Christopher,

Thanks for the help. I will log this in Bugzilla shortly.

-parag

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Saturday, February 05, 2011 4:06 AM
To: Tomcat Users List
Subject: Re: Nio Connector and self signed SSL certificate giving "No client certificate chain in this request"


Parag,

On 2/4/2011 5:04 AM, Parag Thakur wrote:

> When I try to access a secure URL (e.g. /secure/foo.do) from a java
> program using apache httpclient library (where the client is configured
> to use "C:\keys\webserver.keystore" as the truststore and
> "C:\keys\client.keystore" as the keystore), I get the following response
> from the tomcat server:
> 
> "This request requires HTTP authentication (No client certificate chain
> in this request)."
> 
> Tomcat's log shows the following stack trace:
> 
> 2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception getting SSL attributes
> java.lang.NullPointerException
>       at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)

[snip]

> Oddly, the same program works if I use 
> org.apache.coyote.http11.Http11Protocol instead of 
> org.apache.coyote.http11.Http11NioProtocol.

That looks like a problem. Can you build a minimal test case (nearly
empty webapp with CLIENT-CERT authentication) and include a server.xml
file as well as keystore and truststore that can demonstrably work in
the BIO connector and fail in the NIO one? If so, please log this in
Bugzilla and attach all of the above.

> Secondly, for Http11Protocol, I used to be able to specify a list of
> "ciphers" in the Connector configuration to prevent weak ciphers being
> used. E.g.
> 
> ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5"
> 
> However, the same does not seem to work with the Http11NioProtocol, and
> I get the following in tomcat's logs:
> 
> 2011-02-04 15:09:12 SEVERE:  #{11} [NioEndpoint.setSocketOptions] 
> java.lang.IllegalArgumentException: Cannot support
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers

See http://markmail.org/message/zn4namfhypyxum23 for code that will show
you what ciphers are available for your environment. Perhaps you really
are using an unsupported cipher.

-chris
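One way to run the check Chris points at, as an added example (not the code in the linked message and not part of Tomcat): it lists the suites the local JSSE provider supports and flags any name in a Connector-style `ciphers` list that would trip the "Cannot support ... with currently installed providers" error seen above. The CONFIGURED value is a subset of Parag's list; pass a different comma-separated list as the first argument to test your own.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

/**
 * Added example, not code from the thread or from Tomcat. Compares a Tomcat-style
 * "ciphers" attribute against what this JVM's JSSE provider can actually negotiate.
 */
public class CipherCheck {

    /** Subset of the ciphers list quoted in the thread; used when no argument is given. */
    static final String CONFIGURED =
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,"
        + "SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA";

    /** Every suite the default SSLContext can be configured to use. */
    static Set<String> supportedSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return new TreeSet<String>(Arrays.asList(
            ctx.getSupportedSSLParameters().getCipherSuites()));
    }

    /** Suites enabled out of the box (a subset of the supported ones). */
    static Set<String> enabledByDefault() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return new TreeSet<String>(Arrays.asList(
            ctx.getDefaultSSLParameters().getCipherSuites()));
    }

    /** Names in the configured list the provider does not know; empty means the list is deployable here. */
    static Set<String> unsupported(String configured, Set<String> supported) {
        Set<String> missing = new LinkedHashSet<String>();
        for (String name : configured.split(",")) {
            String suite = name.trim();
            if (!suite.isEmpty() && !supported.contains(suite)) {
                missing.add(suite);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = supportedSuites();
        System.out.println("Supported by this JVM (" + supported.size() + "), enabled by default marked *:");
        Set<String> enabled = enabledByDefault();
        for (String s : supported) System.out.println((enabled.contains(s) ? "  * " : "    ") + s);
        Set<String> missing = unsupported(args.length > 0 ? args[0] : CONFIGURED, supported);
        if (missing.isEmpty()) {
            System.out.println("All configured ciphers are supported here.");
        } else {
            System.out.println("Not supported here (NioEndpoint.setSocketOptions would reject these):");
            for (String s : missing) System.out.println("    " + s);
        }
    }
}
```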
