Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
On 10/9/17, 2:19 PM, Christopher Schultz (Tomcat List guru) wrote (with regard to a "ciphers" clause in a connector tag): . . . You need to list everything. . . . Ok. I really didn't need a command-line tool (thanks, though, on behalf of whoever actually does end up needing one); just an example, and I found one at https://tinyurl.com/y9aqpkvm Based on that example, I then pulled up the "Configured ciphers per connector" page on the TC 8.5 server, and copied and pasted all of them into a new ciphers clause on my connector tag, and then copied and pasted TLS_RSA_WITH_AES_256_CBC_SHA in at the end, from a copy of the SSLInfo output. After restarting Tomcat, "TLS_RSA_WITH_AES_256_CBC_SHA" appeared in the "Configured ciphers" page, and the AS/400 was able to access the server. Thanks, Messrs. Schultz, Kreuser, Thomas of the Tomcat List, and Messrs Stone and Klement of the HTTPAPI List. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ISAPI and IIS 10 Logging Issue
I'm having this very same issue with one slight difference. I have six Windows 2016 servers and logging works correctly on two of them. I've gone through nearly everything I can think of to determine what is different about the two boxes that work and have hit a wall. I have even done a full compare of the Windows directory to no avail. The two boxes that do work have two additional Windows Updates which I can't get to apply to the four boxes that don't work: KB4013418 and KB3211320. When I try to install those updates on the boxes that don't work, I get "Update not applicable", likely because those updates are superseded by KB4035631, which is also installed on all six boxes. -- Sent from: http://tomcat.10.x6.nabble.com/Tomcat-User-f1968778.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat SSL issue
John Ellis 405.285.2500 office http://biz-e.io -Original Message- From: Terence M. Bandoian [mailto:tere...@tmbsw.com] Sent: Monday, October 9, 2017 4:49 PM To: Tomcat Users List Subject: Re: Tomcat SSL issue On 10/9/2017 10:01 AM, John Ellis wrote: > > I posted questions about this a couple of weeks ago I think it was. I > have been trying to get Tomcat running on a secure port with a valid > SSL certificate. We finally got version 9.0.0.M20 setup successfully > on port 9443 and I can go to that IP:port and get a Tomcat webpage but > when I go through all the steps using the keytool commands to submit a > certificate (we use Cacert.org) and try to plug that certificate into > the mix it doesnt work. I still get an error message telling me that > I will have to create an exception to go to that IP address and port. > Last Friday I even deleted the certificate and all the keystore file, > etc. and got the same exact error. So it appears that Tomcat is not > seeing the certificate at all since I get the same error about having > to add an exception whether or not I have a valid certificate in place > on the server. > > The lines we added to the server.xml file to get the secure port > working are- > > > maxThreads="150" scheme="https" secure="true" > > clientAuth="false" sslProtocol="TLS" > > keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jk s" > >keystorePass="changeit" /> > > John Ellis > >Terence I have tried putting my name in where it asks for the "first and last name" part of filling out the certificate info but when I do that the Cacert.org website says I have to authenticate the actual internal IP address of this server and there is no way to do that that I know of. Thanks, Hi, John- Is it a browser that's displaying the error message and requesting that you create an exception to continue? If so, have you looked at the additional information to determine what problems the browser has detected with the certificate? -Terence Bandoian http://www.tmbsw.com/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Enforcing server preference for cipher suites
2017-10-09 19:31 GMT+03:00 Harish Krishnan : > Hi All, > > Need your expert input here. > Not sure what I am doing wrong, but I cannot get this server preference > cipher suites feature working. > > My setup: > Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute) > Latest Java 1.8 build. > > No matter what value I set to this attribute (true OR false OR undefined > which is by default), I always see the Clients preference picked. > As an example, if clients order is ABCDEF, and servers order is DEFABC, no > matter what value I set to this useServerCipherSuitesOrder attribute, always > the order selected is ABC... It should work when running on Java 8. Maybe try debugging e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat setUseServerCipherSuitesOrder() https://wiki.apache.org/tomcat/FAQ/Developing#Debugging Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Enforcing server preference for cipher suites
Thanks for the response, Peter. The client is not doing anything other than a simple https connection to tomcat. The cipher sites used by the client is the default JRE 1.8 cipher suites. I have not configured or requesting for any particular cipher suite when connecting to Tomcat. During the handshake, a particular cipher is automatically selected after the client server negotiation. The question I have is, the cipher that is automatically selected, is in the client preference order and not tomcat order as per the attribute useServerCipherSuitesOrder setting. Are we on same page? Sent from my iPhone > On Oct 9, 2017, at 11:51 PM, Peter Kreuser wrote: > > Harish, > > >> Am 10.10.2017 um 00:00 schrieb Harish Krishnan : >> >> Thanks for the response, Chris. >> >> Below are my answers in order. >> To keep the response as short as possible, i have not included the ciphers >> list in the connector - >> >> a) Tomcat 7.0.79 (will be updating to 7.0.82) >> b) JRE 1.80_144 >> c) Our connector configuration is below. >> d) We are using NIO. >> e) I am using a simple java client that makes TLS connection to our tomcat >> on below port. I am capturing the SSL handshake. >> The way i tested the client preference is: Lets take the same example i >> gave in my first email i.e. clients preference is ABCDEF and the tomcat >> servers preference is DEFABC with *useServerCipherSuitesOrder* set to true. >> During the 1st handshake connection, "A" cipher suite was chosen. I removed >> "A" from my tomcat connector, restarted the service, and did the connection >> test again. >> "B" was chosen during this 2nd handshake. Same test was continued and >> observed that CDEF were chosen next in order. >> I am expecting DEFABC as the order of preference as per the >> *useServerCipherSuitesOrder* setting. > I believe that there is a misunderstanding. Your simple client does not seem > to handle the situation correctly (even not at all). > I think if you request cipher B you will get B. > > Please check with a ssl-tool like sslyze or testssl.sh. If your site is > available on the internet, you could try ssllabs.com. > > The settings seem to be OK, unless I do not see an incorrect formatting on my > phone. > > HTH, > > Peter > >> Let me know if i am missing anything or is my understanding is incorrect. >> >> > id="orion.server.https" >> acceptCount="100" >> *useServerCipherSuitesOrder*="true" >> ciphers="we have around 20 cipher suites listed..." >> clientAuth="want" >> >> compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json" >> compression="on" >> compressionMinSize="2048" >> disableUploadTimeout="true" >> enableLookups="false" >> keystoreFile="keystore/xyz" >> keystorePass="" >> maxConnections="500" >> maxHttpHeaderSize="8192" >> maxKeepAliveRequests="500" >> maxThreads="250" >> minSpareThreads="25" >> noCompressionUserAgents="gozilla, traviata" >> port="8443" >> processorCache="500" >> protocol="org.apache.coyote.http11.Http11NioProtocol" >> scheme="https" >> secure="true" >> server="Undefined" >> sessionCacheSize="400" >> SSLEnabled="true" >> sslProtocol="TLS" >> sslEnabledProtocols="TLSv1.1, TLSv1.2" >> truststoreFile="keystore/xyz" >> truststorePass="" >> truststoreType="jks" >> URIEncoding="UTF-8" /> >> >> >> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz < >> ch...@christopherschultz.net> wrote: >> >>> -BEGIN PGP SIGNED MESSAGE- >>> Hash: SHA256 >>> >>> Harish, >>> On 10/9/17 12:31 PM, Harish Krishnan wrote: Need your expert input here. Not sure what I am doing wrong, but I cannot get this server preference cipher suites feature working. My setup: Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute) Latest Java 1.8 build. No matter what value I set to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked. As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC... >>> >>> What exact version of Tomcat are you using? >>> What exact version of Java are you using? >>> >>> Please post your configuration, minus any secrets. >>> >>> Do you know if you are using the BIO, NIO, or APR connector? >>> >>> How are you determining client-preference? >>> >>> - -chris >>> -BEGIN PGP SIGNATURE- >>> Comment: GPGTools
FW: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection
Hello, Any help is appreciated on this issue. Thank you, Vamsi Gali -Original Message- From: Gali, Vamsi A Sent: Thursday, October 05, 2017 12:03 PM To: 'Tomcat Users List' Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection Hello, I just realized that I didn’t provide the environment info & following are the details: Tomcat: apache-tomcat-7.0.75 IHS: HIS v8.5.5.x OS: RHEL We have IHS→mod_proxy(on IHS) → Tomcat. I know that IHS isn’t the suggested webserver to use with Tomcat but it’s in use. [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection When Tomcat is accessed through webserver url, it throws ‘500’ with the following stack on the IHS Error log: [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2 [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to TOMCAT-IP:PORT (TOMCAT2) [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection. [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] [7fa404014a60] Handshake transcript: [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] client_version [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]gsksslDissector_8Bits [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]gsksslDissector_8Bits [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]03 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] TLSV12 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] random [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]gsksslDissector_32Bits [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]9xx [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]gsksslDissector_Opaque [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]Length: 28 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9 .b...D...)...Y.. [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP]x1 91 19 08 25 xx DC xx E1 xx 20 xx %..o.9 x [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] session_id [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] cipher_suites [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 14 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx ..V/.5 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] compression_methods [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 01 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] 00 . [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extensions [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Length: 00 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] Extension Count: 0 [Thu Oct 00 09:20:20 2017] [debug] [client TOMCAT-IP] end handshake transcript [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500) [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2 -- What’s done: IHS & Tomcat keystores contain required signers for proper communication. During the troubleshooting, I even added IHS server cert as a signer into Tomcat keystore and vice-versa but cannot get rid of this error. Also, tried restricting both IHS & Tomcat to use TLSv1 but no success. Has anyone ran into similar issues? Or ever tried Tomcat with IHS using mod_proxy module? Thank you, Vamsi Gali This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to
RE: Tomcat SSL issue
John Ellis 405.285.2500 office http://biz-e.io -Original Message- From: Terence M. Bandoian [mailto:tere...@tmbsw.com] Sent: Monday, October 9, 2017 4:49 PM To: Tomcat Users List Subject: Re: Tomcat SSL issue On 10/9/2017 10:01 AM, John Ellis wrote: > > I posted questions about this a couple of weeks ago I think it was. I > have been trying to get Tomcat running on a secure port with a valid > SSL certificate. We finally got version 9.0.0.M20 setup successfully > on port 9443 and I can go to that IP:port and get a Tomcat webpage but > when I go through all the steps using the keytool commands to submit a > certificate (we use Cacert.org) and try to plug that certificate into > the mix it doesnt work. I still get an error message telling me that > I will have to create an exception to go to that IP address and port. > Last Friday I even deleted the certificate and all the keystore file, > etc. and got the same exact error. So it appears that Tomcat is not > seeing the certificate at all since I get the same error about having > to add an exception whether or not I have a valid certificate in place > on the server. > > The lines we added to the server.xml file to get the secure port > working are- > > > maxThreads="150" scheme="https" secure="true" > > clientAuth="false" sslProtocol="TLS" > > keystoreFile="/home/tomcat9.0.0.M20/apache-tomcat-9.0.0.M20/conf/keystore.jk s" > >keystorePass="changeit" /> > > John Ellis > >Thanks for the reply Terence. Yes I get the message about needing to create a security exception when I first try to open the Tomcat webpage on the secure port of 9443. I have deleted the certificate and supporting files off of the server as I was going to start over with a new certificate. I believe the error said something about not being able to verify the certificate. I think the main issue is that this is just an internal server here in our office running RHEL 6. It is not setup as a web server and it just has the name of "cowboy" (given that name by my boss) so it is hard to figure out what to call the "First and last name" part when I am creating the CSR to send to Cacert.org. I can't just use the name "cowboy" as I don't have any way to validate that. Have you ever run into situations like this? As I said before I am not a programmer or developer or anything like that. My background was in computer hardware for over 25 years until I took this position after being laid off from what was formerly WebMD. We installed systems in dr's offices, etc. Any light you could shed on this would be great! Thanks Hi, John- Is it a browser that's displaying the error message and requesting that you create an exception to continue? If so, have you looked at the additional information to determine what problems the browser has detected with the certificate? -Terence Bandoian http://www.tmbsw.com/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: ISAPI and IIS 10 Logging Issue
- On 06/10/17 22:42, Mark Thomas wrote: > On 06/10/17 16:27, Mark Thomas wrote: >>> On 10.05.2017 8:54, Thomas, Michael wrote: >>> >>> Unfortunately I am not getting much traction with Microsoft. From the IIS >>> forum, it looks like they are pointing the finger in the direction of the >>> "third-party" that is writing the module. >> >> That is consistent with my experience with MS support. Looks like you'll need to go back to MS support. > I'll look at the IIS API docs next week and see if there is something > different we should be doing in IIS 10 compared to 8.5 and earlier. I can't find anything in the IIS API docs that indicates that this has changed in IIS 10 / Windows Server 2016. I've added some debug logging and I see the following: HttpFilterProc gets called with SF_NOTIFY_LOG The JK code sees the original path [/jakarta/isapi_redirect.dll] and replaces it with the correct one - [/examples/] in my case. The JK code sees the original [] query string and replaces it with the correct one - [foo=bar] in my case. Given that this works as expected in Windows Server 2012 with exactly the same code AND that no API changes (that I can find) are documented for IIS 10 AND that debug logging shows that the expected calls are taking place AND the IIS log is not updated, all the evidence we have at the moment points squarely to an IIS 10 bug (or possibly an undocumented IIS 10 API). Sorry it wasn't better news. Mark - Thanks for looking into this! I am SO glad that I am not the only one with this issue! I am not really sure how to open up a support case with Microsoft. I will give it a shot though and see how it goes. -Mike The preceding message (including attachments) is covered by the Electronic Communication Privacy Act, 18 U.S.C. sections 2510-2512, is intended only for the person or entity to which it is addressed, and may contain information that is confidential, protected by attorney-client or other privilege, or otherwise protected from disclosure by law. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error and destroy the original message and all copies.
request for beginner's documentation on start troubleshooting
Hello I 'm quite new to tomcat and just spent one whole day because tomcat 8.5.23 was freezing at startup for about 15 minutes !!! on a virtual private server on debian (while it used to work perfectly last week). 1) it was really difficult to know where was the problem because after 15 minutes the application worked perfectly, and there was no particular error in the log 2) it was difficult to change the log level, the page http://tomcat.apache.org/tomcat-8.5-doc/setup.html does not mention how to change the logging level. The page http://tomcat.apache.org/tomcat-8.5-doc/logging.html seems too complex and written for advanced users 3) after setting log FINE I found that Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [580,051] milliseconds. Documentation for this problem is far far away in https://wiki.apache.org/tomcat/HowTo/FasterStartUp, and this page does not tell where to put the Java Option for tomcat So my suggestions are: - create a beginer's documentation separate from full feature documentation, which is too difficult to read for beginners - explain some important settings, but not everything, only important things like port 8080 in conf/server.xml, environment variables etc. - explicitely advise people to change CATALINA_OPTS=-Djava.security.egd=file:/dev/urandom to avoid starting hard problems on linux - explain how to build a very simple jsp application, what is the meaning of WEB-INF , META-INF and what to put inside - explain how deployement works in simple configuration where there is one application only. - add a download sample app that works everywhere with one JSP and one Servlet for instance. thanks. -- Riccardo Cohen +33 6 09 83 64 49 E5Group http://www.5flow.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org