-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in]
Sent: 06 March 2013 15:12
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates
Thanks Brijesh,
The certificate that I am using is RSA based certificate, I tried listing the
RSA based ciphers in the server the xml, however it still gave me the same
error.
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/tmp/.keystore" keystorePass="changeit" enableLookups="false"
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
clientAuth="false" sslProtocol="TLS" />
Any idea what else could be going wrong?
Thanks,
Siddhi
Hi Siddhi,
You can check your keystore type. If it is not JKS, then you need to specify
the keyStoreType also in the connector definition.
-Brijesh
-----Original Message-----
From: Brijesh Deo [mailto:b...@sonicwall.com]
Sent: Wednesday, March 06, 2013 12:25 PM
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates
-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_bor...@persistent.co.in]
Sent: 06 March 2013 12:15
To: users@tomcat.apache.org
Subject: Error configuring tomcat with ssl certificates
Hi,
I need help configuring tomcat 6 will ssl certificates. I have been provided
with the following
cacert.pem
prvkey.key
and sslcert.crt
I tried the following steps:
1) Generated a keystore using java keytool and the certificate file using
the following command.
keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore
keystore
2) Added the .pem file to the keystore
keytool -import -trustcacerts -alias root -file
cacert.pem-keystore keystore
3) Start the tomcat server
4) After starting the server, the following error was seen in the logs.
Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
at
org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1107)
at
org.apache.catalina.core.StandardService.start(StandardService.java:531)
at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key
corresponds to the SSL cipher suites which are enabled.
at
sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
at
sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
... 15 more
Can someone help on this?
Thanks
Siddhi,
You might want to check your ciphers attribute value in the Connector
definition in server.xml file. Generally, the list of ciphers that you include
here are based upon the type of your certificate. If you have RSA based
certificate, you need to enlist RSA based ciphers (ones with _RSA in the cipher
suite name) and similarly for DSA based certificate you should have
corresponding cipher suites (ones with _DSS in the cipher suite names). May be
you have this mismatched and that is the problem.
The other way round would be to generate or use a certificate based upon the
cipher suites that you want or are supported in your ciphers attribute value.
Brijesh Deo
Dell | SonicWALL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the
property of Persistent Systems Ltd. It is intended only for the use of the
individual or entity to which it is addressed. If you are not the intended
recipient, you are not authorized to read, retain, copy, print, distribute or
use this message. If you have received this communication in error, please
notify the sender and delete all copies of this message. Persistent Systems
Ltd. does not accept any liability for virus infected mails.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
