02.06.2014 19:56, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Арсений,

On 6/2/14, 10:24 AM, Арсений Зинченко wrote:
Hi.

Faced with very odd behavior of Tomcat 7...

Have two instances on same box - Tomcat 5.5 and Tomcat 7.

Both have same configuration - first from 5.5:

<Connector port="${port.https}" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
truststorePass="pass" />

Next - from 7.0:

<Connector port="${port.https}" protocol="HTTP/1.1"
SSLEnabled="true" enableLookups="false"
disableUploadTimeout="true" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS"
keystoreFile="conf/.ssl/tomcat.jks" keyAlias="tomcat"
keystorePass="pass" truststoreFile="conf/.ssl/trustcacerts.jks"
truststorePass="pass" />

Also - both configured for CLIENT-CERT authentication (same
application with same web.xml).

The cert is installed in the browser, but - when I'm trying to open a connection
to Tomcat 7 - I got 401 - Cannot authenticate with the provided
credentials - and no authentication attempt in the log:

10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] "GET /service/
HTTP/1.1" 401 1049

But connection to 5.5 - successful with same browser &&
certificate.

Also, in ssldump I see that browser can't make "handshake" with 7.0
server:

1 2  0.0317 (0.0308)  S>C  Handshake ServerHello Version 3.1
session_id[32]= 53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3 cb
74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76 cipherSuite
TLS_DHE_DSS_WITH_AES_128_CBC_SHA compressionMethod
NULL Certificate ServerKeyExchange CertificateRequest
certificate_types                   rsa_sign certificate_types
dss_sign certificate_authority 30 62 31 0b 30 09 06 03 55 04 06 13
02 55 41 31 10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77 6e 31
0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 31 0f 30 0d 06 03 55 04
0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55 04 0b 13 03 4c 4d
53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 65 6e 6b 6f
certificate_authority 30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41
31 // and that's all

But on 5.5 - everything OK:

1 2  0.0213 (0.0195)  S>C  Handshake ServerHello Version 3.1
session_id[32]= 53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68 0d
1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f cipherSuite
TLS_DHE_DSS_WITH_AES_128_CBC_SHA compressionMethod
NULL Certificate ServerKeyExchange ServerHelloDone 1 3  0.0256
(0.0042)  C>S  Handshake ClientKeyExchange
DiffieHellmanClientPublicValue[96]= 4a 39 5e f5 2a c1 58 13 6b 7c
98 0b 44 d7 9a 42 bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5
81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67 1f 4e 18 01 db f2
9d 07 0b 81 12 39 64 62 83 84 78 dc 36 9b 00 34 f5 34 44 2d 92 eb
d9 f6 b0 7e c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e

What I'm doing wrong?
Anything in the catalina.out or other log files in logs/* ?

Are both Tomcats running on the same server?

In the Tomcat 7 case, does ssldump tell you whether the S>C has hung?
Can you tell if the TCP message is incomplete? Can you get a thread
dump on the Tomcat 7 side?

The configuration itself looks okay to me.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTjKygAAoJEBzwKT+lPKRYVJEQAKlVEFFwEyfyYFML/aArNHqb
00qGyoyzu7+mLNlZlMvP4wvuXivK13Sxy+NNJ/TqkijZ4ZlaSTx82vUBHt2HNX9J
Rsq5lTL1FRHNDzHABoXwkDLj64xhJ41iBFUcdsGENJ9K9mpFtPXi3wSRsQK4eguv
ynRr+f3pJwWsiPlXxWiGICV55mKGsUvSwjKzXhG6RYMpUmHeT1V7SOyOfPA73Jks
GGPaDsc0tNT9K6c8NGX+c5+u0h5Af5UQn10Rcpp/22QSzfIDwq4kv1MPZ9I+TTQa
l/S/L6VfVtbacUuvVMsnN15eIEQDfTVA9RoKjacG0rsrB+oqoSG0UDjFhuP8LXHx
huvhim7CJcZyaNR3Ydp8Q+NFz5ON4w6tlP/APA48x6HUgAJq3DoSlFbrbJGu4HVV
NgziXOdlwz7KD7yVdUckrbCsLVCFrxkBENtOUdQ5a6dp1bjPBfOcxrtPcEduvLUR
mdNsoXQA8pOFBLHwIJSONBn7lSXQPBR+XCkxGJDqYzdmaykoz2OrB7aA4DqtYXCD
iwA0bvwFCOOzq/DiNlLgqscQz9+sAbT7ROjCvkKpDfjJYBi7S26eNx9Gg1S39scX
uAlDoRe96CQDmcitZ8Oqrn5ErKReTpbhGULn0YnHB1uL9Vxd5M8EkAI0whTQMQ5u
qYcRj4u7cd24Okq8KQUd
=zoKs
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Hi, Chris.

Thanks for the reply and sorry for spending your time - there was my error in server.xml - I included the ojdbc Realm in the wrong place (out of the Host element).

I think so... Because I made a lot of experiments today trying to fix it...

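The ssldump trace in the thread shows the Tomcat 7 side sending a CertificateRequest whose certificate_authority entries are DER-encoded X.501 names, and the second entry stops mid-way ("and that's all"). A browser only offers a client certificate whose chain leads to one of the advertised names, so decoding that list and comparing it with the client cert's issuer is the first check worth doing when clientAuth="want" ends in a 401. The following is an added example, not code from the thread or from Tomcat: it decodes the two hex dumps exactly as they appear in the trace (the names CA_COMPLETE and CA_CUT_OFF, the helper functions and the OID table are the example's own choices), reports a partial DN when the dump is truncated instead of failing, and includes a small issuer comparison.

```python
# Added example (not from the mailing-list thread): decode the DER-encoded
# certificate_authority names that ssldump prints inside a TLS CertificateRequest,
# so the advertised CA list can be compared with the client certificate's issuer.
from typing import List, Tuple

# Short names (RFC 4519) for the attribute OIDs found in a typical CA DN.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
}

# Both hex dumps are copied from the ssldump output in the thread; the second
# one is where the Tomcat 7 trace stopped ("and that's all").
CA_COMPLETE = bytes.fromhex(
    "30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31 10 30 0e 06 03 55 04 08 "
    "13 07 55 6e 6b 6e 6f 77 6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76 "
    "31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66 74 31 0c 30 0a 06 03 55 "
    "04 0b 13 03 4c 4d 53 31 13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68 "
    "65 6e 6b 6f"
)
CA_CUT_OFF = bytes.fromhex("30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31")


class Truncated(Exception):
    """The DER stream ended before a declared length was satisfied."""


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise Truncated(f"tag/length cut off at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if pos + n > len(buf):
            raise Truncated(f"length bytes cut off at offset {pos}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise Truncated(f"value cut off at offset {pos}")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Turn OID content octets into dotted form, e.g. 55 04 06 -> 2.5.4.6."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def decode_name(der: bytes) -> Tuple[List[Tuple[str, str]], bool]:
    """Decode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue).

    Returns (rdns, complete). If the dump was cut off, as the Tomcat 7 trace
    was, the attributes that did fit are still returned and complete is False.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    declared = der[1]  # CA names in a CertificateRequest fit a short-form length
    if declared & 0x80:
        raise ValueError("long-form length on the outer SEQUENCE is not handled")
    body = der[2:2 + declared]
    complete = len(body) == declared
    rdns: List[Tuple[str, str]] = []
    pos = 0
    try:
        while pos < len(body):
            tag, rdn, pos = _tlv(body, pos)
            if tag != 0x31:
                raise ValueError(f"expected SET (0x31), got 0x{tag:02x}")
            p = 0
            while p < len(rdn):  # a SET may hold several attributes
                _, atv, p = _tlv(rdn, p)
                _, oid, q = _tlv(atv, 0)  # AttributeType
                _, val, _end = _tlv(atv, q)  # AttributeValue (string types only)
                name = _decode_oid(oid)
                rdns.append((OID_NAMES.get(name, name), val.decode("utf-8", "replace")))
    except Truncated:
        complete = False
    return rdns, complete


def render(rdns: List[Tuple[str, str]]) -> str:
    """Render in DER order, the way OpenSSL prints a subject or issuer."""
    return ", ".join(f"{k}={v}" for k, v in rdns)


def issuer_advertised(issuer: List[Tuple[str, str]], advertised: List[bytes]) -> bool:
    """True if the client cert's issuer DN equals one fully decoded advertised CA."""
    return any(decode_name(ca) == (issuer, True) for ca in advertised)


if __name__ == "__main__":
    for ca in (CA_COMPLETE, CA_CUT_OFF):
        rdns, complete = decode_name(ca)
        print(("complete:  " if complete else "TRUNCATED: ") + render(rdns))
```

Run stand-alone it prints the first name in full and flags the second as truncated after C=UA, which is the same observation Chris's question about an incomplete TCP message is driving at. To use it on a live capture, paste each certificate_authority hex run from ssldump into bytes.fromhex and feed the client certificate's issuer (for example from openssl x509 -issuer) to issuer_advertised; a False there means the browser has no reason to present the certificate at all.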
