-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Peter,
On 12/22/16 12:52 PM, Peter Wallis wrote: > Ahh! changed the server.xml entries to 8443 tried: openssl s_client > -connect 192.168.1.149:8443 and got: CONNECTED(00000003) > 3074541192:error:140790E5SSL routhines:SSL23_WRITE:ssl handshake > failure:s23_lib.c:177: --- no peer certificate available --- No > client certificate CA names sent --- SSL handshake has read 0 bytes > and written 295 bytes --- New, (NONE), Cipher is (ONE) Secure > Renegotiation IS NOT supported Compression: NONE Expansion: NONE > --- > > That might mean something (note I retyped it from a ssh connection > after a stiff drink so there may be typos) Perfect. The problem is that openssl s_clinent defaults to an SSLv2 "hello" handshake and not a TLS handshake, which is more appropriate in this day and age. Try this: $ openssl s_client -tls1 -connect 192.168.1.149:8443 - -chris > On 22 December 2016 at 16:27, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > Peter, > > On 12/22/16 11:03 AM, Peter Wallis wrote: >>>> Hi Christopher, re 443 on *nix; yes, set AUTHBIND='yes' in >>>> /etc/defaults/tomcat8 > > Okay. Are you sure you've got that configured properly? Try > changing port 443 to 8443 in server.xml and bouncing Tomcat. Let's > try to solve one problem at a time. > >>>> re openssl s_client -connect on a different machine; it times >>>> out >>>> >>>> Did have a thought -- one that might not be obvious to you >>>> experts -- I am serving that page via No-IP dynamic dns. >>>> Their support people are "cagey" about whether this works or >>>> not (they don't answer the question and suggest I buy an >>>> upgraded service) I believe people who know what they are >>>> doing just run their own dns using unbound? If that makes no >>>> sense, please ignore; I don't know what I'm talking about but >>>> it seems we are looking for something I've done that is >>>> weird. > > Let's try this: what's the actual IP address of your pi? > 192.168.0.10 or somesuch? > > Change your port from 443 -> 8443 and then try this: > > $ openssl s_client -connect 192.168.0.10:8443 > > If that connects and shows the cert, then your TLS configuration > is correct. It will complain about the hostname (IP address) not > matching the cert's CN, but that's okay). > > Since you have lots of moving parts, let's find out what's working > first and then fix whatever problems remain. > > -chris > >>>> On 22 December 2016 at 15:38, Christopher Schultz < >>>> ch...@christopherschultz.net> wrote: >>>> >>>> Peter, >>>> >>>> On 12/22/16 2:43 AM, Peter Wallis wrote: >>>>>>> Hi Christopher, so it seems I have done something >>>>>>> exceptional :-) Thanks for taking a look... >>>>>>> >>>>>>> <Connector port="443" >>>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol" >>>>>>> maxThreads="150" SSLEnabled="true" scheme="https" >>>>>>> secure="true" keystoreFile="/home/peter/.keystore" >>>>>>> alias="tomcat" keystorePass="changeit" >>>>>>> clientAuth="false" sslProtocol="TLS" /> >>>> >>>> This looks fine except for one thing: you are using port 443 >>>> on a *NIX system which requires you to either run as root >>>> (bad) or make other arrangements. Have you made such >>>> arrangements? >>>> >>>>>>> Keystore type: JKS Keystore provider: SUN >>>>>>> >>>>>>> Your keystore contains 2 entries >>>>>>> >>>>>>> Alias name: gandi Creation date: 21-Dec-2016 Entry >>>>>>> type: trustedCertEntry >>>> >>>> Okay, that's your CA. >>>> >>>>>>> Alias name: tomcat Creation date: 21-Dec-2016 Entry >>>>>>> type: trustedCertEntry >>>> >>>> Okay, that's presumably your server's cert. >>>> >>>>>>> Owner: CN=alexa.proseco.co.uk, OU=Gandi Standard SSL, >>>>>>> OU=Domain Control Validated >>>> >>>> If that's your site name (alexa.proseco.co.uk) this looks >>>> good. >>>> >>>> What happens if you do this from the outside (e.g. not on the >>>> pi itself) : >>>> >>>> $ openssl s_client -connect alexa.proseco.co.uk:443 >>>> >>>> -chris >>>>> >>>>> ------------------------------------------------------------------ - --- >>>>> >>>>> > >>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>> For additional commands, e-mail: >>>>> users-h...@tomcat.apache.org >>>>> >>>>> >>>> >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYXB5uAAoJEBzwKT+lPKRY+ZYP/1faZ00ji63QXmcx4aKC/6IM F++ivxg+QaDivCcPmQn4oYKYXyy/Yhq0eEvj7EyyQ0OVEEqJv5f/WwpW1uOEmz5E Lx8KI+ZNwQiDRy2VqSUkhUV09sodDVanX2BCpY0VGfy8fbtRHJfZbcTf3xUH+j/D ofeG7NbuWIrD8NRLvL4wPRv2jDhkLMPQ5tw6JcghLFkMS6/CzOELS4UpaMlI1Iel nYBFlFpL8e+c0r6OU+jiwBMnn1sOuqe96mxN8gj9O7QJ0wlXZocoTOf/AptPWI08 NlZ5L1R2jfKT7ZInMSDVw4PNTYLUMiZV24YYCccS3X4qR+tCPWrahU1yb4npyuOI srWRJBMNXyeedIo6UO8bVHdnZGSs3NsmSnXAXuBAGtpuAqW+Mw6R9YPvQ4OC5eJR bva7AlJ19n8qJQRItWZPTWLOZKlBMz/BOqV1TedVZDjiZonHLhMwJTBiRipKH4ay tu3W9sa0rYGrOIDH5spwdve3AXqwRDlUccs9VtGhxRAalpwWSP+nZHMgyUGYm8sV lYdU6tMXJIPGGzeBPh3POPKTylG6WCYPm7MHW55TIEO0woUKyPdZGjSDraB6stKU +anWglr5snrcdFcmiCdKZikpz3vdDBc9vpimMhEWqDmjhs5M1RqlHnwfdPGoElJF N40qXw5NkfyZZ+/jQrds =ljgn -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
