Hi! I am running Apache Tomcat (v6.0.13) on Red Hat Linux. Below is the snippet of the server.xml config:

----------------------------
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12" keystoreFile="conf/my-key-store"
           keystorePass="abcd"/>
----------------------------

The https (TLS-based) connection works fine with IE 6.0/7.x and Firefox 2.0.x. But I am having issues with Firefox 3.0.1 on Windows XP with the default settings. When I try to connect (https on 443) to Apache Tomcat (v6.0.14), I get the following error in the Firefox 3.0.1 window:

-------------------------------------------
Secure Connection Failed
An error occurred during a connection to 10.xx.xx.xx
Cannot communicate securely with peer: no common encryption algorithm(s):
(Error code: ssl_error_no_cypher_overlap)
-------------------------------------------

I have observed the following error in the catalina.out file:

--------------------------------------------------
Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
Throwable occurred: java.net.SocketException: SSL handshake error javax.net.ssl.SSLException: INTERNAL ERROR
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:657)
--------------------------------------------------

In Firefox 3.0.1, both SSL 3.0 and TLS 1.0 are enabled (and SSLv2 is disabled) in the browser security settings. The web server is correctly configured for secure HTTP over TLS. Earlier, with Firefox 2.0.x, it was working fine. I also checked with the Linux version of Firefox 3.0.1 and the TLS connection is working fine. When I analyzed the packet capture of the browser/web-server communication with Wireshark/Ethereal, I observed that Firefox 3.0 on Windows uses an "SSLv2 Record Layer (Client Hello)" for the SSL handshake negotiation. As my Tomcat web server is configured for TLS, it doesn't seem to understand the SSLv2 record layer format and eventually errors out with "javax.net.ssl.SSLException: INTERNAL ERROR".

Since SSLv2 is generally considered to be a weaker protocol than SSLv3 and TLS, I am not sure why Firefox 3.0.1 on Windows uses the SSLv2 record protocol, especially as SSLv2 is disabled by default. On Red Hat Linux, the same Firefox 3.0.1 (firefox-3.0.1-1.el5) uses a "TLSv1 Record Layer (Client Hello)" for the security negotiation. Firefox 2.0.x on Windows uses an "SSLv3 Record Layer (Client Hello)", which seems to be fine. I am able to open the https web pages in IE 6.x, IE 7.x and Firefox 2.0. The only issue is with Firefox 3.0, which uses an "SSLv2 Record Layer (Client Hello)" for the SSL handshake negotiation. Tomcat works well with the TLS protocol, but when the browser uses SSLv2 it fails.

I tried changing the "sslProtocol" attribute of the "Connector" element in conf/server.xml, and then Tomcat couldn't start. I observed the following error in catalina.out:

--------------------------------------
Aug 29, 2008 3:10:18 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
Throwable occurred: java.io.IOException: SSLContext SSL implementation not found
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at java.lang.reflect.VMReflection.invokeMethod(VMReflection.java)
        at java.lang.reflect.Method.invoke(Method.java:317)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
--------------------------------------

Does Tomcat 6.0.x support an SSL implementation? Is it possible to make Tomcat understand both the SSL and TLS protocols so that all browsers are supported? It is critical to the application that I use the certificate in PKCS12 format, created via the openssl tool. Has anyone else faced a similar kind of problem?

Thanks,
Suresh
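The two ClientHello shapes the poster saw in Wireshark differ in their very first bytes, so a capture (or the raw bytes a server logs on accept) can be classified without a full TLS parser. The following is an added example, not code from the poster or from Tomcat; the two sample hellos are constructed inline, not captured traffic.

```python
import struct

# Version numbers as they appear on the wire (major, minor).
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_client_hello(data: bytes) -> dict:
    """Return record format, highest advertised version and cipher count.

    SSLv2-compatible hello: 2-byte header with the high bit set (15-bit
    length), then msg_type, version, three lengths, 3-byte cipher specs.
    SSLv3/TLS hello: 5-byte record header (type 0x16), 4-byte handshake
    header, version, 32-byte random, session id, 2-byte cipher suites.
    """
    if len(data) < 11:
        raise ValueError("too short for any ClientHello")
    if data[0] & 0x80:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        if len(data) < 2 + rec_len:
            raise ValueError("truncated SSLv2 record")
        msg_type, version, cipher_len, _sid_len, _chal_len = struct.unpack(
            "!BHHHH", data[2:11])
        if msg_type != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        return {"format": "sslv2-compat",
                "version": VERSIONS.get(version, hex(version)),
                "cipher_count": cipher_len // 3}
    if data[0] == 0x16:
        _rec_version, rec_len = struct.unpack("!HH", data[1:5])
        if len(data) < 5 + rec_len or data[5] != 0x01:
            raise ValueError("not a complete TLS ClientHello record")
        client_version = struct.unpack("!H", data[9:11])[0]
        sid_len = data[43]                       # follows the 32-byte random
        pos = 44 + sid_len
        cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
        return {"format": "tls",
                "version": VERSIONS.get(client_version, hex(client_version)),
                "cipher_count": cs_len // 2}
    raise ValueError("first byte %#x is not an SSL/TLS ClientHello" % data[0])


# Constructed samples: a v2-compatible hello offering TLS 1.0 with two
# cipher specs, and a TLS 1.0 record-layer hello with the same two suites.
SSLV2_COMPAT_HELLO = bytes.fromhex(
    "801f" + "01" + "0301" + "0006" + "0000" + "0010"
    + "000035" + "00002f" + "00" * 16)          # 16-byte challenge, all zero
TLS_HELLO = bytes.fromhex(
    "160301002f" + "0100002b" + "0301" + "11" * 32   # random is constructed
    + "00" + "0004" + "0035002f" + "0100")
```

Run against a real capture, the "sslv2-compat" result is the case the poster describes: the browser offers TLS 1.0 inside a v2-format record, which a server that only speaks the SSLv3/TLS record layer rejects at the acceptor.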