Thx Remy, but still not working... I did however discover why it's not working, so read on...

Remy's comment about reading *all* the documentation highlights my point about the APR SSL documentation being unclear... According to the APR/SSL documentation on the Tomcat site (and verified in the source), the only attribute that is "Required" for the connector is the SSLCertificateFile attribute, so that's all I tried at first. Since the default value for SSLEngine is "off", wouldn't SSLEngine="on" be "required" to use SSL on the connector? I also skimmed through the attributes by reading the first sentence of the description, and when I see "Name of the SSLEngine to use." I say "I don't need an external SSL engine... On to the next attribute". It might be clearer to make a second attribute that toggles SSL on/off in the connector and one that specifies an engine other than the default:

<Connector SSLEnable="true" (default false)? SSLEngine="customEngineNameHere" (default none)? />

This makes a clear separation between enabling SSL in the connector and a deviation from the default SSL engine. In the above-mentioned suggestion the SSLEnable attribute should be a required attribute for the connector. Just my two cents; I know about the SSLEngine so I don't need the added clarification. It might also be the way that OpenSSL handles its SSLEngine attribute, and if that's the case, something pointing out that the attribute is "required" would be super helpful.

Now that the doc discussion is over, let's get to the root of the problem... After Remy's advice I tried SSLEngine="on" with only the SSLCertificate attribute and turned my debug level to 5 to get maximum debugging info.
<Connector port="443" debug="5" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100"
           SSLEngine="on"
           SSLCertificateFile="c:\certs\server\server.cer" />

Here is what I got in the log file:

Nov 30, 2005 4:53:21 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Nov 30, 2005 4:53:22 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: Unable to load certificate key c:\certs\server\server.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:592)
        at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:115)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Nov 30, 2005 4:53:22 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.lang.Exception: Unable to load certificate key c:\certs\server\server.cer (error:0906D06C:PEM routines:PEM_read_bio:no start line)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)

This makes sense because how can the server encrypt anything that matches its public key without having signed it with the private key? /;) So I added in the SSLCertificateFile attribute.

<Connector port="443" debug="5" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100"
           SSLEngine="on"
           SSLCertificateFile="c:\certs\server\server.cer"
           SSLCertificateKeyFile="c:\certs\server\serverKey.key" />

Woo Hoo!!!!! Nothing in the log file...

Nov 30, 2005 4:57:10 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
Nov 30, 2005 4:57:11 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 30, 2005 4:57:11 PM org.apache.catalina.startup.Catalina load

I then try connecting to the server using http://server/ but STILL nothing... Not being one to be thwarted so easily (and having found and posted a code fix just yesterday for some APR connector code) I dove right into the source...
It looks like the SSL implementation for the native APR connector might not be functioning as intended ;) Take a look at the code snippet below:

Lines 639-650 of org.apache.coyote.Http11AprProtocol.java:

    // FIXME: SSL implementation
    /*
    if( proto.secure ) {
        SSLSupport sslSupport=null;
        if(proto.sslImplementation != null)
            sslSupport = proto.sslImplementation.getSSLSupport(socket);
        processor.setSSLSupport(sslSupport);
    } else {
        processor.setSSLSupport( null );
    }
    processor.setSocket( socket );
    */

Whoops... Not knowing the intimate details of how the Tomcat/APR connectors function, I might be incorrect in my assumption, but it looks like the SSL code is in fact commented out. Going to post a bug for this if someone doesn't do it by the time I get home... =D

- cheers!
-rOcK

-----Original Message-----
From: Remy Maucherat [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 30, 2005 4:12 PM
To: Tomcat Users List
Subject: Re: Tomcat 5.5.12- APR Connector - SSL configuration

On 11/30/05, Nate Rock <[EMAIL PROTECTED]> wrote:
> All to no avail =(

Cool, but how about really reading *all* the APR documentation. For example, there's a SSLEngine attribute, also.

--
xxxxxxxxxxxxxxxxxxxxxxxxx
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
xxxxxxxxxxxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
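An added pre-flight check (not code from the thread or from Tomcat) for the two failure modes seen above: it reads a <Connector> element, requires SSLEngine="on", and confirms that the files named by SSLCertificateFile and SSLCertificateKeyFile carry PEM "-----BEGIN ...-----" headers, which is what OpenSSL's "PEM_read_bio:no start line" says it could not find. Tomcat's APR connector defaults SSLCertificateKeyFile to SSLCertificateFile, so leaving it out makes the loader hunt for the private key inside server.cer, exactly the first error above; the file contents and the trimmed connector strings below are constructed stand-ins.

```python
import re
import xml.etree.ElementTree as ET

# PEM markers OpenSSL's PEM_read_bio looks for; a file lacking the expected one
# fails with "PEM routines:PEM_read_bio:no start line".
CERT_RE = re.compile(rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----")
KEY_RE = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY-----")

def pem_kinds(data):
    """Return which PEM object kinds ('cert', 'key') appear in data."""
    kinds = set()
    if CERT_RE.search(data):
        kinds.add("cert")
    if KEY_RE.search(data):
        kinds.add("key")
    return kinds

def check_connector(connector_xml, files):
    """Validate one <Connector> element's APR SSL attributes.
    files maps path -> bytes (a stand-in for reading the disk, so this runs
    offline).  Returns a list of problems; empty means it should initialise."""
    conn = ET.fromstring(connector_xml)
    problems = []
    if conn.get("SSLEngine", "off").lower() != "on":
        problems.append('SSLEngine is not "on": the APR connector will serve plain HTTP')
    cert = conn.get("SSLCertificateFile")
    if cert is None:
        return problems + ["SSLCertificateFile is required"]
    # The APR connector falls back to the certificate file for the private key
    # when SSLCertificateKeyFile is absent, so the cert file must then hold both.
    key = conn.get("SSLCertificateKeyFile", cert)
    if "cert" not in pem_kinds(files.get(cert, b"")):
        problems.append(f"{cert}: no PEM certificate header (DER or wrong file?)")
    if "key" not in pem_kinds(files.get(key, b"")):
        hint = " (set SSLCertificateKeyFile)" if key == cert else ""
        problems.append(f"{key}: no PEM private key header{hint}")
    return problems

# Constructed stand-ins for the two files named in the message; not real keys.
FILES = {
    r"c:\certs\server\server.cer":
        b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
    r"c:\certs\server\serverKey.key":
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n",
}
# The two <Connector> elements tried above, trimmed to their SSL attributes.
KEY_MISSING = r'<Connector port="443" SSLEngine="on" SSLCertificateFile="c:\certs\server\server.cer" />'
COMPLETE = (r'<Connector port="443" SSLEngine="on" SSLCertificateFile="c:\certs\server\server.cer" '
            r'SSLCertificateKeyFile="c:\certs\server\serverKey.key" />')
```

Running check_connector(KEY_MISSING, FILES) reports the server.cer key problem and suggests SSLCertificateKeyFile; check_connector(COMPLETE, FILES) returns an empty list.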