RE: SSL handshake failure URGENT

2001-06-20 Thread Gomez Henri

 I use Linux RedHat 7, but it seems that the SSL options were not taken into
 account with the default launching of httpd (with "httpd start"), so I first
 made some modifications to the httpd conf (especially commenting out the
 ifDefine SSL tags to make them taken into account), and maybe made some
 mistakes, because httpd will not launch now :-)

On Redhat 7.0 you didn't have to use my apache-mod_ssl since you
already have an Apache built with mod_ssl. Maybe you only need to install
mod_ssl.

 I (truly) hope that the packages I downloaded from your site are the
 good ones (tomcat-3.2.2-1.noarch.rpm and
 apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm), even if I was surprised that
 apache-mod_ssl-1.3.19.2.8.3-1.i386.rpm was bigger (1.6M) than the next
 version apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm (879k).

 I will give you on Wednesday the next episode of my
 SSL/Linux/tomcat/apache adventure.
 

RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.


Of course, here it is.


 Could you retry with openssl s_client in full debug mode?




 -Original Message-
 From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
 Sent: Friday, June 15, 2001 12:21 PM
 To: [EMAIL PROTECTED]
 Subject: RE: SSL handshake failure URGENT
 
 
 So, everything seems to be well configured, but I always get this
 handshake error; what could be the problem in that case?
 
 # openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
 -key cl_key.pem -state
 Enter PEM pass phrase:
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL3 alert read:fatal:handshake failure
 SSL_connect:error in SSLv2/v3 read server hello A
 
 
   ok now it's done, but same error:
   HandShake Failure
   
   I made the new server request, the new server certification,
   the new server x509 conversion, and the new server importation
   into the tomcat keystore
   
   (I send you the new server certificate)
   
   Must we also replace the CN of the client? (I didn't do it)
   Maybe the CN of the CA?
   
   CN of your client could be what you want
 
  
   The problem is in the CN of the server cert:
   
   replace CN=server by CN=thehostname !!!
   
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 2 (0x2)
           Signature Algorithm: md5WithRSAEncryption
           Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, OU=UNIT, CN=ca
           Validity
               Not Before: Jun 14 08:47:55 2001 GMT
               Not After : Jun 14 08:47:55 2002 GMT
           Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
                       f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
                       12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
                       a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
                       a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
                       85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
                       6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
                       e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
                       3b:c3:9f:ac:e3:5e:77:cb:7b
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Basic Constraints:
                   CA:FALSE
               Netscape Comment:
                   OpenSSL Generated Certificate
               X509v3 Subject Key Identifier:
                   44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
               X509v3 Authority Key Identifier:
                   keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
                   DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
                   serial:00

       Signature Algorithm: md5WithRSAEncryption
           05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
           97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
           28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
           be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
           7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
           b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
           94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
           20:a8
  
  
  
  
  
  
  __
  Voila offers you a free mailbox on Voila Mail:
  http://mail.voila.fr
  
  
 
 

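
The `openssl s_client -state` trace quoted above can be read mechanically. What follows is an added example, not code from the thread or from the Tomcat/mod_ssl projects: it parses such a trace and reports how far the handshake got before the peer's fatal alert. `SAMPLE_TRACE` is the trace exactly as quoted in the thread; the class and function names are this example's own.

```python
"""Triage an `openssl s_client -state` trace.

Added example, not code from the mailing-list thread. It reads the state
lines the client prints (`SSL_connect:...`, `SSL3 alert ...`) and reports
how far the handshake got before the peer sent a fatal alert.
SAMPLE_TRACE is the trace quoted in the thread; the state names it reports
are OpenSSL's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trace as quoted in the thread (client cert offered, server at 127.0.0.1:8443).
SAMPLE_TRACE = """\
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
"""

STATE_RE = re.compile(r"^SSL_connect:(?P<state>.+)$")
ALERT_RE = re.compile(r"^SSL3 alert (?P<direction>read|write):(?P<level>\w+):(?P<desc>.+)$")


@dataclass
class Triage:
    connected: bool = False                  # saw CONNECTED(...): the TCP connect succeeded
    states: List[str] = field(default_factory=list)  # SSL_connect states, in order of appearance
    alert_direction: Optional[str] = None    # "read" = the peer sent it, "write" = we sent it
    alert_level: Optional[str] = None        # e.g. "fatal"
    alert_description: Optional[str] = None  # e.g. "handshake failure"
    alert_after_state: Optional[str] = None  # last state reached before the alert


def triage(trace: str) -> Triage:
    """Walk the trace line by line and record the first alert and its position."""
    t = Triage()
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("CONNECTED("):
            t.connected = True
            continue
        m = ALERT_RE.match(line)
        if m and t.alert_level is None:      # keep only the first alert; later lines are fallout
            t.alert_direction = m["direction"]
            t.alert_level = m["level"]
            t.alert_description = m["desc"]
            t.alert_after_state = t.states[-1] if t.states else None
            continue
        m = STATE_RE.match(line)
        if m:
            t.states.append(m["state"])
    return t


def server_rejected_client_hello(t: Triage) -> bool:
    """True when the peer's fatal alert arrived right after our ClientHello.

    At that point the server has sent nothing yet (no ServerHello, no
    certificate, no CertificateRequest), so the client certificate has not
    been presented and cannot be what the server objected to.
    """
    return (t.alert_direction == "read" and t.alert_level == "fatal"
            and t.alert_after_state is not None
            and "write client hello" in t.alert_after_state)


def explain(t: Triage) -> str:
    """One-line verdict for a parsed trace."""
    if not t.connected:
        return "no TCP connection: check host/port and that the server is listening"
    if t.alert_level is None:
        return f"no alert seen; last state: {t.states[-1] if t.states else 'none'}"
    msg = (f"{t.alert_direction} {t.alert_level} alert '{t.alert_description}' "
           f"after state '{t.alert_after_state}'")
    if server_rejected_client_hello(t):
        msg += ("; the server gave up before sending its own hello/certificate, so "
                "the client cert was never involved: check the server's key/cert "
                "material and cipher configuration")
    return msg


if __name__ == "__main__":
    print(explain(triage(SAMPLE_TRACE)))
```

Run it with `python3 triage.py`. For the trace in the thread the fatal alert is read immediately after `SSLv2/v3 write client hello A`, before any server message, which is the one conclusion the trace supports on its own: whatever the server dislikes, it decided that from the ClientHello alone.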

RE: SSL handshake failure URGENT

2001-06-18 Thread GOMEZ Henri

Could you try the server cert on apache/SSL or Apache-mod_ssl
and see if it works?



-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



-Original Message-
From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 18, 2001 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: SSL handshake failure URGENT



Of course, here it is.


 Could you retry with openssl s_client in full debug mode?
 


RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.

I would try to do that following a document you wrote about SSL via apache, but I was
a little lost in your indications (for example some Jk... directives are not
recognized [JkExtractSSL, ...], and I don't have a mod_jk.so module to load).

 Could you try the server cert on apache/SSL or Apache-mod_ssl
 and see if it works?




RE: SSL handshake failure URGENT

2001-06-18 Thread Tim O'Neil

At 02:41 AM 6/18/2001, you wrote:
I would try to do that following a document you wrote about SSL via
apache, but I was a little lost in your indications (for example some
Jk... directives are not recognized [JkExtractSSL, ...], and I don't have
a mod_jk.so module to load).

I know that a real (or non-test) cert works
with Apache/tomcat. There's documentation on
the Apache site for using mod_ssl, and also
search the net for more info. I don't have
the urls handy, but I was able to mine the net
for urls to some good info on using ssl with
Apache, Tomcat, and others. Also, I was never
able to get Tomcat standalone to use a real cert.




RE: SSL handshake failure URGENT

2001-06-18 Thread GOMEZ Henri

If you use Apache-mod_ssl (apache with mod_ssl), you don't
need to do anything in mod_jk.conf since its default config
is for Apache + mod_ssl.

PS: Do you have a Linux box? I've packaged easy-to-use
RPMs which will let you install apache-mod_ssl, tomcat and
mod_jk in less than 30 mins

http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
http://www.falsehope.com/ftp-site/home/gomez/tomcat/

Redhat 7.0/7.1 users already have an Apache using mod_ssl

-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



-Original Message-
From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 18, 2001 11:41 AM
To: [EMAIL PROTECTED]
Subject: RE: SSL handshake failure URGENT


I would try to do that following a document you wrote about
SSL via apache, but I was a little lost in your indications
(for example some Jk... directives are not recognized
[JkExtractSSL, ...], and I don't have a mod_jk.so module to load).

 Could you try the server cert on apache/SSL or Apache-mod_ssl
 and see if it works?
 
 
 
RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.

ok, thanks Henri and Tim

I use Linux RedHat 7, but it seems that the SSL options were not taken into account with
the default launching of httpd (with "httpd start"), so I first made some modifications to
the httpd conf (especially commenting out the ifDefine SSL tags to make them taken into
account), and maybe made some mistakes, because httpd will not launch now :-)

I (truly) hope that the packages I downloaded from your site are the good ones
(tomcat-3.2.2-1.noarch.rpm and apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm), even if I was
surprised that apache-mod_ssl-1.3.19.2.8.3-1.i386.rpm was bigger (1.6M) than the next
version apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm (879k).

I will give you on Wednesday the next episode of my SSL/Linux/tomcat/apache adventure.

 PS: Do you have a Linux box? I've packaged easy-to-use
 RPMs which will let you install apache-mod_ssl, tomcat and
 mod_jk in less than 30 mins

 http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
 http://www.falsehope.com/ftp-site/home/gomez/tomcat/

 Redhat 7.0/7.1 users already have an Apache using mod_ssl


RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.


The rpm installation of apache (1.3.20) failed because it claims openssl = 0.9.6 (which
I installed) and because there are a lot of conflicts with the previous version of apache
(1.3.12).
I am not a big aficionado of Linux fine configuration and tuning, but I am compelled
to work on this platform. Do you have a magic (rpm or not) package that I can just
click on to auto-configure and update the components I already have?


 PS: Do you have a Linux box? I've packaged easy-to-use
 RPMs which will let you install apache-mod_ssl, tomcat and
 mod_jk in less than 30 mins

 http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
 http://www.falsehope.com/ftp-site/home/gomez/tomcat/

 Redhat 7.0/7.1 users already have an Apache using mod_ssl

RE: SSL handshake failure URGENT

2001-06-18 Thread Phillip Kuzma \(Support\)


RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

 Did you set the SERVER Common Name correctly?
 It must match the server name (ie: mybecane.com)

First, thanks for having taken the time to help me :)
But I fear I didn't understand the answer :(
Where must I enter the same name as what?

example : I am under Linux, the hostname is thehostname
Is that what you call the server name, or is it a name that you enter in the server.xml
file (if yes, with which tag?)

And where must I enter the same name as the servername?
What field of which openSSL command?

Thanks for your answer !

 JEG

  # CA
  openssl req -new -out ca_req.pem -keyout ca_key.pem
  #pwd:pwd_ca
  #challenge_pwd:ch_ca
  #company name:THE_ORG
 
  # CLIENT
  openssl req -new -out cl_req.pem -keyout cl_key.pem
  #pwd:pwd_cl
  #ch_pwd:ch_cl
  #company name:THE_ORG
  # SERVER
  openssl req -new -out sr_req.pem -keyout sr_key.pem
  #pwd:pwd_sr
  #ch_pwd:ch_sr
  #company name:THE_ORG
  # CA AUTH
  echo CA AUTH : enter CA password
  openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
  #pwd:pwd_ca
  rm ./demoCA/index.txt
  rm ./demoCA/serial
  cat   ./demoCA/index.txt
  cat 01  ./demoCA/serial
 
  # CLIENT AUTH BY CA
  echo CL AUTH : enter CA password
  openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem
 -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
  #pwd:pwd_ca
 
  # SERVER AUTH BY CA
  echo SR AUTH : enter CA password
  openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem
 -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
  #pwd:pwd_ca
 
  # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
  openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der
 
  # REMOVE PREVIOUS KEYSTORE
  rm /opt/tomcat-3-2-2/tomcat/conf/keystore
 
  # IMPORT SERVER CERT IN TOMCAT KEYSTORE
  echo IMPORT SR CERT : enter SR password
  /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias
 tomcat -file sr_cert.der -keystore
 /opt/tomcat-3-2-2/tomcat/conf/keystore
  #pwd:pwd_sr
 
  # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
  echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
  openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out
 cl_cert.p12
  #pwd:pwd_cl
  #exp_pwd:pwd_cl
 
  # CONNECTION TO THE TOMCAT SERVER
  openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
 -key cl_key.pem -state


__
Voila offers you a free mailbox on Voila Mail:
http://mail.voila.fr






RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

First, thanks for having taken the time to help me :)
But I fear I didn't understand the answer :(
Where must I enter the same name as what?

Example: I am under Linux, the hostname is thehostname.
Is that what you call the server name, or is it a name that you 
enter in the server.xml file (if yes, with which tag?)

If your server is thehostname, you answer that when 
openssl asks for the COMMON NAME in SERVER CERT GENERATION:

  # SERVER
  openssl req -new -out sr_req.pem -keyout sr_key.pem
  #pwd:pwd_sr
  #ch_pwd:ch_sr
  #company name:THE_ORG 


And where must I enter the same name as the servername?
What field of which openSSL command?

Thanks for your answer !

 JEG

  # CA
  openssl req -new -out ca_req.pem -keyout ca_key.pem
  #pwd:pwd_ca
  #challenge_pwd:ch_ca
  #company name:THE_ORG
 
  # CLIENT
  openssl req -new -out cl_req.pem -keyout cl_key.pem
  #pwd:pwd_cl
  #ch_pwd:ch_cl
  #company name:THE_ORG 
  # SERVER
  openssl req -new -out sr_req.pem -keyout sr_key.pem
  #pwd:pwd_sr
  #ch_pwd:ch_sr
  #company name:THE_ORG 
  # CA AUTH 
  echo CA AUTH : enter CA password
  openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
  #pwd:pwd_ca
  rm ./demoCA/index.txt
  rm ./demoCA/serial
  echo > ./demoCA/index.txt
  echo 01 > ./demoCA/serial 
 
  # CLIENT AUTH BY CA 
  echo CL AUTH : enter CA password
  openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem 
 -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
  #pwd:pwd_ca
 
  # SERVER AUTH BY CA 
  echo SR AUTH : enter CA password
  openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem 
 -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
  #pwd:pwd_ca
 
  # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
  openssl x509 -inform PEM -in sr_cert.pem -outform DER -out 
sr_cert.der
 
  # REMOVE PREVIOUS KEYSTORE
  rm /opt/tomcat-3-2-2/tomcat/conf/keystore
 
  # IMPORT SERVER CERT IN TOMCAT KEYSTORE
  echo IMPORT SR CERT : enter SR password
  /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias 
 tomcat -file sr_cert.der -keystore 
 /opt/tomcat-3-2-2/tomcat/conf/keystore
  #pwd:pwd_sr
 
  # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
  echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
  openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out 
 cl_cert.p12
  #pwd:pwd_cl
  #exp_pwd:pwd_cl
 
  # CONNECTION TO THE TOMCAT SERVER
  openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
 -key cl_key.pem -state








RE: SSL handshake failure URGENT

2001-06-15 Thread Rams

Can you send your server, client, CA certs?

Rams
+91-040-3000401 x 2162 (O)
+91-040-6313447 (R)


-Original Message-
From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2001 7:27 PM
To: [EMAIL PROTECTED]
Subject: SSL handshake failure URGENT


Hello,

 I got no responses to my previous mails... so maybe I did not contact the
right mailing list. Please give me a start of a response...

 Hello,
 I have a cert importation problem

 here is the output of an openSSL client command [which emulates a browser]
(openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
 cl_key.pem -state) :

 Enter PEM pass phrase:
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL3 alert read:fatal:handshake failure
 SSL_connect:error in SSLv2/v3 read server hello A
 1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:453:

 Can someone help me?
 Is there a way to make it work without installing apache?
 Thanks for your answer




 I have this tomcat configuration :


 <Connector className="org.apache.tomcat.service.PoolTcpConnector">
 <Parameter name="handler"
 value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
 <Parameter name="port"
 value="8443"/>
 <Parameter name="socketFactory"
 value="org.apache.tomcat.net.SSLSocketFactory" />
 <Parameter name="keystore"
 value="/opt/tomcat-3-2-2/tomcat/conf/keystore" />
 <Parameter name="keypass"
 value="pwd_sr" />
 <Parameter name="clientAuth"
 value="true" />
 </Connector>


 And here are all the lines of the procedure I entered to make it work

 mkdir ./demoCA
 echo > ./demoCA/index.txt
 echo 01 > ./demoCA/serial

 # CA
 openssl req -new -out ca_req.pem -keyout ca_key.pem
 #pwd:pwd_ca
 #challenge_pwd:ch_ca
 #company name:THE_ORG

 # CLIENT
 openssl req -new -out cl_req.pem -keyout cl_key.pem
 #pwd:pwd_cl
 #ch_pwd:ch_cl
 #company name:THE_ORG
 # SERVER
 openssl req -new -out sr_req.pem -keyout sr_key.pem
 #pwd:pwd_sr
 #ch_pwd:ch_sr
 #company name:THE_ORG
 # CA AUTH
 echo CA AUTH : enter CA password
 openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
 #pwd:pwd_ca
 rm ./demoCA/index.txt
 rm ./demoCA/serial
 echo > ./demoCA/index.txt
 echo 01 > ./demoCA/serial

 # CLIENT AUTH BY CA
 echo CL AUTH : enter CA password
 openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile
ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # SERVER AUTH BY CA
 echo SR AUTH : enter CA password
 openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile
ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
 openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der

 # REMOVE PREVIOUS KEYSTORE
 rm /opt/tomcat-3-2-2/tomcat/conf/keystore

 # IMPORT SERVER CERT IN TOMCAT KEYSTORE
 echo IMPORT SR CERT : enter SR password
 /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file
sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
 #pwd:pwd_sr

 # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
 echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
 openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
 #pwd:pwd_cl
 #exp_pwd:pwd_cl

 # CONNECTION TO THE TOMCAT SERVER
 openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
cl_key.pem -state





RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

Here they are
(all the files I have generated with these openssl commands)

 Can you send your server, client, CA certs?

 Rams
 +91-040-3000401 x 2162 (O)
 +91-040-6313447 (R)


 -Original Message-
 From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, June 14, 2001 7:27 PM
 To: [EMAIL PROTECTED]
 Subject: SSL handshake failure URGENT


 Hello,

  I got no responses to my previous mails... so maybe I did not contact the
 right mailing list. Please give me a start of a response...

  Hello,
  I have a cert importation problem

  here is the output of an openSSL client command [which emulates a browser]
 (openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
  cl_key.pem -state) :

  Enter PEM pass phrase:
  CONNECTED(0003)
  SSL_connect:before/connect initialization
  SSL_connect:SSLv2/v3 write client hello A
  SSL3 alert read:fatal:handshake failure
  SSL_connect:error in SSLv2/v3 read server hello A
  1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
 handshake failure:s23_clnt.c:453:

  Can someone help me?
  Is there a way to make it work without installing apache?
  Thanks for your answer




  I have this tomcat configuration :


  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
  <Parameter name="handler"
  value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
  <Parameter name="port"
  value="8443"/>
  <Parameter name="socketFactory"
  value="org.apache.tomcat.net.SSLSocketFactory" />
  <Parameter name="keystore"
  value="/opt/tomcat-3-2-2/tomcat/conf/keystore" />
  <Parameter name="keypass"
  value="pwd_sr" />
  <Parameter name="clientAuth"
  value="true" />
  </Connector>


  And here are all the lines of the procedure I entered to make it work

  mkdir ./demoCA
  echo > ./demoCA/index.txt
  echo 01 > ./demoCA/serial

  # CA
  openssl req -new -out ca_req.pem -keyout ca_key.pem
  #pwd:pwd_ca
  #challenge_pwd:ch_ca
  #company name:THE_ORG

  # CLIENT
  openssl req -new -out cl_req.pem -keyout cl_key.pem
  #pwd:pwd_cl
  #ch_pwd:ch_cl
  #company name:THE_ORG
  # SERVER
  openssl req -new -out sr_req.pem -keyout sr_key.pem
  #pwd:pwd_sr
  #ch_pwd:ch_sr
  #company name:THE_ORG
  # CA AUTH
  echo CA AUTH : enter CA password
  openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
  #pwd:pwd_ca
  rm ./demoCA/index.txt
  rm ./demoCA/serial
  echo > ./demoCA/index.txt
  echo 01 > ./demoCA/serial

  # CLIENT AUTH BY CA
  echo CL AUTH : enter CA password
  openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile
 ca_key.pem -config /usr/local/ssl/openssl.cnf
  #pwd:pwd_ca

  # SERVER AUTH BY CA
  echo SR AUTH : enter CA password
  openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile
 ca_key.pem -config /usr/local/ssl/openssl.cnf
  #pwd:pwd_ca

  # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
  openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der

  # REMOVE PREVIOUS KEYSTORE
  rm /opt/tomcat-3-2-2/tomcat/conf/keystore

  # IMPORT SERVER CERT IN TOMCAT KEYSTORE
  echo IMPORT SR CERT : enter SR password
  /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file
 sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
  #pwd:pwd_sr

  # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
  echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
  openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
  #pwd:pwd_cl
  #exp_pwd:pwd_cl

  # CONNECTION TO THE TOMCAT SERVER
  openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
 cl_key.pem -state







 certs.zip


RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

The problem is in the CN of the server cert :

replace CN=server by CN=thehostname !!!

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, OU=UNIT, CN=ca
Validity
Not Before: Jun 14 08:47:55 2001 GMT
Not After : Jun 14 08:47:55 2002 GMT
Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
3b:c3:9f:ac:e3:5e:77:cb:7b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: 
CA:FALSE
Netscape Comment: 
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 
44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
X509v3 Authority Key Identifier: 
keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
serial:00

Signature Algorithm: md5WithRSAEncryption
05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
20:a8



-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

OK, now it's done, but same error:
HandShake Failure

I made the new server request, the new server certification, the new server x509 
conversion, and the new server import into the tomcat keystore

(I am sending you the new server certificate)

Must we also replace the CN of the client? (I didn't do it)
Maybe the CN of the CA?



 The problem is in the CN of the server cert :

 replace CN=server by CN=thehostname !!!

 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 2 (0x2)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, OU=UNIT, CN=ca
 Validity
 Not Before: Jun 14 08:47:55 2001 GMT
 Not After : Jun 14 08:47:55 2002 GMT
 Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
 f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
 a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
 a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
 e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
 3b:c3:9f:ac:e3:5e:77:cb:7b
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
 X509v3 Authority Key Identifier:

 keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31

 DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
 serial:00

 Signature Algorithm: md5WithRSAEncryption
 05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
 97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
 28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
 be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
 7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
 b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
 94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
 20:a8



 -
 Henri Gomez ___[_]
 EMAIL : [EMAIL PROTECTED](. .)
 PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
 PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6





 sr_cert_new.pem


Re: SSL handshake failure URGENT

2001-06-15 Thread Harish kumar AP

Hi All,

I would like to use Tomcat 3.2.2 (Servlet and JSP engine) with Zeus Web Server 3.3.8. 
I need to know how to configure Tomcat with the Zeus web server. If
somebody could provide me some link or information, it would be of great help.


Thanks in advance.

Regards
-Harish









RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

OK, now it's done, but same error:
HandShake Failure

I made the new server request, the new server certification, 
the new server x509 conversion, and the new server import into the tomcat 
keystore

(I am sending you the new server certificate)

Must we also replace the CN of the client? (I didn't do it)
Maybe the CN of the CA?

CN of your client could be what you want


 The problem is in the CN of the server cert :
 
 replace CN=server by CN=thehostname !!!
 
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 2 (0x2)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, 
OU=UNIT, CN=ca
 Validity
 Not Before: Jun 14 08:47:55 2001 GMT
 Not After : Jun 14 08:47:55 2002 GMT
 Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
 f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
 a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
 a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
 e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
 3b:c3:9f:ac:e3:5e:77:cb:7b
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints: 
 CA:FALSE
 Netscape Comment: 
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier: 
 
44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
 X509v3 Authority Key Identifier: 
  
 keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
  
 DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
 serial:00
 
 Signature Algorithm: md5WithRSAEncryption
 05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
 97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
 28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
 be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
 7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
 b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
 94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
 20:a8
 
 
 
 -
 Henri Gomez ___[_]
 EMAIL : [EMAIL PROTECTED](. .) 
 PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
 PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
 







RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

So, everything seems to be well configured, but I always get this
handshake error; what could be the problem in that case?

# openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state
Enter PEM pass phrase:
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A


 OK, now it's done, but same error:
 HandShake Failure
 
 I made the new server request, the new server certification,
 the new server x509 conversion, and the new server import into the tomcat
 keystore
 
 (I am sending you the new server certificate)
 
 Must we also replace the CN of the client? (I didn't do it)
 Maybe the CN of the CA?
 
 CN of your client could be what you want

 
  The problem is in the CN of the server cert :
 
  replace CN=server by CN=thehostname !!!
 
  Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 2 (0x2)
  Signature Algorithm: md5WithRSAEncryption
  Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG,
 OU=UNIT, CN=ca
  Validity
  Not Before: Jun 14 08:47:55 2001 GMT
  Not After : Jun 14 08:47:55 2002 GMT
  Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (1024 bit)
  Modulus (1024 bit):
  00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
  f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
  12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
  a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
  a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
  85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
  6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
  e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
  3b:c3:9f:ac:e3:5e:77:cb:7b
  Exponent: 65537 (0x10001)
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
 
 44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
  X509v3 Authority Key Identifier:
 
  keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
 
  DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
  serial:00
 
  Signature Algorithm: md5WithRSAEncryption
  05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
  97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
  28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
  be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
  7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
  b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
  94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
  20:a8
 
 
 
  -
  Henri Gomez ___[_]
  EMAIL : [EMAIL PROTECTED](. .)
  PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
  PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
 
 
 
 
 








RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

Could you retry with openssl s_client in full debug mode ?

-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



-Original Message-
From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 15, 2001 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: SSL handshake failure URGENT


So, everything seems to be well configured, but I always get this
handshake error; what could be the problem in that case?

# openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
-key cl_key.pem -state 
Enter PEM pass phrase:
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A


 OK, now it's done, but same error:
 HandShake Failure
 
 I made the new server request, the new server certification, 
 the new server x509 conversion, and the new server import into the tomcat 
 keystore
 
 (I am sending you the new server certificate)
 
 Must we also replace the CN of the client? (I didn't do it)
 Maybe the CN of the CA?
 
 CN of your client could be what you want
 
 
  The problem is in the CN of the server cert :
  
  replace CN=server by CN=thehostname !!!
  
  Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 2 (0x2)
  Signature Algorithm: md5WithRSAEncryption
  Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, 
 OU=UNIT, CN=ca
  Validity
  Not Before: Jun 14 08:47:55 2001 GMT
  Not After : Jun 14 08:47:55 2002 GMT
  Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (1024 bit)
  Modulus (1024 bit):
  00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
  f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
  12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
  a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
  a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
  85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
  6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
  e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
  3b:c3:9f:ac:e3:5e:77:cb:7b
  Exponent: 65537 (0x10001)
  X509v3 extensions:
  X509v3 Basic Constraints: 
  CA:FALSE
  Netscape Comment: 
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier: 
  
 44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
  X509v3 Authority Key Identifier: 
   
  keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
   
  DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
  serial:00
  
  Signature Algorithm: md5WithRSAEncryption
  05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
  97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
  28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
  be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
  7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
  b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
  94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
  20:a8
  
  
  
  -
  Henri Gomez ___[_]
  EMAIL : [EMAIL PROTECTED](. .) 
  PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
  PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
  
 
 
 
 
 







RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

 Could you retry with openssl s_client in full debug mode ?

Here it is; for me it's like Chinese:

[arcade2]# openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem 
-state -debug
Enter PEM pass phrase:
CONNECTED(0003)
SSL_connect:before/connect initialization
write to 08156A30 [08157E98] (124 bytes = 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .zQ... .
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .f..
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 61 bf 17 f2   a...
0060 - 3c c8 5d 69 0a 5c d9 28-e6 9c fe 89 bc 0b 53 13   .]i.\.(..S.
0070 - 63 4d 3e 55 27 4d 38 86-5c 78 a8 e2   cMU'M8.\x..
SSL_connect:SSLv2/v3 write client hello A
read from 08156A30 [0815D3F8] (7 bytes = 7 (0x7))
0000 - 15 03 01 00 02 02 28  ..(
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
1754:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
failure:s23_clnt.c:453:



 Could you retry with openssl s_client in full debug mode ?

 -
 Henri Gomez ___[_]
 EMAIL : [EMAIL PROTECTED](. .)
 PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
 PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6



 -Original Message-
 From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
 Sent: Friday, June 15, 2001 12:21 PM
 To: [EMAIL PROTECTED]
 Subject: RE: SSL handshake failure URGENT
 
 
 So, everything seems to be well configured, but I always get this
 handshake error; what could be the problem in that case?
 
 # openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
 -key cl_key.pem -state
 Enter PEM pass phrase:
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL3 alert read:fatal:handshake failure
 SSL_connect:error in SSLv2/v3 read server hello A
 
 
  OK, now it's done, but same error:
  HandShake Failure
  
  I made the new server request, the new server certification,
  the new server x509 conversion, and the new server import into the tomcat
  keystore
  
  (I am sending you the new server certificate)
  
  Must we also replace the CN of the client? (I didn't do it)
  Maybe the CN of the CA?
  
  CN of your client could be what you want
 
  
   The problem is in the CN of the server cert :
  
   replace CN=server by CN=thehostname !!!
  
   Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 2 (0x2)
   Signature Algorithm: md5WithRSAEncryption
   Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG,
  OU=UNIT, CN=ca
   Validity
   Not Before: Jun 14 08:47:55 2001 GMT
   Not After : Jun 14 08:47:55 2002 GMT
   Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (1024 bit)
   Modulus (1024 bit):
   00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
   f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
   12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
   a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
   a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
   85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
   6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
   e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
   3b:c3:9f:ac:e3:5e:77:cb:7b
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Basic Constraints:
   CA:FALSE
   Netscape Comment:
   OpenSSL Generated Certificate
   X509v3 Subject Key Identifier:
  
  44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
   X509v3 Authority Key Identifier:
  
   keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
  
   DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
   serial:00
  
   Signature Algorithm: md5WithRSAEncryption
   05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
   97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
   28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
   be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
   7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
   b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
   94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
   20:a8
  
  
  
   -
   Henri Gomez ___[_]
   EMAIL : [EMAIL
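The debug dump above, decoded, as an added example that is not part of the thread: the script turns the `s_client -debug` hex dump back into bytes, pulls apart the SSLv2-compatible ClientHello (version, the 27 offered cipher specs, the 32-byte challenge) and the server's 7-byte alert record (fatal handshake_failure), and states what that sequence tells a practitioner. The dumps are copied from the quoted output with the offset column restored; the cipher-spec name table is a small constructed subset.

```python
"""Decode the records printed by ``openssl s_client -state -debug`` in the thread: the
SSLv2-compatible ClientHello the client wrote and the TLS alert the server answered with."""
import re

# Constructed from the s_client -debug output quoted above (offset column restored).
CLIENT_HELLO_DUMP = r"""
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .zQ... .
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .f..
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 61 bf 17 f2   a...
0060 - 3c c8 5d 69 0a 5c d9 28-e6 9c fe 89 bc 0b 53 13   .]i.\.(..S.
0070 - 63 4d 3e 55 27 4d 38 86-5c 78 a8 e2   cMU'M8.\x..
"""
ALERT_DUMP = "0000 - 15 03 01 00 02 02 28  ..("

# "offset - hex bytes   ascii": the hex column ends at the first run of 2+ spaces.
HEX_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]{4})?\s*- (.*?)(?:\s{2,}|$)")

# 3-byte SSLv2-style cipher specs; a leading 0x00 means a 2-byte TLS cipher-suite id.
CIPHER_NAMES = {
    b"\x00\x00\x16": "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    b"\x00\x00\x0a": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    b"\x00\x00\x05": "TLS_RSA_WITH_RC4_128_SHA",
    b"\x00\x00\x04": "TLS_RSA_WITH_RC4_128_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

def dump_to_bytes(dump: str) -> bytes:
    """Turn an s_client -debug hex dump back into the raw bytes it printed."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    return bytes(out)

def cipher_name(spec: bytes) -> str:
    """Readable name for a cipher spec, falling back to its raw id."""
    if spec in CIPHER_NAMES:
        return CIPHER_NAMES[spec]
    if spec[0] == 0:
        return "TLS suite 0x%04x" % int.from_bytes(spec[1:], "big")
    return "SSLv2 spec 0x%06x" % int.from_bytes(spec, "big")

def parse_ssl2_client_hello(rec: bytes) -> dict:
    """Parse a 2-byte-header SSLv2 record carrying a CLIENT-HELLO (message type 1)."""
    if len(rec) < 2 or not rec[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = ((rec[0] & 0x7F) << 8) | rec[1]
    body = rec[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record: header says %d, got %d" % (length, len(body)))
    if body[0] != 1:
        raise ValueError("message type %d is not CLIENT-HELLO" % body[0])
    cs_len = int.from_bytes(body[3:5], "big")    # cipher-spec bytes (3 per spec)
    sid_len = int.from_bytes(body[5:7], "big")   # session id bytes
    chal_len = int.from_bytes(body[7:9], "big")  # challenge bytes
    if 9 + cs_len + sid_len + chal_len != length or cs_len % 3:
        raise ValueError("CLIENT-HELLO length fields are inconsistent")
    specs = body[9:9 + cs_len]
    ciphers = [bytes(specs[i:i + 3]) for i in range(0, cs_len, 3)]
    return {
        "version": (body[1], body[2]),  # (3, 1) is TLS 1.0
        "ciphers": ciphers,
        "tls_suites": sum(1 for c in ciphers if c[0] == 0),
        "session_id": body[9 + cs_len:9 + cs_len + sid_len],
        "challenge": body[9 + cs_len + sid_len:],
    }

def parse_tls_alert(rec: bytes) -> dict:
    """Parse a TLS record of content type 21 (alert): 2-byte body = level, description."""
    if len(rec) < 7 or rec[0] != 21:
        raise ValueError("not a TLS alert record")
    if int.from_bytes(rec[3:5], "big") != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    return {"version": (rec[1], rec[2]),
            "level": ALERT_LEVELS.get(rec[5], str(rec[5])),
            "description": ALERT_DESCRIPTIONS.get(rec[6], str(rec[6]))}

def diagnose(hello: dict, alert: dict) -> str:
    """Read the exchange as a practitioner would: what failed, and which side to inspect."""
    if alert["level"] == "fatal" and alert["description"] == "handshake_failure":
        return ("server rejected the ClientHello with a fatal handshake_failure before any "
                "ServerHello: it could not negotiate acceptable parameters from the %d "
                "offered cipher specs, so inspect the server's key material and enabled "
                "suites; the client certificate is only sent after a CertificateRequest "
                "and never took part in this exchange" % len(hello["ciphers"]))
    return "server alert: %s %s" % (alert["level"], alert["description"])

if __name__ == "__main__":
    hello = parse_ssl2_client_hello(dump_to_bytes(CLIENT_HELLO_DUMP))
    alert = parse_tls_alert(dump_to_bytes(ALERT_DUMP))
    print("ClientHello v%d.%d, %d cipher specs, %d-byte challenge"
          % (hello["version"] + (len(hello["ciphers"]), len(hello["challenge"]))))
    print("\n".join(cipher_name(s) for s in hello["ciphers"]))
    print(diagnose(hello, alert))
```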

RE: SSL handshake failure URGENT

2001-06-14 Thread GOMEZ Henri

Did you set the SERVER Common Name correctly?
It must match the server name (i.e. mybecane.com)

 # CA
 openssl req -new -out ca_req.pem -keyout ca_key.pem
 #pwd:pwd_ca
 #challenge_pwd:ch_ca
 #company name:THE_ORG

 # CLIENT
 openssl req -new -out cl_req.pem -keyout cl_key.pem
 #pwd:pwd_cl
 #ch_pwd:ch_cl
 #company name:THE_ORG 
 # SERVER
 openssl req -new -out sr_req.pem -keyout sr_key.pem
 #pwd:pwd_sr
 #ch_pwd:ch_sr
 #company name:THE_ORG 
 # CA AUTH 
 echo CA AUTH : enter CA password
 openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
 #pwd:pwd_ca
 rm ./demoCA/index.txt
 rm ./demoCA/serial
 echo > ./demoCA/index.txt
 echo 01 > ./demoCA/serial 

 # CLIENT AUTH BY CA 
 echo CL AUTH : enter CA password
 openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem 
-keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # SERVER AUTH BY CA 
 echo SR AUTH : enter CA password
 openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem 
-keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
 openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der

 # REMOVE PREVIOUS KEYSTORE
 rm /opt/tomcat-3-2-2/tomcat/conf/keystore

 # IMPORT SERVER CERT IN TOMCAT KEYSTORE
 echo IMPORT SR CERT : enter SR password
 /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias 
tomcat -file sr_cert.der -keystore 
/opt/tomcat-3-2-2/tomcat/conf/keystore
 #pwd:pwd_sr

 # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
 echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
 openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out 
cl_cert.p12
 #pwd:pwd_cl
 #exp_pwd:pwd_cl

 # CONNECTION TO THE TOMCAT SERVER
 openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
-key cl_key.pem -state