Sal,

Thanks again.

When I connect using port 8443 or 443, or using the FQDN or the IP address, I get the same response from the s_client request. The reason I am using port 8443 is so I don't have to have root running the tomcat instance. My understanding was that you had to be root to allocate ports under 1024. Just to have that extra little bit of security we have a user 'tomcat' that runs the tomcat instances. I didn't want to have to specify the port number in URLs, and we had some problems with people who weren't able to connect out through their company's firewall on port 8443, so we wanted to make it appear that they were connecting on port 443, but really be using 8443. So, when I connect in a browser, I use https://webui.ashland.edu

Don

--
Don Prezioso
Director of Administrative I.T.
Ashland University
Ashland, Ohio

-----Original Message-----
From: Crypto Sal [mailto:crypto....@gmail.com]
Sent: Tuesday, August 25, 2009 11:28 PM
To: Tomcat Users List
Subject: Re: SSL with multiple Tomcat instances

Don,

No problem. You're seeing valid output and yes a Root certificate is self-signed. As per the TLS protocol, it's optional and doesn't need to be there for things to function. What's strange is it's the same output as the "webadvisor" instance, outside of the FQDN entries of course.

When you connect in browsers are you using.... https://webui.ashland.edu or are you using https://webui.ashland.edu:8443? (I realize you state that you have iptables running to redirect traffic, but you shouldn't really need to do that, unless you have some dire need for Tomcat to be on anything but 443)

I'm curious to see what 443's output is. Could you also use s_client to connect to both the FQDN and the IP (using port 443 and 8443), so that we can rule out a DNS issue?

--Sal

On 08/25/2009 10:49 AM, Don Prezioso wrote:
> Sal,
>
> Thanks so much for the reply. I think the server.xml reference is correct.
> Here is the connector segment from that instance:
>
> <Connector port="8443" address="172.18.19.16"
> maxThreads="600" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="conf/webui.keystore"/>
>
> We are using 8443 instead of 443 and have iptables set up to reroute any
> outside traffic that comes in on 443 to 8443. The other instance uses
> 172.18.19.15 and the default keystore (~/.keystore).
>
> As far as I can tell, that is all working OK.
>
> Here is what I get from the command "openssl s_client -connect
> webui.ashland.edu:8443":
>
> CONNECTED(00000003)
> depth=2 /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
> CA/OU=Certificaciones/CN=IPS SERVIDORES/emailaddress=...@mail.ips.es
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=Ohio/L=Ashland/O=Ashland University/OU=Administrative
> IT/CN=webui.ashland.edu
> i:/C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority
> s.l./o=gene...@ipsca.com C.I.F. B-B62210695/OU=ipsCA CLASEA1 Certification
> Authority/CN=ipsCA CLASEA1 Certification
> Authority/emailaddress=gene...@ipsca.com
> 1 s:/C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority
> s.l./o=gene...@ipsca.com C.I.F.
> B-B62210695/OU=ipsCA CLASEA1 Certification
> Authority/CN=ipsCA CLASEA1 Certification
> Authority/emailaddress=gene...@ipsca.com
> i:/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
> CA/OU=Certificaciones/CN=IPS SERVIDORES/emailaddress=...@mail.ips.es
> 2 s:/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
> CA/OU=Certificaciones/CN=IPS SERVIDORES/emailaddress=...@mail.ips.es
> i:/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
> CA/OU=Certificaciones/CN=IPS SERVIDORES/emailaddress=...@mail.ips.es
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGMzCCBZygAwIBAgIDExqhMA0GCSqGSIb3DQEBBQUAMIIBEjELMAkGA1UEBhMC
> RVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMSkwJwYD
> VQQKEyBJUFMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgcy5sLjEuMCwGA1UEChQl
> Z2VuZXJhbEBpcHNjYS5jb20gQy5JLkYuICBCLUI2MjIxMDY5NTEuMCwGA1UECxMl
> aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMl
> aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GCSqGSIb3
> DQEJARYRZ2VuZXJhbEBpcHNjYS5jb20wHhcNMDkwODIwMDczNDQ0WhcNMTEwODIw
> MDczNDQ0WjCBgzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBE9oaW8xEDAOBgNVBAcT
> B0FzaGxhbmQxGzAZBgNVBAoTEkFzaGxhbmQgVW5pdmVyc2l0eTEaMBgGA1UECxMR
> QWRtaW5pc3RyYXRpdmUgSVQxGjAYBgNVBAMTEXdlYnVpLmFzaGxhbmQuZWR1MIGf
> MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDBbiTihyoSVlDyVkIoMu97eZxKJrv
> e0SvdhRO5JIG9O5ov82Pa4NtE2xYPvjMOk20ffEs76m/pAUz3CLao4UxjjpfhxNp
> 1Y2gQc+0u22R6pPmaPHk2hUEBTCGdHaCVHJ0LwFb+mN4lnZg1dntM7KouKMBGAiV
> AL9HzMAtoRjiQQIDAQABo4IDITCCAx0wCQYDVR0TBAIwADARBglghkgBhvhCAQEE
> BAMCBkAwCwYDVR0PBAQDAgP4MBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQW
> BBQwuRGoE8SxdjtLQPKJoHffiYQeizAfBgNVHSMEGDAWgBQOB2DUOckbW12QeyPI
> 0jSdSppGOTAJBgNVHREEAjAAMBwGA1UdEgQVMBOBEWdlbmVyYWxAaXBzY2EuY29t
> MHIGCWCGSAGG+EIBDQRlFmNPcmdhbml6YXRpb24gSW5mb3JtYXRpb24gTk9UIFZB
> TElEQVRFRC4gQ0xBU0VBMSBTZXJ2ZXIgQ2VydGlmaWNhdGUgaXNzdWVkIGJ5IGh0
> dHBzOi8vd3d3Lmlwc2NhLmNvbS8wLwYJYIZIAYb4QgECBCIWIGh0dHBzOi8vd3d3
> Lmlwc2NhLmNvbS9pcHNjYTIwMDIvMEMGCWCGSAGG+EIBBAQ2FjRodHRwczovL3d3
> dy5pcHNjYS5jb20vaXBzY2EyMDAyL2lwc2NhMjAwMkNMQVNFQTEuY3JsMEYGCWCG
> SAGG+EIBAwQ5FjdodHRwczovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAyL3Jldm9j
> YXRpb25DTEFTRUExLmh0bWw/MEMGCWCGSAGG+EIBBwQ2FjRodHRwczovL3d3dy5p
> cHNjYS5jb20vaXBzY2EyMDAyL3JlbmV3YWxDTEFTRUExLmh0bWw/MEEGCWCGSAGG
> +EIBCAQ0FjJodHRwczovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAyL3BvbGljeUNM
> QVNFQTEuaHRtbDCBgwYDVR0fBHwwejA5oDegNYYzaHR0cDovL3d3dy5pcHNjYS5j
> b20vaXBzY2EyMDAyL2lwc2NhMjAwMkNMQVNFQTEuY3JsMD2gO6A5hjdodHRwOi8v
> d3d3YmFjay5pcHNjYS5jb20vaXBzY2EyMDAyL2lwc2NhMjAwMkNMQVNFQTEuY3Js
> MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuaXBzY2Eu
> Y29tLzANBgkqhkiG9w0BAQUFAAOBgQBWxO6m/tvgkW9Ig55akiS9qeUA9pAmPv3O
> nvNnVOuEkaEFJTBKHRbV1QfijXg2Dnj8oQymSaDO7uZAJ6+anvuZCyySBDNzKDDq
> FCeMTYPGwaatm7pzCpEB624pFSTh7lTRaXVkWm8H6MAqrnUOCKduwxxwkd99Hc6M
> rsRvZa8n7Q==
> -----END CERTIFICATE-----
> subject=/C=US/ST=Ohio/L=Ashland/O=Ashland University/OU=Administrative
> IT/CN=webui.ashland.edu
> issuer=/C=ES/ST=Barcelona/L=Barcelona/O=IPS Certification Authority
> s.l./o=gene...@ipsca.com C.I.F.
> B-B62210695/OU=ipsCA CLASEA1 Certification
> Authority/CN=ipsCA CLASEA1 Certification
> Authority/emailaddress=gene...@ipsca.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4351 bytes and written 332 bytes
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : EDH-RSA-DES-CBC3-SHA
> Session-ID:
> 4A93F78D22EC7D121452193F531141E5E54860B0FCCC566D5A462F5D5ADC7CAD
> Session-ID-ctx:
> Master-Key:
> AE497F11ACFA4088628F39AFCD30CD04A3F4EA0FAE7C4423338C3AEE22C40F791C6DC110A73F0082FC7870140BDA4560
> Key-Arg : None
> Krb5 Principal: None
> Start Time: 1251211149
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> The certificate chain appears to be correct, but I'm not sure about the few
> lines before it:
> depth=2 /C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad
> CA/OU=Certificaciones/CN=IPS SERVIDORES/emailaddress=...@mail.ips.es
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
>
> Isn't the root certificate supposed to be self-signed? I get the same message
> when I run the command against webadvisor.ashland.edu (the other instance)
> which doesn't appear to have the same problem.
>
> Don
>
> --
> Don Prezioso
> Director of Administrative I.T.
> Ashland University
> Ashland, Ohio
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
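Sal's suggestion above (run s_client against the FQDN and the IP on both 443 and 8443 and compare) and Don's question about the `verify error:num=19` line are both answered by the same check: do all four endpoints present one and the same leaf certificate, and is the verify error about the server or only about the client's trust store? The script below is an added example and is not code from the thread, from Tomcat, or from OpenSSL. It assumes you have saved each `openssl s_client -connect HOST:PORT` transcript to a file and pass the texts in as a `{"host:port": text}` dictionary; the transcripts built by `sample_transcript()` are constructed, shortened stand-ins for the one Don posted, with the string `CONSTRUCTED-LEAF-A` in place of the base64 certificate body. The host names and the address 172.18.19.16 are taken from the thread; the verify-code meanings are the standard OpenSSL `X509_V_ERR_*` values.

```python
"""Compare openssl s_client transcripts from several endpoints of one service.

Added example (not from the Tomcat users list thread). Feed it real
transcripts captured with `openssl s_client -connect HOST:PORT` to confirm
that every host/port combination (FQDN, IP, 443, 8443) serves the same leaf
certificate, so a DNS or iptables-redirect mix-up can be ruled out.
"""
import re
from typing import Dict, List

# OpenSSL verify return codes seen most often when checking a server chain:
# code -> (text s_client prints, what a defender should do about it).
VERIFY_CODES = {
    0: ("ok", "chain verified against the trust store s_client was given"),
    10: ("certificate has expired", "renew the server certificate"),
    18: ("self signed certificate", "leaf is its own issuer; no CA involved"),
    19: ("self signed certificate in certificate chain",
         "chain is complete but its root is not in the trust store s_client "
         "used; rerun with -CAfile <root.pem> to confirm it then verifies"),
    20: ("unable to get local issuer certificate",
         "an intermediate is missing from both the chain and the store"),
    21: ("unable to verify the first certificate",
         "server sent only the leaf; configure the intermediate chain"),
}

VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")
SUBJECT_RE = re.compile(r"^subject=(.*)$", re.MULTILINE)
ISSUER_RE = re.compile(r"^issuer=(.*)$", re.MULTILINE)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)
CHAIN_RE = re.compile(r"^\s*\d+ s:", re.MULTILINE)       # one per chain entry
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_sclient(text: str) -> dict:
    """Pull out the fields that decide 'same certificate everywhere?'."""
    verify = VERIFY_RE.search(text)
    subject = SUBJECT_RE.search(text)
    issuer = ISSUER_RE.search(text)
    cipher = CIPHER_RE.search(text)
    cn = re.search(r"/CN=([^/\n]+)", subject.group(1)) if subject else None
    pem = PEM_RE.search(text)
    return {
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else None,
        "subject": subject.group(1).strip() if subject else None,
        "cn": cn.group(1).strip() if cn else None,
        "issuer": issuer.group(1).strip() if issuer else None,
        "cipher": cipher.group(1) if cipher else None,
        "chain_depth": len(CHAIN_RE.findall(text)),
        # Whitespace-stripped base64 body: equal bodies mean the same leaf.
        "leaf_pem": re.sub(r"\s+", "", pem.group(1)) if pem else None,
    }


def compare_endpoints(transcripts: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every endpoint served the same
    leaf, its CN matched the name dialled, and verification returned 0."""
    parsed = {ep: parse_sclient(t) for ep, t in transcripts.items()}
    findings: List[str] = []
    groups: Dict[str, List[str]] = {}
    for ep, p in parsed.items():
        groups.setdefault(p["leaf_pem"] or "", []).append(ep)
    if len(groups) > 1:
        desc = "; ".join(f"CN={parsed[eps[0]]['cn']} on {', '.join(eps)}"
                         for eps in groups.values())
        findings.append("endpoints present different leaf certificates: " + desc)
    for ep, p in sorted(parsed.items()):
        host = ep.rsplit(":", 1)[0]
        # Browsers match SANs first; a transcript from `s_client` alone only
        # shows the subject, so this checks the CN and skips bare IP addresses.
        if p["cn"] and not IPV4_RE.match(host) and p["cn"].lower() != host.lower():
            findings.append(f"{ep}: certificate CN {p['cn']} does not match the host name dialled")
        if p["verify_code"] != 0:
            hint = VERIFY_CODES.get(p["verify_code"], ("", p["verify_text"] or "unknown"))[1]
            findings.append(f"{ep}: verify return code {p['verify_code']}: {hint}")
    return findings


def sample_transcript(cn: str, leaf_body: str, verify_code: int = 19) -> str:
    """Constructed s_client transcript shaped like the thread's output (not real)."""
    text = VERIFY_CODES[verify_code][0]
    return f"""CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Ohio/O=Ashland University/CN={cn}
   i:/C=ES/O=IPS Certification Authority s.l./CN=ipsCA CLASEA1 Certification Authority
 1 s:/C=ES/O=IPS Certification Authority s.l./CN=ipsCA CLASEA1 Certification Authority
   i:/C=ES/O=IPS Seguridad CA/CN=IPS SERVIDORES
 2 s:/C=ES/O=IPS Seguridad CA/CN=IPS SERVIDORES
   i:/C=ES/O=IPS Seguridad CA/CN=IPS SERVIDORES
---
Server certificate
-----BEGIN CERTIFICATE-----
{leaf_body}
-----END CERTIFICATE-----
subject=/C=US/ST=Ohio/O=Ashland University/CN={cn}
issuer=/C=ES/O=IPS Certification Authority s.l./CN=ipsCA CLASEA1 Certification Authority
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: {verify_code} ({text})
---
"""


ENDPOINTS = ["webui.ashland.edu:443", "webui.ashland.edu:8443",
             "172.18.19.16:443", "172.18.19.16:8443"]


def consistent_endpoints() -> List[str]:
    """Don's situation: same leaf on all four, only the trust-store code 19 remains."""
    return compare_endpoints({ep: sample_transcript("webui.ashland.edu", "CONSTRUCTED-LEAF-A")
                              for ep in ENDPOINTS})


def split_brain_endpoints() -> List[str]:
    """One endpoint answers with the other instance's certificate (constructed case)."""
    tx = {ep: sample_transcript("webui.ashland.edu", "CONSTRUCTED-LEAF-A", 0) for ep in ENDPOINTS}
    tx["172.18.19.16:443"] = sample_transcript("webadvisor.ashland.edu", "CONSTRUCTED-LEAF-B", 0)
    return compare_endpoints(tx)


def with_trust_anchor() -> List[str]:
    """Transcripts captured with -CAfile <root.pem>: verify code 0, nothing left to report."""
    return compare_endpoints({ep: sample_transcript("webui.ashland.edu", "CONSTRUCTED-LEAF-A", 0)
                              for ep in ENDPOINTS})


if __name__ == "__main__":
    for name, fn in [("consistent", consistent_endpoints),
                     ("split-brain", split_brain_endpoints),
                     ("with -CAfile", with_trust_anchor)]:
        print(name, fn() or ["no findings"])
```

Capture real input with something like `openssl s_client -connect webui.ashland.edu:443 -CAfile root.pem < /dev/null > fqdn-443.txt` for each of the four host/port pairs and read the files into the dictionary. Two points the parsed output makes visible: code 19 in Don's transcript is a statement about the trust store OpenSSL was given (the root is in the chain but not trusted locally), not a defect in the server's chain, and it disappears once the root is supplied with `-CAfile`; and the transcript's `Server public key is 1024 bit` together with `EDH-RSA-DES-CBC3-SHA` (3DES) are both below today's minimums, so a keystore regenerated with a 2048-bit or larger key and a connector limited to AES suites would be the next change after the chain question is settled.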