Hi,

On 4 February 2011 22:36, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Parag,
>
> On 2/4/2011 5:04 AM, Parag Thakur wrote:
>
>> When I try to access a secure URL (e.g. /secure/foo.do) from a java
>> program using apache httpclient library (where the client is configured
>> to use "C:\keys\webserver.keystore" as the truststore and
>> "C:\keys\client.keystore" as the keystore), I get the following response
>> from the tomcat server:
>>
>> "This request requires HTTP authentication (No client certificate chain
>> in this request)."
>>
>> Tomcat's log shows the following stack trace:
>>
>> 2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception
>> getting SSL attributes
>> java.lang.NullPointerException
>>       at
>> org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)
>
> [snip]
>
>> Oddly, the same program works if I use
>> org.apache.coyote.http11.Http11Protocol instead of
>> org.apache.coyote.http11.Http11NioProtocol.
>
> That looks like a problem. Can you build a minimal test case (nearly
> empty webapp with CLIENT-CERT authentication) and include a server.xml
> file as well as keystore and truststore that can demonstrably work in
> the BIO connector and fail in the NIO one? If so, please log this in
> Bugzilla and attach all of the above.
>
>> Secondly, for Http11Protocol, I use to be able to specify a list of
>> "ciphers" in the Connector configuration to prevent weak ciphers being
>> used. E.g.
>>
>> ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5"
>>
>> However, the same does not seem to work with the Http11NioProtocol, and
>> I get the following in tomcat's logs:
>>
>> 2011-02-04 15:09:12 SEVERE:  #{11} [NioEndpoint.setSocketOptions]
>> java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
>
> See http://markmail.org/message/zn4namfhypyxum23 for code that will show
> you what ciphers are available for your environment. Perhaps you really
> are using an unsupported cipher.

Stupid question, but did the OP copy the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files for whatever JVM they are using?

>
> - -chris
-- 
Best Regards,

Brett Delle Grazie

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
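The two checks raised in this thread (Chris's "which suites does this JVM actually support?" and Brett's "are the unlimited-strength policy files installed?") can be run in one small program. The following is an added example, not code from the thread or from Tomcat; the sample `ciphers` value is a subset of the one quoted above, the `WEAK_MARKERS` list is this example's own policy and is an assumption, and `CipherSuiteCheck` is a hypothetical class name. It reports every configured suite that `SSLContext.getDefault()` cannot offer, which is exactly the condition behind the "Cannot support ... with currently installed providers" error, and prints the AES key-length cap that the restricted JCE policy imposes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Checks a Tomcat-style "ciphers" connector attribute against what the
 * running JVM's default JSSE provider can negotiate. Added example, not
 * part of Tomcat or of the original thread.
 */
public class CipherSuiteCheck {

    // Constructed sample: a subset of the connector attribute quoted in the thread.
    static final String CONFIGURED_CIPHERS =
          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
        + "TLS_RSA_WITH_AES_256_CBC_SHA,"
        + "TLS_RSA_WITH_AES_128_CBC_SHA,"
        + "SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
        + "SSL_RSA_WITH_RC4_128_MD5";

    // Assumption: this example's own list of substrings that mark a suite as weak.
    static final String[] WEAK_MARKERS = { "_RC4_", "3DES", "_NULL_", "_anon_", "EXPORT", "_MD5" };

    /** Splits the comma-separated attribute value into individual suite names. */
    static List<String> parseCipherAttribute(String attr) {
        List<String> out = new ArrayList<String>();
        for (String s : attr.split(",")) {
            String t = s.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    /** Suites the JVM's default SSLContext reports as supported. */
    static Set<String> supportedSuites() throws Exception {
        return new HashSet<String>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    }

    /** Configured suites that the provider cannot offer; each would trigger the IllegalArgumentException. */
    static List<String> unsupportedSuites(List<String> configured) throws Exception {
        Set<String> supported = supportedSuites();
        List<String> missing = new ArrayList<String>();
        for (String c : configured) {
            if (!supported.contains(c)) missing.add(c);
        }
        return missing;
    }

    /** True when the suite name contains one of the weak markers. */
    static boolean isWeak(String suite) {
        for (String m : WEAK_MARKERS) {
            if (suite.contains(m)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Brett's question: a JVM with the restricted JCE policy caps AES at 128 bits,
        // so no AES_256 suite can be negotiated regardless of the connector configuration.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: "
            + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));
        if (maxAes < 256) {
            System.out.println("-> AES_256 suites cannot be used; install the JCE Unlimited Strength policy files.");
        }

        List<String> configured = parseCipherAttribute(CONFIGURED_CIPHERS);
        for (String c : unsupportedSuites(configured)) {
            System.out.println("UNSUPPORTED by this JVM: " + c);
        }
        for (String c : configured) {
            if (isWeak(c)) System.out.println("WEAK (consider removing): " + c);
        }

        System.out.println("Suites this JVM can offer:");
        for (String s : supportedSuites()) {
            System.out.println("  " + s);
        }
    }
}
```

Compile and run it with the same JVM that starts Tomcat, since the supported-suite list and the AES cap depend on that JVM's installed providers and policy files, not on the one used for development. Any suite printed as UNSUPPORTED must be dropped from the `ciphers` attribute before the NIO connector will start; the WEAK lines are the example's own hint that RC4, 3DES and MD5-based suites no longer belong in a list whose purpose is to exclude weak ciphers.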
