE version 1.4.2_05
>>
>>My Tests and results:
>>About certificates:
>> We are using our own keytool-generated unsigned certificates.
>>Every time I point Firefox to the admin app, it will present the
>>certificate for my approval. I temporarily accept the certificate for my
>>session.
>>
>>1. Install tomcat, configure an HTTPS connector
>> Run the admin app and change a parameter (acceptCount in my case:
>>raised it from 8 to 10) and click Save and then Commit Changes
>>
>> Restart Tomcat. Restart Firefox. Pointing the browser to the admin
>>app homepage will not load anything.
>> No Certificate presented!!
>>
>>2. Manually did a diff on server.xml and server.xml.<backup> . The
>>difference is the missing 'sslProtocol' attribute. The docs say this
>>attribute is optional, but that doesn't seem like the case. Added the
>>attribute manually
>> sslProtocol="TLS"
>>
>> Restart Tomcat. Restart Firefox. Certificate presented. Admin App
>>Homepage Loaded.
>>
>>3. From the server.xml written out by the admin app, it is clear that
>>only attributes with non-default values are written out.
>> From the admin app, set SSL Protocol field's value to SSL. Save.
>>Commit Changes
>>
>> Restart Tomcat. Restart Firefox. NO Certificate Presented. Admin
>>App homepage NOT loaded.
>>
>> In server.xml - sslProtocol attribute is NOT written out.
>>
>>I also inspected the logs (Generated by Log4J and logging level set to
>>debug)
>>
>>Upon save:
>> bean is updated with sslProtocol's new value
>>Upon Commit:
>> the list of attributes for the connector doesn't have sslProtocol
>>as one of the attributes that will be written out
>>
>>Can you help me with how I can make the admin application available for
>>Tomcat administration by the assigned administrators? What fixes will be
>>needed? Are there any known workarounds for this?
>>
>>Thanks in advance for all your help and appreciate your patience in
>>reading through my email.
>>
>>Ankit
>>PS: I can mail you the log files if you want (I have about 11 of them,
>>each is 10M). Thanks once again
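The failure mode in this thread is a round-trip that silently drops a default-valued attribute (sslProtocol="TLS") and leaves an HTTPS connector that no longer comes up. The script below is an added example, not Tomcat or StoreConfig code: it models the "strip everything equal to its default" save behaviour Peter describes, audits a server.xml for HTTPS connectors that lack the attributes the thread found to be load-bearing, and re-adds the stripped default explicitly, which is the manual fix Ankit applied. The two Connector elements are constructed from the ones quoted in the thread (placeholder path and password as on the page); the only default it knows about is the sslProtocol="TLS" the thread identifies, and the function and constant names are this example's own.

```python
"""Audit a Tomcat 5.5 server.xml for HTTPS connectors broken by default-stripping.

Added example; models the behaviour discussed in the thread, not StoreConfig itself.
"""
import xml.etree.ElementTree as ET

# The one default the thread identifies as being dropped on save. Extend this
# only with defaults you have verified; nothing else is assumed here.
CONNECTOR_DEFAULTS = {"sslProtocol": "TLS"}

# What an HTTPS connector must carry to come back after a restart, per the thread.
# A value of None means "must be present, any value accepted".
HTTPS_REQUIRED = {"scheme": "https", "secure": "true", "sslProtocol": None}

# Constructed sample: the hand-written connector that works (from the thread).
MANUAL_XML = r'''<Server><Service name="Catalina">
  <Connector port="1443" maxThreads="15" minSpareThreads="5" maxSpareThreads="10"
             enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
             acceptCount="10" debug="0" scheme="https" secure="true"
             keystorePass="mypassword" keystoreFile="c:\path\to\certificate\file"
             clientAuth="false" sslProtocol="TLS" />
</Service></Server>'''

# Constructed sample: what the admin app wrote back (sslProtocol gone).
ADMIN_SAVED_XML = r'''<Server><Service name="Catalina">
  <Connector port="1443" scheme="https" secure="true"
             keystoreFile="c:\path\to\certificate\file" keystorePass="mypassword"
             maxSpareThreads="10" debug="0" maxThreads="15" maxKeepAliveRequests="1"
             minSpareThreads="5" clientAuth="false" acceptCount="10" />
</Service></Server>'''


def connector_attrs(xml_text):
    """Return the attribute dict of every <Connector> in document order."""
    root = ET.fromstring(xml_text)
    return [dict(conn.attrib) for conn in root.iter("Connector")]


def store_config(attrs, defaults=CONNECTOR_DEFAULTS):
    """Model of the save step described in the thread: any attribute whose
    value equals its default is dropped before the element is written out."""
    return {k: v for k, v in attrs.items() if defaults.get(k) != v}


def is_https_connector(attrs):
    """A connector is HTTPS if it says so via scheme or via secure."""
    return attrs.get("scheme") == "https" or attrs.get("secure") == "true"


def audit(xml_text, required=HTTPS_REQUIRED):
    """Return {port: [problem, ...]} for every HTTPS connector in the file.
    An empty list means the connector carries everything the thread needs."""
    findings = {}
    for attrs in connector_attrs(xml_text):
        if not is_https_connector(attrs):
            continue
        problems = []
        for name, expected in required.items():
            if name not in attrs:
                problems.append(f"missing {name}")
            elif expected is not None and attrs[name] != expected:
                problems.append(f"{name}={attrs[name]!r}, expected {expected!r}")
        findings[attrs.get("port", "?")] = problems
    return findings


def repair(xml_text, defaults=CONNECTOR_DEFAULTS):
    """Re-add the stripped default(s) explicitly on every HTTPS connector,
    which is the manual fix applied in the thread. Returns the new XML text."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if is_https_connector(conn.attrib):
            for name, value in defaults.items():
                conn.attrib.setdefault(name, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    manual = connector_attrs(MANUAL_XML)[0]
    print("round-trip drops:", sorted(set(manual) - set(store_config(manual))))
    print("admin-saved audit:", audit(ADMIN_SAVED_XML))
    print("after repair:     ", audit(repair(ADMIN_SAVED_XML)))
```

Run it against a real server.xml with `audit(open(path).read())` after every admin-app commit, or before each restart, so a silently dropped attribute is caught while the old configuration is still running rather than after the HTTPS listener fails to come up.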