> That looks right. I believe I have found one issue with my code. It
> will
> get a InitialDirContext with your admin user and password, before it
> is
> negotiating TLS. I have attached another ContextFactory, which will
> remove admin user, password and authentication method prior to TLS
> negotiation. After (hopefully) establishing TLS it adds those
> parameters
> back in. As with the last factory, you should select a package name
> of
> your liking.
Done, now the startup looks all fine in the log -- but tshark speaks a
different language:
r...@iris ~ # tshark host 188.40.115.116
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [SYN] Seq=0
Win=5840 Len=0 MSS=1460 TSV=1189177744 TSER=0 WS=7
0.000000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [SYN, ACK] Seq=0
Ack=1 Win=5792 Len=0 MSS=1460 TSV=97730450 TSER=1189177744 WS=7
0.000000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=1 Ack=1
Win=5888 Len=0 TSV=1189177744 TSER=97730450
0.004000 188.40.115.116 -> 188.40.115.121 LDAP extendedReq(1)
LDAP_START_TLS_OID
0.004000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1 Ack=61
Win=5888 Len=0 TSV=97730451 TSER=1189177745
0.008000 188.40.115.121 -> 188.40.115.116 LDAP extendedResp(1)
[LDAP_START_TLS_OID responseName missing]
0.008000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=61
Ack=15 Win=5888 Len=0 TSV=1189177746 TSER=97730452
0.384000 188.40.115.116 -> 188.40.115.121 SSLv2 Client Hello
0.384000 188.40.115.121 -> 188.40.115.116 TLSv1 Server Hello, [Unreassembled
Packet [incorrect TCP checksum]]
0.384000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK]
Seq=1463 Ack=161 Win=5888 [TCP CHECKSUM INCORRECT] Len=408 TSV=97730546
TSER=1189177839
0.384000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=161
Ack=1463 Win=8832 Len=0 TSV=1189177839 TSER=97730546
0.384000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=161
Ack=1871 Win=11648 Len=0 TSV=1189177839 TSER=97730546
0.408000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=161
Ack=1871 Win=11648 Len=523 TSV=1189177846 TSER=97730546
0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1871
Ack=684 Win=6912 Len=0 TSV=97730562 TSER=1189177846
0.448000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=684
Ack=1871 Win=11648 Len=43 TSV=1189177856 TSER=97730562
0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [ACK] Seq=1871
Ack=727 Win=6912 Len=0 TSV=97730562 TSER=1189177856
0.448000 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK]
Seq=1871 Ack=727 Win=6912 [TCP CHECKSUM INCORRECT] Len=43 TSV=97730562
TSER=1189177856
0.488000 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=727
Ack=1914 Win=11648 Len=0 TSV=1189177866 TSER=97730562
This means: We are (disturbingly) sending an SSLv2 Hello, we get an TLSv1
reply, and now
we're happy... Or so I blindly guess from the fact that no error or warning are
logged..
I'm still trying to make sense of the ACK, ACK, PSH/ACK -- ACK -- ACK, PS/ACK.
Anyway, then I try to login, and that's when this happens in the log:
SEVERE: An exception or error occurred in the container during the request
processing
java.lang.reflect.UndeclaredThrowableException
at $Proxy0.getAttributes(Unknown Source)
at
javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
at
org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1217)
at
org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1186)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1058)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:947)
at
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
tc.startTLS.LdapTlsContextFactory$ProxyLdapContext.invoke(LdapTlsContextFactory.java:73)
... 17 more
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such
Object]; remaining name 'uid=i.galic'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1309)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
at
javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
... 22 more
The corresponding tshark trace looks like this:
63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=727
Ack=1914 Win=11648 Len=74 TSV=1189193646 TSER=97730562
63.591308 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK]
Seq=1914 Ack=801 Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352
TSER=1189193646
63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=801
Ack=1949 Win=11648 Len=0 TSV=1189193646 TSER=97746352
63.591308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [PSH, ACK] Seq=801
Ack=1949 Win=11648 Len=105 TSV=1189193646 TSER=97746352
63.591308 188.40.115.121 -> 188.40.115.116 TCP ldap > 42460 [PSH, ACK]
Seq=1949 Ack=906 Win=6912 [TCP CHECKSUM INCORRECT] Len=35 TSV=97746352
TSER=1189193646
63.635308 188.40.115.116 -> 188.40.115.121 TCP 42460 > ldap [ACK] Seq=906
Ack=1984 Win=11648 Len=0 TSV=1189193657 TSER=97746352
> > I haven't managed to get the TlsTest.java to compile.
> Why?
Because I fail at Java.
Anyway, sorry for the late reply but hell was breaking out at work. YAY
Operations \o/
I hope you didn't have your hopes up too high for this to work (as I did ;)
> Bye
> Felix
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
