On Fri, Jul 7, 2017 at 9:51 PM, Kevin Mango <[email protected]> wrote:

> -----Original Message-----
> From: André Warnier (tomcat) [mailto:[email protected]]
> Sent: Friday, July 7, 2017 4:14 AM
> To: [email protected]
> Subject: Re: Errors establishing secure connections with tomcat 8.5.15
>
> 1) don't top-post
>
> On 07.07.2017 02:39, Guang Chao wrote:
> > Sorry, the Tomcat will connect to other web applications hosted
> > somewhere else in your network? Is my understanding correct?
> >
> > On Fri, Jul 7, 2017 at 12:38 AM, Kevin Mango <[email protected]> wrote:
> >
> >> Hello,
> >>
> >> I have been working to set up Apache Tomcat 8.5.15 to establish a
> >> secure connection to web applications on our server. However, I have
> >> been having difficulties setting up this functionality.
> >>
> >> The most meaningful error we have been getting is from Firefox,
> >> "Unsupported elliptic curve. Error code: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE".
> >> We have set up Tomcat to fully debug javax.net, and from these logs it
> >> appears that the handshake is failing at the server or client key
> >> exchanges. Below is the output after reaching the server key exchange:
> >>
> >> ECDH ServerKeyExchange
> >> Signature Algorithm SHA256withRSA
> >> Server key: <key value>
> >> *** ServerHelloDone
> >> [write] MD5 and SHA1 hashes: len = 5073 <Large block of hex>
> >> https-jsse-nio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 5073
> >> [Raw write]: length = 5078 <Large block of hex>
> >> https-jsse-nio-8443-exec-1, WRITE: TLSv1.2 Handshake, length = 5073
> >> [Raw write]: length = 5078 <Large block of hex>
> >> [Raw read]: length = 2 <small block of hex> <Large block of hex>
> >> https-jsse-nio-8443-exec-5, READ: TLSv1.2 Alert, length = 2
> >> https-jsse-nio-8443-exec-5, RECV TLSv1.2 ALERT: fatal, illegal_parameter
> >> https-jsse-nio-8443-exec-5, fatal: engine already closed. Rethrowing
> >> javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
> >> https-jsse-nio-8443-exec-5, fatal: engine already closed. Rethrowing
> >> javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
> >> https-jsse-nio-8443-exec-5, called closeOutbound()
> >> https-jsse-nio-8443-exec-5, closeOutboundInternal()
> >> https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT: warning, description = close_notify
> >> https-jsse-nio-8443-exec-5, WRITE: TLSv1.2 Alert, length = 2
> >> ------------------------------------------------------------
> >>
> >> There isn't any error output from stderr, only standard print statements.
> >> The ciphersuite that is chosen is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
> >> Below are some details about the machine we are running tomcat on:
> >>
> >> Windows Server 2012 R2 64 bit
> >> 16gb ram
> >> 2.2ghz intel xeon cpu
> >> Java 1.8.131
> >>
> >> Here is the connector in our server.xml file:
> >>
> >> <Connector port="8443"
> >>            protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>            maxThreads="200"
> >>            scheme="https" secure="true" SSLEnabled="true"
> >>            defaultSSLHostConfigName="<hostname>" >
> >>     <SSLHostConfig
> >>         hostname="<hostname>"
> >>         protocols="TLSv1.2"
> >>         sslProtocol="TLSv1.2">
> >>         <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
> >>                      certificateKeystorePassword="<password>"
> >>                      certificateKeystoreType="PKCS12"
> >>                      type="RSA"/>
> >>     </SSLHostConfig>
> >> </Connector>
> >>
> >> Some additional notes:
> >>
> >> 1. The server we are running this on is internal and therefore
> >>    can't be accessed outside our network
> >> 2. The web browser on the machine is unable to access the web
> >>    application locally due to our network security
> >> 3. I am able to connect via http to the web apps
> >>
> >> Any assistance that could be provided in this matter would be greatly
> >> appreciated.
> >>
> >> Thank you,
> >> Kevin
> >>
>
> 2) One thing which you could/should try first, is to look at the Tomcat
> User's list archives.
> See : http://tomcat.apache.org/lists.html -> tomcat users -> archives
> There is a considerable amount of correspondence there related to such
> themes, and the answer you are looking for is probably already there.
>
> @Guang Chao
> No, the web apps are installed in the tomcat webapps folder. I am able to
> access these web apps through http, but when trying to connect through
> https it fails to connect with ssl errors, with Firefox's unsupported
> elliptical curve error being the most meaningful.

I am not sure if I have mentioned earlier, very sorry if I already did.
But how about using a reverse proxy? Could be easier to install ssl on
nginx, then have nginx between your browser and tomcat?

> @André Warnier
> I will look through the archive and see if I can find anything helpful.
> Thank you.

--
Guang <http://javadevnotes.com/java-left-pad-string-with-zeros-examples/>
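The debug log quoted in the thread stops at the server's ECDH ServerKeyExchange, after which the client answers with a fatal illegal_parameter alert and Firefox reports SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE. The Python below is an added diagnostic example, written for this page; it is not code from the thread, from Tomcat or from JSSE. It parses the TLS 1.2 ECDHE ServerKeyExchange body and the ClientHello supported_groups extension (RFC 5246 / RFC 8422 layouts) and reports whether the curve the server picked was one the client actually offered, which is the consistency check a defender would run on a capture before touching the connector. It generalises past the single handshake in the log to any named-curve ServerKeyExchange. The function names (build_ske, diagnose, demo), the group-id table (a subset of the IANA registry) and every byte string are my own constructions, not values taken from the thread.

```python
"""Added diagnostic, not part of the thread: parse a TLS 1.2 ECDHE ServerKeyExchange
body (RFC 5246 / RFC 8422 layout) and check whether the named curve the server
picked was in the client's supported_groups list.  In the JSSE debug log quoted
above the server writes "ECDH ServerKeyExchange" (SHA256withRSA) and the client
replies with a fatal illegal_parameter alert; Firefox reports the same failure as
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE.  All byte strings here are constructed."""
import struct

# Subset of the IANA TLS Supported Groups registry (RFC 8422 names).  The
# constructed samples below use 23/24/25/29 (a typical browser list) and 1.
NAMED_GROUPS = {
    1: "sect163k1", 19: "secp192r1", 21: "secp224r1",
    23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
    29: "x25519", 30: "x448",
}


def parse_supported_groups(ext_data: bytes) -> list:
    """Body of the ClientHello supported_groups extension:
    uint16 list length, then one uint16 group id per entry."""
    (length,) = struct.unpack("!H", ext_data[:2])
    if length != len(ext_data) - 2 or length % 2:
        raise ValueError("malformed supported_groups extension")
    return list(struct.unpack("!%dH" % (length // 2), ext_data[2:]))


def build_ske(named_curve: int, point: bytes, signature: bytes,
              hash_alg: int = 4, sig_alg: int = 1) -> bytes:
    """Constructed ECDHE ServerKeyExchange body for tests: ECParameters
    (curve_type=3 named_curve, uint16 id), ECPoint (uint8 len + point),
    SignatureAndHashAlgorithm (4,1 == sha256/rsa == SHA256withRSA in the log),
    then uint16 signature length + signature.  Signature bytes are placeholders."""
    return (b"\x03" + struct.pack("!H", named_curve)
            + bytes([len(point)]) + point
            + bytes([hash_alg, sig_alg])
            + struct.pack("!H", len(signature)) + signature)


def parse_ecdhe_server_key_exchange(body: bytes) -> dict:
    """Inverse of build_ske; rejects explicit-curve encodings and truncation."""
    if len(body) < 4 or body[0] != 3:          # only named_curve is supported
        raise ValueError("unexpected or truncated ECParameters")
    (named_curve,) = struct.unpack("!H", body[1:3])
    point_len = body[3]
    point = body[4:4 + point_len]
    off = 4 + point_len
    if len(body) < off + 4 or len(point) != point_len:
        raise ValueError("truncated ECPoint or signature header")
    hash_alg, sig_alg = body[off], body[off + 1]
    (sig_len,) = struct.unpack("!H", body[off + 2:off + 4])
    signature = body[off + 4:off + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return {"named_curve": named_curve,
            "curve_name": NAMED_GROUPS.get(named_curve, "unknown(%d)" % named_curve),
            "public_point": point, "hash_alg": hash_alg, "sig_alg": sig_alg,
            "signature": signature}


def diagnose(client_groups: list, ske: dict) -> str:
    """One-line verdict: a server that picks a curve the client never offered
    should expect exactly the illegal_parameter alert seen in the thread."""
    if ske["named_curve"] in client_groups:
        return "ok: server chose %s, which the client offered" % ske["curve_name"]
    offered = ", ".join(NAMED_GROUPS.get(g, str(g)) for g in client_groups)
    return ("mismatch: server chose %s but client offered only [%s]; "
            "client will abort with illegal_parameter" % (ske["curve_name"], offered))


def demo() -> tuple:
    """Constructed ClientHello groups (secp256r1, secp384r1, secp521r1, x25519)
    against two constructed ServerKeyExchange messages, one matching and one not."""
    client = parse_supported_groups(b"\x00\x08\x00\x17\x00\x18\x00\x19\x00\x1d")
    point = b"\x04" + b"\x11" * 64             # uncompressed P-256 point, fake coords
    good = parse_ecdhe_server_key_exchange(build_ske(23, point, b"\xaa" * 256))
    bad = parse_ecdhe_server_key_exchange(
        build_ske(1, b"\x04" + b"\x22" * 42, b"\xbb" * 256))
    return diagnose(client, good), diagnose(client, bad)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real capture you would feed parse_supported_groups the extension body from the ClientHello and parse_ecdhe_server_key_exchange the handshake body that follows the 4-byte handshake header of the ServerKeyExchange; the "mismatch" verdict is the condition under which a client is required to reject the parameters, which is what the illegal_parameter alert in the log records.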
