-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Madhan,
On 6/12/20 00:57, Madhan Raj wrote: > Just attached the outputs logs and my server.xml including my > ecdsa cert. in keystoreand s_client outputs.txt file i have > attached all the required cert and keystore outputs. In-line would be better in the future. I hate having to save attachments on my own computer and then edit them just to see them. And then copy/paste to quote. > [root@sapphire-69 conf]# keytool -list -v -keystore > /usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore > -storepass iY4VjgcxNrTLp57b -storetype PKCS12 log4j:WARN No > appenders could be found for logger > (com.cisco.ciscossl.provider.ciscojce.CiscoJEnv). log4j:WARN Please > initialize the log4j system properly. log4j:WARN See > http://logging.apache.org/log4j/1.2/faq.html#noconfig for more > info. Keystore type: PKCS12 Keystore provider: JsafeJCE Could this be of interest (repeating above): > Keystore provider: JsafeJCE I didn't see certificateKeystoreProvider="JsafeJCE" in your <Certificate> configuration. Does your RSA keystore show the same keystore provider if you dump it? > [snip] [from keytool] Owner: L=blr, ST=kr, CN=sapphire-69-EC, > OU=cisco, O=infy, C=IN [snip] Signature algorithm name: > SHA384withECDSA Subject Public Key Algorithm: 384-bit EC key> > [snip] [from openssl] X509v3 Subject Alternative Name: > DNS:sapphire-69 Your CN is "sapphire-69-EC" and you have a SAN for "sapphire-69". Is that also the hostname being used to connect? > What client are you using to attempt the handshake? i am using > openssl command line utility to test Good. > What error(s) do you get with the handshake? secure negotiation > not supported That's not an error. It's one of many messages from openssl s_client: > # openssl s_client -connect localhost:443 CONNECTED(00000003) > 139656609052336:error:140790E5:SSL routines:ssl23_write:ssl > handshake failure:s23_lib.c:177: --- no peer certificate available > --- No client certificate CA names sent --- SSL handshake has read > 0 bytes and written 247 bytes --- New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported Compression: NONE Expansion: > NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher > : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK > identity: None PSK identity hint: None SRP username: None Start > Time: 1591935501 Timeout : 300 (sec) Verify return code: 0 (ok) > --- You are using "localhost". What if you use "sapphire-69"? ...although localhost:8443 seems to work with your RSA certificate. > If you configure *only* ESDSA, can you handshake? Or does ECDSA > never work? correct ECDSA never work for me. here in my case on > port 443 i hosted only ECDSA keystore and on 8443 i have hosted RSA > keystore. 8443 works like charm and 443 is down > [From your config:] <SSLHostConfig certificateVerification="none" > ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECD HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DS S-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA" > > protocols="TLSv1,TLSv1.1,TLSv1.2" sessionCacheSize="10000" > sessionTimeout="1800" sslProtocol="TLS" truststoreType="PKCS12"> Note that you can't handshake using an RSA authentication with an ECDSA certificate. While those ECDHE-RSA-* ciphers in there won't hurt, they will never work and are a little confusing. What happens if you point this tool at your localhost:443 and localhost:8443 endpoints? https://github.com/ChristopherSchultz/ssltest - -chris > On Thu, Jun 11, 2020 at 1:47 PM Christopher Schultz > <ch...@christopherschultz.net > <mailto:ch...@christopherschultz.net>> wrote: > > Madhan, > > On 6/10/20 22:08, Madhan Raj wrote: >> Any insights please . > > How did you create your certificate? > > What are the details of your certificate and key? For example, > which curve are you using? How many key bits? What type of > signature on the certificate? What is the alias for that > certificate in your keystore? Does it match what you have > configured in Tomcat? Do you have a password on your keystore? Are > you setting that correctly in your <Certificate> element? (I see no > password in your posted config.) > > What client are you using to attempt the handshake? > > What error(s) do you get with the handshake? > > If you configure *only* ESDSA, can you handshake? Or does ECDSA > never work? > > You haven't give us much to go on, other than "I can't get ESDSA > to work" when it's pretty clear others can get it to work. > > -chris > >> On Thu, 4 Jun, 2020, 11:12 pm Madhan Raj, <madhanra...@gmail.com > <mailto:madhanra...@gmail.com> >> <mailto:madhanra...@gmail.com <mailto:madhanra...@gmail.com>>> >> wrote: > >> Hi Christopher, > >> Yes you correct I can only complete a handshake with RSA cert, >> not ECDSA cert. when i try to connect with ECDSA ciphers using >> s_client negotiation fails. Madhan > >> On Thu, Jun 4, 2020 at 12:41 PM Christopher Schultz >> <ch...@christopherschultz.net >> <mailto:ch...@christopherschultz.net> >> <mailto:ch...@christopherschultz.net > <mailto:ch...@christopherschultz.net>>> wrote: > >> Madhan, > >> On 6/3/20 21:08, Madhan Raj wrote: >>> OS - CentOS 7.6.1810( Core) > >>> Below connector doesn't load my EC keystore whereas it works >>> with RSA . Any insights please . > >> When you say "doesn't load", what do you mean? Possible >> reasonable responses are: > >> 1. I can only complete a handshake with RSA cert, not ECDSA cert >> 2. Error message (please post) 3. JVM crashes 4. OS crashes 5. >> Universe ends (possible, but unlikely to be reproducible) > >>> this is my connector tag in server.xml <Connector >>> SSLEnabled="true" URIEncoding="UTF-8" maxThreads="200" >>> port="443" scheme="https" secure="true" >>> protocol="org.apache.coyote.http11.Http11NioProtocol" > >> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementa t > >> > > ion" > > >> disableUploadTimeout="true" enableLookups="false" >> maxHttpHeaderSize="819 2" >>> minSpareThreads="25"> <SSLHostConfig sslProtocol="TLS" >>> certificateVerification="none" sessionTimeout="1800" >>> protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3" > >> ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:EC D > >> > > HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE- DS >> > S-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA" > > >> sessionCacheSize="10000"> >>> <Certificate certificateKeyAlias="tomcat-ecdsa" > >> certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/c e > >> > > rts/tomcat-ECDSA.keystore" > > >> certificateKeystorePassword="8o8yeAH2qSJbJ2sn" >>> certificateKeystoreType="PKCS12" type="EC"/> </SSLHostConfig> >>> </Connector> > >>> tomcat start up command used :- /home/tomcat/tomcat -user >>> tomcat -home /usr/local/thirdparty/java/j2sdk -pidfile >>> /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid -procname >>> /home/tomcat/tomcat -outfile >>> /usr/local/thirdparty/jakarta-tomcat/logs/catalina.out >>> -errfile &1 -Djdk.tls.ephemeralDHKeySize=2048 >>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources >>> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 > >> -Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/ c > >> > > onf/logging.properties > > >> - >> -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,su s > >> pe > > > nd=n >>> -XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80 >>> -Xmx1824m -Xms256m >>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager >>> >>> > >>> - -cp > >> /usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thi r > >> > > dparty/jakarta-tomcat/bin/tomcat-juli.jar > > >> - >> -Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/cat a > >> li > > > na.policy >>> -Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat >>> -Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat >>> -Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp >>> org.apache.catalina.startup.Bootstrap start' > >>> JAVA_OPTS= -Djava.library.path=$LD_LIBRARY_PATH >>> -Djavax.net.ssl.sessionCacheSize=10000 > >> -Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust - - > >> > > certs/tomcat-trust.keystore > > >> -Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD > >> -XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat . > >> > > txt > > >> -Dsun.zip.disableMemoryMapping=true >>> -XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh >>> -XX:OnError=/home/tomcat/tomcat_diagnostics.sh >>> $TOMCAT_JAVA_OPTS > >>> Also can i have both RSA and ECDSA in a single keystore. Will >>> that work in tomcat 9? > >> Yes. You have to use two <Certificate> elements each with a >> different "type" and "certificateKeyAlias" > >>> it used to work with tomat 7 > >> It still works with Tomcat 9. > >> -chris > > > - --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > <mailto:users-unsubscr...@tomcat.apache.org> For additional > commands, e-mail: users-h...@tomcat.apache.org > <mailto:users-h...@tomcat.apache.org> > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7jxjEACgkQHPApP6U8 pFjyVRAAyyAouwNf+E0reAuz7SyR/SDvadmWUcQYZyQ3GuGdM8u68oI5zkiGE9Kr y1VCPenL7I//fcTRLhrYeZ/HWnFyQoUk0hTkKoRSVYAouIikJEwasAEVj+l5c3nc SLu65E+OZPvvB4LQBK6U94S0ujhHUhdbGSksHlzKtTomNCgn3fh6JQ0qLyvyaXcE fkXGvV3fmwCfBy9lw0+96yQBB2wmE+HKiO4XvwbA/u8YCX2DAAhgGII1G4joVAp5 Bqw4gijKSZJqXXk/MQegDAEAovOSsF84LpL3aZB3y4jICExFQT7ekmkFOmD5yjkb NFpehkIWssg7cqE1Y4468PNwaQpkkrm+QHz7g+ElMQgwNVvUn/eqL2VhNPBqEJhF +T5DR0PA6BTBr0uVnTJjohl9SUrpQKQ4Umui7fMDru1FfJ9zgf0VAkBvM6YEBGtV WvHhFE+etoBtf2qwPSLSdKrm7f8MUTNr687oH2kzD0CsE2tsebgLEdcnXdv4iyLp sUxUF35/VSvV4PCvqzgFebwOZD3+bkDdIUxfvH7Sl2erZ9+oTimEBn5ukSsEJqyC +Ld1PtYkdi2ZtemS4SOFXrdChSE3TRxTH2Clccax+X2gqpGn4Y+joARPuQD+wyK2 Jm7/W007D2arJL7XM4HgtjZPgsyKoH8UnWMXWbfsAElZ+l0S2ag= =3rtX -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org