Posted to users@tomcat.apache.org by Peter Rader <p....@gmx.net> on 2020/01/13 12:25:13 UTC

TC8 -> TC9 KeyAlias SSL not supported?

I recently moved from T8 to T9 to use PKI.
 
My keystore contains multiple CAs.
 
I had to modify the ssl-connector from 
  org.apache.coyote.http11.Http11Protocol
to 
  org.apache.coyote.http11.Http11NioProtocol
 
Unfortunately the attribute "keyAlias" seems to not be supported in the NIO anymore. 
 
SSL is not valid anymore because the wrong keyAlias is chosen.
 
Any ideas how to select the correct key?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

On 1/13/20 9:20 AM, Peter Rader wrote:
>>> I recently moved from T8 to T9 to use PKI.
>> 
>> Exact versions?
> 
> T8 = 8.5.50.0 on amazon-corretto-8.232.09.1-linux-x64 T9 = 9.0.30.0
> on amazon-corretto-8.232.09.1-linux-x64
> 
>> 
>>> My keystore contains multiple CAs.
>>> 
>>> I had to modify the ssl-connector from 
>>> org.apache.coyote.http11.Http11Protocol to 
>>> org.apache.coyote.http11.Http11NioProtocol
>> 
>> Full Connector configurations (with sensitive data masked)?
> 
> TC8= <Connector port="443" keyAlias="XXX"
> protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> secure="true" SSLEnabled="true" keystoreFile="XXXX"
> keystorePass="XXXXX" sslProtocol="TLS" clientAuth="want"
> truststoreFile="XXXX" truststorePass="XXXXX" />
> 
> TC9= <Connector port="443" keyAlias="XXX"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https" secure="true" SSLEnabled="true" keystoreFile="XXXX"
> keystorePass="XXXXX" sslProtocol="TLS" clientAuth="want"
> truststoreFile="XXXX" truststorePass="XXXXX" />
> 
> Masks: - XXX keystore CA - XXXX keystore or truststore - XXXXX
> password for keystore/truststore

Can you find what you are looking for here?

<Connector ...>
  <SSLHostConfig <-- HERE
</Connector>

?

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

-chris



Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?

Posted by Mark Thomas <ma...@apache.org>.
On 13/01/2020 14:20, Peter Rader wrote:
>>> I recently moved from T8 to T9 to use PKI.
>>
>> Exact versions?
> 
> T8 = 8.5.50.0 on amazon-corretto-8.232.09.1-linux-x64
> T9 = 9.0.30.0 on amazon-corretto-8.232.09.1-linux-x64
> 
>>
>>> My keystore contains multiple CAs.
>>>  
>>> I had to modify the ssl-connector from 
>>>   org.apache.coyote.http11.Http11Protocol
>>> to 
>>>   org.apache.coyote.http11.Http11NioProtocol
>>
>> Full Connector configurations (with sensitive data masked)?
> 
> TC8=
> <Connector port="443" keyAlias="XXX" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" SSLEnabled="true" keystoreFile="XXXX" keystorePass="XXXXX" sslProtocol="TLS" clientAuth="want" truststoreFile="XXXX" truststorePass="XXXXX" />
> 
> TC9=
> <Connector port="443" keyAlias="XXX"  protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" SSLEnabled="true" keystoreFile="XXXX" keystorePass="XXXXX" sslProtocol="TLS" clientAuth="want" truststoreFile="XXXX" truststorePass="XXXXX" />

This is not possible. The first configuration is for the BIO connector.
This connector was not present in 8.5.x. Might you have been using 8.0.x?

keyAlias should still work in 9.0.x. It might be case-sensitive.

Do you have the Tomcat Native library installed and configured?

The extra plumbing we have added to allow users to swap seamlessly
between JSSE and OpenSSL has created a few bugs. If you can re-create
the issue with a set of test keys and certificates that you can share
with the developers, we can take a closer look.

Mark



Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?

Posted by Peter Rader <p....@gmx.net>.
> > I recently moved from T8 to T9 to use PKI.
>
> Exact versions?

T8 = 8.5.50.0 on amazon-corretto-8.232.09.1-linux-x64
T9 = 9.0.30.0 on amazon-corretto-8.232.09.1-linux-x64

>
> > My keystore contains multiple CAs.
> >  
> > I had to modify the ssl-connector from 
> >   org.apache.coyote.http11.Http11Protocol
> > to 
> >   org.apache.coyote.http11.Http11NioProtocol
>
> Full Connector configurations (with sensitive data masked)?

TC8=
<Connector port="443" keyAlias="XXX" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" SSLEnabled="true" keystoreFile="XXXX" keystorePass="XXXXX" sslProtocol="TLS" clientAuth="want" truststoreFile="XXXX" truststorePass="XXXXX" />

TC9=
<Connector port="443" keyAlias="XXX"  protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" SSLEnabled="true" keystoreFile="XXXX" keystorePass="XXXXX" sslProtocol="TLS" clientAuth="want" truststoreFile="XXXX" truststorePass="XXXXX" />

Masks: 
- XXX keystore CA
- XXXX keystore or truststore
- XXXXX password for keystore/truststore

>
> Mark

Peter



Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Peter,

On 1/13/20 10:48 AM, Peter Rader wrote:
>> Peter,
>> 
>> Can you find what you are looking for here?
>> 
>> <Connector ...> <SSLHostConfig <-- HERE </Connector>
>> 
>> ?
> 
> No! There is no such node or any similar content. And there simply
> can not be such a node because all the connector-xml-nodes are
> self-closing as you might have already noticed. AFAIK I should not
> create this SSLHostConfig because it is created automatically
> somehow according to the deprecated xml-node "keyAlias" (see:
> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2_(deprecated)
> )!

I'm sorry I wasn't being clear: I was suggesting that you look at the
SSLHostConfig documentation and convert your configuration into one
which DOES contain an SSLHostConfig element.

You are correct, you should not need to create such a node but if it
solves your problem and side-steps a potential bug in Tomcat then
adding it ... well, solves your problem.

-chris
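As an added illustration of what Chris is suggesting (this is not a snippet from the thread or from the Tomcat project; it is the masked TC9 connector translated into the explicit SSLHostConfig form from the Tomcat 9 documentation, with the thread's XXX/XXXX/XXXXX masks kept as placeholders):

```xml
<!-- Added example: the masked TC9 connector rewritten with an explicit
     SSLHostConfig/Certificate pair instead of the deprecated flat attributes.
     XXX = key alias, XXXX = keystore/truststore path, XXXXX = password (placeholders). -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https" secure="true" SSLEnabled="true">
  <!-- clientAuth="want" maps to certificateVerification="optional";
       sslProtocol and the truststore move onto SSLHostConfig -->
  <SSLHostConfig sslProtocol="TLS"
                 certificateVerification="optional"
                 truststoreFile="XXXX"
                 truststorePassword="XXXXX">
    <!-- keyAlias maps to certificateKeyAlias. Mark notes the alias may be
         matched case-sensitively, so copy it exactly as keytool lists it;
         with several CAs in one keystore this is what selects the server key -->
    <Certificate certificateKeystoreFile="XXXX"
                 certificateKeystorePassword="XXXXX"
                 certificateKeyAlias="XXX" />
  </SSLHostConfig>
</Connector>
```

With the explicit element in place, a wrong alias fails loudly at connector start instead of silently serving a certificate from another keystore entry, which is the symptom Peter describes.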



Re: Aw: Re: TC8 -> TC9 KeyAlias SSL not supported?

Posted by Peter Rader <p....@gmx.net>.
> Peter,
>
> Can you find what you are looking for here?
>
> <Connector ...>
> <SSLHostConfig <-- HERE
> </Connector>
>
> ?

No! There is no such node or any similar content. And there simply can not be such a node because all the connector-xml-nodes are self-closing as you might have already noticed. AFAIK I should not create this SSLHostConfig because it is created automatically somehow according to the deprecated xml-node "keyAlias" (see: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2_(deprecated) )!



Re: TC8 -> TC9 KeyAlias SSL not supported?

Posted by Mark Thomas <ma...@apache.org>.
On 13/01/2020 12:25, Peter Rader wrote:
> I recently moved from T8 to T9 to use PKI.

Exact versions?

> My keystore contains multiple CAs.
>  
> I had to modify the ssl-connector from 
>   org.apache.coyote.http11.Http11Protocol
> to 
>   org.apache.coyote.http11.Http11NioProtocol

Full Connector configurations (with sensitive data masked)?

Mark


>  
> Unfortunately the attribute "keyAlias" seems to not be supported in the NIO anymore. 
>  
> SSL is not valid anymore because the wrong keyAlias is chosen.
>  
> Any ideas how to select the correct key?
> 

