Posted to users@tomcat.apache.org by Nate Rock <nr...@infinitecampus.com> on 2005/12/01 00:06:40 UTC

RE: Tomcat 5.5.12- APR Connector - SSL configuration

Thx Remy, but still not working... I did however discover why it's not working so read on...

Remy's comment about reading *all* the documentation highlights my point about the APR SSL documentation being unclear... According to the APR/SSL documentation on the Tomcat site, (and verified in the source) the only attribute that is "Required" for the connector is the SSLCertificateFile attribute so that's all I tried at first. Since the default value for SSLEngine is "off" wouldn't the SSLEngine="on" be "required" to use SSL on the connector? 

I also skimmed through the attributes by reading the first sentence of the description, and when I see "Name of the SSLEngine to use."  I say "I don't need an external SSL engine... On to the next attribute". It might be more clear to make a second attribute that toggles ssl on/off in the connector and one that specifies an engine other than the default.

<Connector 
	SSLEnable="true" (default false)?
	SSLEngine="customEngineNameHere" (default none)?
	/>

This makes a clear separation from enabling SSL in the connector and a deviation from the default SSL engine. In the above mentioned suggestion the SSLEnable attribute should be a required attribute for the connector. Just my two cents, I know about the SSLEngine so I don't need the added clarification, it might also be the way that OpenSSL handles its SSLEngine attribute, and if that's the case, something pointing out that the attribute is "required" would be super helpful.

Now that the doc discussion is over let's get to the root of the problem...

After Remy's advice I tried the SSLEngine="on" with only the SSLCertificate attribute and turned my debug level to 5 to get maximum debugging info.

<Connector port="443" 
	debug="5"
	maxHttpHeaderSize="8192"
	maxThreads="150" 
	minSpareThreads="25" 
	maxSpareThreads="75"
	enableLookups="false" 
	disableUploadTimeout="true"
	acceptCount="100" 	
	SSLEngine="on"	
	SSLCertificateFile="c:\certs\server\server.cer"
	/>

Here is what I got in the log file:

Nov 30, 2005 4:53:21 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Nov 30, 2005 4:53:22 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: Unable to load certificate key c:\certs\server\server.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)
	at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
	at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:592)
	at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:115)
	at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
	at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Nov 30, 2005 4:53:22 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException:  Protocol handler initialization failed: java.lang.Exception: Unable to load certificate key c:\certs\server\server.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)
	at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
	at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)

This makes sense because how can the server encrypt anything that matches its public key without having signed it with the private key? /;)  So I added in the SSLCertificateFile attribute.

<Connector port="443" 
	debug="5"
	maxHttpHeaderSize="8192"
	maxThreads="150" 
	minSpareThreads="25" 
	maxSpareThreads="75"
	enableLookups="false" 
	disableUploadTimeout="true"
	acceptCount="100" 	
	SSLEngine="on"	
	SSLCertificateFile="c:\certs\server\server.cer"
	SSLCertificateKeyFile="c:\certs\server\serverKey.key"
	/>

Woo Hoo!!!!! Nothing in the log file...

Nov 30, 2005 4:57:10 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Nov 30, 2005 4:57:11 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 30, 2005 4:57:11 PM org.apache.catalina.startup.Catalina load

I then try connecting to the server using http://server/ but STILL nothing...

Not being one to be thwarted so easily (and having found and posted a code fix just yesterday for some APR connector code) I dove right into the source... It looks like the SSL implementation for the native APR connector might not be functioning as intended ;) Take a look at the code snippet below:

Lines 639-650 of the org.apache.coyote.Http11AprProtocol.java

                // FIXME: SSL implementation
                /*
                if( proto.secure ) {
                    SSLSupport sslSupport=null;
                    if(proto.sslImplementation != null)
                        sslSupport = proto.sslImplementation.getSSLSupport(socket);
                    processor.setSSLSupport(sslSupport);
                } else {
                    processor.setSSLSupport( null );
                }
                processor.setSocket( socket );
                */

Whoops...

Not knowing the intimate details of how the Tomcat/APR connectors function, I might be incorrect in my assumption, but it looks like the SSL code is in fact commented out.

Going to post a bug for this if someone doesn't do it by the time I get home... =D - cheers!

   -rOcK

-----Original Message-----
From: Remy Maucherat [mailto:remy.maucherat@gmail.com] 
Sent: Wednesday, November 30, 2005 4:12 PM
To: Tomcat Users List
Subject: Re: Tomcat 5.5.12- APR Connector - SSL configuration

On 11/30/05, Nate Rock <nr...@infinitecampus.com> wrote:
> All to no avail =(

Cool, but how about really reading *all* the APR documentation. For example, there's a SSLEngine attribute, also.

--
xxxxxxxxxxxxxxxxxxxxxxxxx
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
xxxxxxxxxxxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: Tomcat 5.5.12- APR Connector - SSL configuration

Posted by Remy Maucherat <re...@gmail.com>.
On 12/1/05, Nate Rock <nr...@infinitecampus.com> wrote:
> <Connector port="443"
>         debug="5"
>         maxHttpHeaderSize="8192"
>         maxThreads="150"
>         minSpareThreads="25"
>         maxSpareThreads="75"
>         enableLookups="false"
>         disableUploadTimeout="true"
>         acceptCount="100"
>         SSLEngine="on"
>         SSLCertificateFile="c:\certs\server\server.cer"
>         SSLCertificateKeyFile="c:\certs\server\serverKey.key"
>         />
>
> Woo Hoo!!!!! Nothing in the log file...

The proper configuration is actually something like:
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
>>>>>>               scheme="https" secure="true"
               SSLEngine="on"
               SSLCertificateFile="${catalina.base}/conf/localhost.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

I just tested again, it still works perfectly well.

--
xxxxxxxxxxxxxxxxxxxxxxxxx
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
xxxxxxxxxxxxxxxxxxxxxxxxx
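
The "PEM routines:PEM_read_bio:no start line" error earlier in the thread is OpenSSL failing to find a "-----BEGIN ...-----" block in the file it was handed; the checker below (an added example, not code from this thread or from Tomcat) verifies that an APR <Connector> carries the attribute set Remy's working config uses and that the referenced files at least have PEM framing. The connector strings and file contents are constructed samples, and the `REQUIRED` attribute values are taken from Remy's config above.

```python
"""Sanity-check an APR/native Tomcat <Connector> for SSL and check PEM framing."""
import re
import xml.etree.ElementTree as ET

# Attributes Remy's working config sets in addition to the certificate/key files.
REQUIRED = {"SSLEngine": "on", "scheme": "https", "secure": "true"}
# OpenSSL's PEM reader needs a line of this shape, else it reports "no start line".
PEM_BEGIN = re.compile(r"^-----BEGIN [A-Z ]+-----$", re.MULTILINE)


def check_connector(xml_text):
    """Return a list of problems found in the <Connector> element (empty = OK)."""
    conn = ET.fromstring(xml_text)
    if conn.tag != "Connector":
        conn = conn.find(".//Connector")
    problems = []
    for attr, want in REQUIRED.items():
        got = conn.get(attr)
        if got is None:
            problems.append(f'missing {attr}="{want}"')
        elif got != want:
            problems.append(f'{attr}="{got}" should be "{want}"')
    # With only SSLCertificateFile set, the key is looked for in the same file,
    # which is exactly what produced the "no start line" failure in the thread.
    for attr in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if not conn.get(attr):
            problems.append(f"missing {attr}")
    return problems


def pem_has_start_line(data):
    """True if the text has a PEM BEGIN line, the precondition PEM_read_bio enforces."""
    return PEM_BEGIN.search(data) is not None


# Constructed sample: the shape of Nate's first attempt (no key file given).
NATE_FIRST = ('<Connector port="443" SSLEngine="on" '
              'SSLCertificateFile="c:\\certs\\server\\server.cer" />')
# Constructed sample: the shape of Remy's working connector.
REMY = ('<Connector port="443" scheme="https" secure="true" SSLEngine="on" '
        'SSLCertificateFile="${catalina.base}/conf/localhost.crt" '
        'SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />')
# Constructed file contents: PEM-framed text versus a binary (DER-style) blob.
PEM_SAMPLE = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
DER_SAMPLE = "\x30\x82\x01\x0a constructed DER-like bytes with no BEGIN line"

if __name__ == "__main__":
    print("Nate's first config:", check_connector(NATE_FIRST) or "OK")
    print("Remy's config:", check_connector(REMY) or "OK")
    print("PEM sample has start line:", pem_has_start_line(PEM_SAMPLE))
    print("DER sample has start line:", pem_has_start_line(DER_SAMPLE))
```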



Re: Tomcat 5.5.12- APR Connector - SSL configuration

Posted by Remy Maucherat <re...@gmail.com>.
> Lines 639-650 of the org.apache.coyote.Http11AprProtocol.java
>
>                 // FIXME: SSL implementation
>                 /*
>                 if( proto.secure ) {
>                     SSLSupport sslSupport=null;
>                     if(proto.sslImplementation != null)
>                         sslSupport = proto.sslImplementation.getSSLSupport(socket);
>                     processor.setSSLSupport(sslSupport);
>                 } else {
>                     processor.setSSLSupport( null );
>                 }
>                 processor.setSocket( socket );
>                 */
>
> Whoops...
>
> Not knowing the intimate details of how the Tomcat/APR connectors function, I might be incorrect in my assumption, but it looks like the SSL code is in fact commented out.
>
> Going to post a bug for this if someone doesn't do it by the time I get home... =D - cheers!

If you do that, I'll close it as INVALID 5 minutes later.

--
xxxxxxxxxxxxxxxxxxxxxxxxx
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
xxxxxxxxxxxxxxxxxxxxxxxxx
