Арсений,

On 6/2/14, 10:24 AM, Арсений Зинченко wrote:
> Hi.
>
> Faced with very odd behavior of Tomcat 7...
>
> Have two instances on same box - Tomcat 5.5 and Tomcat 7.
>
> Both have same configuration - first from 5.5:
>
> <Connector port="${port.https}" maxHttpHeaderSize="8192"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true" acceptCount="100"
>            scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
>            keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
>            keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
>            truststorePass="pass" />
>
> Next - from 7.0:
>
> <Connector port="${port.https}" protocol="HTTP/1.1"
>            SSLEnabled="true" enableLookups="false"
>            disableUploadTimeout="true" scheme="https" secure="true"
>            clientAuth="want" sslProtocol="TLS"
>            keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
>            keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
>            truststorePass="pass" />
>
> Also - both configured for CLIENT-CERT authentication (same
> application with same web.xml).
>
> In browser installed cert, but - when I'm trying open connection
> to 7 Tomcat - I got 401 - Cannot authenticate with the provided
> credentials and no authentication attempt in log:
>
> 10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] "GET /service/ HTTP/1.1" 401 1049
>
> But connection to 5.5 - successful with same browser && certificate.
>
> Also, in ssldump I see that browser can't make "handshake" with 7.0
> server:
>
> 1 2  0.0317 (0.0308)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3
>           cb 74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76
>         cipherSuite         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>         compressionMethod                   NULL
>       Certificate
>       ServerKeyExchange
>       CertificateRequest
>         certificate_types   rsa_sign
>         certificate_types   dss_sign
>         certificate_authority
>           30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
>           10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77
>           6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76
>           31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66
>           74 31 0c 30 0a 06 03 55 04 0b 13 03 4c 4d 53 31
>           13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68
>           65 6e 6b 6f
>         certificate_authority
>           30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
>
> // and that's all
>
> But on 5.5 - everything OK:
>
> 1 2  0.0213 (0.0195)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68
>           0d 1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f
>         cipherSuite         TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>         compressionMethod                   NULL
>       Certificate
>       ServerKeyExchange
>       ServerHelloDone
> 1 3  0.0256 (0.0042)  C>S  Handshake
>       ClientKeyExchange
>         DiffieHellmanClientPublicValue[96]=
>           4a 39 5e f5 2a c1 58 13 6b 7c 98 0b 44 d7 9a 42
>           bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5
>           81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67
>           1f 4e 18 01 db f2 9d 07 0b 81 12 39 64 62 83 84
>           78 dc 36 9b 00 34 f5 34 44 2d 92 eb d9 f6 b0 7e
>           c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e
>
> What I'm doing wrong?

Anything in the catalina.out or other log files in logs/* ?

Are both Tomcats running on the same server?

In the Tomcat 7 case, does ssldump tell you whether the S>C has hung?
Can you tell if the TCP message is incomplete?

Can you get a thread dump on the Tomcat 7 side?

The configuration itself looks okay to me.

-chris
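The Tomcat 7 trace above stops inside the CertificateRequest, and the only readable part of that message is the list of `certificate_authority` DER blobs the server advertises; a browser will only offer a client certificate whose chain leads to one of those names. As an added example (not code from this thread, and not Tomcat's own), here is a small standard-library Python decoder for those X.501 Name blobs. The two hex strings are copied from the ssldump output quoted above; the second one is cut off in the trace, and the decoder reports that instead of silently returning a partial name.

```python
"""Decode the X.501 Name DER blobs that ssldump prints under
'certificate_authority' in a TLS CertificateRequest.

Added example, not code from the thread. Uses only the standard library
and a hand-written DER walker (RFC 5280 Name: SEQUENCE OF SET OF
AttributeTypeAndValue). Input bytes are copied from the ssldump trace
quoted in the thread; the second entry is truncated there.
"""

# Attribute-type OIDs that appear in typical Java keytool DNs.
OID_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
}

# Copied from the first certificate_authority entry in the Tomcat 7 trace.
CA1_HEX = (
    "30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31 10 30 0e 06 03 55 04 08"
    " 13 07 55 6e 6b 6e 6f 77 6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76"
    " 31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55"
    " 04 0b 13 03 4c 4d 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68"
    " 65 6e 6b 6f"
)
# The second entry as it appears in the trace, cut off after 16 bytes.
CA2_HEX = "30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31"


class Truncated(ValueError):
    """Raised when the DER blob ends before the structure it announces."""


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise Truncated(f"need tag and length at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if pos + n > len(buf):
            raise Truncated(f"length octets cut off at offset {pos}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise Truncated(f"tag 0x{tag:02x} at offset {pos} announces {length} "
                        f"bytes but only {len(buf) - pos} remain")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OID content octets into dotted form, e.g. 55 04 06 -> 2.5.4.6."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Decode a DER Name into an RFC 4514-style string, RDNs in DER order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got tag 0x{tag:02x}")
    parts, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError(f"expected SET (0x31) for RDN, got 0x{set_tag:02x}")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)       # AttributeTypeAndValue
            _, oid_raw, after_oid = _read_tlv(atv, 0)   # OBJECT IDENTIFIER
            _, val_raw, _ = _read_tlv(atv, after_oid)   # PrintableString/UTF8String
            oid = _decode_oid(oid_raw)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val_raw.decode('utf-8')}")
    return ", ".join(parts)


def describe_ca_entries(hex_entries):
    """Decode each certificate_authority dump; a cut-off entry yields a
    diagnostic string instead of aborting the whole list."""
    out = []
    for hexdump in hex_entries:
        der = bytes.fromhex(hexdump)
        try:
            out.append(decode_name(der))
        except Truncated as exc:
            out.append(f"<truncated after {len(der)} bytes: {exc}>")
    return out


if __name__ == "__main__":
    for line in describe_ca_entries([CA1_HEX, CA2_HEX]):
        print(line)
```

The decoded names are what you compare against the issuer of the certificate installed in the browser (for example from `keytool -list -v` on the trust store behind `truststoreFile`): if the issuer chain does not end in one of the advertised names, the browser never sends a Certificate message and the request falls through to the 401 seen in the access log. The truncation report for the second entry mirrors the question Chris asks above, namely whether the message on the wire is itself incomplete.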