Posted to users@tomcat.apache.org by Pavan Kasarla <ka...@siu.edu> on 2015/05/16 04:28:02 UTC
Issue in setting up SHA2 certificate with tomcat6
Hi,
I am trying to configure SHA2 algorithm certificates with tomcat6 in centos 6. I have created a keystore of format "JKS" using keytool and imported the certificate and intermediates to the keystore. When I restart the tomcat, logs do not show any kind of errors, it starts up normally, but when I try to connect to the host from a browser it shows the following error:
my system configuration
OS : centos
tomcat 6
java1.7.x
In chrome
Version 39.0.2171.71 (64-bit)
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
In firefox it shows
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
tomcat configuration for the certificate in server.xml
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/etc/tomcat6/xxxxx.jks"
keystorePass="xxxxxx"
clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />
When I change the Tomcat keystore to another certificate with the SHA1 algorithm, everything works fine.
Thanks
Pavan
Re: Issue in setting up SHA2 certificate with tomcat6
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Pavan,
(Note: only a single post is necessary)
On 5/15/15 10:28 PM, Pavan Kasarla wrote:
> I am trying to configure SHA2 algorithm certificates with tomcat6
> in centos 6. I have created a keystore of format "JKS" using
> keytool and imported the certificate and intermediates to the
> keystore. When I restart the tomcat, logs do not show any kind of
> errors, it starts up normally, but when I try to connect to the host from
> a browser it shows the following error
>
>
> my system configuration
>
> OS : centos
> tomcat 6
Specifically, which Tomcat version are you using?
> java1.7.x
>
> In chrome Version 39.0.2171.71 (64-bit)
>
> SSL connection error: Unable to make a secure connection
> to the server. This may be a problem with the server, or it may be
> requiring a client authentication certificate that you don't have.
> Error code: ERR_SSL_PROTOCOL_ERROR
>
>
> In firefox it shows Cannot communicate securely with peer: no
> common encryption algorithm(s). (Error code:
> ssl_error_no_cypher_overlap)
>
> tomcat configuration for the certificate in server.xml <Connector
> port="8443" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" SSLEnabled="true"
> keystoreFile="/etc/tomcat6/xxxxx.jks" keystorePass="xxxxxx"
> clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
> />
>
> When I change the Tomcat keystore to another certificate with the
> SHA1 algorithm, everything works fine.
So the only difference is SHA1 versus SHA2 hash on the certificate?
Java 1.7 handles both of those without a problem.
Can you try connecting to your server using OpenSSL's s_client program?
$ openssl s_client -connect hostname:443
CONNECTED(00000003)
depth=1 [cert subject]
---
Certificate chain
[cert chain]
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
[cert info]
---
No client certificate CA names sent
---
SSL handshake has read 3601 bytes and written 700 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID:
5712CBF2C60CFB9DDD456DA9E67B1F6CDD5FDE12178266E5AB0888CF21859B8A
Session-ID-ctx:
Master-Key:
2EFB02FD1F605120E55D3C293CE9E5CE5076CBA1E286A91EB271F7D145825CE441EF2614
B9E0CB743C690DC4E45262CF
Key-Arg : None
Start Time: 1431870170
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
^C
At the bottom, you can see the connection information that was
negotiated with the server. s_client has options to allow you to set
the protocol(s) supported, the cipher(s) supported, etc. Perhaps you
can narrow down the problem.
-chris
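An added diagnostic helper, not part of the thread, that automates the s_client check described above: it tries each TLS version the Connector is configured to offer and reports the negotiated protocol and cipher, so a "no cipher overlap" browser error can be pinned to a specific protocol version. Host and port are assumed command-line arguments.

```shell
#!/bin/sh
# Added example (not from the thread): probe a TLS endpoint per protocol
# version with openssl s_client and report what the server negotiated.

# Read s_client output on stdin and print "proto=<X> cipher=<Y>" from the
# SSL-Session block. A cipher of 0000 means no handshake was completed.
parse_s_client() {
    awk '
        /^ *Protocol *:/ { p = $NF }
        /^ *Cipher *:/   { c = $NF }
        END { printf "proto=%s cipher=%s\n", p, c }
    '
}

# Try one protocol version: $1=host $2=port $3=s_client protocol flag.
# "Q" on stdin makes s_client close the session after the handshake.
probe_proto() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" 2>/dev/null) || true
    printf '%s\n' "$out" | parse_s_client
}

# Walk the versions listed in the Connector's sslEnabledProtocols.
# To narrow further, append e.g. -cipher 'RC4-SHA' to the s_client call.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-9s ' "$flag"
        probe_proto "$1" "$2" "$flag"
    done
}

# usage: ./probe_tls.sh hostname 8443
if [ "$#" -eq 2 ]; then
    probe_all "$1" "$2"
fi
```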