Posted to users@tomcat.apache.org by Suresh Kumar J <su...@gmail.com> on 2008/08/30 00:55:40 UTC

How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Hi!

Am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
snippet of the server.xml config:
----------------------------
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
               keystoreFile="conf/my-key-store" keystorePass="abcd"/>
----------------------------

The https connection(TLS based) works fine with IE6.0/7.x and FireFox
2.0.x. But am having issues with the FireFox 3.0.1 on Windows XP with
the default settings. When I try to connect(https on 443) to Apache
Tomcat (v6.0.14), I get the following error on the FireFox 3.0.1 window:
-------------------------------------------
Secure Connection Failed
An error occurred during a connection to 10.xx.xx.xx
Cannot communicate securely with peer: no common encryption algorithm(s):
(Error code: ssl_error_no_cypher_overlap)
-------------------------------------------

Have observed the following error in the Catalina.out file:
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

In the FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled(and SSLv2 is
disabled) in the browser security settings. The web-server is correctly
configured for secured http on TLS. Earlier with Firefox2.0.x, it was
working fine. Also checked with Linux version of FireFox3.0.1 and the
TLS connection is working fine.

When I tried to analyze the packet capture of the browser/web-server
communication via "WireShark/Ethereal" tools, I observed that the
FireFox3.0 on Windows uses "SSLv2 Record layer(Client Hello)" for SSL
handshake negotiations. As my Tomcat webserver is configured for TLS, it
doesn't seem to understand the SSLv2 record layer format, eventually
errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".

Since SSLv2 is generally considered to be a weaker protocol than SSLv3
and TLS, am not sure why FireFox3.0.1 on Windows uses SSLv2 Record
protocol, also SSLv2 is disabled by default. On Redhat Linux, the same
FF3.0.1(firefox-3.0.1-1.el5) uses "TLSv1 Record Layer(Client Hello)" for
security negotiations. The FireFox v2.0.x on Windows uses "SSLv3 Record
Layer(Client Hello)" which seems to be fine. Am able to launch the https
webpages on IE6.x and IE7.x and also FireFox2.0. The only issue is on
FireFox3.0 which uses "SSLv2 Record layer(Client Hello)" for SSL
handshake negotiations. Tomcat works well with TLS protocol, but when
the browser uses SSLv2 then it fails.

I tried changing the "sslProtocol" attribute in the "Connector" element
in conf/server.xml file and then the Tomcat couldn't start. Observed the
following error in catalina.out:
--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
        at java.lang.reflect.Method.invoke(Method.java:317)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Does Tomcat 6.0.x support SSL implementation? Is it possible to make
the Tomcat to understand both SSL and TLS protocols so that all the
browsers are supported? It seems to be critical to make the application
I use the certificate in the format of PKCS12, created via openssl tool.

Did anyone else face a similar kind of problem in this regard?

Thanks,
Suresh



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by Gregor Schneider <rc...@googlemail.com>.
On Wed, Sep 3, 2008 at 8:20 AM, Suresh Kumar J <su...@gmail.com> wrote:
> Am running Harmony JRE in this case. Is this error related to Harmony JRE or
> Tomcat?

Suresh, sorry, but unfortunately my crystal ball is not available...

Try it with the original SUN JDK - Not JRE and see if it works.

I have to apologize for the hint "ALL" since "all" (notice that it's
all small letters) is only available in the https-connector when
using APR (Apache Portable Runtime).

However, maybe this piece from the docs gives you an idea:

============
The encryption/decryption protocol to be used on this socket. It is
not recommended to change this value if you are using Sun's JVM. It is
reported that IBM's 1.4.1 implementation of the TLS protocol is not
compatible with some popular browsers. In this case, use the value
SSL.
============

(http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html)

Seems some JDKs might have a problem with SSL.

Therefore, again, try SUN's original JDK.

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371



Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by bh...@aol.com.
This is surely an issue with Harmony JRE as it does not have the 
implementation that you are looking for. Switch to Sun JRE and 
re-verify.


-----Original Message-----
From: Suresh Kumar J <su...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Wed, 3 Sep 2008 11:50 am
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
SSLv2/SSLv3 and TLS protocols

Haven't yet tried with Sun JRE.

When I try setting the sslProtocol="ALL" in server.xml, the tomcat
error'd out the following in catalina.out:
----------------------------------------------------
SEVERE: Error starting endpoint
Throwable occurred: java.io.IOException: SSLContext ALL implementation not found
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:515)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:204)
        at org.apache.catalina.connector.Connector.start(Connector.java:1132)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
        at java.lang.reflect.Method.invoke(Method.java:317)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Sep 2, 2008 11:17:49 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
Throwable occurred: LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: SSLContext ALL implementation not found
        at org.apache.catalina.connector.Connector.start(Connector.java:1139)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
        at java.lang.reflect.Method.invoke(Method.java:317)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
----------------------------------------------------

Am running Harmony JRE in this case. Is this error related to Harmony JRE
or Tomcat?

Thanks,
Suresh

Gregor Schneider wrote:
> Suresh,
>
> I guess no one is having the same problem like what you're having.
>
> As a first guess, within your connector I'd change
>
>          clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>
> to
>
>          clientAuth="false" sslProtocol="ALL" keystoreType="PKCS12"
>
> 2nd, I'd have a look how it behaves with Sun's original JDK
>
> If all that fails (what would puzzle me since you're the first to
> have this problem), I'd give OpenSSL a try:
>
> I'm running Tomcat 5.5 on Debian using APR with OpenSSL, and this is
> my Connector working like a charm, even with the latest version of
> Firefox:
>
>     <Connector  port="443"
>                 address="xx.xxx.xxx.xx"
>                 maxHttpHeaderSize="8192"
>                 maxThreads="150"
>                 minSpareThreads="25"
>                 maxSpareThreads="75"
>                 enableLookups="false"
>                 disableUploadTimeout="true"
>                 acceptCount="100"
>                 scheme="https"
>                 secure="true"
>                 SSLEngine="on"
>                 SSLCertificateFile="/home/tomcat/www/certs/some.crt"
>                 SSLCertificateKeyFile="/home/tomcat/www/certs/some.key" />
>
> HTH
>
> Gregor
>


Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by Suresh Kumar J <su...@gmail.com>.
Haven't yet tried with Sun JRE.

When I try setting the sslProtocol="ALL" in server.xml, the tomcat 
error'd out the following in catalina.out:
----------------------------------------------------
SEVERE: Error starting endpoint
Throwable occurred: java.io.IOException: SSLContext ALL implementation not found
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
         at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
         at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:515)
         at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:204)
         at org.apache.catalina.connector.Connector.start(Connector.java:1132)
         at org.apache.catalina.core.StandardService.start(StandardService.java:531)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
         at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
         at java.lang.reflect.Method.invoke(Method.java:317)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Sep 2, 2008 11:17:49 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
Throwable occurred: LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: SSLContext ALL implementation not found
         at org.apache.catalina.connector.Connector.start(Connector.java:1139)
         at org.apache.catalina.core.StandardService.start(StandardService.java:531)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
         at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
         at java.lang.reflect.Method.invoke(Method.java:317)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
----------------------------------------------------

Am running Harmony JRE in this case. Is this error related to Harmony JRE
or Tomcat?

Thanks,
Suresh

Gregor Schneider wrote:
> Suresh,
>
> I guess no one is having the same problem like what you're having.
>
> As a first guess, within your connector I'd change
>
>          clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>
> to
>
>          clientAuth="false" sslProtocol="ALL" keystoreType="PKCS12"
>
> 2nd, I'd have a look how it behaves with Sun's original JDK
>
> If all that fails (what would puzzle me since you're the first to
> have this problem), I'd give OpenSSL a try:
>
> I'm running Tomcat 5.5 on Debian using APR with OpenSSL, and this is
> my Connector working like a charm, even with the latest version of
> Firefox:
>
>     <Connector  port="443"
>                 address="xx.xxx.xxx.xx"
>                 maxHttpHeaderSize="8192"
>                 maxThreads="150"
>                 minSpareThreads="25"
>                 maxSpareThreads="75"
>                 enableLookups="false"
>                 disableUploadTimeout="true"
>                 acceptCount="100"
>                 scheme="https"
>                 secure="true"
>                 SSLEngine="on"
>                 SSLCertificateFile="/home/tomcat/www/certs/some.crt"
>                 SSLCertificateKeyFile="/home/tomcat/www/certs/some.key" />
>
> HTH
>
> Gregor
>   



Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by Gregor Schneider <rc...@googlemail.com>.
Suresh,

I guess no one is having the same problem like what you're having.

As a first guess, within your connector I'd change

         clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"

to

         clientAuth="false" sslProtocol="ALL" keystoreType="PKCS12"

2nd, I'd have a look how it behaves with Sun's original JDK

If all that fails (what would puzzle me since you're the first to
have this problem), I'd give OpenSSL a try:

I'm running Tomcat 5.5 on Debian using APR with OpenSSL, and this is
my Connector working like a charm, even with the latest version of
Firefox:

    <Connector  port="443"
                address="xx.xxx.xxx.xx"
                maxHttpHeaderSize="8192"
                maxThreads="150"
                minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false"
                disableUploadTimeout="true"
                acceptCount="100"
                scheme="https"
                secure="true"
                SSLEngine="on"
                SSLCertificateFile="/home/tomcat/www/certs/some.crt"
                SSLCertificateKeyFile="/home/tomcat/www/certs/some.key" />

HTH

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371



Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by Suresh Kumar J <su...@gmail.com>.
The issue turns out to be that the Apache-Tomcat is not able to handle 
the full set of cipher suites implemented in the latest FireFox v3.0.1. 
When I try to establish the https connection, the tomcat server 
seems to choke with the set of cipher suites negotiated by the FireFox 
browser and eventually errors out with the error:
java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR

I had to disable the following cipher suites in the FireFox (v3.0.1) 
browser via the "about:config" option:
security.ssl3.dhe_dss_camellia_128_sha
security.ssl3.dhe_dss_camellia_256_sha
security.ssl3.dhe_rsa_camellia_128_sha
security.ssl3.dhe_rsa_camellia_256_sha
security.ssl3.rsa_camellia_128_sha
security.ssl3.rsa_camellia_256_sha

Wonder if anybody else has encountered this issue while using Tomcat 
server with the FireFox browser.

Thanks,
Suresh

Suresh Kumar J wrote:
> Hi!
>
> Am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
> snippet of the server.xml config:
> ----------------------------
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>               keystoreFile="conf/my-key-store" keystorePass="abcd"/>
> ----------------------------
>
> The https connection(TLS based) works fine with IE6.0/7.x and FireFox
> 2.0.x. But am having issues with the FireFox 3.0.1 on Windows XP with
> the default settings. When I try to connect(https on 443) to Apache
> Tomcat (v6.0.14), I get the following error on the FireFox 3.0.1 window:
> -------------------------------------------
> Secure Connection Failed
> An error occurred during a connection to 10.xx.xx.xx
> Cannot communicate securely with peer: no common encryption algorithm(s):
> (Error code: ssl_error_no_cypher_overlap)
> -------------------------------------------
>
> Have observed the following error in the Catalina.out file:
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>        at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> In the FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled(and SSLv2 is
> disabled) in the browser security settings. The web-server is correctly
> configured for secured http on TLS. Earlier with Firefox2.0.x, it was
> working fine. Also checked with Linux version of FireFox3.0.1 and the
> TLS connection is working fine.
>
> When I tried to analyze the packet capture of the browser/web-server
> communication via "WireShark/Ethereal" tools, I observed that the
> FireFox3.0 on Windows uses "SSLv2 Record layer(Client Hello)" for SSL
> handshake negotiations. As my Tomcat webserver is configured for TLS, it
> doesn't seem to understand the SSLv2 record layer format, eventually
> errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".
>
> Since SSLv2 is generally considered to be a weaker protocol than SSLv3
> and TLS, am not sure why FireFox3.0.1 on Windows uses SSLv2 Record
> protocol, also SSLv2 is disabled by default. On Redhat Linux, the same
> FF3.0.1(firefox-3.0.1-1.el5) uses "TLSv1 Record Layer(Client Hello)" for
> security negotiations. The FireFox v2.0.x on Windows uses "SSLv3 Record
> Layer(Client Hello)" which seems to be fine. Am able to launch the https
> webpages on IE6.x and IE7.x and also FireFox2.0. The only issue is on
> FireFox3.0 which uses "SSLv2 Record layer(Client Hello)" for SSL
> handshake negotiations. Tomcat works well with TLS protocol, but when
> the browser uses SSLv2 then it fails.
>
> I tried changing the "sslProtocol" attribute in the "Connector" element
> in conf/server.xml file and then the Tomcat couldn't start. Observed the
> following error in catalina.out:
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>        at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>        at java.lang.reflect.Method.invoke(Method.java:317)
>        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>
> Does Tomcat 6.0.x support SSL implementation? Is it possible to make
> the Tomcat to understand both SSL and TLS protocols so that all the
> browsers are supported? It seems to be critical to make the application
> I use the certificate in the format of PKCS12, created via openssl tool.
>
> Did anyone else face a similar kind of problem in this regard?
>
> Thanks,
> Suresh
>
>
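
To check on captured bytes what this message describes, the following added example (not code from the thread) parses a Client Hello in either the SSLv2-compatible or the SSLv3/TLS record format, reports the protocol version it actually offers, and splits the offered cipher suites by whether a server supports them. The sample hellos are constructed, and `SERVER_SUITES` and all function names are hypothetical.

```python
import struct

# IANA code points for the suites named in this thread, plus a few common ones.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
    0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
}
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}


class HelloError(ValueError):
    """Raised when the bytes are not a complete ClientHello."""


def _need(buf, off, n):
    # Bounds-checked slice so a truncated capture fails loudly instead of mis-parsing.
    if off + n > len(buf):
        raise HelloError("truncated at offset %d (need %d bytes)" % (off, n))
    return buf[off:off + n]


def _result(fmt, major, minor, suites, v2_specs):
    return {"record_format": fmt,
            "offered_version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
            "suites": suites, "sslv2_specs": v2_specs}


def _parse_v2_format(data):
    # 2-byte header (high bit set), then type, version, three lengths, cipher specs.
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = _need(data, 2, length)
    major, minor, spec_len, _sid, _chal = struct.unpack("!xBBHHH", _need(body, 0, 9))
    if spec_len % 3:
        raise HelloError("cipher spec length is not a multiple of 3")
    specs = _need(body, 9, spec_len)
    suites, v2_specs = [], []
    for i in range(0, spec_len, 3):
        if specs[i] == 0:      # 0x00 prefix: an SSLv3/TLS suite carried in the v2 format
            suites.append((specs[i + 1] << 8) | specs[i + 2])
        else:                  # native SSLv2 cipher kind
            v2_specs.append(specs[i:i + 3].hex())
    return _result("SSLv2-compatible", major, minor, suites, v2_specs)


def _parse_tls_record(data):
    # Assumes the whole ClientHello sits in the first record (no fragmentation).
    _ctype, _rmaj, _rmin, rec_len = struct.unpack("!BBBH", _need(data, 0, 5))
    rec = _need(data, 5, rec_len)
    if _need(rec, 0, 4)[0] != 0x01:
        raise HelloError("handshake message is not a ClientHello")
    hello = _need(rec, 4, int.from_bytes(rec[1:4], "big"))
    major, minor = _need(hello, 0, 2)
    off = 2 + 32                                  # client_version + random
    off += 1 + _need(hello, off, 1)[0]            # session_id
    (cs_len,) = struct.unpack("!H", _need(hello, off, 2))
    if cs_len % 2:
        raise HelloError("cipher suite length is odd")
    raw = _need(hello, off + 2, cs_len)
    suites = [(raw[i] << 8) | raw[i + 1] for i in range(0, cs_len, 2)]
    return _result("SSLv3/TLS", major, minor, suites, [])


def parse_client_hello(data):
    """Parse the first bytes a client sends: record format, offered version, suites."""
    if len(data) < 3:
        raise HelloError("too short to be a ClientHello")
    if data[0] & 0x80 and data[2] == 0x01:
        return _parse_v2_format(data)
    if data[0] == 0x16:
        return _parse_tls_record(data)
    raise HelloError("not a ClientHello")


def split_by_server_support(hello, server_suites):
    """Return (common, client_only) suite lists, preserving the client's order."""
    common = [s for s in hello["suites"] if s in server_suites]
    client_only = [s for s in hello["suites"] if s not in server_suites]
    return common, client_only


def suite_name(code):
    return SUITES.get(code, "0x%04X" % code)


# Constructed samples (not captures from this thread).
V2_HELLO = bytes.fromhex("802b" "01" "0301" "0012" "0000" "0010"
                         "000088" "000084" "000041" "00002f" "000005" "010080") + bytes(16)
TLS_HELLO = (bytes.fromhex("1603010031" "0100002d" "0301") + bytes(32)
             + bytes.fromhex("00" "0006" "0088002f0005" "0100"))
# Hypothetical server suite set without Camellia.
SERVER_SUITES = {0x0005, 0x000A, 0x002F, 0x0035}

if __name__ == "__main__":
    for label, raw in (("v2-format", V2_HELLO), ("tls-record", TLS_HELLO)):
        h = parse_client_hello(raw)
        common, client_only = split_by_server_support(h, SERVER_SUITES)
        print(label, h["record_format"], h["offered_version"])
        print("  common:     ", [suite_name(s) for s in common])
        print("  client only:", [suite_name(s) for s in client_only])
```

The first sample arrives in the SSLv2-compatible record format yet offers TLSv1.0, so the record format alone does not show which protocol version is being requested.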



Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by Suresh Kumar J <su...@gmail.com>.
No, I wanted to use an opensource JRE in this case.

The issue I was trying to put forward is that Tomcat 6.0.13 errors out 
with the following error when the FireFox3.0.1 browser tries to send a 
'SSLv2 Record Layer - Client Hello' message.
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
       at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

But the same Tomcat 6.0.13 server is able to successfully handle the 
'SSLv2 Record Layer - Client Hello' message coming from the IE6.0 
browser. There doesn't seem to be any difference in message format of 
the 'SSLv2 Record Layer' sent by FF and IE browsers.

Any help in narrowing down the issues would be appreciated.

Thanks,
Suresh

bhooshanpandit@aol.com wrote:
> Then it's most likely an issue with harmony JRE (I think it doesn't
> provide an SSLContext implementation that you are looking for i.e. SSL).
>
> Have you tried Sun JRE??
>
> -----Original Message-----
> From: Suresh Kumar J <su...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Mon, 1 Sep 2008 11:26 am
> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
> SSLv2/SSLv3 and TLS protocols
>
> Am having the Apache Harmony JRE.
>
> bhooshanpandit@aol.com wrote:
>> What JRE / JDK are you using with Tomcat 6.0.13?
>>
>> -----Original Message-----
>> From: Suresh Kumar J <su...@gmail.com>
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Sent: Sat, 30 Aug 2008 10:16 pm
>> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
>> SSLv2/SSLv3 and TLS protocols
>>
>> I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL"
>> but Tomcat couldn't start.
>>
>> Observed the following error in catalina.out:
>> --------------------------------------
>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>> SEVERE: Error initializing endpoint
>> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>>       at java.lang.reflect.Method.invoke(Method.java:317)
>>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>> --------------------------------------
>>
>> Another question is that how do I make Tomcat to recognize both
>> SSLv2/SSLv3/TLS1.0 messages for secured communication. Since some
>> browsers like Firefox3.0.1 use SSLv2 for initial SSL handshake phase.
>> Tomcat doesn't seem to recognize SSLv2 messages and errors out with the
>> following message:
>> --------------------------------------------------
>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>> SEVERE: Socket accept failed
>> Throwable occurred: java.net.SocketException: SSL handshake error
>> javax.net.ssl.SSLException: INTERNAL ERROR
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>       at java.lang.Thread.run(Thread.java:657)
>> --------------------------------------------------
>>
>> Any inputs would be appreciated.
>>
>> Thanks,
>> Suresh
>>
>> bhooshanpandit@aol.com wrote:
>>>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>>>> in conf/server.xml file and then the Tomcat couldn't start. Observed the
>>>>> following error in catalina.out:
>>>
>>> what value did you specify for sslProtocol. I tried using SSL and it
>>> worked.
>> element
>
>>
>
>>>
>
>>
>
>>> in conf/server.xml file and when the Tomcat couldn't start. Observed
>> the
>
>>
>
>>>
>
>>
>
>>> following error in catalina.out:
>
>>
>
>>>
>
>>
>
>>> --------------------------------------
>
>>
>
>>>
>
>>
>
>>> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
>
>>
>
>>>
>
>>
>
>>> SEVERE: Error initializing endpoint
>
>>
>
>>>
>
>>
>
>>> Throwable occurred: java.io.IOException: SSLContext SSL
>> implementation
>
>>
>
>>>
>
>>
>
>>> not found
>
>>
>
>>>
>
>>
>
>>>       at
>
>>
>
>>>
>
>>
>
>>>
>
>>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.
>
>
>>
>
>>
>
>>> java:394)
>
>>
>
>>>
>
>>
>
>>>       at
>
>>
>
>>>
>
>>
>
>>>
>
>>
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocket
>
>
>>
>
>>
>
>>> Factory.java:125)
>
>>
>
>>>
>
>>
>
>>>       at
>
>>
>
>>>
>
>>
>
>>> org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>
>>
>
>>>
>
>>
>
>>>       at
>
>>
>
>>>
>
>>
>
>>>
> org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>
>>
>
>>>
>
>>
>
>>>       at
>
>>
>
>>>
>
>>
>
>>>
>
>>
> org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>
>>
>
>>>
>
>>
>
>>>       at
>
>>
>
>>>
>
>>
>
>>>
>
>>
> org.apache.catalina.core.StandardService.initialize(StandardService.java:
>
>
>>
>
>>
>
>>> 677)
>
>>
>
>>>
>
>>
>
>>>       at
>
>>
>
>>>
>
>>
>
>>>
>
>>
> org.apache.catalina.core.StandardServer.initialize(StandardServer.java:79
>
>
>>
>
>>
>
>>> 2)
>
>>
>
>>>
>
>>
>
>>>       at 
> org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>
>>
>
>>>
>
>>
>
>>>       at 
> org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>
>>
>
>>>
>
>>
>
>>>        at
>> java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>
>>
>
>>>
>
>>
>
>>>       at java.lang.reflect.Method.invoke(Method.java:317)
>
>>
>
>>>
>
>>
>
>>>        at
>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>
>>
>
>>>
>
>>
>
>>>        at
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
>
>>
>
>>>
>
>>
>
>>> --------------------------------------
>
>>
>
>>>
>
>>
>
>>>
>
>>
>
>>> Does Tomcat 6.0.x supports SSL implementation?. Is it possible to
>> make
>
>>
>
>>>
>
>>
>
>>> the Tomcat to understand both SSL and TLS protocols so that all the
>
>>
>
>>>
>
>>
>
>>> browsers are supported. It seems to be critical to make the
>> application
>
>>
>
>>>
>
>>
>
>>> I use the certificate in the format of PKCS12, created via openssl
>> tool.
>
>>
>
>>>
>
>>
>
>>>
>
>>
>
>>> Did anyone else face similar kind of problem in this regard.
>
>>
>
>>>
>
>>
>
>>>
>
>>
>
>>> Thanks,
>
>>
>
>>>
>
>>
>
>>> Suresh

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
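
An added diagnostic, not code from any poster or from Tomcat: the startup error quoted in this thread is raised when Tomcat asks the JRE for an SSLContext named by `sslProtocol`, so this Java program asks the same JRE which SSLContext names its providers register and which protocols a server socket from each would offer. The class name and output layout are illustrative choices; run it with the JRE that launches Tomcat.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example (hypothetical class name): reports which SSLContext names the
 * running JRE can supply and what a server socket built from each one supports.
 */
public class SslContextProbe {

    /** Every "SSLContext" service registered by the installed security providers. */
    static List<String> registeredContexts() {
        List<String> found = new ArrayList<String>();
        for (Provider provider : Security.getProviders()) {
            for (Provider.Service service : provider.getServices()) {
                if ("SSLContext".equals(service.getType())) {
                    found.add(service.getAlgorithm() + " [" + provider.getName() + "]");
                }
            }
        }
        return found;
    }

    /** Builds a context by name, as a connector would, and describes the outcome. */
    static String probe(String name) {
        try {
            SSLContext context = SSLContext.getInstance(name);
            // Default key and trust managers are enough to query protocol lists.
            context.init(null, null, null);
            // Unbound server socket: no port is opened, only its settings are read.
            SSLServerSocket socket =
                    (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
            try {
                List<String> supported = Arrays.asList(socket.getSupportedProtocols());
                List<String> enabled = Arrays.asList(socket.getEnabledProtocols());
                // Providers that follow the JSSE standard names list "SSLv2Hello"
                // when they can read a v3/TLS hello wrapped in the SSLv2 record
                // format. That another provider uses this name is an assumption.
                return "available from " + context.getProvider().getName()
                        + "\n    supported protocols: " + supported
                        + "\n    enabled on a server socket: " + enabled
                        + "\n    SSLv2-format ClientHello accepted by default: "
                        + enabled.contains("SSLv2Hello");
            } finally {
                socket.close();
            }
        } catch (NoSuchAlgorithmException e) {
            // Same failure class that stops the connector at startup.
            return "NOT AVAILABLE (" + e.getMessage() + ")";
        } catch (Exception e) {
            return "could not be initialised: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("JRE: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        System.out.println("Registered SSLContext services: " + registeredContexts());
        // Defaults are the two sslProtocol values tried in the thread.
        String[] names = args.length > 0 ? args : new String[] {"TLS", "SSL"};
        for (String name : names) {
            System.out.println("sslProtocol=\"" + name + "\": " + probe(name));
        }
    }
}
```

A name reported as NOT AVAILABLE cannot be used as `sslProtocol` on that JRE, whatever the Tomcat version.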


Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by bh...@aol.com.
Then it's most likely an issue with harmony JRE (I think it doesn't 
provide an SSLContext implementation that you are looking for i.e. SSL).

Have you tried Sun JRE??


-----Original Message-----
From: Suresh Kumar J <su...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Mon, 1 Sep 2008 11:26 am
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
SSLv2/SSLv3 and TLS protocols

Am having the Apache Harmony JRE.

bhooshanpandit@aol.com wrote:
> What JRE / JDK are you using with Tomcat 6.0.13?
>
> -----Original Message-----
> From: Suresh Kumar J <su...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sat, 30 Aug 2008 10:16 pm
> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of
> SSLv2/SSLv3 and TLS protocols
>
> I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL"
> and but Tomcat couldn't start.
>
> Observed the following error in catalina.out:
>
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>       at java.lang.reflect.Method.invoke(Method.java:317)
>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>
> Another question is that how do I make Tomcat to recognize both
> SSLv2/SSLv3/TLS1.0 messages for secured communication. Since some
> browsers like Firefox3.0.1 use SSLv2 for initial SSL handshake phase.
> Tomcat doesn't seems to recognize SSLv2 messages and errors out with the
> following message:
>
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>       at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> Any inputs would be appreciated.
>
> Thanks,
> Suresh
>
> bhooshanpandit@aol.com wrote:
>
>>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>>> in conf/server.xml file and when the Tomcat couldn't start. Observed the
>>>> following error in catalina.out:
>>
>> what value did you specify for sslProtocol. I tried using SSL and it
>> worked.



Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by Suresh Kumar J <su...@gmail.com>.
Am having the Apache Harmony JRE.

bhooshanpandit@aol.com wrote:
> What JRE / JDK are you using with Tomcat 6.0.13?
>
> -----Original Message-----
> From: Suresh Kumar J <su...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Sat, 30 Aug 2008 10:16 pm
> Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of 
> SSLv2/SSLv3 and TLS protocols
>
> I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL"
> and but Tomcat couldn't start.
>
> Observed the following error in catalina.out:
>
> --------------------------------------
> Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
>       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
>       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
>       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
>       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
>       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
>       at java.lang.reflect.Method.invoke(Method.java:317)
>       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
>       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> --------------------------------------
>
> Another question is that how do I make Tomcat to recognize both
> SSLv2/SSLv3/TLS1.0 messages for secured communication. Since some
> browsers like Firefox3.0.1 use SSLv2 for initial SSL handshake phase.
> Tomcat doesn't seems to recognize SSLv2 messages and errors out with the
> following message:
>
> --------------------------------------------------
> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
> SEVERE: Socket accept failed
> Throwable occurred: java.net.SocketException: SSL handshake error
> javax.net.ssl.SSLException: INTERNAL ERROR
>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>       at java.lang.Thread.run(Thread.java:657)
> --------------------------------------------------
>
> Any inputs would be appreciated.
>
> Thanks,
> Suresh
>
> bhooshanpandit@aol.com wrote:
>
>>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>>> in conf/server.xml file and when the Tomcat couldn't start. Observed the
>>>> following error in catalina.out:
>>
>> what value did you specify for sslProtocol. I tried using SSL and it
>> worked.


Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by bh...@aol.com.
What JRE / JDK are you using with Tomcat 6.0.13?

-----Original Message-----
From: Suresh Kumar J <su...@gmail.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Sat, 30 Aug 2008 10:16 pm
Subject: Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL",
but Tomcat couldn't start.
Observed the following error in catalina.out:
--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
        at java.lang.reflect.Method.invoke(Method.java:317)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Another question is how do I make Tomcat recognize both
SSLv2/SSLv3/TLS1.0 messages for secured communication, since some
browsers like Firefox3.0.1 use SSLv2 for the initial SSL handshake phase.
Tomcat doesn't seem to recognize SSLv2 messages and errors out with the
following message:
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

Any inputs would be appreciated.

Thanks,
Suresh

Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by Suresh Kumar J <su...@gmail.com>.
I tried changing the "sslProtocol" attribute in conf/server.xml to "SSL",
but Tomcat couldn't start.
Observed the following error in catalina.out:
--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
        at java.lang.reflect.Method.invoke(Method.java:317)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Another question is how do I make Tomcat recognize both
SSLv2/SSLv3/TLS1.0 messages for secured communication, since some
browsers like Firefox3.0.1 use SSLv2 for the initial SSL handshake phase.
Tomcat doesn't seem to recognize SSLv2 messages and errors out with the
following message:
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

Any inputs would be appreciated.

Thanks,
Suresh

bhooshanpandit@aol.com wrote:
>>> I tried changing the "sslProtocol" attribute in the "Connector" element
>>> in conf/server.xml file and when the Tomcat couldn't start. Observed the
>>> following error in catalina.out:
>
> What value did you specify for sslProtocol? I tried using SSL and it worked.
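
The two hello framings named in the post above (an "SSLv2 Record layer (Client Hello)" versus an SSLv3/TLS record) can be told apart from the first bytes on the wire. This is an added example, not code from the thread or from Tomcat; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Wire (major, minor) pairs; 0.2 is how SSLv2 encodes its own version.
VERSION_NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown %d.%d" % (major, minor))


def classify_client_hello(data):
    """Classify the first bytes a client sends to an HTTPS port.

    Returns the framing and the protocol version the client offers; for
    SSLv2 framing it also counts SSLv3/TLS suites versus SSLv2-only ciphers.
    """
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the first flight")

    # SSLv3/TLS record: type 0x16 (handshake), record version, 16-bit length,
    # then handshake type 0x01 (ClientHello), 24-bit length, client_version.
    if data[0] == 0x16 and data[1] == 3:
        if data[5] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        return {"framing": "SSLv3/TLS record",
                "offered_version": version_name(data[9], data[10])}

    # SSLv2 record with 2-byte header: high bit set, low 15 bits = length,
    # then message type 0x01 (CLIENT-HELLO), version, three 16-bit lengths.
    if data[0] & 0x80 and data[2] == 0x01:
        record_len = struct.unpack(">H", data[0:2])[0] & 0x7FFF
        spec_len, sid_len, chal_len = struct.unpack(">HHH", data[5:11])
        if spec_len % 3 or 9 + spec_len + sid_len + chal_len != record_len:
            raise ValueError("inconsistent SSLv2 CLIENT-HELLO lengths")
        specs = data[11:11 + spec_len]
        if len(specs) != spec_len:
            raise ValueError("truncated cipher spec list")
        # Each spec is 3 bytes; a leading 0x00 byte carries an SSLv3/TLS suite.
        tls_suites = sum(1 for i in range(0, spec_len, 3) if specs[i] == 0)
        return {"framing": "SSLv2 record",
                "offered_version": version_name(data[3], data[4]),
                "tls_suites": tls_suites,
                "sslv2_only_specs": spec_len // 3 - tls_suites}

    return {"framing": "unknown"}


# Constructed sample inputs (not captured traffic).
def sample_v2_hello(version, specs):
    challenge = bytes(16)
    body = (b"\x01" + bytes(version)
            + struct.pack(">HHH", 3 * len(specs), 0, len(challenge))
            + b"".join(specs) + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def sample_tls_hello(version):
    # client_version, 32-byte random, empty session id,
    # two cipher suites, null compression
    body = (bytes(version) + bytes(32) + b"\x00"
            + b"\x00\x04\x00\x04\x00\x0a" + b"\x01\x00")
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return (b"\x16" + bytes(version)
            + struct.pack(">H", len(handshake)) + handshake)


if __name__ == "__main__":
    # Two SSLv3/TLS suites (RC4-MD5, 3DES-SHA) and one SSLv2-only cipher.
    mixed = [b"\x00\x00\x04", b"\x00\x00\x0a", b"\x01\x00\x80"]
    print(classify_client_hello(sample_v2_hello((3, 1), mixed)))
    print(classify_client_hello(sample_v2_hello((0, 2), mixed[2:])))
    print(classify_client_hello(sample_tls_hello((3, 1))))
```

An SSLv2-framed hello can offer SSLv3 or TLS 1.0 as its version, which is different from the client negotiating SSLv2 itself; JSSE refers to this framing by the protocol name SSLv2Hello.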


Re: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Posted by bh...@aol.com.
>> I tried changing the "sslProtocol" attribute in the "Connector" element
>> in conf/server.xml file and when the Tomcat couldn't start. Observed the
>> following error in catalina.out:

What value did you specify for sslProtocol? I tried using SSL and it worked.

-----Original Message-----
From: Suresh Kumar J <su...@gmail.com>
To: users@tomcat.apache.org
Sent: Sat, 30 Aug 2008 4:25 am
Subject: How to make to Apache-Tomcat 6.0.13 to support all of SSLv2/SSLv3 and TLS protocols

Hi!

Am running the Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
snippet of the server.xml config:
----------------------------
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
               keystoreFile="conf/my-key-store" keystorePass="abcd"/>
----------------------------

The https connection(TLS based) works fine with IE6.0/7.x and FireFox
2.0.x. But am having issues with the FireFox 3.0.1 on Windows XP with
the default settings. When I try to connect(https on 443) to Apache
Tomcat (v6.0.14), I get the following error on the FireFox 3.0.1 window:
-------------------------------------------
Secure Connection Failed
An error occurred during a connection to 10.xx.xx.xx
Cannot communicate securely with peer: no common encryption algorithm(s):
(Error code: ssl_error_no_cypher_overlap)
-------------------------------------------

Have observed the following error in the Catalina.out file:
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

In the FireFox 3.0.1, both SSL3.0 and TLS1.0 are enabled(and SSLv2 is
disabled) in the browser security settings. The web-server is correctly
configured for secured http on TLS. Earlier with Firefox2.0.x, it was
working fine. Also checked with Linux version of FireFox3.0.1 and the
TLS connection is working fine.

When I tried to analysis the packets capture of the browser/web-server
communication via "WireShark/Ethereal" tools, I observed that the
FireFox3.0 on Windows uses "SSLv2 Record layer(Client Hello)" for SSL
handshake negotiations. As my Tomcat webserver is configured for TLS, it
doesn't seem to understand the SSLv2 record layer format, eventually
errors out with "javax.net.ssl.SSLException: INTERNAL ERROR.

Since SSLv2 is generally considered to be a weaker protocol than SSLv3
and TLS, am not sure why FireFox3.0.1 on Windows uses SSLv2 Record
protocol, also SSLv2 is disabled by default. On Redhat Linux, the same
FF3.0.1(firefox-3.0.1-1.el5) uses "TLSv1 Record Layer(Client Hello)" for
security negotiations. The FireFox v2.0.x on Windows uses "SSLv3 Record
Layer(Client Hello)" which seems to fine. Am able to launch the https
webpages on IE6.x and IE7.x and also FireFox2.0. The only issue is on
FireFox3.0 which uses "SSLv2 Record layer(Client Hello)" for SSL
handshake negotiations. Tomcat works well with TLS protocol, but when
the browser uses SSLv2 then it fails.

I tried changing the "sslProtocol" attribute in the "Connector" element
in conf/server.xml file and when the Tomcat couldn't start. Observed the
following error in catalina.out:
--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
        at java.lang.reflect.Method.invoke(Method.java:317)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Does Tomcat 6.0.x supports SSL implementation?. Is it possible to make
the Tomcat to understand both SSL and TLS protocols so that all the
browsers are supported. It seems to be critical to make the application
I use the certificate in the format of PKCS12, created via openssl tool.

Did anyone else face similar kind of problem in this regard.

Thanks,
Suresh