Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2016/12/01 01:51:39 UTC

Re: Unable to get SSL working on Tomcat 8.5

Todd,

On 11/29/16 4:41 PM, Bartlett, Todd wrote:
> The below settings work fine on 6.0 version (no other changes I'm
> aware of)  Error received Failed to initialize component 
> [Connector[HTTP/1.1-443

What's the rest of the error message?

> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
> maxThreads="150" scheme="https" secure="true" 
> keystoreFile="C:\xxxx.pfx" keystorePass="xxxx" 
> keystoreType="pkcs12" clientAuth="false" 
> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="..." />

Looks okay so far. You need to post more information.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Unable to get SSL working on Tomcat 8.5

Posted by Mark Thomas <ma...@apache.org>.
On 05/12/2016 18:33, Jim Weill wrote:
> 
> 
> On 12/5/2016 8:43 AM, Mark Thomas wrote:
>> On 05/12/2016 16:13, Mark Thomas wrote:
>>> On 01/12/2016 22:17, Jim Weill wrote:
>>>> sslEnabledProtocols is now just protocols for one thing. And you
>>>> have to
>>>> put your certificate stuff in an <SSLHostConfig> sub-section to the
>>>> connector now.
>>> That should not be necessary. Tomcat should handle the conversion for
>>> you under the hood.
>>>
>>> I've tested this with a JKS store but not a pkcs12 store. Let me see if
>>> there is something extra we need to do in the pkcs12 case.
>> Confirmed. This is working as expected. The following works with 8.0.x
>> and 8.5.x. I've built both from trunk but there are no relevant changes
>> since the last release of each.
>>
>> <Connector port="8443"
>>             protocol="org.apache.coyote.http11.Http11NioProtocol"
>>             maxThreads="150"
>>             SSLEnabled="true"
>>             scheme="https"
>>             secure="true"
>>             clientAuth="false"
>>             sslProtocol="TLS"
>>             keystoreFile="conf/localhost-rsa.p12"
>>             keystoreType="PKCS12"
>>             keyPass="changeit" />
>>
>> Mark
>>
> 
> 
> So what might have changed with tomcat between 7.0 and 8.5 then?  I
> upgraded from 7.0 to 8.5 and had to do the separate SSLHostConfig
> section and change to the more updated connector syntax when a single
> connector string as shown above used to work.

The auto-switching to use the OpenSSL encryption could be a factor.
Although any error is likely to include OpenSSL support classes in the
stack trace.

Another possibility is alias handling although that also looks to be
OpenSSL related. I've found at least one case where a keystore with a single
key/cert/chain fails. I'm currently working on a patch for that. It
should make it into a release in the new year.

Tracking down the root cause is likely to involve debugging both the TLS
handshake and the TLS connector initialisation. If you are able to do that,
great. If not, if you can provide a sample configuration - including
dummy keys, certs and chains - that fails that others can use to debug
then that would be very helpful.

Mark




Re: Unable to get SSL working on Tomcat 8.5

Posted by Jim Weill <mo...@ICSI.Berkeley.EDU>.

On 12/5/2016 8:43 AM, Mark Thomas wrote:
> On 05/12/2016 16:13, Mark Thomas wrote:
>> On 01/12/2016 22:17, Jim Weill wrote:
>>> sslEnabledProtocols is now just protocols for one thing. And you have to
>>> put your certificate stuff in an <SSLHostConfig> sub-section to the
>>> connector now.
>> That should not be necessary. Tomcat should handle the conversion for
>> you under the hood.
>>
>> I've tested this with a JKS store but not a pkcs12 store. Let me see if
>> there is something extra we need to do in the pkcs12 case.
> Confirmed. This is working as expected. The following works with 8.0.x
> and 8.5.x. I've built both from trunk but there are no relevant changes
> since the last release of each.
>
> <Connector port="8443"
>             protocol="org.apache.coyote.http11.Http11NioProtocol"
>             maxThreads="150"
>             SSLEnabled="true"
>             scheme="https"
>             secure="true"
>             clientAuth="false"
>             sslProtocol="TLS"
>             keystoreFile="conf/localhost-rsa.p12"
>             keystoreType="PKCS12"
>             keyPass="changeit" />
>
> Mark
>


So what might have changed with tomcat between 7.0 and 8.5 then?  I 
upgraded from 7.0 to 8.5 and had to do the separate SSLHostConfig 
section and change to the more updated connector syntax when a single 
connector string as shown above used to work.

jim




Re: Unable to get SSL working on Tomcat 8.5

Posted by Mark Thomas <ma...@apache.org>.
On 05/12/2016 16:13, Mark Thomas wrote:
> On 01/12/2016 22:17, Jim Weill wrote:
>> sslEnabledProtocols is now just protocols for one thing. And you have to
>> put your certificate stuff in an <SSLHostConfig> sub-section to the
>> connector now.
> 
> That should not be necessary. Tomcat should handle the conversion for
> you under the hood.
> 
> I've tested this with a JKS store but not a pkcs12 store. Let me see if
> there is something extra we need to do in the pkcs12 case.

Confirmed. This is working as expected. The following works with 8.0.x
and 8.5.x. I've built both from trunk but there are no relevant changes
since the last release of each.

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/localhost-rsa.p12"
           keystoreType="PKCS12"
           keyPass="changeit" />

Mark
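
Added example (not part of the thread and not Tomcat code): the script below writes out explicitly the SSLHostConfig/Certificate form that connector-level TLS attributes such as keystoreFile and sslEnabledProtocols correspond to in the Tomcat 8.5 configuration reference linked in this thread, using the connector first posted here as input. The function and constant names are assumptions of this example, and refusing to merge a connector that already has an SSLHostConfig child is this example's own design choice.

```python
import xml.etree.ElementTree as ET

# Connector-level TLS attribute (pre-8.5 style) -> SSLHostConfig attribute.
HOST_ATTRS = {
    "sslEnabledProtocols": "protocols",
    "sslProtocol": "sslProtocol",
    "ciphers": "ciphers",
    "clientAuth": "certificateVerification",
}
# Connector-level TLS attribute (pre-8.5 style) -> Certificate attribute.
CERT_ATTRS = {
    "keystoreFile": "certificateKeystoreFile",
    "keystorePass": "certificateKeystorePassword",
    "keystoreType": "certificateKeystoreType",
    "keyAlias": "certificateKeyAlias",
    "keyPass": "certificateKeyPassword",
}
# clientAuth spellings -> certificateVerification values.
CLIENT_AUTH = {"true": "required", "yes": "required", "want": "optional",
               "false": "none", "no": "none"}

# The connector first posted in the thread, placeholders exactly as posted.
THREAD_CONNECTOR = r'''<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="C:\xxxx.pfx" keystorePass="xxxx"
    keystoreType="pkcs12" clientAuth="false"
    sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="..." />'''


def convert_connector(connector_xml):
    """Return (element, moved): the rewritten <Connector> element and the
    list of (old_attribute, new_location) pairs that were relocated."""
    conn = ET.fromstring(connector_xml)
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element")
    legacy = [a for a in conn.attrib if a in HOST_ATTRS or a in CERT_ATTRS]
    if not legacy:
        return conn, []  # nothing to move; already in the explicit form
    if conn.find("SSLHostConfig") is not None:
        # Design choice of this example: never guess how to merge both styles.
        raise ValueError(
            "connector mixes connector-level TLS attributes with <SSLHostConfig>")
    host = ET.SubElement(conn, "SSLHostConfig")
    cert = None  # created only if a keystore/key attribute is present
    moved = []
    for old in legacy:
        value = conn.attrib.pop(old)
        if old in CERT_ATTRS:
            if cert is None:
                cert = ET.SubElement(host, "Certificate")
            cert.set(CERT_ATTRS[old], value)
            moved.append((old, "Certificate/" + CERT_ATTRS[old]))
            continue
        if old == "clientAuth":
            value = CLIENT_AUTH.get(value.strip().lower(), value)
        elif old == "sslEnabledProtocols":
            # Normalise "TLSv1, TLSv1.1" to a comma-separated list without spaces.
            value = ",".join(p.strip() for p in value.split(",") if p.strip())
        host.set(HOST_ATTRS[old], value)
        moved.append((old, "SSLHostConfig/" + HOST_ATTRS[old]))
    return conn, moved


def to_xml(conn):
    """Serialise the element, indented where the runtime supports it."""
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(conn, space="    ")
    return ET.tostring(conn, encoding="unicode")


if __name__ == "__main__":
    element, moved = convert_connector(THREAD_CONNECTOR)
    for old, new in moved:
        print(f"{old} -> {new}")
    print(to_xml(element))
```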




RE: Unable to get SSL working on Tomcat 8.5

Posted by ra...@wipro.com.
It's working for me with the configuration attributes apart from your configuration:

sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation". keystoreFile="certificate path" in the <Connector> element.

I couldn't succeed with the element <SSLHostConfig>

-- Ram.


-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Monday, December 05, 2016 10:14 AM
To: Tomcat Users List
Subject: Re: Unable to get SSL working on Tomcat 8.5

On 01/12/2016 22:17, Jim Weill wrote:
> sslEnabledProtocols is now just protocols for one thing. And you have
> to put your certificate stuff in an <SSLHostConfig> sub-section to the
> connector now.

That should not be necessary. Tomcat should handle the conversion for you under the hood.

I've tested this with a JKS store but not a pkcs12 store. Let me see if there is something extra we need to do in the pkcs12 case.

Mark





Re: Unable to get SSL working on Tomcat 8.5

Posted by Mark Thomas <ma...@apache.org>.
On 01/12/2016 22:17, Jim Weill wrote:
> sslEnabledProtocols is now just protocols for one thing. And you have to
> put your certificate stuff in an <SSLHostConfig> sub-section to the
> connector now.

That should not be necessary. Tomcat should handle the conversion for
you under the hood.

I've tested this with a JKS store but not a pkcs12 store. Let me see if
there is something extra we need to do in the pkcs12 case.

Mark


>  Here's how ours had to be reconfigured (on 8443 instead
> of 443) using NIO and JSSE:
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
> SSLEnabled="true" protocols="TLSv1.2">
>         <SSLHostConfig>
>                     <Certificate certificateFile="path-to-cert-file"
> certificateKeyFile="path-to-cert-keyfile" />
>         </SSLHostConfig>
> </Connector>
> 
> Hope this helps.  The parts that are relevant to your certificate are in
> the section here:
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig
> but scroll up slightly to get the instructions on how to use this
> subsection.
> 
> jim
> 




Re: Unable to get SSL working on Tomcat 8.5

Posted by Jim Weill <mo...@ICSI.Berkeley.EDU>.
sslEnabledProtocols is now just protocols for one thing. And you have to 
put your certificate stuff in an <SSLHostConfig> sub-section to the 
connector now.  Here's how ours had to be reconfigured (on 8443 instead 
of 443) using NIO and JSSE:

<Connector port="8443" 
protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" 
SSLEnabled="true" protocols="TLSv1.2">
         <SSLHostConfig>
                     <Certificate certificateFile="path-to-cert-file" 
certificateKeyFile="path-to-cert-keyfile" />
         </SSLHostConfig>
</Connector>

Hope this helps.  The parts that are relevant to your certificate are in 
the section here: 
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig 
but scroll up slightly to get the instructions on how to use this 
subsection.

jim

On 12/1/2016 1:26 PM, Bartlett, Todd wrote:
> Thanks for your reply, unfortunately I know very little about Tomcat beyond the server.xml config below.
> What are "hooks" and/or what's been deprecated related to the below, or is there a new example config for using a .pfx Keystorefile?
>
> <Connector port="443"
> protocol="HTTP/1.1"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https"
> secure="true"
> keystoreFile="C:\xxxx.pfx"
> keystorePass="xxxx"
> keystoreType="pkcs12"
> clientAuth="false"
> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="..." />
>





RE: Unable to get SSL working on Tomcat 8.5

Posted by "Bartlett, Todd" <ba...@uncw.edu>.
Thanks for your reply, unfortunately I know very little about Tomcat beyond the server.xml config below.
What are "hooks" and/or what's been deprecated related to the below, or is there a new example config for using a .pfx Keystorefile?

<Connector port="443" 
protocol="HTTP/1.1" 
SSLEnabled="true"
maxThreads="150" 
scheme="https" 
secure="true"
keystoreFile="C:\xxxx.pfx" 
keystorePass="xxxx"
keystoreType="pkcs12" 
clientAuth="false"
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="..." />

-----Original Message-----
From: Jim Weill [mailto:moondog@ICSI.Berkeley.EDU] 
Sent: Thursday, December 01, 2016 2:38 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Unable to get SSL working on Tomcat 8.5

Are you using the 8.5 reference? 
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

When we updated to 8.5, we also found things changed with the connector for SSL.  The above page is the current guide, and you'll notice several of the hooks have been deprecated since 6.0

jim





Re: Unable to get SSL working on Tomcat 8.5

Posted by Jim Weill <mo...@ICSI.Berkeley.EDU>.
Are you using the 8.5 reference? 
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

When we updated to 8.5, we also found things changed with the connector 
for SSL.  The above page is the current guide, and you'll notice several 
of the hooks have been deprecated since 6.0

jim

On 12/1/2016 11:28 AM, Bartlett, Todd wrote:
> Thanks for replying, some more information.
>
> Tomcat 8.0 works fine with this configuration (I've tested both installs on same server, same .pfx)
> (note no other changes anywhere, just a fresh install and modifying the server.xml)
> We have been using this config since 6.0 through 8.0.
>
> Something changed in 8.5, it does not seem to recognize or load the .pfx file anymore.
>
> Thanks
>
> Todd
>





RE: Unable to get SSL working on Tomcat 8.5

Posted by "Bartlett, Todd" <ba...@uncw.edu>.
Thanks for replying, some more information.  

Tomcat 8.0 works fine with this configuration (I've tested both installs on same server, same .pfx)
(note no other changes anywhere, just a fresh install and modifying the server.xml)
We have been using this config since 6.0 through 8.0.

Something changed in 8.5, it does not seem to recognize or load the .pfx file anymore.

Thanks

Todd

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, November 30, 2016 8:52 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Unable to get SSL working on Tomcat 8.5

Todd,

On 11/29/16 4:41 PM, Bartlett, Todd wrote:
> The below settings work fine on 6.0 version (no other changes I'm aware
> of)  Error received Failed to initialize component
> [Connector[HTTP/1.1-443

What's the rest of the error message?

> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
> maxThreads="150" scheme="https" secure="true" 
> keystoreFile="C:\xxxx.pfx" keystorePass="xxxx" 
> keystoreType="pkcs12" clientAuth="false" 
> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="..." />

Looks okay so far. You need to post more information.

-chris