SSL Handshake failure

2003-03-20 Thread Davis, Jeremy
I set up a tomcat 3.3.1 system, with the ssl connector, JSSE, generated cert
and keystore, per documentation.

Every time I attempt to hit https://theserver:8443/ we get the below in the
console window for tomcat...

PoolTcpEndpoint: Handshake failed
javax.net.ssl.SSLException: bad handshake record MAC
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:56)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at org.apache.tomcat.util.net.JSSESocketFactory.handshake(JSSESocketFactory.java:270)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:479)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:516)
at java.lang.Thread.run(Thread.java:479)
ThreadPool: Caught exception executing
[EMAIL PROTECTED], terminating thread
java.lang.NullPointerException
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:498)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:516)
at java.lang.Thread.run(Thread.java:479)

Jeremy Davis
Senior Support Analyst
BPI Marketplace Integration
614.760.8941
1.800.436.8726 - Support Line





Re: SSL Handshake failure

2002-04-19 Thread Richard Priestley

Hi, 

On Friday 19 April 2002 3:47 pm, you wrote:
> Tomcat will not work with my imported Verisign certificate. Following is
> the debug output I get when I try to connect. Can anyone interpret this?
>
> Thanks in advance
>
> [read] MD5 and SHA1 hashes:  len = 3
> : ...
> [read] MD5 and SHA1 hashes:  len = 43
> : 
> 0010: 
> 0020: 
> HttpProcessor[8443][4], READ:  SSL v2, contentType = 22, translated length
> = 53
> *** ClientHello, v3.0
> RandomCookie:  GMT: 0 bytes = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 225,
> 89, 6, 40, 32, 38, 91, 62, 222, 23, 130, 66, 234, 101, 158, 2 }
> Session ID:  {}
> Cipher Suites:  { 0, 100, 0, 98, 0, 3, 0, 6, 0, 99 }
> Compression Methods:  { 0 }
> ***
> %% Created:  [Session-2, SSL_NULL_WITH_NULL_NULL]
> HttpProcessor[8443][4], SEND SSL v3.0 ALERT:  fatal, description =
> handshake_failure
> HttpProcessor[8443][4], WRITE:  SSL v3.0 Alert, length = 2

This is just a quick off the wall suggestion.  Is it because the two hosts 
can't agree on a common cipher suite?  The session seems to be created with a 
load of null algorithms.   This is usually because some browsers can only 
deal with RSA keys in your certificates, e.g. IE 5.5 and Netscape 4.x. and 
JSSE only has DSA keys/certs to play with.  Sorry I couldn't be more help.

Regards,
Richard
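
The check suggested in the reply above, as an added example that is not part of the original thread: it decodes the `Cipher Suites` bytes from the posted JSSE debug output and tests them against a server's key types. The enabled-suite sets and the client-order selection rule are assumptions made for illustration, and the names for 0x0062-0x0064 follow the expired 56-bit export cipher suite draft.

```python
import re

# code -> (RFC-style name, certificate key type the suite needs, export grade?)
# 0x0003-0x0013 are defined in RFC 2246. 0x0062-0x0064 were never standardised;
# their names follow the expired 56-bit export cipher suite draft (assumption).
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA", True),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RSA", False),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA", False),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "RSA", True),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", "RSA", False),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", False),
    0x0011: ("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "DSA", True),
    0x0012: ("TLS_DHE_DSS_WITH_DES_CBC_SHA", "DSA", False),
    0x0013: ("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "DSA", False),
    0x0062: ("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", "RSA", True),
    0x0063: ("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "DSA", True),
    0x0064: ("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", "RSA", True),
}

# Hypothetical server configurations (constructed, not taken from the thread).
RFC2246_SUITES = {c for c in SUITES if c < 0x0060}          # no draft suites
NON_EXPORT_SUITES = {c for c, s in SUITES.items() if not s[2]}  # hardened

# Debug lines copied from the quoted post, mail quote markers included.
SAMPLE_DEBUG = """\
> *** ClientHello, v3.0
> Session ID:  {}
> Cipher Suites:  { 0, 100, 0, 98, 0, 3, 0, 6, 0, 99 }
> Compression Methods:  { 0 }
"""


def parse_offered_suites(debug_text):
    """Return the 16-bit suite codes listed on the 'Cipher Suites:' line."""
    m = re.search(r"Cipher Suites:\s*\{([^}]*)\}", debug_text)
    if m is None:
        raise ValueError("no 'Cipher Suites' line found")
    # Only digits are collected, so line wraps and '>' markers are harmless.
    octets = [int(tok) for tok in re.findall(r"\d+", m.group(1))]
    if len(octets) % 2:
        raise ValueError("odd number of bytes in cipher suite list")
    return [(hi << 8) | lo for hi, lo in zip(octets[0::2], octets[1::2])]


def classify(codes):
    """Attach name, required key type and export flag to each offered code."""
    rows = []
    for code in codes:
        name, key_type, export = SUITES.get(
            code, ("UNKNOWN_0x%04X" % code, None, None))
        rows.append({"code": code, "name": name,
                     "key_type": key_type, "export": export})
    return rows


def select_suite(offered, keystore_key_types, server_enabled):
    """First offered suite the server enables and has a matching key for.

    Returns None when nothing matches, which is the case where the server
    answers with a fatal handshake_failure alert. Picking in client order
    is a simplification; a server may apply its own preference.
    """
    for code in offered:
        entry = SUITES.get(code)
        if entry and code in server_enabled and entry[1] in keystore_key_types:
            return code
    return None


def explain(offered, keystore_key_types, server_enabled):
    """One-line diagnosis for a given keystore and enabled-suite set."""
    chosen = select_suite(offered, keystore_key_types, server_enabled)
    if chosen is not None:
        return "negotiated " + SUITES[chosen][0]
    shared = [c for c in offered if c in server_enabled and c in SUITES]
    if not shared:
        return "handshake_failure: server enables none of the offered suites"
    needed = "/".join(sorted({SUITES[c][1] for c in shared}))
    have = "/".join(sorted(keystore_key_types))
    return "handshake_failure: shared suites need key type %s, keystore has %s" % (
        needed, have)


if __name__ == "__main__":
    offered = parse_offered_suites(SAMPLE_DEBUG)
    for row in classify(offered):
        print("0x%04X %-42s key=%s export=%s" % (
            row["code"], row["name"], row["key_type"], row["export"]))
    print("DSA keystore:", explain(offered, {"DSA"}, RFC2246_SUITES))
    print("RSA keystore:", explain(offered, {"RSA"}, RFC2246_SUITES))
    print("RSA, hardened:", explain(offered, {"RSA"}, NON_EXPORT_SUITES))
```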





SSL Handshake failure

2002-04-19 Thread Todd Lekan

Tomcat will not work with my imported Verisign certificate. Following is the
debug output I get when I try to connect. Can anyone interpret this? 
 
Thanks in advance
 
[read] MD5 and SHA1 hashes:  len = 3
: ...
[read] MD5 and SHA1 hashes:  len = 43
: 
0010: 
0020: 
HttpProcessor[8443][4], READ:  SSL v2, contentType = 22, translated length =
53
*** ClientHello, v3.0
RandomCookie:  GMT: 0 bytes = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 225, 89,
6, 40, 32, 38, 91, 62, 222, 23, 130, 66, 234, 101, 158, 2 }
Session ID:  {}
Cipher Suites:  { 0, 100, 0, 98, 0, 3, 0, 6, 0, 99 }
Compression Methods:  { 0 }
***
%% Created:  [Session-2, SSL_NULL_WITH_NULL_NULL]
HttpProcessor[8443][4], SEND SSL v3.0 ALERT:  fatal, description =
handshake_failure
HttpProcessor[8443][4], WRITE:  SSL v3.0 Alert, length = 2
 
Todd Lekan
 
 
 
 





RE: SSL handshake failure URGENT

2001-06-20 Thread Gomez Henri

> I use Linux RedHat 7, but it seems that SSL options were not taken into
> account with default launching of httpd (with httpd start) so I made
> first some modifications of httpd conf (specially putting on comment
> the  tags to make it taken into account, and made some mistakes
> maybe because httpd will not launch now :-)

On Redhat 7.0 you don't have to use my apache-mod_ssl since you
already have an Apache built with mod_ssl. Maybe you only have to
install mod_ssl.

> I (true)hope so that the packages I download from your site are the
> good
> ones (tomcat-3.2.2-1.noarch.rpm and
> apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm) even if I was surprised that
> apache-mod_ssl-1.3.19.2.8.3-1.i386.rpm was bigger (1.6M) than the next
> version apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm (879k)
> 
> I will give you Wednesday the next episode of my
> SSL/Linux/tomcat/apache adventure.
> 
> > PS: Did you have a Linux boxes, I've packaged easy to use 
> > RPM which will let you install apache-mod_ssl, tomcat and 
> > mod_jk in less than 30 mins
> > 
> > http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
> > http://www.falsehope.com/ftp-site/home/gomez/tomcat/
> > 
> > Redhat 7.0/7.1 users already have an Apache using mod_ssl
> > 
> > -
> > Henri Gomez ___[_]
> > EMAIL : [EMAIL PROTECTED](. .) 
> > PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> > PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
> > 
> > 
> > 
> > >-Original Message-
> > >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> > >Sent: Monday, June 18, 2001 11:41 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: RE: SSL handshake failure URGENT
> > >
> > >
> > >I would try to do that following a document you wrote about 
> > >SSL via apache, but I was a little lost in your indication
> > >(for example some Jk... directives are not recognized, 
> > >[JkExtractSSL, ...] ) and I don't have a mod_jk.so module to load)
> > >
> > >> Could you try the server cert on apache/SSL or Apache-mod_ssl
> > >> and see if it works ?
> > >> 
> > >> 
> > >> 
> > >> -
> > >> Henri Gomez ___[_]
> > >> EMAIL : [EMAIL PROTECTED]    (. .) 
> > >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> > >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
> > >> 
> > >> 
> > >> 
> > >> >-Original Message-
> > >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> > >> >Sent: Monday, June 18, 2001 10:05 AM
> > >> >To: [EMAIL PROTECTED]
> > >> >Subject: RE: SSL handshake failure URGENT
> > >> >
> > >> >
> > >> >
> > >> >Of sure, there it is.
> > >> >
> > >> >
> > >> >> Could you retry with openssl s_client in full debug mode ?
> > >> >> 
> > >> >> -
> > >> >> Henri Gomez ___[_]
> > >> >> EMAIL : [EMAIL PROTECTED](. .) 
> > >> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> > >> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
> > >> >> 
> > >> >> 
> > >> >> 
> > >> >> >-Original Message-
> > >> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> > >> >> >Sent: Friday, June 15, 2001 12:21 PM
> > >> >> >To: [EMAIL PROTECTED]
> > >> >> >Subject: RE: SSL handshake failure URGENT
> > >> >> >
> > >> >> >
> > >> >> >So, every seems to be well configured, but I always get this
> > >> >> >handshake error, what could be the problem in that case ?
> > >> >> >
> > >> >> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
> > >> >> >-key cl_key.pem -state 
> > >> >> >Enter PEM pass phrase:
> > >> >> >CONNECTED(0003)
> > >> >> >SSL_connect:before/connect initialization
> > >> >> >SSL_connect:SSLv2/v3 write client hello A
> > >> >> >SSL3 alert read:fatal:handshake failure
> > >> >> >SSL_connect:error in SSLv2/v3 read server hello A
> > >>

RE: SSL handshake failure URGENT

2001-06-18 Thread Phillip Kuzma \(Support\)
 smime.p7m


RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.


The rpm installation of apache (1.3.20) failed because it claims openssl >= 0.9.6 (that
I installed) and because there are a lot of conflicts with the previous version of apache
(1.3.12).
I am not a big aficionado of Linux fine configuration and tuning but I am compelled
to work on this platform. Do you have a magic (rpm or not) package that I just may
click on to auto-configure and update the components I already have ?


> PS: Did you have a Linux boxes, I've packaged easy to use
> RPM which will let you install apache-mod_ssl, tomcat and
> mod_jk in less than 30 mins

> http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
> http://www.falsehope.com/ftp-site/home/gomez/tomcat/
>
> Redhat 7.0/7.1 users already have an Apache using mod_ssl
>
> -
> Henri Gomez ___[_]
> EMAIL : [EMAIL PROTECTED](. .)
> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>
>
>
> >-Original Message-
> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, June 18, 2001 11:41 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: SSL handshake failure URGENT
> >
> >
> >I would try to do that following a document you wrote about
> >SSL via apache, but I was a little lost in your indication
> >(for example some Jk... directives are not recognized,
> >[JkExtractSSL, ...] ) and I don't have a mod_jk.so module to load)
> >
> >> Could you try the server cert on apache/SSL or Apache-mod_ssl
> >> and see if it works ?
> >>
> >>
> >>
> >> -
> >> Henri Gomez ___[_]
> >> EMAIL : [EMAIL PROTECTED](. .)
> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >>
> >>
> >>
> >> >-Original Message-
> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >> >Sent: Monday, June 18, 2001 10:05 AM
> >> >To: [EMAIL PROTECTED]
> >> >Subject: RE: SSL handshake failure URGENT
> >> >
> >> >
> >> >
> >> >Of sure, there it is.
> >> >
> >> >
> >> >> Could you retry with openssl s_client in full debug mode ?
> >> >>
> >> >> -
> >> >> Henri Gomez ___[_]
> >> >> EMAIL : [EMAIL PROTECTED](. .)
> >> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> >> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >> >>
> >> >>
> >> >>
> >> >> >-Original Message-
> >> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >> >> >Sent: Friday, June 15, 2001 12:21 PM
> >> >> >To: [EMAIL PROTECTED]
> >> >> >Subject: RE: SSL handshake failure URGENT
> >> >> >
> >> >> >
> >> >> >So, every seems to be well configured, but I always get this
> >> >> >handshake error, what could be the problem in that case ?
> >> >> >
> >> >> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
> >> >> >-key cl_key.pem -state
> >> >> >Enter PEM pass phrase:
> >> >> >CONNECTED(0003)
> >> >> >SSL_connect:before/connect initialization
> >> >> >SSL_connect:SSLv2/v3 write client hello A
> >> >> >SSL3 alert read:fatal:handshake failure
> >> >> >SSL_connect:error in SSLv2/v3 read server hello A
> >> >> >
> >> >> >
> >> >> >> >ok now it's done, but same error
> >> >> >> >HandShake Failure
> >> >> >> >
> >> >> >> >I made the new server request, the new server certification,
> >> >> >> >the new server x509 conversion, and the new server
> >into tomcat
> >> >> >> >keystore importation
> >> >> >> >
> >> >> >> >(I send you the new server certificate)
> >> >> >> >
> >> >> >> >must we also replace to CN of the client ? (I didn't do it)
> >> >> >> >maybe the CN of the CA ?
> >> >> >> >
> >> >> >> CN of you client could be what you want
> >> >> >>
> >> >> >> >
> >> >> >> >> The probl

AW: SSL handshake failure URGENT

2001-06-18 Thread Thomas Bezdicek

hi,
try to start apache with httpd startssl instead

regards, tom

> -Original Message-
> From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 18 June 2001 18:22
> To: [EMAIL PROTECTED]
> Subject: RE: SSL handshake failure URGENT
>
>
> ok, thanks Henri and Tim
>
> I use Linux RedHat 7, but it seems that SSL options was not taken
> in account with default launching of httpd (with httpd start) so
> I made first some modifications of httpd conf (specially putting
> on comment the  tags to make it taken in account,
> and made some mistakes maybe cause httpd will not launch now :-)
>
> I (true)hope so that the packages I download from your site are
> the good ones (tomcat-3.2.2-1.noarch.rpm and
> apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm) even if I was surprised
> that apache-mod_ssl-1.3.19.2.8.3-1.i386.rpm was bigger (1.6M)
> than the next version apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm (879k)
>
> I will give you Wednesday the next episode of my
> SSL/Linux/tomcat/apache adventure.
>
> > PS: Did you have a Linux boxes, I've packaged easy to use
> > RPM which will let you install apache-mod_ssl, tomcat and
> > mod_jk in less than 30 mins
> >
> > http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
> > http://www.falsehope.com/ftp-site/home/gomez/tomcat/
> >
> > Redhat 7.0/7.1 users already have an Apache using mod_ssl
> >
> > -
> > Henri Gomez ___[_]
> > EMAIL : [EMAIL PROTECTED](. .)
> > PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> > PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >
> >
> >
> > >-Original Message-
> > >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> > >Sent: Monday, June 18, 2001 11:41 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: RE: SSL handshake failure URGENT
> > >
> > >
> > >I would try to do that following a document you wrote about
> > >SSL via apache, but I was a little lost in your indication
> > >(for example some Jk... directives are not recognized,
> > >[JkExtractSSL, ...] ) and I don't have a mod_jk.so module to load)
> > >
> > >> Could you try the server cert on apache/SSL or Apache-mod_ssl
> > >> and see if it works ?
> > >>
> > >>
> > >>
> > >> -
> > >> Henri Gomez ___[_]____
> > >> EMAIL : [EMAIL PROTECTED](. .)
> > >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> > >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> > >>
> > >>
> > >>
> > >> >-Original Message-
> > >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> > >> >Sent: Monday, June 18, 2001 10:05 AM
> > >> >To: [EMAIL PROTECTED]
> > >> >Subject: RE: SSL handshake failure URGENT
> > >> >
> > >> >
> > >> >
> > >> >Of sure, there it is.
> > >> >
> > >> >
> > >> >> Could you retry with openssl s_client in full debug mode ?
> > >> >>
> > >> >> -
> > >> >> Henri Gomez ___[_]
> > >> >> EMAIL : [EMAIL PROTECTED](. .)
> > >> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> > >> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> > >> >>
> > >> >>
> > >> >>
> > >> >> >-Original Message-
> > >> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> > >> >> >Sent: Friday, June 15, 2001 12:21 PM
> > >> >> >To: [EMAIL PROTECTED]
> > >> >> >Subject: RE: SSL handshake failure URGENT
> > >> >> >
> > >> >> >
> > >> >> >So, every seems to be well configured, but I always get this
> > >> >> >handshake error, what could be the problem in that case ?
> > >> >> >
> > >> >> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
> > >> >> >-key cl_key.pem -state
> > >> >> >Enter PEM pass phrase:
> > >> >> >CONNECTED(0003)
> > >> >> >SSL_connect:before/connect initialization
> > >> >> >SSL_connect:SSLv2/v3 write client hello A
> > >> >> >SSL3 alert read:fatal:handshake failure
> > >

RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.

ok, thanks Henri and Tim

I use Linux RedHat 7, but it seems that SSL options were not taken into account with
default launching of httpd (with httpd start) so I made first some modifications of
httpd conf (specially putting on comment the  tags to make it taken into
account, and made some mistakes maybe because httpd will not launch now :-)

I (true)hope so that the packages I download from your site are the good ones
(tomcat-3.2.2-1.noarch.rpm and apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm) even if I was
surprised that apache-mod_ssl-1.3.19.2.8.3-1.i386.rpm was bigger (1.6M) than the next
version apache-mod_ssl-1.3.20.2.8.4-2.i386.rpm (879k)

I will give you Wednesday the next episode of my SSL/Linux/tomcat/apache adventure.

> PS: Did you have a Linux boxes, I've packaged easy to use
> RPM which will let you install apache-mod_ssl, tomcat and
> mod_jk in less than 30 mins
>
> http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
> http://www.falsehope.com/ftp-site/home/gomez/tomcat/
>
> Redhat 7.0/7.1 users already have an Apache using mod_ssl
>
> -
> Henri Gomez ___[_]
> EMAIL : [EMAIL PROTECTED](. .)
> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>
>
>
> >-Original Message-
> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, June 18, 2001 11:41 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: SSL handshake failure URGENT
> >
> >
> >I would try to do that following a document you wrote about
> >SSL via apache, but I was a little lost in your indication
> >(for example some Jk... directives are not recognized,
> >[JkExtractSSL, ...] ) and I don't have a mod_jk.so module to load)
> >
> >> Could you try the server cert on apache/SSL or Apache-mod_ssl
> >> and see if it works ?
> >>
> >>
> >>
> >> -
> >> Henri Gomez ___[_]
> >> EMAIL : [EMAIL PROTECTED](. .)
> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >>
> >>
> >>
> >> >-Original Message-
> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >> >Sent: Monday, June 18, 2001 10:05 AM
> >> >To: [EMAIL PROTECTED]
> >> >Subject: RE: SSL handshake failure URGENT
> >> >
> >> >
> >> >
> >> >Of sure, there it is.
> >> >
> >> >
> >> >> Could you retry with openssl s_client in full debug mode ?
> >> >>
> >> >> -
> >> >> Henri Gomez ___[_]
> >> >> EMAIL : [EMAIL PROTECTED](. .)
> >> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> >> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >> >>
> >> >>
> >> >>
> >> >> >-Original Message-
> >> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >> >> >Sent: Friday, June 15, 2001 12:21 PM
> >> >> >To: [EMAIL PROTECTED]
> >> >> >Subject: RE: SSL handshake failure URGENT
> >> >> >
> >> >> >
> >> >> >So, every seems to be well configured, but I always get this
> >> >> >handshake error, what could be the problem in that case ?
> >> >> >
> >> >> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
> >> >> >-key cl_key.pem -state
> >> >> >Enter PEM pass phrase:
> >> >> >CONNECTED(0003)
> >> >> >SSL_connect:before/connect initialization
> >> >> >SSL_connect:SSLv2/v3 write client hello A
> >> >> >SSL3 alert read:fatal:handshake failure
> >> >> >SSL_connect:error in SSLv2/v3 read server hello A
> >> >> >
> >> >> >
> >> >> >> >ok now it's done, but same error
> >> >> >> >HandShake Failure
> >> >> >> >
> >> >> >> >I made the new server request, the new server certification,
> >> >> >> >the new server x509 conversion, and the new server
> >into tomcat
> >> >> >> >keystore importation
> >> >> >> >
> >> >> >> >(I send you the new server certificate)
> >> >> >> >
> >> >> >> >must we also replace to CN of the client ? (I didn'

RE: SSL handshake failure URGENT

2001-06-18 Thread GOMEZ Henri

If you use Apache-mod_ssl (apache with mod_ssl), you don't
need to do anything in mod_jk.conf since its default config
is for Apache + mod_ssl.

PS: Do you have a Linux box? I've packaged easy-to-use
RPMs which will let you install apache-mod_ssl, tomcat and
mod_jk in less than 30 mins

http://www.falsehope.com/ftp-site/home/gomez/apache-mod_ssl/
http://www.falsehope.com/ftp-site/home/gomez/tomcat/

Redhat 7.0/7.1 users already have an Apache using mod_ssl

-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



>-Original Message-
>From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
>Sent: Monday, June 18, 2001 11:41 AM
>To: [EMAIL PROTECTED]
>Subject: RE: SSL handshake failure URGENT
>
>
>I would try to do that following a document you wrote about 
>SSL via apache, but I was a little lost in your indication
>(for example some Jk... directives are not recognized, 
>[JkExtractSSL, ...] ) and I don't have a mod_jk.so module to load)
>
>> Could you try the server cert on apache/SSL or Apache-mod_ssl
>> and see if it works ?
>> 
>> 
>> 
>> -
>> Henri Gomez ___[_]
>> EMAIL : [EMAIL PROTECTED](. .) 
>> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
>> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
>> 
>> 
>> 
>> >-Original Message-----
>> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
>> >Sent: Monday, June 18, 2001 10:05 AM
>> >To: [EMAIL PROTECTED]
>> >Subject: RE: SSL handshake failure URGENT
>> >
>> >
>> >
>> >Of sure, there it is.
>> >
>> >
>> >> Could you retry with openssl s_client in full debug mode ?
>> >> 
>> >> -
>> >> Henri Gomez ___[_]
>> >> EMAIL : [EMAIL PROTECTED](. .) 
>> >> PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
>> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
>> >> 
>> >> 
>> >> 
>> >> >-Original Message-
>> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
>> >> >Sent: Friday, June 15, 2001 12:21 PM
>> >> >To: [EMAIL PROTECTED]
>> >> >Subject: RE: SSL handshake failure URGENT
>> >> >
>> >> >
>> >> >So, every seems to be well configured, but I always get this
>> >> >handshake error, what could be the problem in that case ?
>> >> >
>> >> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
>> >> >-key cl_key.pem -state 
>> >> >Enter PEM pass phrase:
>> >> >CONNECTED(0003)
>> >> >SSL_connect:before/connect initialization
>> >> >SSL_connect:SSLv2/v3 write client hello A
>> >> >SSL3 alert read:fatal:handshake failure
>> >> >SSL_connect:error in SSLv2/v3 read server hello A
>> >> >
>> >> >
>> >> >> >ok now it's done, but same error
>> >> >> >HandShake Failure
>> >> >> >
>> >> >> >I made the new server request, the new server certification, 
>> >> >> >the new server x509 conversion, and the new server 
>into tomcat 
>> >> >> >keystore importation
>> >> >> >
>> >> >> >(I send you the new server certificate)
>> >> >> >
>> >> >> >must we also replace to CN of the client ? (I didn't do it)
>> >> >> >maybe the CN of the CA ?
>> >> >> >
>> >> >> CN of you client could be what you want
>> >> >> 
>> >> >> >
>> >> >> >> The problem is in the CN of the server cert :
>> >> >> >> 
>> >> >> >> replace CN=server by CN=thehostname !!!
>> >> >> >> 
>> >> >> >> Certificate:
>> >> >> >> Data:
>> >> >> >> Version: 3 (0x2)
>> >> >> >> Serial Number: 2 (0x2)
>> >> >> >> Signature Algorithm: md5WithRSAEncryption
>> >> >> >> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, 
>> >> >> >OU=UNIT, CN=ca
>> &g

RE: SSL handshake failure URGENT

2001-06-18 Thread Tim O'Neil

At 02:41 AM 6/18/2001, you wrote:
>I would try to do that following a document you wrote about SSL via 
>apache, but I was a little lost in your indication
>(for example some Jk... directives are not recognized, [JkExtractSSL, ...] 
>) and I don't have a mod_jk.so module to load)

I know that a real (or non-test) cert works
with Apache/tomcat. There's documentation on
the Apache site for using mod_ssl, and also
search the net for more info. I don't have
the urls handy, but I was able to mine the net
for urls to some good info on using ssl with
Apache, Tomcat, and others. Also, I was never
able to get Tomcat standalone to use a real cert.




RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.

I would try to do that following a document you wrote about SSL via apache, but I was 
a little lost in your indication
(for example some Jk... directives are not recognized, [JkExtractSSL, ...] ) and I 
don't have a mod_jk.so module to load)

> Could you try the server cert on apache/SSL or Apache-mod_ssl
> and see if it works ?
>
>
>
> -
> Henri Gomez ___[_]
> EMAIL : [EMAIL PROTECTED](. .)
> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>
>
>
> >-Original Message-
> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, June 18, 2001 10:05 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: SSL handshake failure URGENT
> >
> >
> >
> >Of sure, there it is.
> >
> >
> >> Could you retry with openssl s_client in full debug mode ?
> >>
> >> -
> >> Henri Gomez ___[_]
> >> EMAIL : [EMAIL PROTECTED](. .)
> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >>
> >>
> >>
> >> >-Original Message-
> >> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >> >Sent: Friday, June 15, 2001 12:21 PM
> >> >To: [EMAIL PROTECTED]
> >> >Subject: RE: SSL handshake failure URGENT
> >> >
> >> >
> >> >So, every seems to be well configured, but I always get this
> >> >handshake error, what could be the problem in that case ?
> >> >
> >> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
> >> >-key cl_key.pem -state
> >> >Enter PEM pass phrase:
> >> >CONNECTED(0003)
> >> >SSL_connect:before/connect initialization
> >> >SSL_connect:SSLv2/v3 write client hello A
> >> >SSL3 alert read:fatal:handshake failure
> >> >SSL_connect:error in SSLv2/v3 read server hello A
> >> >
> >> >
> >> >> >ok now it's done, but same error
> >> >> >HandShake Failure
> >> >> >
> >> >> >I made the new server request, the new server certification,
> >> >> >the new server x509 conversion, and the new server into tomcat
> >> >> >keystore importation
> >> >> >
> >> >> >(I send you the new server certificate)
> >> >> >
> >> >> >must we also replace to CN of the client ? (I didn't do it)
> >> >> >maybe the CN of the CA ?
> >> >> >
> >> >> CN of you client could be what you want
> >> >>
> >> >> >
> >> >> >> The problem is in the CN of the server cert :
> >> >> >>
> >> >> >> replace CN=server by CN=thehostname !!!
> >> >> >>
> >> >> >> Certificate:
> >> >> >> Data:
> >> >> >> Version: 3 (0x2)
> >> >> >> Serial Number: 2 (0x2)
> >> >> >> Signature Algorithm: md5WithRSAEncryption
> >> >> >> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG,
> >> >> >OU=UNIT, CN=ca
> >> >> >> Validity
> >> >> >> Not Before: Jun 14 08:47:55 2001 GMT
> >> >> >> Not After : Jun 14 08:47:55 2002 GMT
> >> >> >> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
> >> >> >> Subject Public Key Info:
> >> >> >> Public Key Algorithm: rsaEncryption
> >> >> >> RSA Public Key: (1024 bit)
> >> >> >> Modulus (1024 bit):
> >> >

RE: SSL handshake failure URGENT

2001-06-18 Thread GOMEZ Henri

Could you try the server cert on apache/SSL or Apache-mod_ssl
and see if it works ?



-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



>-Original Message-
>From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
>Sent: Monday, June 18, 2001 10:05 AM
>To: [EMAIL PROTECTED]
>Subject: RE: SSL handshake failure URGENT
>
>
>
>Of sure, there it is.
>
>
>> Could you retry with openssl s_client in full debug mode ?
>> 
>> -
>> Henri Gomez ___[_]
>> EMAIL : [EMAIL PROTECTED](. .) 
>> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
>> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
>> 
>> 
>> 
>> >-Original Message-
>> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
>> >Sent: Friday, June 15, 2001 12:21 PM
>> >To: [EMAIL PROTECTED]
>> >Subject: RE: SSL handshake failure URGENT
>> >
>> >
>> >So, every seems to be well configured, but I always get this
>> >handshake error, what could be the problem in that case ?
>> >
>> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
>> >-key cl_key.pem -state 
>> >Enter PEM pass phrase:
>> >CONNECTED(0003)
>> >SSL_connect:before/connect initialization
>> >SSL_connect:SSLv2/v3 write client hello A
>> >SSL3 alert read:fatal:handshake failure
>> >SSL_connect:error in SSLv2/v3 read server hello A
>> >
>> >
>> >> >ok now it's done, but same error
>> >> >HandShake Failure
>> >> >
>> >> >I made the new server request, the new server certification, 
>> >> >the new server x509 conversion, and the new server into tomcat 
>> >> >keystore importation
>> >> >
>> >> >(I send you the new server certificate)
>> >> >
>> >> >must we also replace to CN of the client ? (I didn't do it)
>> >> >maybe the CN of the CA ?
>> >> >
>> >> CN of you client could be what you want
>> >> 
>> >> >
>> >> >> The problem is in the CN of the server cert :
>> >> >> 
>> >> >> replace CN=server by CN=thehostname !!!
>> >> >> 
>> >> >> Certificate:
>> >> >> Data:
>> >> >> Version: 3 (0x2)
>> >> >> Serial Number: 2 (0x2)
>> >> >> Signature Algorithm: md5WithRSAEncryption
>> >> >> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, 
>> >> >OU=UNIT, CN=ca
>> >> >> Validity
>> >> >> Not Before: Jun 14 08:47:55 2001 GMT
>> >> >> Not After : Jun 14 08:47:55 2002 GMT
>> >> >> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
>> >> >> Subject Public Key Info:
>> >> >> Public Key Algorithm: rsaEncryption
>> >> >> RSA Public Key: (1024 bit)
>> >> >> Modulus (1024 bit):
>> >> >> Exponent: 65537 (0x10001)
>> >> >> X509v3 extensions:
>> >> >> X509v3 Basic Constraints: 
>> >> >> CA:FALSE
>> >> >> Netscape Comment: 
>> >> >> OpenSSL Generated Certificate
>> >> >> X509v3 Subject Key Identifier: 
>> >> >> 
>> >> >44:

RE: SSL handshake failure URGENT

2001-06-18 Thread Jean-Etienne G.


Of sure, there it is.


> Could you retry with openssl s_client in full debug mode ?
>
> -
> Henri Gomez ___[_]
> EMAIL : [EMAIL PROTECTED](. .)
> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>
>
>
> >-Original Message-
> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, June 15, 2001 12:21 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: SSL handshake failure URGENT
> >
> >
> >So, every seems to be well configured, but I always get this
> >handshake error, what could be the problem in that case ?
> >
> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
> >-key cl_key.pem -state
> >Enter PEM pass phrase:
> >CONNECTED(0003)
> >SSL_connect:before/connect initialization
> >SSL_connect:SSLv2/v3 write client hello A
> >SSL3 alert read:fatal:handshake failure
> >SSL_connect:error in SSLv2/v3 read server hello A
> >
> >
> >> >ok now it's done, but same error
> >> >HandShake Failure
> >> >
> >> >I made the new server request, the new server certification,
> >> >the new server x509 conversion, and the new server into tomcat
> >> >keystore importation
> >> >
> >> >(I send you the new server certificate)
> >> >
> >> >must we also replace to CN of the client ? (I didn't do it)
> >> >maybe the CN of the CA ?
> >> >
> >> CN of you client could be what you want
> >>
> >> >
> >> >> The problem is in the CN of the server cert :
> >> >>
> >> >> replace CN=server by CN=thehostname !!!
> >> >>
> >> >> Certificate:
> >> >> Data:
> >> >> Version: 3 (0x2)
> >> >> Serial Number: 2 (0x2)
> >> >> Signature Algorithm: md5WithRSAEncryption
> >> >> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG,
> >> >OU=UNIT, CN=ca
> >> >> Validity
> >> >> Not Before: Jun 14 08:47:55 2001 GMT
> >> >> Not After : Jun 14 08:47:55 2002 GMT
> >> >> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
> >> >> Subject Public Key Info:
> >> >> Public Key Algorithm: rsaEncryption
> >> >> RSA Public Key: (1024 bit)
> >> >> Modulus (1024 bit):
> >> >> 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
> >> >> f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
> >> >> 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
> >> >> a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
> >> >> a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
> >> >> 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
> >> >> 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
> >> >> e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
> >> >> 3b:c3:9f:ac:e3:5e:77:cb:7b
> >> >> Exponent: 65537 (0x10001)
> >> >> X509v3 extensions:
> >> >> X509v3 Basic Constraints:
> >> >> CA:FALSE
> >> >> Netscape Comment:
> >> >> OpenSSL Generated Certificate
> >> >> X509v3 Subject Key Identifier:
> >> >>
> >> >44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
> >> >> X509v3 Authority Key Identifier:
> >> >>
> >> >> keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
> >> >>
> >> >> DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
> >> >> serial:00
> >> >>
> >> >> Signature Algorithm: md5WithRSAEncryption
> >> >> 05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
> >> >> 97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
> >> >> 28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
> >> >> be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
> >> >> 7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
> >> >> b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
> >> >> 94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
> >> >> 20:a8
> >> >>
> >> >>
> >> >>
> >> >> -
> >> >> Henri Gomez ___[_]
> >> >> EMAIL : [EMAIL PROTECTED](. .)
> >> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> >> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >> >>
> >> >
> >> >
> >> >
> >> >
> >>
> >
> >
> >
> >
>




 error2.txt


RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

> Could you retry with openssl s_client in full debug mode ?

Here it is, for me it's like Chinese:

[arcade2]# openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state -debug
Enter PEM pass phrase:
CONNECTED(0003)
SSL_connect:before/connect initialization
write to 08156A30 [08157E98] (124 bytes => 124 (0x7C))
 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .zQ... .
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .f..
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 61 bf 17 f2   a...
0060 - 3c c8 5d 69 0a 5c d9 28-e6 9c fe 89 bc 0b 53 13   <.]i.\.(..S.
0070 - 63 4d 3e 55 27 4d 38 86-5c 78 a8 e2   cM>U'M8.\x..
SSL_connect:SSLv2/v3 write client hello A
read from 08156A30 [0815D3F8] (7 bytes => 7 (0x7))
 - 15 03 01 00 02 02 28  ..(
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
1754:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:453:



> Could you retry with openssl s_client in full debug mode ?
>
> -
> Henri Gomez ___[_]
> EMAIL : [EMAIL PROTECTED](. .)
> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>
>
>
> >-Original Message-
> >From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, June 15, 2001 12:21 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: SSL handshake failure URGENT
> >
> >
> >So, everything seems to be well configured, but I always get this
> >handshake error, what could be the problem in that case ?
> >
> ># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem
> >-key cl_key.pem -state
> >Enter PEM pass phrase:
> >CONNECTED(0003)
> >SSL_connect:before/connect initialization
> >SSL_connect:SSLv2/v3 write client hello A
> >SSL3 alert read:fatal:handshake failure
> >SSL_connect:error in SSLv2/v3 read server hello A
> >
> >
> >> >ok now it's done, but same error
> >> >HandShake Failure
> >> >
> >> >I made the new server request, the new server certification,
> >> >the new server x509 conversion, and the new server into tomcat
> >> >keystore importation
> >> >
> >> >(I send you the new server certificate)
> >> >
> >> >must we also replace the CN of the client ? (I didn't do it)
> >> >maybe the CN of the CA ?
> >> >
> >> CN of your client could be what you want
> >>
> >> >
> >> >> The problem is in the CN of the server cert :
> >> >>
> >> >> replace CN=server by CN=thehostname !!!
> >> >>
> >> >> Certificate:
> >> >> Data:
> >> >> Version: 3 (0x2)
> >> >> Serial Number: 2 (0x2)
> >> >> Signature Algorithm: md5WithRSAEncryption
> >> >> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG,
> >> >OU=UNIT, CN=ca
> >> >> Validity
> >> >> Not Before: Jun 14 08:47:55 2001 GMT
> >> >> Not After : Jun 14 08:47:55 2002 GMT
> >> >> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
> >> >> Subject Public Key Info:
> >> >> Public Key Algorithm: rsaEncryption
> >> >> RSA Public Key: (1024 bit)
> >> >> Modulus (1024 bit):
> >> >> 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
> >> >> f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
> >> >> 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
> >> >> a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
> >> >> a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
> >> >> 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
> >> >> 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
> >> >> e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
> >> >> 3b:c3:9f:ac:e3:5e:77:cb:7b
> >> >> Exponent: 65537 (0x10001)
> >> >> X509v3 extensions:
> >&
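
An added example (not part of the original message): a Python decoder for the two records in the `-debug` dump above, with the bytes copied from the "write to" and "read from" lines. It shows what the client offered and what the server's 7-byte reply means; the function and constant names are this example's own.

```python
import struct


def _hex(text):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


# Bytes copied from the "write to" lines of the dump (124 bytes).
CLIENT_HELLO = _hex("""
    80 7a 01 03 01 00 51 00 00 00 20 00 00 16 00 00
    13 00 00 0a 07 00 c0 00 00 66 00 00 05 00 00 04
    03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00
    00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00
    12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
    00 00 06 00 00 03 04 00 80 02 00 80 61 bf 17 f2
    3c c8 5d 69 0a 5c d9 28 e6 9c fe 89 bc 0b 53 13
    63 4d 3e 55 27 4d 38 86 5c 78 a8 e2
""")
# Bytes copied from the "read from" line (the server's whole reply).
SERVER_REPLY = _hex("15 03 01 00 02 02 28")

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS 1.0 alert descriptions (RFC 2246).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 48: "unknown_ca"}
# A few of the offered suites, by their registered numbers.
SUITE_NAMES = {0x0004: "RSA_WITH_RC4_128_MD5", 0x0005: "RSA_WITH_RC4_128_SHA",
               0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
               0x0013: "DHE_DSS_WITH_3DES_EDE_CBC_SHA",
               0x0016: "DHE_RSA_WITH_3DES_EDE_CBC_SHA"}


def parse_v2_client_hello(data):
    """Parse an SSLv2-format ClientHello (what 'SSLv2/v3 write client hello' sends)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record with a 2-byte header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:]
    if len(body) != rec_len or rec_len < 9:
        raise ValueError("record length does not match the data")
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError("not a ClientHello")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        raise ValueError("inconsistent field lengths")
    tls_suites, v2_kinds = [], []
    for i in range(9, 9 + cs_len, 3):
        spec = body[i:i + 3]
        if spec[0] == 0:            # 00 xx yy: an SSLv3/TLS cipher suite
            tls_suites.append(int.from_bytes(spec[1:], "big"))
        else:                       # anything else: an SSLv2-only cipher kind
            v2_kinds.append(spec.hex())
    return {"record_length": rec_len, "version": (major, minor),
            "session_id_length": sid_len, "tls_suites": tls_suites,
            "v2_kinds": v2_kinds, "challenge": body[9 + cs_len + sid_len:]}


def parse_tls_record(data):
    """Parse one SSLv3/TLS record header and, for alerts, the 2-byte body."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, major, minor, length = struct.unpack(">BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    rec = {"content_type": ctype, "version": (major, minor), "length": length}
    if ctype == 21:                 # 21 = alert
        if length != 2:
            raise ValueError("an unencrypted alert is exactly 2 bytes")
        rec["alert_level"] = ALERT_LEVELS.get(payload[0], "unknown")
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(
            payload[1], "alert %d" % payload[1])
    return rec


if __name__ == "__main__":
    hello = parse_v2_client_hello(CLIENT_HELLO)
    print("client asks for version %d.%d" % hello["version"])
    for suite in hello["tls_suites"]:
        print("  offers 0x%04x %s" % (suite, SUITE_NAMES.get(suite, "")))
    print("  plus %d SSLv2-only cipher kinds" % len(hello["v2_kinds"]))
    print("server reply:", parse_tls_record(SERVER_REPLY))
```

The reply decodes as a fatal `handshake_failure` (40) alert in a TLS 1.0 record, and it arrives in place of a ServerHello, so the server refused the ClientHello before sending any certificate of its own.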

RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

Could you retry with openssl s_client in full debug mode ?

-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



>-Original Message-
>From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
>Sent: Friday, June 15, 2001 12:21 PM
>To: [EMAIL PROTECTED]
>Subject: RE: SSL handshake failure URGENT
>
>
>So, everything seems to be well configured, but I always get this
>handshake error, what could be the problem in that case ?
>
># openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
>-key cl_key.pem -state 
>Enter PEM pass phrase:
>CONNECTED(0003)
>SSL_connect:before/connect initialization
>SSL_connect:SSLv2/v3 write client hello A
>SSL3 alert read:fatal:handshake failure
>SSL_connect:error in SSLv2/v3 read server hello A
>
>
>> >ok now it's done, but same error
>> >HandShake Failure
>> >
>> >I made the new server request, the new server certification, 
>> >the new server x509 conversion, and the new server into tomcat 
>> >keystore importation
>> >
>> >(I send you the new server certificate)
>> >
>> >must we also replace the CN of the client ? (I didn't do it)
>> >maybe the CN of the CA ?
>> >
>> CN of your client could be what you want
>> 
>> >
>> >> The problem is in the CN of the server cert :
>> >> 
>> >> replace CN=server by CN=thehostname !!!
>> >> 
>> >> Certificate:
>> >> Data:
>> >> Version: 3 (0x2)
>> >> Serial Number: 2 (0x2)
>> >> Signature Algorithm: md5WithRSAEncryption
>> >> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, 
>> >OU=UNIT, CN=ca
>> >> Validity
>> >> Not Before: Jun 14 08:47:55 2001 GMT
>> >> Not After : Jun 14 08:47:55 2002 GMT
>> >> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
>> >> Subject Public Key Info:
>> >> Public Key Algorithm: rsaEncryption
>> >> RSA Public Key: (1024 bit)
>> >> Modulus (1024 bit):
>> >> 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
>> >> f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
>> >> 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
>> >> a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
>> >> a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
>> >> 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
>> >> 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
>> >> e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
>> >> 3b:c3:9f:ac:e3:5e:77:cb:7b
>> >> Exponent: 65537 (0x10001)
>> >> X509v3 extensions:
>> >> X509v3 Basic Constraints: 
>> >> CA:FALSE
>> >> Netscape Comment: 
>> >> OpenSSL Generated Certificate
>> >> X509v3 Subject Key Identifier: 
>> >> 
>> >44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
>> >> X509v3 Authority Key Identifier: 
>> >>  
>> >> keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
>> >>  
>> >> DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
>> >> serial:00
>> >> 
>> >> Signature Algorithm: md5WithRSAEncryption
>> >> 05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
>> >> 97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
>> >> 28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
>> >> be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
>> >> 7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
>> >> b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
>> >> 94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
>> >> 20:a8
>> >> 
>> >> 
>> >> 
>> >> -
>> >> Henri Gomez ___[_]
>> >> EMAIL : [EMAIL PROTECTED](. .) 
>> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
>> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
>> >> 
>> >
>> >
>> >
>> >
>> 
>
>
>
>



RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

So, everything seems to be well configured, but I always get this
handshake error, what could be the problem in that case ?

# openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state
Enter PEM pass phrase:
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A


> >ok now it's done, but same error
> >HandShake Failure
> >
> >I made the new server request, the new server certification,
> >the new server x509 conversion, and the new server into tomcat
> >keystore importation
> >
> >(I send you the new server certificate)
> >
> >must we also replace the CN of the client ? (I didn't do it)
> >maybe the CN of the CA ?
> >
> CN of your client could be what you want
>
> >
> >> The problem is in the CN of the server cert :
> >>
> >> replace CN=server by CN=thehostname !!!
> >>
> >> Certificate:
> >> Data:
> >> Version: 3 (0x2)
> >> Serial Number: 2 (0x2)
> >> Signature Algorithm: md5WithRSAEncryption
> >> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG,
> >OU=UNIT, CN=ca
> >> Validity
> >> Not Before: Jun 14 08:47:55 2001 GMT
> >> Not After : Jun 14 08:47:55 2002 GMT
> >> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
> >> Subject Public Key Info:
> >> Public Key Algorithm: rsaEncryption
> >> RSA Public Key: (1024 bit)
> >> Modulus (1024 bit):
> >> 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
> >> f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
> >> 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
> >> a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
> >> a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
> >> 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
> >> 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
> >> e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
> >> 3b:c3:9f:ac:e3:5e:77:cb:7b
> >> Exponent: 65537 (0x10001)
> >> X509v3 extensions:
> >> X509v3 Basic Constraints:
> >> CA:FALSE
> >> Netscape Comment:
> >> OpenSSL Generated Certificate
> >> X509v3 Subject Key Identifier:
> >>
> >44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
> >> X509v3 Authority Key Identifier:
> >>
> >> keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
> >>
> >> DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
> >> serial:00
> >>
> >> Signature Algorithm: md5WithRSAEncryption
> >> 05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
> >> 97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
> >> 28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
> >> be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
> >> 7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
> >> b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
> >> 94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
> >> 20:a8
> >>
> >>
> >>
> >> -
> >> Henri Gomez ___[_]
> >> EMAIL : [EMAIL PROTECTED](. .)
> >> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> >> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
> >>
> >
> >
> >
> >
>







RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

>ok now it's done, but same error
>HandShake Failure
>
>I made the new server request, the new server certification, 
>the new server x509 conversion, and the new server into tomcat 
>keystore importation
>
>(I send you the new server certificate)
>
>must we also replace the CN of the client ? (I didn't do it)
>maybe the CN of the CA ?
>
CN of your client could be what you want

>
>> The problem is in the CN of the server cert :
>> 
>> replace CN=server by CN=thehostname !!!
>> 
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 2 (0x2)
>> Signature Algorithm: md5WithRSAEncryption
>> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, 
>OU=UNIT, CN=ca
>> Validity
>> Not Before: Jun 14 08:47:55 2001 GMT
>> Not After : Jun 14 08:47:55 2002 GMT
>> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> RSA Public Key: (1024 bit)
>> Modulus (1024 bit):
>> 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
>> f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
>> 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
>> a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
>> a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
>> 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
>> 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
>> e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
>> 3b:c3:9f:ac:e3:5e:77:cb:7b
>> Exponent: 65537 (0x10001)
>> X509v3 extensions:
>> X509v3 Basic Constraints: 
>> CA:FALSE
>> Netscape Comment: 
>> OpenSSL Generated Certificate
>> X509v3 Subject Key Identifier: 
>> 
>44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
>> X509v3 Authority Key Identifier: 
>>  
>> keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
>>  
>> DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
>> serial:00
>> 
>> Signature Algorithm: md5WithRSAEncryption
>> 05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
>> 97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
>> 28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
>> be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
>> 7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
>> b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
>> 94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
>> 20:a8
>> 
>> 
>> 
>> -
>> Henri Gomez ___[_]
>> EMAIL : [EMAIL PROTECTED](. .) 
>> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
>> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
>> 
>
>
>
>



Re: SSL handshake failure URGENT

2001-06-15 Thread Harish kumar AP

Hi All,

I would like to use Tomcat 3.2.2 (Servlet and JSP engine) with Zeus Web Server 3.3.8.
I need to know how to configure Tomcat with Zeus Web Server. If
somebody could provide me with a link or information, it would be of great help.


Thanks in advance.

Regards
-Harish









RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

ok now it's done, but same error
HandShake Failure

I made the new server request, the new server certification, the new server x509 conversion, and the new server into tomcat keystore importation

(I send you the new server certificate)

must we also replace the CN of the client ? (I didn't do it)
maybe the CN of the CA ?



> The problem is in the CN of the server cert :
>
> replace CN=server by CN=thehostname !!!
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 2 (0x2)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, OU=UNIT, CN=ca
> Validity
> Not Before: Jun 14 08:47:55 2001 GMT
> Not After : Jun 14 08:47:55 2002 GMT
> Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
> f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
> 12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
> a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
> a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
> 85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
> 6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
> e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
> 3b:c3:9f:ac:e3:5e:77:cb:7b
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
> X509v3 Authority Key Identifier:
>
> keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
>
> DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
> serial:00
>
> Signature Algorithm: md5WithRSAEncryption
> 05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
> 97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
> 28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
> be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
> 7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
> b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
> 94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
> 20:a8
>
>
>
> -
> Henri Gomez ___[_]
> EMAIL : [EMAIL PROTECTED](. .)
> PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
>




 sr_cert_new.pem


RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

The problem is in the CN of the server cert :

replace CN=server by CN=thehostname !!!

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, OU=UNIT, CN=ca
Validity
Not Before: Jun 14 08:47:55 2001 GMT
Not After : Jun 14 08:47:55 2002 GMT
Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f2:bc:0c:53:78:d3:08:85:b3:e1:70:7c:a8:d1:
f1:64:49:37:e0:83:48:ac:5c:18:51:93:fd:31:49:
12:24:3a:57:13:e0:3a:97:25:ee:29:f5:16:f2:da:
a7:fc:84:89:f6:50:53:2c:09:2a:a9:f5:91:b8:33:
a5:ec:2f:16:07:b8:bf:60:01:06:aa:cc:be:fd:a9:
85:04:22:25:2b:16:4d:49:b4:11:bc:0a:68:1c:95:
6c:a6:ad:8c:f4:ef:30:11:41:6e:cf:3b:ca:a6:6a:
e9:1b:bf:41:28:b0:5e:c8:03:8c:cb:22:ce:80:38:
3b:c3:9f:ac:e3:5e:77:cb:7b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: 
CA:FALSE
Netscape Comment: 
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 
44:3C:48:E2:82:B6:77:02:B1:90:84:D3:B0:CD:0C:18:6E:81:9F:7E
X509v3 Authority Key Identifier: 
 
keyid:85:64:41:58:57:5F:91:5E:E1:A7:85:6B:CB:B7:F4:03:C4:F9:A8:31
 
DirName:/C=FR/ST=France/L=Genvilliers/O=THE_ORG/OU=UNIT/CN=ca
serial:00

Signature Algorithm: md5WithRSAEncryption
05:0a:10:ec:dd:04:9e:8d:bb:98:2d:82:8f:c5:a0:f7:6b:06:
97:52:c0:a2:c0:f2:25:8c:81:41:a5:80:f2:1e:72:da:a5:d2:
28:df:44:77:0f:6b:df:9a:1e:06:c7:83:6a:7d:40:89:96:1f:
be:f5:2b:b2:fc:4c:91:a9:0c:89:e8:00:37:d5:a1:ab:a8:82:
7b:92:d9:ba:e9:1b:57:3d:32:62:96:ba:29:1d:3f:9b:83:64:
b8:92:37:74:16:4d:3f:be:bf:cf:25:70:03:05:06:de:d2:52:
94:ff:6a:fc:0c:32:ef:aa:ab:63:6d:e1:77:56:fc:3f:32:c6:
20:a8



-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .) 
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 
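
An added example (not part of the original message): a Python check that reads the header fields of an `openssl x509 -text` dump like the one above and compares the subject CN with the host name the client connects to. The field values are copied from the dump (hex blocks left out); the function names, the finding labels and the 2048-bit threshold are this example's own assumptions.

```python
import re
from datetime import datetime

# Header fields of the server certificate as printed in the message above.
# Indentation is flattened as on the page; hex blocks and extensions are omitted.
CERT_TEXT = """\
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, ST=France, L=Genvilliers, O=THE_ORG, OU=UNIT, CN=ca
Validity
Not Before: Jun 14 08:47:55 2001 GMT
Not After : Jun 14 08:47:55 2002 GMT
Subject: C=FR, ST=France, O=THE_ORG, OU=UNIT, CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
"""


def field(text, label):
    """Return the value after 'label:' on the first line that starts with it."""
    pattern = r"^[ \t]*%s[ \t]*:[ \t]*(.+?)[ \t]*$" % re.escape(label)
    match = re.search(pattern, text, re.M)
    return match.group(1) if match else None


def parse_dn(dn):
    """Split 'C=FR, O=THE_ORG, CN=server' into a dict (no escaped commas)."""
    return dict(part.strip().split("=", 1) for part in dn.split(",") if "=" in part)


def parse_time(value):
    """Parse the date format openssl prints, e.g. 'Jun 14 08:47:55 2001 GMT'."""
    if value is None:
        raise ValueError("validity date missing from the dump")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")


def audit_server_cert(text, hostname, now):
    """Return the parsed fields and a list of findings for this host name."""
    subject = parse_dn(field(text, "Subject") or "")
    issuer = parse_dn(field(text, "Issuer") or "")
    not_before = parse_time(field(text, "Not Before"))
    not_after = parse_time(field(text, "Not After"))
    sig_alg = field(text, "Signature Algorithm") or ""
    bits_match = re.search(r"Public Key: \((\d+) bit\)", text)
    bits = int(bits_match.group(1)) if bits_match else None

    findings = []
    cn = subject.get("CN")
    if cn is None or cn.lower() != hostname.lower():
        findings.append("cn_mismatch")        # the point made in the reply above
    if now < not_before:
        findings.append("not_yet_valid")
    if now > not_after:
        findings.append("expired")
    if sig_alg.lower().startswith("md5"):
        findings.append("md5_signature")      # MD5 signatures are no longer trusted
    if bits is not None and bits < 2048:      # threshold chosen for this example
        findings.append("short_rsa_key")
    return {"cn": cn, "issuer_cn": issuer.get("CN"), "key_bits": bits,
            "signature_algorithm": sig_alg, "findings": findings}


if __name__ == "__main__":
    report = audit_server_cert(CERT_TEXT, "thehostname", datetime(2001, 6, 15))
    print(report)
```

Current TLS clients match the host name against the certificate's subjectAltName entries rather than the CN, so a certificate issued today needs the name there as well.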



RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

Here they are
(all the files I have generated with these openssl commands)

> can u send ur server,client,ca certs?
>
> Rams
> +91-040-3000401 x 2162 (O)
> +91-040-6313447 (R)
>
>
> -Original Message-
> From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 14, 2001 7:27 PM
> To: [EMAIL PROTECTED]
> Subject: SSL handshake failure URGENT
>
>
> Hello,
>
>  I get no responses for my previous mails... so maybe I did not contact the
> good mailing list. Please give me a start of response...
>
>  Hello,
>  I have a cert importation problem
>
>  here is the output of an openSSL client command [which emulates a browser]
> (openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
>  cl_key.pem -state) :
>
>  Enter PEM pass phrase:
>  CONNECTED(0003)
>  SSL_connect:before/connect initialization
>  SSL_connect:SSLv2/v3 write client hello A
>  SSL3 alert read:fatal:handshake failure
>  SSL_connect:error in SSLv2/v3 read server hello A
>  1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:s23_clnt.c:453:
>
>  Can someone help me ?
>  Is it a way to make it work without installing apache ?
>  Thanks for your answer
>
>
>
>
>  I have this tomcat configuration :
>
>
>  
>value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
>value="8443"/>
>value="org.apache.tomcat.net.SSLSocketFactory" />
>value="/opt/tomcat-3-2-2/tomcat/conf/keystore" />
>value="pwd_sr" />
>value="true" />
>  
>
>
>  And these are all the lines of the procedure I entered to make it work
>
>  mkdir ./demoCA
>  echo "" > ./demoCA/index.txt
>  echo "01" > ./demoCA/serial
>
>  # CA
>  openssl req -new -out ca_req.pem -keyout ca_key.pem
>  #pwd:pwd_ca
>  #challenge_pwd:ch_ca
>  #company name:THE_ORG
>
>  # CLIENT
>  openssl req -new -out cl_req.pem -keyout cl_key.pem
>  #pwd:pwd_cl
>  #ch_pwd:ch_cl
>  #company name:THE_ORG
>  # SERVER
>  openssl req -new -out sr_req.pem -keyout sr_key.pem
>  #pwd:pwd_sr
>  #ch_pwd:ch_sr
>  #company name:THE_ORG
>  # CA AUTH
>  echo "CA AUTH : enter CA password"
>  openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
>  #pwd:pwd_ca
>  rm ./demoCA/index.txt
>  rm ./demoCA/serial
>  cat "" > ./demoCA/index.txt
>  cat "01" > ./demoCA/serial
>
>  # CLIENT AUTH BY CA
>  echo "CL AUTH : enter CA password"
>  openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile
> ca_key.pem -config /usr/local/ssl/openssl.cnf
>  #pwd:pwd_ca
>
>  # SERVER AUTH BY CA
>  echo "SR AUTH : enter CA password"
>  openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile
> ca_key.pem -config /usr/local/ssl/openssl.cnf
>  #pwd:pwd_ca
>
>  # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
>  openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der
>
>  # REMOVE PREVIOUS KEYSTORE
>  rm /opt/tomcat-3-2-2/tomcat/conf/keystore
>
>  # IMPORT SERVER CERT IN TOMCAT KEYSTORE
>  echo "IMPORT SR CERT : enter SR password"
>  /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file
> sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
>  #pwd:pwd_sr
>
>  # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
>  echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
>  openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
>  #pwd:pwd_cl
>  #exp_pwd:pwd_cl
>
>  # CONNECTION TO THE TOMCAT SERVER
>  openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
> cl_key.pem -state
>
>
>




 certs.zip


RE: SSL handshake failure URGENT

2001-06-15 Thread Rams

Can you send your server, client, and CA certs?

Rams
+91-040-3000401 x 2162 (O)
+91-040-6313447 (R)


-Original Message-
From: Jean-Etienne G. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 14, 2001 7:27 PM
To: [EMAIL PROTECTED]
Subject: SSL handshake failure URGENT


Hello,

 I get no responses for my previous mails... so maybe I did not contact the
good mailing list. Please give me a start of response...

 Hello,
 I have a cert importation problem

 here is the output of an openSSL client command [which emulates a browser]
(openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
 cl_key.pem -state) :

 Enter PEM pass phrase:
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL3 alert read:fatal:handshake failure
 SSL_connect:error in SSLv2/v3 read server hello A
 1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:453:

 Can someone help me ?
 Is it a way to make it work without installing apache ?
 Thanks for your answer




 I have this tomcat configuration :


 
 
 
 
 
 
 
 


 And these are all the lines of the procedure I entered to make it work

 mkdir ./demoCA
 echo "" > ./demoCA/index.txt
 echo "01" > ./demoCA/serial

 # CA
 openssl req -new -out ca_req.pem -keyout ca_key.pem
 #pwd:pwd_ca
 #challenge_pwd:ch_ca
 #company name:THE_ORG

 # CLIENT
 openssl req -new -out cl_req.pem -keyout cl_key.pem
 #pwd:pwd_cl
 #ch_pwd:ch_cl
 #company name:THE_ORG
 # SERVER
 openssl req -new -out sr_req.pem -keyout sr_key.pem
 #pwd:pwd_sr
 #ch_pwd:ch_sr
 #company name:THE_ORG
 # CA AUTH
 echo "CA AUTH : enter CA password"
 openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
 #pwd:pwd_ca
 rm ./demoCA/index.txt
 rm ./demoCA/serial
 cat "" > ./demoCA/index.txt
 cat "01" > ./demoCA/serial

 # CLIENT AUTH BY CA
 echo "CL AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile
ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # SERVER AUTH BY CA
 echo "SR AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile
ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
 openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der

 # REMOVE PREVIOUS KEYSTORE
 rm /opt/tomcat-3-2-2/tomcat/conf/keystore

 # IMPORT SERVER CERT IN TOMCAT KEYSTORE
 echo "IMPORT SR CERT : enter SR password"
 /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file
sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
 #pwd:pwd_sr

 # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
 echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
 openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
 #pwd:pwd_cl
 #exp_pwd:pwd_cl

 # CONNECTION TO THE TOMCAT SERVER
 openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key
cl_key.pem -state





RE: SSL handshake failure URGENT

2001-06-15 Thread GOMEZ Henri

>First, thanks for taking the time to help me :)
>But I fear I didn't understand the answer :(
>where must I enter the same name as what ?
>
>example : I am under Linux, the hostname is "thehostname"
>is that what you call server name, or is it a name that you 
>enter in the server.xml file (if yes with which tag ?)

If your server is thehostname, you respond with that when
openssl asks for the COMMON NAME in SERVER CERT GENERATION:

>> > # SERVER
>> > openssl req -new -out sr_req.pem -keyout sr_key.pem
>> > #pwd:pwd_sr
>> > #ch_pwd:ch_sr
>> > #company name:THE_ORG 


>And where must I enter the same name as the servername ?
>what field of which openSSL command ?
>
>Thanks for your answer !
>
> JEG
>
>> > # CA
>> > openssl req -new -out ca_req.pem -keyout ca_key.pem
>> > #pwd:pwd_ca
>> > #challenge_pwd:ch_ca
>> > #company name:THE_ORG
>> >
>> > # CLIENT
>> > openssl req -new -out cl_req.pem -keyout cl_key.pem
>> > #pwd:pwd_cl
>> > #ch_pwd:ch_cl
>> > #company name:THE_ORG 
>> > # SERVER
>> > openssl req -new -out sr_req.pem -keyout sr_key.pem
>> > #pwd:pwd_sr
>> > #ch_pwd:ch_sr
>> > #company name:THE_ORG 
>> > # CA AUTH 
>> > echo "CA AUTH : enter CA password"
>> > openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
>> > #pwd:pwd_ca
>> > rm ./demoCA/index.txt
>> > rm ./demoCA/serial
>> > cat "" > ./demoCA/index.txt
>> > cat "01" > ./demoCA/serial 
>> >
>> > # CLIENT AUTH BY CA 
>> > echo "CL AUTH : enter CA password"
>> > openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem 
>> >-keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
>> > #pwd:pwd_ca
>> >
>> > # SERVER AUTH BY CA 
>> > echo "SR AUTH : enter CA password"
>> > openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem 
>> >-keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
>> > #pwd:pwd_ca
>> >
>> > # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
>> > openssl x509 -inform PEM -in sr_cert.pem -outform DER -out 
>sr_cert.der
>> >
>> > # REMOVE PREVIOUS KEYSTORE
>> > rm /opt/tomcat-3-2-2/tomcat/conf/keystore
>> >
>> > # IMPORT SERVER CERT IN TOMCAT KEYSTORE
>> > echo "IMPORT SR CERT : enter SR password"
>> > /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias 
>> >tomcat -file sr_cert.der -keystore 
>> >/opt/tomcat-3-2-2/tomcat/conf/keystore
>> > #pwd:pwd_sr
>> >
>> > # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
>> > echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
>> > openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out 
>> >cl_cert.p12
>> > #pwd:pwd_cl
>> > #exp_pwd:pwd_cl
>> >
>> > # CONNECTION TO THE TOMCAT SERVER
>> > openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem 
>> >-key cl_key.pem -state
>
>
>
>
>



RE: SSL handshake failure URGENT

2001-06-15 Thread Jean-Etienne G.

> Did you set the SERVER Common Name correctly?
> It must match the server name (ie: mybecane.com)

First, thanks for taking the time to help me :)
But I fear I didn't understand the answer :(
where must I enter the same name as what ?

example : I am under Linux, the hostname is "thehostname"
is that what you call server name, or is it a name that you enter in the server.xml file (if yes with which tag ?)

And where must I enter the same name as the servername ?
what field of which openSSL command ?

Thanks for your answer !

 JEG

> > # CA
> > openssl req -new -out ca_req.pem -keyout ca_key.pem
> > #pwd:pwd_ca
> > #challenge_pwd:ch_ca
> > #company name:THE_ORG
> >
> > # CLIENT
> > openssl req -new -out cl_req.pem -keyout cl_key.pem
> > #pwd:pwd_cl
> > #ch_pwd:ch_cl
> > #company name:THE_ORG
> > # SERVER
> > openssl req -new -out sr_req.pem -keyout sr_key.pem
> > #pwd:pwd_sr
> > #ch_pwd:ch_sr
> > #company name:THE_ORG
> > # CA AUTH
> > echo "CA AUTH : enter CA password"
> > openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
> > #pwd:pwd_ca
> > rm ./demoCA/index.txt
> > rm ./demoCA/serial
> > cat "" > ./demoCA/index.txt
> > cat "01" > ./demoCA/serial
> >
> > # CLIENT AUTH BY CA
> > echo "CL AUTH : enter CA password"
> > openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem
> >-keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
> > #pwd:pwd_ca
> >
> > # SERVER AUTH BY CA
> > echo "SR AUTH : enter CA password"
> > openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem
> >-keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
> > #pwd:pwd_ca
> >
> > # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
> > openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der
> >
> > # REMOVE PREVIOUS KEYSTORE
> > rm /opt/tomcat-3-2-2/tomcat/conf/keystore
> >
> > # IMPORT SERVER CERT IN TOMCAT KEYSTORE
> > echo "IMPORT SR CERT : enter SR password"
> > /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
> > #pwd:pwd_sr
> >
> > # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
> > echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
> > openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
> > #pwd:pwd_cl
> > #exp_pwd:pwd_cl
> >
> > # CONNECTION TO THE TOMCAT SERVER
> > openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state








RE: SSL handshake failure URGENT

2001-06-14 Thread GOMEZ Henri

Did you set the SERVER Common Name correctly?
It must match the server name (i.e. mybecane.com)

> # CA
> openssl req -new -out ca_req.pem -keyout ca_key.pem
> #pwd:pwd_ca
> #challenge_pwd:ch_ca
> #company name:THE_ORG
>
> # CLIENT
> openssl req -new -out cl_req.pem -keyout cl_key.pem
> #pwd:pwd_cl
> #ch_pwd:ch_cl
> #company name:THE_ORG 
> # SERVER
> openssl req -new -out sr_req.pem -keyout sr_key.pem
> #pwd:pwd_sr
> #ch_pwd:ch_sr
> #company name:THE_ORG 
> # CA AUTH 
> echo "CA AUTH : enter CA password"
> openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
> #pwd:pwd_ca
> rm ./demoCA/index.txt
> rm ./demoCA/serial
> touch ./demoCA/index.txt
> echo "01" > ./demoCA/serial
>
> # CLIENT AUTH BY CA 
> echo "CL AUTH : enter CA password"
> openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
> #pwd:pwd_ca
>
> # SERVER AUTH BY CA 
> echo "SR AUTH : enter CA password"
> openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
> #pwd:pwd_ca
>
> # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
> openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der
>
> # REMOVE PREVIOUS KEYSTORE
> rm /opt/tomcat-3-2-2/tomcat/conf/keystore
>
> # IMPORT SERVER CERT IN TOMCAT KEYSTORE
> echo "IMPORT SR CERT : enter SR password"
> /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
> #pwd:pwd_sr
>
> # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
> echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
> openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
> #pwd:pwd_cl
> #exp_pwd:pwd_cl
>
> # CONNECTION TO THE TOMCAT SERVER
> openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state



SSL handshake failure URGENT

2001-06-14 Thread Jean-Etienne G.

Hello,

 I got no responses to my previous mails... so maybe I did not contact the right mailing list. Please give me the start of a response...

 Hello,
 I have a cert importation problem

 Here is the output of an OpenSSL client command [which emulates a browser] (openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state):

 Enter PEM pass phrase:
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL3 alert read:fatal:handshake failure
 SSL_connect:error in SSLv2/v3 read server hello A
 1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:453:

 Can someone help me?
 Is there a way to make it work without installing Apache?
 Thanks for your answer




 I have this tomcat configuration :


 
 
 
 
 
 
 
 


 And these are all the lines of the procedure I entered to make it work

 mkdir ./demoCA
 echo "" > ./demoCA/index.txt
 echo "01" > ./demoCA/serial

 # CA
 openssl req -new -out ca_req.pem -keyout ca_key.pem
 #pwd:pwd_ca
 #challenge_pwd:ch_ca
 #company name:THE_ORG

 # CLIENT
 openssl req -new -out cl_req.pem -keyout cl_key.pem
 #pwd:pwd_cl
 #ch_pwd:ch_cl
 #company name:THE_ORG
 # SERVER
 openssl req -new -out sr_req.pem -keyout sr_key.pem
 #pwd:pwd_sr
 #ch_pwd:ch_sr
 #company name:THE_ORG
 # CA AUTH
 echo "CA AUTH : enter CA password"
 openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
 #pwd:pwd_ca
 rm ./demoCA/index.txt
 rm ./demoCA/serial
 touch ./demoCA/index.txt
 echo "01" > ./demoCA/serial

 # CLIENT AUTH BY CA
 echo "CL AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # SERVER AUTH BY CA
 echo "SR AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
 openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der

 # REMOVE PREVIOUS KEYSTORE
 rm /opt/tomcat-3-2-2/tomcat/conf/keystore

 # IMPORT SERVER CERT IN TOMCAT KEYSTORE
 echo "IMPORT SR CERT : enter SR password"
 /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
 #pwd:pwd_sr

 # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
 echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
 openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
 #pwd:pwd_cl
 #exp_pwd:pwd_cl

 # CONNECTION TO THE TOMCAT SERVER
 openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state






SSL handshake failure

2001-06-14 Thread [EMAIL PROTECTED]

Hello,
 I have a cert importation problem

 Here is the output of an OpenSSL command (openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state):

 Enter PEM pass phrase:
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL3 alert read:fatal:handshake failure
 SSL_connect:error in SSLv2/v3 read server hello A
 1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:453:

 Can someone help me?
 Is there a way to make it work without installing Apache?
 Thanks for your answer




 I have this tomcat configuration :


 
 
 
 
 
 
 
 


 And these are all the lines of the procedure I entered to make it work

 mkdir ./demoCA
 echo "" > ./demoCA/index.txt
 echo "01" > ./demoCA/serial

 # CA
 openssl req -new -out ca_req.pem -keyout ca_key.pem
 #pwd:pwd_ca
 #challenge_pwd:ch_ca
 #company name:THE_ORG

 # CLIENT
 openssl req -new -out cl_req.pem -keyout cl_key.pem
 #pwd:pwd_cl
 #ch_pwd:ch_cl
 #company name:THE_ORG
 # SERVER
 openssl req -new -out sr_req.pem -keyout sr_key.pem
 #pwd:pwd_sr
 #ch_pwd:ch_sr
 #company name:THE_ORG
 # CA AUTH
 echo "CA AUTH : enter CA password"
 openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
 #pwd:pwd_ca
 rm ./demoCA/index.txt
 rm ./demoCA/serial
 touch ./demoCA/index.txt
 echo "01" > ./demoCA/serial

 # CLIENT AUTH BY CA
 echo "CL AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # SERVER AUTH BY CA
 echo "SR AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
 openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der

 # REMOVE PREVIOUS KEYSTORE
 rm /opt/tomcat-3-2-2/tomcat/conf/keystore

 # IMPORT SERVER CERT IN TOMCAT KEYSTORE
 echo "IMPORT SR CERT : enter SR password"
 /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
 #pwd:pwd_sr

 # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
 echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
 openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
 #pwd:pwd_cl
 #exp_pwd:pwd_cl

 # CONNECTION TO THE TOMCAT SERVER
 openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state







SSL handshake failure

2001-06-14 Thread [EMAIL PROTECTED]

 Hello,

I got no response to my previous mail... so maybe I did not contact the right mailing list. Please give me the start of a response...

 Hello,
 I have a cert importation problem

 Here is the output of an OpenSSL client command [which emulates a browser] (openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state):

 Enter PEM pass phrase:
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL3 alert read:fatal:handshake failure
 SSL_connect:error in SSLv2/v3 read server hello A
 1993:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:453:

 Can someone help me?
 Is there a way to make it work without installing Apache?
 Thanks for your answer




 I have this tomcat configuration :


 
 
 
 
 
 
 
 


 And these are all the lines of the procedure I entered to make it work

 mkdir ./demoCA
 echo "" > ./demoCA/index.txt
 echo "01" > ./demoCA/serial

 # CA
 openssl req -new -out ca_req.pem -keyout ca_key.pem
 #pwd:pwd_ca
 #challenge_pwd:ch_ca
 #company name:THE_ORG

 # CLIENT
 openssl req -new -out cl_req.pem -keyout cl_key.pem
 #pwd:pwd_cl
 #ch_pwd:ch_cl
 #company name:THE_ORG
 # SERVER
 openssl req -new -out sr_req.pem -keyout sr_key.pem
 #pwd:pwd_sr
 #ch_pwd:ch_sr
 #company name:THE_ORG
 # CA AUTH
 echo "CA AUTH : enter CA password"
 openssl req -x509 -in ca_req.pem -key ca_key.pem -out ca_cert.pem
 #pwd:pwd_ca
 rm ./demoCA/index.txt
 rm ./demoCA/serial
 touch ./demoCA/index.txt
 echo "01" > ./demoCA/serial

 # CLIENT AUTH BY CA
 echo "CL AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in cl_req.pem -out cl_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # SERVER AUTH BY CA
 echo "SR AUTH : enter CA password"
 openssl ca -cert ca_cert.pem -in sr_req.pem -out sr_cert.pem -keyfile ca_key.pem -config /usr/local/ssl/openssl.cnf
 #pwd:pwd_ca

 # CONVERT SERVER AUTH FROM PEM FORMAT TO DER FORMAT
 openssl x509 -inform PEM -in sr_cert.pem -outform DER -out sr_cert.der

 # REMOVE PREVIOUS KEYSTORE
 rm /opt/tomcat-3-2-2/tomcat/conf/keystore

 # IMPORT SERVER CERT IN TOMCAT KEYSTORE
 echo "IMPORT SR CERT : enter SR password"
 /usr/java/jdk1.3/bin/keytool -import -v -trustcacerts -alias tomcat -file sr_cert.der -keystore /opt/tomcat-3-2-2/tomcat/conf/keystore
 #pwd:pwd_sr

 # CONVERTING CLIENT CERT INTO NETSCAPE PKCS12 FORMAT
 echo "CL CERT CONVERSION : PEM -> P12 : enter CL passwd"
 openssl pkcs12 -in cl_cert.pem -inkey cl_key.pem -export -out cl_cert.p12
 #pwd:pwd_cl
 #exp_pwd:pwd_cl

 # CONNECTION TO THE TOMCAT SERVER
 openssl s_client -connect 127.0.0.1:8443 -cert cl_cert.pem -key cl_key.pem -state







RE: ssl handshake failure

2001-06-05 Thread Phillip Gibb

But I am using a Windows PC (for development purposes), so I don't have
Apache running. Later I am going over to Linux.

-Original Message-
From: Tim O'Neil [mailto:[EMAIL PROTECTED]]
Sent: 05 June 2001 05:39
To: [EMAIL PROTECTED]
Subject: Re: ssl handshake failure


When it happened to me the cause (non-specifically, I
didn't spend a lot of time investigating it) was
because I was trying to use a regular (or not self-signed)
cert. I solved the problem by switching to Apache +
Tomcat as a platform. I personally found the combo much
easier to SSL-enable than Tomcat alone.

At 03:39 PM 6/5/2001 +0200, you wrote:
>Hi,
>
>Reading further into the Java Secure Socket Extension I found a useful
>command "-Djavax.net.debug=all", which I appended to the line in tomcat.bat
>that starts the server.
>The result is a lot of information; it tells me further what my error
>actually is:
>i.e. a handshake failure
>
>here is the screen dump:
>
>[read] MD5 and SHA1 hashes:  len = 3
>0000: 01 03 01   ...
>[read] MD5 and SHA1 hashes:  len = 67
>0000: 00 2D 00 00 00 10 8F 80   01 80 00 03 80 00 01 81  .-..
>0010: 00 01 81 00 03 82 00 01   00 00 64 00 00 62 00 00  ..d..b..
>0020: 03 00 00 06 83 00 04 84   28 40 02 00 80 04 00 80  (@..
>0030: 00 00 63 D5 76 DE 3D 71   3A 61 49 18 69 E3 70 AF  ..c.v.=q:aI.i.p.
>0040: 66 81 32   f.2
>Thread-20, READ:  SSL v2, contentType = 22, translated length = 53
>*** ClientHello, v3.1
>RandomCookie:  GMT: 0 bytes = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 213, 118, 222, 61, 113, 58, 97, 73, 24, 105, 227, 112, 175, 102, 129, 50 }
>Session ID:  {}
>Cipher Suites:  { 0, 100, 0, 98, 0, 3, 0, 6, 0, 99 }
>Compression Methods:  { 0 }
>***
>%% Created:  [Session-2, SSL_NULL_WITH_NULL_NULL]
>Thread-20, SEND SSL v3.1 ALERT:  fatal, description = handshake_failure
>Thread-20, WRITE:  SSL v3.1 Alert, length = 2
>2001-06-05 03:32:49 - Ctx(  ): 400 R( /) null
>2001-06-05 03:32:49 - Ctx(  ): IOException in: R( /) Socket closed
>
>does anyone have an idea as to why this is and maybe how I can overcome
>this?
>
>Phill



Re: ssl handshake failure

2001-06-05 Thread Tim O'Neil

When it happened to me the cause (non-specifically, I
didn't spend a lot of time investigating it) was
because I was trying to use a regular (or not self-signed)
cert. I solved the problem by switching to Apache +
Tomcat as a platform. I personally found the combo much
easier to SSL-enable than Tomcat alone.

At 03:39 PM 6/5/2001 +0200, you wrote:
>Hi,
>
>Reading further into the Java Secure Socket Extension I found a useful
>command "-Djavax.net.debug=all", which I appended to the line in tomcat.bat
>that starts the server.
>The result is a lot of information; it tells me further what my error
>actually is:
>i.e. a handshake failure
>
>here is the screen dump:
>
>[read] MD5 and SHA1 hashes:  len = 3
>0000: 01 03 01   ...
>[read] MD5 and SHA1 hashes:  len = 67
>0000: 00 2D 00 00 00 10 8F 80   01 80 00 03 80 00 01 81  .-..
>0010: 00 01 81 00 03 82 00 01   00 00 64 00 00 62 00 00  ..d..b..
>0020: 03 00 00 06 83 00 04 84   28 40 02 00 80 04 00 80  (@..
>0030: 00 00 63 D5 76 DE 3D 71   3A 61 49 18 69 E3 70 AF  ..c.v.=q:aI.i.p.
>0040: 66 81 32   f.2
>Thread-20, READ:  SSL v2, contentType = 22, translated length = 53
>*** ClientHello, v3.1
>RandomCookie:  GMT: 0 bytes = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 213, 118, 222, 61, 113, 58, 97, 73, 24, 105, 227, 112, 175, 102, 129, 50 }
>Session ID:  {}
>Cipher Suites:  { 0, 100, 0, 98, 0, 3, 0, 6, 0, 99 }
>Compression Methods:  { 0 }
>***
>%% Created:  [Session-2, SSL_NULL_WITH_NULL_NULL]
>Thread-20, SEND SSL v3.1 ALERT:  fatal, description = handshake_failure
>Thread-20, WRITE:  SSL v3.1 Alert, length = 2
>2001-06-05 03:32:49 - Ctx(  ): 400 R( /) null
>2001-06-05 03:32:49 - Ctx(  ): IOException in: R( /) Socket closed
>
>does anyone have an idea as to why this is and maybe how I can overcome
>this?
>
>Phill




ssl handshake failure

2001-06-05 Thread Phillip Gibb

Hi,

Reading further into the Java Secure Socket Extension I found a useful
command "-Djavax.net.debug=all", which I appended to the line in tomcat.bat
that starts the server.
The result is a lot of information; it tells me further what my error
actually is:
i.e. a handshake failure

here is the screen dump:

[read] MD5 and SHA1 hashes:  len = 3
0000: 01 03 01   ...
[read] MD5 and SHA1 hashes:  len = 67
0000: 00 2D 00 00 00 10 8F 80   01 80 00 03 80 00 01 81  .-..
0010: 00 01 81 00 03 82 00 01   00 00 64 00 00 62 00 00  ..d..b..
0020: 03 00 00 06 83 00 04 84   28 40 02 00 80 04 00 80  (@..
0030: 00 00 63 D5 76 DE 3D 71   3A 61 49 18 69 E3 70 AF  ..c.v.=q:aI.i.p.
0040: 66 81 32   f.2
Thread-20, READ:  SSL v2, contentType = 22, translated length = 53
*** ClientHello, v3.1
RandomCookie:  GMT: 0 bytes = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 213, 118, 222, 61, 113, 58, 97, 73, 24, 105, 227, 112, 175, 102, 129, 50 }
Session ID:  {}
Cipher Suites:  { 0, 100, 0, 98, 0, 3, 0, 6, 0, 99 }
Compression Methods:  { 0 }
***
%% Created:  [Session-2, SSL_NULL_WITH_NULL_NULL]
Thread-20, SEND SSL v3.1 ALERT:  fatal, description = handshake_failure
Thread-20, WRITE:  SSL v3.1 Alert, length = 2
2001-06-05 03:32:49 - Ctx(  ): 400 R( /) null
2001-06-05 03:32:49 - Ctx(  ): IOException in: R( /) Socket closed

does anyone have an idea as to why this is and maybe how I can overcome
this?

Phill
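
The SSLv2-format ClientHello in the debug dump above can be decoded to see exactly which cipher suites the client offered before the server sent handshake_failure. The Python below is an added example, not part of the original thread: the bytes are re-typed from the post's hex dump, the function names are hypothetical, and the suite names are the registered TLS names for the ids that appear in the dump.

```python
# Bytes re-typed from the JSSE debug dump in the post above (the 3-byte and
# 67-byte "[read]" chunks, offsets and ASCII gutter removed).
DUMP = """
01 03 01
00 2D 00 00 00 10 8F 80 01 80 00 03 80 00 01 81
00 01 81 00 03 82 00 01 00 00 64 00 00 62 00 00
03 00 00 06 83 00 04 84 28 40 02 00 80 04 00 80
00 00 63 D5 76 DE 3D 71 3A 61 49 18 69 E3 70 AF
66 81 32
"""

# Registered names for the TLS suite ids seen in this dump.
TLS_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

def parse_v2_client_hello(msg: bytes) -> dict:
    """Parse an SSLv2-format ClientHello body (record header already removed)."""
    if len(msg) < 9 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    spec_len, sid_len, chal_len = (int.from_bytes(msg[i:i + 2], "big") for i in (3, 5, 7))
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != len(msg):
        raise ValueError("length fields do not match message size")
    specs = [msg[9 + i:12 + i] for i in range(0, spec_len, 3)]
    # A 3-byte spec whose first byte is 0 carries a 2-byte SSLv3/TLS suite id;
    # anything else is an SSLv2 or vendor-specific cipher kind.
    tls = [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0]
    other = [s.hex() for s in specs if s[0] != 0]
    return {"version": (msg[1], msg[2]), "tls_suites": tls, "other_specs": other,
            "challenge": msg[9 + spec_len + sid_len:]}

def offered_suite_names(hello: dict) -> list:
    """Map the offered TLS suite ids to names, keeping the client's order."""
    return [TLS_NAMES.get(s, "unknown_0x%04X" % s) for s in hello["tls_suites"]]

def only_export_grade(hello: dict) -> bool:
    """True when every TLS suite the client offered is an export suite."""
    names = offered_suite_names(hello)
    return bool(names) and all("_EXPORT" in n for n in names)

HELLO = parse_v2_client_hello(bytes.fromhex("".join(DUMP.split())))

if __name__ == "__main__":
    print("version", HELLO["version"], "non-TLS specs:", len(HELLO["other_specs"]))
    for name in offered_suite_names(HELLO):
        print("  offered:", name)
    print("export-grade only:", only_export_grade(HELLO))
```

The decoded ids match the "Cipher Suites" line in the dump, and every TLS suite offered is export-grade, so a server whose key type or enabled suite list does not cover one of them has nothing to select.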