Hi Chris,

Thanks for responding to my question!

I don't have an EV cert; it's just a standard cert signed by Equifax. I have similar certs working on other servers. Again, it's the upgrade from one Java to another that seems to cause the problem - running Java 1.5, I don't have this issue.

But, this may be a case of me getting away with something under 1.5 that I wouldn't be able to get away with under 1.6.

The two keys in the keystore currently look like:

    $ keytool -list -keystore /path/to/keystore
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    root, Sep 29, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): [...]
    tomcat, Sep 29, 2009, PrivateKeyEntry,
    Certificate fingerprint (MD5): [...]

... is this wrong?

Thanks again for writing back, I really appreciate it.

Christopher Schultz <ch...@christopherschultz.net> wrote:
Firefox, but not Safari or IE, will report on https connections:

    Secure Connection Error
    An error occurred during a connection to mysite.com:8443.
    Peer reports it experienced an internal error.
    (Error code: ssl_error_internal_error_alert)

What kind of certificate is it? Self-Signed? Signed by a real CA? One of
those new-fangled EV certs?

If it's an EV cert, then you need not one but /two/ intermediate certs
to be installed in your keystore and provided to the client during the
SSL handshake.

My original message was:
Hey everyone -

I'm stuck on Tomcat 5.5.26 to support a specific application. This is a Solaris 9 server with no Apache - Tomcat is handling its own webserving. We're hoping to upgrade the JDK. I can use JDK-1.5.0_21 successfully. When I start Tomcat with JDK-1.6.0_16, I get one specific issue...

Firefox, but not Safari or IE, will report on https connections:

    Secure Connection Error
    An error occurred during a connection to mysite.com:8443.
    Peer reports it experienced an internal error.
    (Error code: ssl_error_internal_error_alert)

Weirdly, there is no error in any error log when this happens.

I think this might be a configuration error on my part. Here's our SSL conf 
stanza:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/my/keystore"
               keystorePass="somePass" />

... I notice that in other people's configs, they have a specific reference to a TrustStore. I have the CA certs imported into the keystore, though, and I'm using this config on other servers, with other versions of Tomcat, other versions of the JDK, etc. (However, those are all Linux servers.) I'm especially suspicious about this possibility because lately there have been other Firefox https bugs (like the Flash uploader bug) that ultimately have to do with verifying the certificate authority. Adding in a truststore doesn't seem to help, but maybe i r doin it wrong.

Thanks for any references or wild speculation you can provide.

- Nada

(p.s. if you're curious about the Flash uploader bug, see e.g.:
http://bugs.adobe.com/jira/browse/FP-201
http://bugs.adobe.com/jira/browse/FP-226
https://bugs.adobe.com/jira/browse/SDK-13196
http://swfupload.org/forum/generaldiscussion/347 )
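
Added example, not part of the thread or of Tomcat: a shell helper that reads `keytool -list -v` output and reports, per alias, the entry type and the length of the certificate chain stored with the key, which is the chain the server presents in the handshake that the quoted reply refers to. The function names, the `leaf-only` label and the sample listing (with made-up certificate names) are constructed for illustration; `leaf-only` only means the issuer's certificate is not attached to the key entry, which matters when clients need intermediates sent to them.

```shell
#!/bin/sh
# Added example. Real use (assumed invocation):
#   keytool -list -v -keystore /path/to/keystore | chain_report
# Output columns: alias, entry type, chain length ("-" if none), note.
# Aliases containing spaces are cut at the first space.
chain_report() {
  awk '
    function emit() {
      if (alias == "") return
      note = "ok"
      # CA-signed key entry stored without any issuer certificate
      if (type == "PrivateKeyEntry" && len == 1 && owner != issuer)
        note = "leaf-only"
      printf "%s %s %s %s\n", alias, type, len, note
    }
    /^Alias name: / {
      emit()
      alias = $3; type = ""; len = "-"; owner = ""; issuer = ""; seen = 0
    }
    /^Entry type: /               { type = $3 }
    /^Certificate chain length: / { len = $4 }
    # Only the first Owner/Issuer pair (the leaf) is compared.
    /^Owner: /  && !seen { owner = substr($0, 8) }
    /^Issuer: / && !seen { issuer = substr($0, 9); seen = 1 }
    END { emit() }
  '
}

# Constructed sample in the shape of `keytool -list -v` output.
sample_listing() {
  cat <<'EOF'
Your keystore contains 2 entries

Alias name: root
Creation date: Sep 29, 2009
Entry type: trustedCertEntry

Owner: OU=Example Root CA, O=Example, C=US
Issuer: OU=Example Root CA, O=Example, C=US

Alias name: tomcat
Creation date: Sep 29, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mysite.example, O=Example Site, C=US
Issuer: OU=Example Root CA, O=Example, C=US
EOF
}

sample_listing | chain_report
```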


