Hi!

I am running Apache Tomcat (v6.0.13) on Redhat Linux. Below is the
snippet of the server.xml config:
----------------------------
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
              keystoreFile="conf/my-key-store" keystorePass="abcd"/>
----------------------------

The https connection (TLS based) works fine with IE 6.0/7.x and Firefox
2.0.x. But I am having issues with Firefox 3.0.1 on Windows XP with
the default settings. When I try to connect (https on 443) to Apache
Tomcat (v6.0.14), I get the following error in the Firefox 3.0.1 window:
-------------------------------------------
Secure Connection Failed
An error occurred during a connection to 10.xx.xx.xx
Cannot communicate securely with peer: no common encryption algorithm(s):
(Error code: ssl_error_no_cypher_overlap)
-------------------------------------------

I have observed the following error in the Catalina.out file:
--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: INTERNAL ERROR
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
       at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
       at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

In Firefox 3.0.1, both SSL 3.0 and TLS 1.0 are enabled (and SSLv2 is
disabled) in the browser security settings. The web server is correctly
configured for secured http on TLS. Earlier, with Firefox 2.0.x, it was
working fine. I also checked with the Linux version of Firefox 3.0.1 and
the TLS connection is working fine.

When I tried to analyse the packet capture of the browser/web-server
communication via the "WireShark/Ethereal" tools, I observed that
Firefox 3.0 on Windows uses "SSLv2 Record Layer (Client Hello)" for SSL
handshake negotiations. As my Tomcat web server is configured for TLS, it
doesn't seem to understand the SSLv2 record layer format, and eventually
errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".

Since SSLv2 is generally considered to be a weaker protocol than SSLv3
and TLS, I am not sure why Firefox 3.0.1 on Windows uses the SSLv2 Record
protocol; also, SSLv2 is disabled by default. On Redhat Linux, the same
FF 3.0.1 (firefox-3.0.1-1.el5) uses "TLSv1 Record Layer (Client Hello)" for
security negotiations. Firefox v2.0.x on Windows uses "SSLv3 Record
Layer (Client Hello)", which seems to be fine. I am able to launch the https
web pages on IE 6.x and IE 7.x and also Firefox 2.0. The only issue is on
Firefox 3.0, which uses "SSLv2 Record Layer (Client Hello)" for SSL
handshake negotiations. Tomcat works well with the TLS protocol, but when
the browser uses SSLv2 then it fails.

I tried changing the "sslProtocol" attribute in the "Connector" element
in the conf/server.xml file, and then Tomcat couldn't start. I observed the
following error in catalina.out:
--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation
not found
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
       at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
       at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
       at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
       at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
       at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
       at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
       at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
       at java.lang.reflect.Method.invoke(Method.java:317)
       at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Does Tomcat 6.0.x support an SSL implementation? Is it possible to make
Tomcat understand both the SSL and TLS protocols so that all
browsers are supported? It seems to be critical to make the application
I use the certificate in the format of PKCS12, created via the openssl tool.

Did anyone else face a similar kind of problem in this regard?

Thanks,
Suresh
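The post's Wireshark observation turns on the difference between an SSLv2-framed Client Hello (a 2-byte header with the high bit set, carrying 3-byte cipher specs) and an SSLv3/TLS record-layer Client Hello (type 0x16, 2-byte version, 2-byte length). The following Python script is an added example, not part of Suresh's message and not code from Tomcat or Firefox: it parses both framings from raw bytes and reports the framing, the highest version the client actually offers, and the cipher list, so a capture like the one described can be triaged without reading hex. The two sample hellos are constructed for this example (zeroed random, a handful of suites); the function names are assumptions of the example.

```python
# Added example (not from the post, Tomcat or Firefox): classify a ClientHello
# by its record framing, as seen in the Wireshark capture the post describes.

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def _version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")


def classify_client_hello(data: bytes) -> dict:
    """Return record framing, advertised version and ciphers of a ClientHello."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")

    if data[0] & 0x80:
        # SSLv2 record, no padding: length is the low 15 bits of the 2-byte header.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:           # 0x01 = CLIENT-HELLO
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        major, minor = body[1], body[2]                # highest version offered
        cs_len = int.from_bytes(body[3:5], "big")
        sid_len = int.from_bytes(body[5:7], "big")
        chal_len = int.from_bytes(body[7:9], "big")
        if len(body) != 9 + cs_len + sid_len + chal_len or cs_len % 3:
            raise ValueError("SSLv2 CLIENT-HELLO length fields are inconsistent")
        specs = body[9:9 + cs_len]
        # SSLv2 cipher specs are 3 bytes; SSLv3/TLS suites ride inside them with
        # a leading 0x00, so a non-zero first byte marks an SSLv2-only cipher.
        ciphers = [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]
        return {"record": "SSLv2",
                "version": _version_name(major, minor),
                "ciphers": ciphers,
                "sslv2_only_ciphers": [c for c in ciphers if not c.startswith("00")]}

    if data[0] == 0x16:                                # handshake record
        rec_len = int.from_bytes(data[3:5], "big")
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:               # 0x01 = client_hello
            raise ValueError("record does not carry a client_hello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < 35:
            raise ValueError("truncated client_hello")
        major, minor = body[0], body[1]                # client_version
        pos = 35 + body[34]                            # skip 32-byte random + session id
        cs_len = int.from_bytes(body[pos:pos + 2], "big")
        suites = body[pos + 2:pos + 2 + cs_len]
        if len(suites) != cs_len or cs_len % 2:
            raise ValueError("cipher_suites field is inconsistent")
        return {"record": "SSLv3/TLS",
                "version": _version_name(major, minor),
                "ciphers": [suites[i:i + 2].hex() for i in range(0, cs_len, 2)],
                "sslv2_only_ciphers": []}

    raise ValueError(f"unrecognised first byte 0x{data[0]:02x}")


def diagnose(data: bytes) -> str:
    """One-line verdict in the terms the post uses."""
    info = classify_client_hello(data)
    if info["record"] == "SSLv2":
        return (f"SSLv2-framed ClientHello offering up to {info['version']}: a server "
                f"stack that rejects SSLv2 framing fails the handshake even though "
                f"the client can speak {info['version']}")
    return f"{info['record']} record layer, client_version {info['version']}: plain handshake"


# Constructed sample: SSLv2-compatible hello advertising TLS 1.0 (the framing
# the post saw from Firefox 3.0.1 on Windows).
SSLV2_HELLO = bytes([
    0x80, 0x22,             # 2-byte header: high bit set, body length 34
    0x01,                   # CLIENT-HELLO
    0x03, 0x01,             # highest version the client supports: TLS 1.0
    0x00, 0x09,             # cipher-spec length (3 specs x 3 bytes)
    0x00, 0x00,             # session-id length
    0x00, 0x10,             # challenge length (16)
    0x00, 0x00, 0x04,       # TLS_RSA_WITH_RC4_128_MD5 in SSLv2 encoding
    0x00, 0x00, 0x0A,       # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x01, 0x00, 0x80,       # SSL2_RC4_128_WITH_MD5 (SSLv2-only cipher)
]) + bytes(range(16))       # 16-byte challenge (constructed)

# Constructed sample: the same offer in SSLv3/TLS record-layer framing
# (what Firefox 2.0.x and the Linux build sent).
TLS_HELLO = bytes([
    0x16, 0x03, 0x01,       # handshake record, record-layer version TLS 1.0
    0x00, 0x2F,             # record length (47)
    0x01, 0x00, 0x00, 0x2B, # client_hello, handshake length (43)
    0x03, 0x01,             # client_version: TLS 1.0
]) + bytes(32) + bytes([    # 32-byte client random (zeros; constructed)
    0x00,                   # session-id length
    0x00, 0x04,             # cipher_suites length (2 suites)
    0x00, 0x04, 0x00, 0x0A, # TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x01, 0x00,             # one compression method: null
])

if __name__ == "__main__":
    for sample in (SSLV2_HELLO, TLS_HELLO):
        print(diagnose(sample))
```

Run it as-is to see both verdicts; to use it on a real capture, feed it the bytes of the first client-to-server TCP segment after the handshake (Wireshark's "Follow TCP Stream" raw export works). The point the script makes explicit is that an SSLv2-framed hello is not an SSLv2 connection: the version field inside it still says TLS 1.0, and it is only the framing that a server stack may refuse.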



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org