Posted to users@tomcat.apache.org by "Jack , Zhan Hua Ping" <ja...@hotmail.com> on 2005/12/30 14:58:01 UTC

SSL problem on 5.5.12

Hi guys,

Thank you for taking the time to read this and trying to help me!

I followed the instructions in the SSL HOWTO.

My HTTP connector is on 80; I uncommented the SSL connector and kept it on 8443.

I created a self-signed "tomcat" certificate in the default keystore as required.
Restarted Tomcat; then
https://127.0.0.1:8443/
https://192.168.1.99:8443/
https://localhost:8443/
for a long time, no response.

Using openssl to test it:
$ openssl s_client -connect 127.0.0.1:8443 -showcerts -state -msg -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.0 Handshake [length 005f], ClientHello
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
1152:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:

I attached the results when I connect to www.cibc.com with SSL.

It seems that Tomcat didn't handshake with the browser.

I guessed that maybe I did something wrong, so I installed Tomcat 5.5.12 on another 
machine, only put normal HTTP on 80, uncommented the SSL connector, and 
generated a self-signed certificate: same result, it just doesn't work.

I guessed the problem might be the self-signed certificate, so I used IBM's 
KeyMan to generate a key pair A and its self-signed cert CA. I added CA to cacerts, 
then used A to sign the key pair "tomcat" and imported the A-signed cert into the 
default keystore.

Restarted Tomcat, same result. Checked Tomcat's log; I didn't see anything. I 
didn't install log4j, so only the simplest logs.

Is there anyone who can use Tomcat 5.5.12 with its SSL well?

For comparison, here is the result when I connect to cibc.com with SSL:
$ openssl s_client -connect www.cibc.com:443 -showcerts -state -msg -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.0 Handshake [length 005f], ClientHello
SSL_connect:SSLv3 write client hello A
<<< TLS 1.0 Handshake [length 004a], ServerHello
SSL_connect:SSLv3 read server hello A
<<< TLS 1.0 Handshake [length 0614], Certificate
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
   0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
   01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
   14 00 00 0c 21 ad ea ec d4 1b cb 6f a7 d1 76 85
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.0 ChangeCipherSpec [length 0001]
   01
<<< TLS 1.0 Handshake [length 0010], Finished
   14 00 00 0c 8e 0d d4 c6 9f c9 c2 2a 9d a1 a1 43
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=Toronto/O=Canadian Imperial Bank of Commerce/OU=s150/CN=www.cibc.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 1 s:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
subject=/C=CA/ST=Ontario/L=Toronto/O=Canadian Imperial Bank of Commerce/OU=s150/CN=www.cibc.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : RC4-MD5
   Session-ID: 0B86AA74E0BB2A4168B63CF1BC60490C149A97CDCBBBB291092071006D468C1B
   Session-ID-ctx:
   Master-Key: A5951B581E9EA39BC178655DF12D6C4AA52EE68420890EC291E7734BD05C075E00A99C56AABA945D6EBAB0E91A1DE389
   Key-Arg   : None
   Start Time: 1135902433
   Timeout   : 7200 (sec)
   Verify return code: 19 (self signed certificate in certificate chain)
---

Jack @ jackzhp@hotmail.com
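The failing trace above only says "failed in SSLv3 read server hello A", which is what openssl prints whether the server closed the socket, sent a TLS alert, answered in plain HTTP or never replied. The probe below is an added example for this thread (not code from the original post, Tomcat or OpenSSL); it assumes Python 3 and the 127.0.0.1:8443 connector being tested, sends a bare TLS 1.0 ClientHello like openssl does, and classifies the first bytes that come back.

```python
"""Send a TLS 1.0 ClientHello and classify what the server sends back, so a
'failed in SSLv3 read server hello' can be told apart from a closed socket,
a TLS alert, a plain-HTTP reply or silence. Added example, not Tomcat/OpenSSL code."""
import socket
import struct

TLS10 = b"\x03\x01"
# Offered cipher suites: TLS_RSA_WITH_RC4_128_MD5 (the one cibc.com picked above),
# TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
SUITES = b"\x00\x04\x00\x2f\x00\x0a"
ALERTS = {0: "close_notify", 40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 80: "internal_error"}

def build_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one TLS 1.0 record carrying a minimal ClientHello (no extensions)."""
    body = (TLS10 + client_random + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(SUITES)) + SUITES  # cipher suite list
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + TLS10 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Map the first bytes a server sent after our ClientHello to a diagnosis."""
    if not data:
        return "closed: server hung up without sending anything"
    if data.startswith(b"HTTP/"):
        return "plaintext: port answers HTTP, so the connector is not doing SSL at all"
    if len(data) < 5:
        return "garbage: %r is too short to be a TLS record" % data
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3:
        return "garbage: %r does not start a TLS record" % data[:5]
    if ctype == 0x15 and len(data) >= 7:
        return "alert: level=%d %s" % (data[5], ALERTS.get(data[6], "code %d" % data[6]))
    if ctype == 0x16 and len(data) > 5 and data[5] == 0x02:
        version = "SSLv3" if minor == 0 else "TLS 1.%d" % (minor - 1)
        return "ok: ServerHello, %s, record length %d" % (version, length)
    return "unexpected: record type 0x%02x" % ctype

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except socket.timeout:
            return "timeout: TCP connected but nothing came back in %.0fs" % timeout

if __name__ == "__main__":
    print(probe("127.0.0.1", 8443))  # the host/port the original post was testing
```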
