Posted to users@tomcat.apache.org by "Jean-Etienne G." <je...@voila.fr> on 2001/06/14 15:56:58 UTC
SSL handshake failure URGENT
Hello,
I got no responses to my previous mails, so maybe I did not contact the right mailing list. Please give me at least the start of an answer.
Hello,
I have a certificate import problem.
Here is the output of an openssl client command, which emulates a browser (openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state):
Enter PEM pass phrase:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:453:
Can someone help me?
Is there a way to make it work without installing Apache?
Thanks for your answer.
I have this tomcat configuration:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler"
        value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="port"
        value="8443"/>
    <Parameter name="socketFactory"
        value="org.apache.tomcat.net.SSLSocketFactory" />
    <Parameter name="keystore"
        value="/opt/tomcat-3-2-2/tomcat/conf/keystore" />
    <Parameter name="keypass"
        value="pwd_sr" />
    <Parameter name="clientAuth"
        value="true" />
</Connector>
And here is the whole procedure I entered to make it work:
mkdir ./demoCA
mkdir ./demoCA/newcerts            # openssl ca stores a copy of each issued cert here
touch ./demoCA/index.txt           # CA database: must exist and be empty
echo "01" > ./demoCA/serial        # first serial number to issue
# CA
openssl req -new -out ca_req.pem -keyout ca_key.pem
#pwd:pwd_ca
#challenge_pwd:ch_ca
#company name:THE_ORG
# CLIENT
openssl req -new -out cl_req.pem -keyout cl_key.pem
#pwd:pwd_cl
#ch_pwd:ch_cl
#company name:THE_ORG
# SERVER
openssl req -new -out sr_req.pem -keyout sr_key.pem
#pwd:pwd_sr
#ch_pwd:ch_sr
#company name:THE_ORG
# CA AUTH (self-sign the CA request)
echo "CA AUTH : enter CA password"
openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
#pwd:pwd_ca
# reset the CA database before issuing certificates
rm -f ./demoCA/index.txt
rm -f ./demoCA/serial
touch ./demoCA/index.txt
echo "01" > ./demoCA/serial
# CLIENT AUTH BY CA
echo "CL AUTH : enter CA password"
openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
#pwd:pwd_ca
# SERVER AUTH BY CA
echo "SR AUTH : enter CA password"
openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
#pwd:pwd_ca
# CONVERT SERVER CERT FROM PEM FORMAT TO DER FORMAT (also drops the text dump openssl ca prepends)
openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der
# REMOVE PREVIOUS KEYSTORE
rm /opt/tomcat-3-2-2/tomcat/conf/keystore
# IMPORT SERVER CERT IN TOMCAT KEYSTORE
# (this imports the certificate only; sr_key.pem is not read by this command)
echo "IMPORT SR CERT : enter SR password"
/usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
#pwd:pwd_sr
# CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT (for import into a browser)
echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
#pwd:pwd_cl
#exp_pwd:pwd_cl
# CONNECTION TO THE TOMCAT SERVER
openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state
__________________________________________________
Voila offers you a free mailbox on Voila Mail:
http://mail.voila.fr
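A point worth checking before anything else in the procedure above: the keystore step imports only sr_cert.der into a freshly deleted keystore. keytool stores a certificate as a trusted-certificate entry whenever the alias does not already hold a private key, so the resulting keystore has the server certificate but no server key; sr_key.pem never enters it. A JSSE server with no key entry has no cipher suite it can offer and rejects the ClientHello with a fatal handshake_failure alert, which is consistent with the s_client trace. The script below is an added example, not code from the post or from Tomcat. It does two things: it classifies an alias in the text printed by "keytool -list", so a keystore can be checked for a real key entry before Tomcat is started, and it shows the order of operations that produces one (generate the key pair inside the keystore with keytool, sign a CSR from it with the same demo CA, import the CA certificate and then the signed reply under the key's alias). The two sample listings are constructed; the alias rootca, the password changeit and the -dname are assumptions; the procedure part only runs when RUN_PROCEDURE=1 and both keytool and openssl are on PATH.

```shell
#!/bin/sh
# Added example (not from the post or from Tomcat): check a JKS keystore for a
# real private-key entry and show the import order that produces one.

# classify_alias LISTING ALIAS
# LISTING is the text printed by `keytool -list -keystore <file>`. Prints the
# entry type keytool reports for ALIAS: "keyEntry" (JDK 1.3-era keytool) or
# "PrivateKeyEntry" (newer keytool) for a key with its certificate chain,
# "trustedCertEntry" for a certificate-only entry, "missing" if absent.
classify_alias() {
    printf '%s\n' "$1" | awk -v a="$2" '
        # entry lines look like:  tomcat, Jun 14, 2001, trustedCertEntry,
        $1 == (a ",") { t = $NF; sub(/,$/, "", t); print t; found = 1; exit }
        END { if (!found) print "missing" }'
}

# keystore_has_private_key LISTING ALIAS: succeeds only if ALIAS holds a key.
keystore_has_private_key() {
    case "$(classify_alias "$1" "$2")" in
        keyEntry|PrivateKeyEntry) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listings (not real output captured from the post's system;
# the fingerprints are placeholders). This is what the post's procedure leaves
# behind: the certificate was imported into an empty keystore, so keytool kept
# it as a trusted certificate and no private key is present.
BROKEN_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jun 14, 2001, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'

# What build_server_keystore below produces: the CA as a trusted entry and the
# server alias as a key entry whose certificate chain was signed by that CA.
FIXED_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

rootca, Jun 14, 2001, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
tomcat, Jun 14, 2001, keyEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00'

# build_server_keystore KEYSTORE STOREPASS CA_CERT CA_KEY
# Corrected order of operations. Assumed: alias rootca for the CA, one password
# for store and key (the Tomcat 3.2 connector takes a single keypass), the demo
# CA directory and openssl.cnf from the post. openssl ca prompts for pwd_ca.
build_server_keystore() {
    ks=$1; pass=$2; ca_cert=$3; ca_key=$4
    # 1. Generate the server key pair inside the keystore: keytool cannot
    #    import a bare PEM private key, so the key has to be created here.
    keytool -genkey -alias tomcat -keyalg RSA -keystore "$ks" \
        -storepass "$pass" -keypass "$pass" -dname "CN=localhost, O=THE_ORG"
    # 2. Export a CSR for that key and have the demo CA sign it.
    keytool -certreq -alias tomcat -keystore "$ks" -storepass "$pass" -file sr_req.csr
    openssl ca -batch -cert "$ca_cert" -keyfile "$ca_key" -in sr_req.csr \
        -out sr_cert.pem -config /usr/local/ssl/openssl.cnf
    # openssl ca prepends a text dump to the PEM; DER drops it, as in the post.
    openssl x509 -in sr_cert.pem -outform DER -out sr_cert.der
    # 3. Import the CA certificate first, then the signed certificate under the
    #    key's alias. Because that alias already holds a private key, keytool
    #    treats the file as a certificate reply and the entry stays a key entry.
    keytool -import -noprompt -alias rootca -file "$ca_cert" \
        -keystore "$ks" -storepass "$pass"
    keytool -import -noprompt -trustcacerts -alias tomcat -file sr_cert.der \
        -keystore "$ks" -storepass "$pass"
}

# Self-check on the constructed listings; the real procedure runs only on request.
if [ "${RUN_PROCEDURE:-0}" = 1 ] && command -v keytool >/dev/null 2>&1 \
   && command -v openssl >/dev/null 2>&1; then
    build_server_keystore ./keystore changeit ca_cert.pem ca_key.pem
    listing=$(keytool -list -keystore ./keystore -storepass changeit)
    if keystore_has_private_key "$listing" tomcat; then
        echo "keystore OK: tomcat is a private-key entry"
    else
        echo "keystore BROKEN: tomcat is a $(classify_alias "$listing" tomcat)"
    fi
else
    echo "post's keystore: tomcat is a $(classify_alias "$BROKEN_LISTING" tomcat)"
    echo "fixed keystore:  tomcat is a $(classify_alias "$FIXED_LISTING" tomcat)"
fi
```

Two further checks a practitioner would make once "keytool -list" shows a key entry. First, run s_client with -CAfile ca_cert.pem in addition to -cert and -key, so that the server certificate is actually verified against the demo CA instead of being accepted with a verify error. Second, clientAuth="true" means the JVM must trust ca_cert.pem for the client certificate to be accepted; which trust store the connector consults (the keystore named in the config, the JDK's cacerts, or the file named by the javax.net.ssl.trustStore system property) should be confirmed for the Tomcat version in use rather than assumed.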
file ownerships
Posted by Rob Agar <ro...@supedo.co.uk>.
hi!
I'm running tomcat on linux. I want to start the server from a particular
account (i.e. not root). It has been run as root, so there are a load of
generated files that are owned by root and can't be overwritten by another
user.
Is it safe to chown -R tomcat.tomcat the whole directory, or will this
break things?
ta
Rob (favouring heavy blunt instruments :)
### TOMCAT ERROR:
Posted by Wils <we...@econnect.com.br>.
I am using FreeBSD and would like to install tomcat.
I installed it.
I receive this error when starting the program:
/usr/local/etc/rc.d/tomcat.sh start
tomcat
squid# SIGSEGV 11* segmentation violation
Full thread dump:
NULL (TID:0x284730b0, sys_thread_t:0x805a800, state:R) prio=5 *current
thread*
Monitor Cache Dump:
Registered Monitor Dump:
Thread queue lock: <unowned>
Name and type hash table lock: <unowned>
String intern lock: <unowned>
JNI pinning lock: <unowned>
JNI global reference lock: <unowned>
BinClass lock: <unowned>
Class loading lock: <unowned>
Java stack lock: <unowned>
Code rewrite lock: <unowned>
Heap lock: <unowned>
Has finalization queue lock: <unowned>
Finalize me queue lock: <unowned>
Monitor IO lock: <unowned>
Child death monitor: <unowned>
Event monitor: <unowned>
I/O monitor: <unowned>
Alarm monitor: <unowned>
Memory allocation lock: <unowned>
Monitor registry: owner NULL (0x805a800, 1 entry)
Thread Alarm Q:
----- Original Message -----
From: "Jean-Etienne G." <je...@voila.fr>
To: <to...@jakarta.apache.org>
Sent: Thursday, June 14, 2001 10:56 AM
Subject: SSL handshake failure URGENT
RE: SSL handshake failure URGENT
Posted by Rams <ra...@cmcltd.com>.
Can you send your server, client and CA certs?
Rams
+91-040-3000401 x 2162 (O)
+91-040-6313447 (R)
-----Original Message-----
From: Jean-Etienne G. [mailto:jeg_ml@voila.fr]
Sent: Thursday, June 14, 2001 7:27 PM
To: tomcat-user@jakarta.apache.org
Subject: SSL handshake failure URGENT