Re: strange ssl tomcat response

2006-12-14 Thread Tsirkin Evgeny

I have done yet another try, now on a Windows machine.
The same problem!
Here are the steps to reproduce:
[1] Do a regular (vanilla) installation of tomcat (Linux and Windows I have
already tried).
[2] Set up SSL:
Uncomment the SSL setup in server.xml and create a key with the following:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
or
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
(taken from tomcat's manual)
Add the keystorePass and keystoreFile to server.xml,
start tomcat and test whether SSL works.
[3] Try this in a browser:
http://localhost:8443 (note the http, not the https)
or
telnet localhost 8443
Note that the telnet should be done from a terminal that can show binary
output
(rxvt and xterm will NOT do; for me gnome-terminal and cmd on Windows worked).
In the telnet session you will get a connection; type something, hit ENTER
and you will get strange bits in the response.
If you are doing this in a browser it will just try to download those bits
(Mozilla) or show them on the screen (IE).
I am pretty sure that this is NOT valid behaviour.
I have tried all this on:
tomcat 5.5.20
java 1.5.0_09
and
same tomcat
java 1.5.0_06
both Linux and Windows.
Now I am pretty sure this is a tomcat problem, not sure which versions.
I need somebody except me to reproduce this before asking developers.
Anybody?
Thanks.
P.S. Hassan, could you please do this? Just try it with firefox/ie and another
terminal?
Evgeny.


Re: strange ssl tomcat response

2006-12-14 Thread Martin Heiden
Hi!

> http://localhost:8443 (note the http not the https)
> I am pretty sure that this is NOT valid behaviour.

Why do you think so? I think that tomcat will initialise the SSL
negotiation. Client and server have to exchange the keys. If you do
not tell the browser that it has to do this negotiation (you tell it
that it is an http connection, not https!) it just wants to display the
machine-readable initialisation of the SSL negotiation.

I tried the same on a Websphere server over here and it behaves the
same way as tomcat.

It's pretty valid!

regards

  Martin.






-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: strange ssl tomcat response

2006-12-14 Thread Tsirkin Evgeny

On 12/14/06, Martin Heiden [EMAIL PROTECTED] wrote:

> It's pretty valid!

I don't think so. Just checked out the TLS RFC and found this (TLS ver. 1.0):

  These goals are achieved by the handshake protocol, which can be
  summarized as follows: The client sends a client hello message to
  which the server must respond with a server hello message, or else a
  fatal error will occur and the connection will fail. The client hello
  and server hello are used to establish security enhancement
  capabilities between client and server. The client hello and server
  hello establish the following attributes: Protocol Version, Session
  ID, Cipher Suite, and Compression Method. Additionally, two random
  values are generated and exchanged: ClientHello.random and
  ServerHello.random.

As I see this, if the client does not send a hello message then the server
should drop the connection. So, if I am pointing my browser to the SSL port
using the http scheme, the connection should be dropped.
I think that most (non-java at least) servers work this way; just try to
telnet to the SSL port of, say, gmail, and you get nothing.
I of course could be wrong, and that is for developers to decide. However,
what I am looking to be sure of is that the strange bits are actually the
server hello and not a bug/not cleaned buffer/security problem.
However, if I understand correctly you can reproduce my results?
Is that right? Do you use the same version of tomcat? JVM?
Thanks for the response.
Evgeny.







Re: strange ssl tomcat response

2006-12-14 Thread Hassan Schroeder

Yes, trying this (http://localhost:8443) with FF results in a prompt to
download a BIN file, which turns out to be:

prompt od -a ldlepaov\(2\).bin
000 nak etx soh nul stx stx  nl
007

I'll leave interpretation of the correctness of that to you :-)

--
Hassan Schroeder  [EMAIL PROTECTED]

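Decoding Hassan's od output above as a TLS record (an added example, not code from the thread or from Tomcat): the seven bytes are a record of content type 21 (alert), version 3.1 (TLS 1.0), length 2, carrying alert level 2 (fatal) and description 10 (unexpected_message), the alert RFC 2246 defines for input that is not a valid protocol message, so they are a protocol alert rather than a leaked buffer. The od -a dump embedded below is copied from Hassan's post; the function names are my own.

```python
"""Decode the bytes Tomcat's SSL port sent in reply to plain-text input.

Added example, not from the thread: it turns the `od -a` dump Hassan posted
back into bytes and parses them as a TLS record-layer message.
"""
import struct

# Names `od -a` prints for the 33 ASCII control characters (0x00..0x20) plus 0x7f.
OD_NAMES = ("nul soh stx etx eot enq ack bel bs ht nl vt ff cr so si "
            "dle dc1 dc2 dc3 dc4 nak syn etb can em sub esc fs gs rs us sp").split()
OD_NAME_TO_BYTE = {name: i for i, name in enumerate(OD_NAMES)}
OD_NAME_TO_BYTE["del"] = 0x7F

# TLS record-layer content types (RFC 2246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# AlertLevel and a subset of AlertDescription values (RFC 2246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
                      70: "protocol_version", 80: "internal_error", 90: "user_canceled"}


def od_a_to_bytes(dump: str) -> bytes:
    """Turn `od -a` text (octal offset followed by character names) back into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        for token in fields[1:]:  # first field is the octal offset; the last line has only that
            if token in OD_NAME_TO_BYTE:
                out.append(OD_NAME_TO_BYTE[token])
            elif len(token) == 1:  # printable characters are shown as themselves
                out.append(ord(token))
            else:
                raise ValueError(f"unrecognised od -a token {token!r}")
    return bytes(out)


def parse_tls_record(data: bytes) -> dict:
    """Parse one TLS record header and, for a two-byte alert body, the alert itself."""
    if len(data) < 5:
        raise ValueError("too short for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    rec = {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "version": f"{major}.{minor}", "length": length}
    if ctype == 21 and length == 2:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
    return rec


# Constructed from Hassan's post: `od -a` of the file Firefox offered to download.
HASSAN_OD_DUMP = """\
000 nak etx soh nul stx stx  nl
007
"""


def decode_hassan_dump() -> dict:
    """Decode the dump above; returns an alert record: fatal, unexpected_message."""
    return parse_tls_record(od_a_to_bytes(HASSAN_OD_DUMP))


if __name__ == "__main__":
    print(od_a_to_bytes(HASSAN_OD_DUMP).hex())
    print(decode_hassan_dump())
```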



RE: strange ssl tomcat response

2006-12-14 Thread Andrew Friebel
Thanks Chuck.

It is clear that I am still a little behind the times.

Regards,
Andrew



RE: strange ssl tomcat response

2006-12-13 Thread Caldarale, Charles R
> From: Tsirkin Evgeny [mailto:[EMAIL PROTECTED]
> Subject: strange ssl tomcat response
>
> Hope this will not be posted twice.

If you don't provide basic information, it will have to be.

1) What version of Tomcat?
2) What JVM (vendor and level)?
3) What OS?
4) Do you have APR installed?  (SSL is configured quite differently with
APR.)

>  <Service name="Catalina">
>    <Connector port="8443" maxHttpHeaderSize="8192"
> <snip>
>    clientAuth="false" sslProtocol="SSL"

Note the following from the doc:

sslProtocol: The encryption/decryption protocol to be used on this
socket. It is not recommended to change this value if you are using
Sun's JVM. It is reported that IBM's 1.4.1 implementation of the TLS
protocol is not compatible with some popular browsers. In this case, use
the value SSL.

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Whether or not the above is applicable depends on the basics you didn't
tell us.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




Re: strange ssl tomcat response

2006-12-13 Thread Tsirkin Evgeny

Thanks for the reply!
Sorry for not providing basic information.
This is tomcat 5.5 with Sun's
java version 1.5.0_09
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Server VM (build 1.5.0_09-b03, mixed mode)
running on Linux SuSE (but I have installed it manually, getting apache's
tomcat, not SuSE's one, which is pretty old).
About APR: I really don't know if it is installed; however, this is a
manually compiled apache and, as I already mentioned, a manually installed
tomcat, so I guess it is not.
If you tell me how to check this I will know for sure.
Thanks for the answer!
Hope you will be able to help me.
Evgeny.

On 12/13/06, Caldarale, Charles R [EMAIL PROTECTED] wrote:

> > From: Tsirkin Evgeny [mailto:[EMAIL PROTECTED]
> > Subject: strange ssl tomcat response
> >
> > Hope this will not be posted twice.

My first post did not work, so I was afraid that I am posting twice.





Re: strange ssl tomcat response

2006-12-13 Thread Christopher Schultz

Evgeny,

Tsirkin Evgeny wrote:
> I have set up a tomcat to listen to ssl on 8443 port. When i use
> url https://myhost:8443/ everything works fine.
>
> However when pointing my browser to http://myhost:8443/ I am getting
> strange response.

What did you expect? When you try to use HTTP to communicate with an
HTTPS service, it's simply not going to work.

Why would you try to use an http:// URL instead of https:// ?

- -chris




Re: strange ssl tomcat response

2006-12-13 Thread Tsirkin Evgeny

I don't expect it to work.
I expect it to return either a 404 or 500 http status (maybe any other) or
nothing.
Try this:
telnet mail.google.com 443
You will get a connection; however NOTHING will be returned.
Now, I am trying an ssl connection to tomcat:
telnet myhost 8443
and getting the strange bits.
^U^C etc...
I don't think that is valid. So, since I don't (currently) think that this
is a tomcat problem - I think that this is a problem in my setup,
I am trying to get help to fix it.
Basically that can be checked in a very simple manner:
try to set up ssl for a tomcat and then telnet to it (port 8443).
Do you get any response?
[1] If no, that is a problem in my configuration (and please help me correct
it; I will resend it if needed),
[2] If yes, that is a problem in tomcat.
I will be very thankful if you could help me with this.
(I will try it myself when I get a machine to do it).
As for why I did that in the first place:
I am trying to set up a production server and am a bit worried about security.
Thanks for the response.
Evgeny.






Re: strange ssl tomcat response

2006-12-13 Thread Hassan Schroeder

On 12/13/06, Tsirkin Evgeny [EMAIL PROTECTED] wrote:

> Basically that can be checked in a very simple manner:
> try to setup ssl for a tomcat and then telnet to it (8443 port).
> Do you get any response?

Just tried on a 5.5.9 non-APR system -- no response :-)

> [1] If no that is problem in my configuration

The Connector on the test system above is configured with
   sslProtocol="TLS"
so you might consider Chuck's suggestion for starters...

--
Hassan Schroeder  [EMAIL PROTECTED]




Re: strange ssl tomcat response

2006-12-13 Thread Tsirkin Evgeny

On TLS I am getting the same result.
How do I check for APR existence?
Chuck suggested that this is the problem.
However, I don't know where to look.
I am using 5.5.20; could that be a problem?
Thanks.
Evgeny.





Re: strange ssl tomcat response

2006-12-13 Thread Tsirkin Evgeny

Hassan, just a thought:
when connecting via telnet I am first getting an empty response,
typing in some character, and only then I am getting the bits.
Is that what you tried?
-
telnet localhost 8443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
kfglfkmvlf

Connection closed by foreign host.
-
The strange response bits are what I got here just before Connection
closed.
Thanks again.
Evgeny.






Re: strange ssl tomcat response

2006-12-13 Thread Hassan Schroeder

On 12/13/06, Tsirkin Evgeny [EMAIL PROTECTED] wrote:

> when connecting via telnet  i am first getting  an empty  response
> typing in some character and  only then i am getting the bits.

> The strange response bits are what i got here just befor Connection
> closed.

No, if I enter something after the "Escape character is '^]'." line the
result is a blank line and connection closed.

--
Hassan Schroeder  [EMAIL PROTECTED]




RE: strange ssl tomcat response

2006-12-13 Thread Caldarale, Charles R
> From: Tsirkin Evgeny [mailto:[EMAIL PROTECTED]
> Subject: Re: strange ssl tomcat response
>
> How do i check for an APR existens ?

Since this is a Linux box and you did not explicitly build and install
it, it's extremely unlikely that you have it.

 - Chuck





Re: strange ssl tomcat response

2006-12-13 Thread Tsirkin Evgeny

OK. I have done another try:
I tried a clean installation of tomcat with a default config (just
uncommented the ssl lines).
The same problem.
So, that could be a problem in
[1] this particular version:
tomcat 5.5.20
java version 1.5.0_09
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Server VM (build 1.5.0_09-b03, mixed mode)
Linux SuSE
[2] my machine (firewall?).
Does anybody have something similar to my installation (or can easily create
one) and help me out here?
I need to check if this particular version of tomcat (jvm), when set up for
ssl, responds with strange bits when telneting to the ssl port.
Anybody please?
Evgeny.





Re: strange ssl tomcat response

2006-12-13 Thread Hassan Schroeder

On 12/13/06, Tsirkin Evgeny [EMAIL PROTECTED] wrote:

> tomcat 5.5.20

I remembered I had a vanilla install of 5.5.20 not yet in use, so I
uncommented the https connector and created a keystore

> java version 1.5.0_09

/me == 1.5.0_06 on this machine

> Linux SuSe

/me == SuSE 10.0

So, pretty close :-)

> I need to check if this particular version of tomcat (jvm) when set up for
> ssl
> response with strange bits when telneting to the ssl port.

... and same as before, only a blank line response/close connection.

FWIW!
--
Hassan Schroeder  [EMAIL PROTECTED]




RE: strange ssl tomcat response

2006-12-13 Thread Andrew Friebel
Hassan,
Your emails refer to the use of the Java Runtime Environment.
This is going to seem like a dumb question, but are you running the SDK
or RTE with tomcat?  You need to be running the SDK.

I am pretty sure that tomcat won't start without the SDK, but it is worth
double checking.

Regards,
Andrew




RE: strange ssl tomcat response

2006-12-13 Thread Caldarale, Charles R
> From: Andrew Friebel [mailto:[EMAIL PROTECTED]
> Subject: RE: strange ssl tomcat response
>
> This is going to seem like a dumb question, but are you
> running the SDK or RTE with tomcat?  You need to be
> running the SDK.

Your information is out of date, as a cursory look at the 5.5 docs would
tell you.  5.5 runs quite happily on a JRE, since it no longer uses the
javac compiler classes from tools.jar (which is the only part of the SDK
that older levels required).

 - Chuck

