Hi all,

Any insights please.

Thanks,
Madhan

On Thu, 4 Jun, 2020, 11:12 pm Madhan Raj, <madhanra...@gmail.com> wrote:

> Hi Christopher,
>
> Yes, you are correct: I can only complete a handshake with the RSA cert, not the
> ECDSA cert. When I try to connect with ECDSA ciphers using s_client, negotiation
> fails.
> Madhan
>
> On Thu, Jun 4, 2020 at 12:41 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>>
>> Madhan,
>>
>> On 6/3/20 21:08, Madhan Raj wrote:
>> > OS: CentOS 7.6.1810 (Core)
>> >
>> > The connector below doesn't load my EC keystore, whereas it works with
>> > RSA. Any insights please.
>>
>> When you say "doesn't load", what do you mean? Possible reasonable
>> responses are:
>>
>> 1. I can only complete a handshake with RSA cert, not ECDSA cert
>> 2. Error message (please post)
>> 3. JVM crashes
>> 4. OS crashes
>> 5. Universe ends (possible, but unlikely to be reproducible)
>>
>> > This is my connector tag in server.xml:
>> >
>> > <Connector SSLEnabled="true" URIEncoding="UTF-8" maxThreads="200" port="443"
>> >     scheme="https" secure="true"
>> >     protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >     sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>> >     disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192"
>> >     minSpareThreads="25">
>> >   <SSLHostConfig sslProtocol="TLS" certificateVerification="none" sessionTimeout="1800"
>> >       protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"
>> >       ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
>> >       sessionCacheSize="10000">
>> >     <Certificate certificateKeyAlias="tomcat-ecdsa"
>> >         certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore"
>> >         certificateKeystorePassword="8o8yeAH2qSJbJ2sn"
>> >         certificateKeystoreType="PKCS12" type="EC"/>
>> >   </SSLHostConfig>
>> > </Connector>
>> >
>> > Tomcat start-up command used:
>> >
>> > /home/tomcat/tomcat -user tomcat
>> >   -home /usr/local/thirdparty/java/j2sdk
>> >   -pidfile /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid
>> >   -procname /home/tomcat/tomcat
>> >   -outfile /usr/local/thirdparty/jakarta-tomcat/logs/catalina.out -errfile &1
>> >   -Djdk.tls.ephemeralDHKeySize=2048
>> >   -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>> >   -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
>> >   -Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/conf/logging.properties
>> >   -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
>> >   -XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80
>> >   -Xmx1824m -Xms256m
>> >   -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>> >   -cp /usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thirdparty/jakarta-tomcat/bin/tomcat-juli.jar
>> >   -Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/catalina.policy
>> >   -Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat
>> >   -Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat
>> >   -Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp
>> >   org.apache.catalina.startup.Bootstrap start
>> >
>> > JAVA_OPTS=
>> >   -Djava.library.path=$LD_LIBRARY_PATH
>> >   -Djavax.net.ssl.sessionCacheSize=10000
>> >   -Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore
>> >   -Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD
>> >   -XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat.txt
>> >   -Dsun.zip.disableMemoryMapping=true
>> >   -XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh
>> >   -XX:OnError=/home/tomcat/tomcat_diagnostics.sh $TOMCAT_JAVA_OPTS
>> >
>> > Also, can I have both RSA and ECDSA in a single keystore? Will that
>> > work in Tomcat 9?
>>
>> Yes. You have to use two <Certificate> elements, each with a different
>> "type" and "certificateKeyAlias".
>>
>> > It used to work with Tomcat 7.
>>
>> It still works with Tomcat 9.
>>
>> -chris
>>
>
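To make Christopher's answer concrete, here is an added example (not from the thread, and not Tomcat's own sample configuration) of one SSLHostConfig that serves both an RSA and an ECDSA certificate from a single PKCS12 keystore, using two <Certificate> elements that differ in type and certificateKeyAlias. The keystore path, the aliases tomcat-rsa and tomcat-ecdsa, and the ${keystore.password} property are assumptions; the ciphers are a TLS 1.2/1.3-only subset of the list in the thread.

```xml
<!-- Added example, not the poster's configuration. Paths, aliases and the
     ${keystore.password} system property are assumptions.
     Tomcat selects the certificate whose key type matches the authentication
     part of the negotiated suite: ECDHE-RSA-* suites use the RSA entry,
     ECDHE-ECDSA-* suites use the EC entry. A client that only offers
     ECDHE-ECDSA-* suites will fail the handshake if no EC entry loads. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="200" URIEncoding="UTF-8">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                 ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
                 certificateVerification="none"
                 sessionCacheSize="10000" sessionTimeout="1800">

    <!-- RSA key pair: alias "tomcat-rsa" in the shared keystore (assumed). -->
    <Certificate type="RSA"
                 certificateKeyAlias="tomcat-rsa"
                 certificateKeystoreFile="${catalina.base}/conf/tomcat-server.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${keystore.password}"/>

    <!-- EC key pair: alias "tomcat-ecdsa" in the same keystore (assumed).
         The alias must name a private-key entry whose key is EC, otherwise
         type="EC" does not match and the entry is not usable for ECDSA suites. -->
    <Certificate type="EC"
                 certificateKeyAlias="tomcat-ecdsa"
                 certificateKeystoreFile="${catalina.base}/conf/tomcat-server.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${keystore.password}"/>
  </SSLHostConfig>
</Connector>
```

Two checks go with this layout. First, confirm each alias really holds the key type its <Certificate> claims: keytool -list -v -keystore tomcat-server.p12 -storetype PKCS12 prints each PrivateKeyEntry with its signature algorithm, so an alias expected to be EC that shows sha256WithRSA explains exactly the symptom in the thread. Second, exercise each family separately from a client, as Madhan did with s_client: one openssl s_client -connect host:443 run restricted to an ECDHE-ECDSA-* suite and one restricted to an ECDHE-RSA-* suite should both complete, and the "Peer signature type" / certificate subject in the output shows which entry Tomcat served.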
