Hello Brett,

Thank you for the reply. I did install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for the JVM. Note that the same thing works properly with the default connector implementation.
I will be creating a minimal web application and will file an issue.

Regards,
Parag

-----Original Message-----
From: Brett Delle Grazie [mailto:brett.dellegra...@gmail.com]
Sent: Saturday, February 05, 2011 1:30 PM
To: Tomcat Users List
Subject: Re: Nio Connector and self signed SSL certificate giving "No client certificate chain in this request"

Hi,

On 4 February 2011 22:36, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Parag,
>
> On 2/4/2011 5:04 AM, Parag Thakur wrote:
>
>> When I try to access a secure URL (e.g. /secure/foo.do) from a java
>> program using apache httpclient library (where the client is configured
>> to use "C:\keys\webserver.keystore" as the truststore and
>> "C:\keys\client.keystore" as the keystore), I get the following response
>> from the tomcat server:
>>
>> "This request requires HTTP authentication (No client certificate chain
>> in this request)."
>>
>> Tomcat's log shows the following stack trace:
>>
>> 2011-02-04 15:04:47 WARNING: #{11} [Http11NioProcessor.action] Exception getting SSL attributes
>> java.lang.NullPointerException
>>     at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:150)
>
> [snip]
>
>> Oddly, the same program works if I use
>> org.apache.coyote.http11.Http11Protocol instead of
>> org.apache.coyote.http11.Http11NioProtocol.
>
> That looks like a problem. Can you build a minimal test case (nearly
> empty webapp with CLIENT-CERT authentication) and include a server.xml
> file as well as keystore and truststore that can demonstrably work in
> the BIO connector and fail in the NIO one? If so, please log this in
> Bugzilla and attach all of the above.
>
>> Secondly, for Http11Protocol, I used to be able to specify a list of
>> "ciphers" in the Connector configuration to prevent weak ciphers being
>> used. E.g.
>>
>> ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
>>          TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
>>          TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
>>          TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
>>          TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>          TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
>>          SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,
>>          SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5"
>>
>> However, the same does not seem to work with the Http11NioProtocol, and
>> I get the following in tomcat's logs:
>>
>> 2011-02-04 15:09:12 SEVERE: #{11} [NioEndpoint.setSocketOptions]
>> java.lang.IllegalArgumentException: Cannot support
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
>
> See http://markmail.org/message/zn4namfhypyxum23 for code that will show
> you what ciphers are available for your environment. Perhaps you really
> are using an unsupported cipher.

Stupid question, but did the OP copy the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files for whatever JVM they are using?

> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1Mf2IACgkQ9CaO5/Lv0PBG+QCgmrd5uUAl+yaXjmd8/WknbpJE
> WQsAnjj2lr9Swn2RROocNCrb521mk3ZF
> =2+Gu
> -----END PGP SIGNATURE-----
>

--
Best Regards,
Brett Delle Grazie

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
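A way to make Chris's "check what ciphers your environment supports" and Brett's policy-file question concrete, as an added example that is not part of this thread and not Tomcat's own code: the program below takes a Connector `ciphers` attribute string, compares each name with what the running JVM's JSSE provider reports via `SSLEngine.getSupportedCipherSuites()`, reproduces the `setEnabledCipherSuites` call that raises "Cannot support ... with currently installed providers", and reads `Cipher.getMaxAllowedKeyLength("AES")`, which is 128 under the limited jurisdiction policy and `Integer.MAX_VALUE` once the unlimited-strength files are installed. The class name and the embedded sample list (copied from the message above) are this example's own; run it on the same JVM Tomcat uses, since a different `java` on the PATH will give a different answer.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not Tomcat code): checks a Tomcat Connector "ciphers"
 * attribute against the cipher suites the current JVM's JSSE provider
 * actually supports, and reports whether the JCE jurisdiction policy
 * limits AES to 128-bit keys.
 *
 * Usage: java CipherSuiteCheck "SUITE1,SUITE2,..."
 * With no argument the list from the mailing-list message is used.
 */
public class CipherSuiteCheck {

    // Constructed sample input: the ciphers value quoted in the thread.
    static final String SAMPLE_CIPHERS =
          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
        + "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,"
        + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
        + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
        + "TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
        + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
        + "SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,"
        + "SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_MD5";

    /** Splits a Connector ciphers attribute the way it is written: comma separated, whitespace ignored. */
    static String[] parseCiphers(String attr) {
        String[] raw = attr.split(",");
        String[] out = new String[raw.length];
        for (int i = 0; i < raw.length; i++) {
            out[i] = raw[i].trim();
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String[] requested = parseCiphers(args.length > 0 ? args[0] : SAMPLE_CIPHERS);

        // Same kind of engine the NIO connector configures; the default
        // context is enough to ask the provider which suite names exist.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        Set<String> supported = new HashSet<String>(Arrays.asList(engine.getSupportedCipherSuites()));
        Set<String> enabled = new HashSet<String>(Arrays.asList(engine.getEnabledCipherSuites()));

        // 1. Name-by-name verdict: this is what the markmail snippet shows
        //    in list form, reduced to the suites you actually configured.
        int unsupported = 0;
        for (String suite : requested) {
            String verdict;
            if (!supported.contains(suite)) {
                verdict = "UNSUPPORTED (NIO connector will refuse to start)";
                unsupported++;
            } else if (!enabled.contains(suite)) {
                verdict = "supported, not enabled by default";
            } else {
                verdict = "supported, enabled by default";
            }
            System.out.println(suite + ": " + verdict);
        }

        // 2. Reproduce the check that produced the IllegalArgumentException
        //    in the OP's log: JSSE rejects the whole list if one name is unknown.
        try {
            engine.setEnabledCipherSuites(requested);
            System.out.println("setEnabledCipherSuites accepted all " + requested.length + " suites");
        } catch (IllegalArgumentException e) {
            System.out.println("setEnabledCipherSuites rejected the list: " + e.getMessage());
        }

        // 3. Brett's question, answered by the JVM itself: under the limited
        //    jurisdiction policy AES is capped at 128 bits, so every
        //    *_AES_256_* suite is absent from the supported set.
        int aesMax = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: "
            + (aesMax == Integer.MAX_VALUE ? "unlimited" : String.valueOf(aesMax)));
        if (aesMax < 256) {
            System.out.println("AES-256 suites cannot be enabled: install the JCE Unlimited "
                + "Strength Jurisdiction Policy Files into this JVM's jre/lib/security");
        }
        System.out.println(unsupported + " of " + requested.length + " requested suites are unsupported");
    }
}
```

Two things to keep in mind when reading the output. Step 1 only tells you whether a suite *name* exists in the provider; it cannot explain why the BIO connector tolerated the same list, so a minimal test case as Chris asked for is still needed for the NIO-only behaviour. And on current JDKs the unlimited policy is the default and `Cipher.getMaxAllowedKeyLength` will report "unlimited", while suites such as RC4 and 3DES from the quoted list are disabled through `jdk.tls.disabledAlgorithms`; a suite can therefore appear as "supported, not enabled by default" and still never be negotiated.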