Alexandre,

On 1/14/15 1:18 PM, Alexandre Lima wrote:
> On 13 January 2015 at 18:20, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> Alexandre,
>>
>> On 1/13/15 2:41 PM, Alexandre Lima wrote:
>>> On 13 January 2015 at 16:11, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>>> Alexandre,
>>>>
>>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
>>>>> Hello! This is the first time I'm using tomcat, so I'm a little bit lost...
>>>>
>>>> Welcome! Configuring SSL always turns out to be a pain in the neck.
>>>>
>>>>> Using the tutorials, I could make the server and the application I want to run with it work. The only modification I did until now was changing the http port from 8080 to 80. I did that by changing the http connector in server.xml, enabling authbind and executing the following commands:
>>>>>
>>>>> sudo touch /etc/authbind/byport/80
>>>>> sudo chmod 500 /etc/authbind/byport/80
>>>>> sudo chown tomcat7 /etc/authbind/byport/80
>>>>>
>>>>> So, the server and the application I want to use with it are actually working on port 80
>>>>
>>>> You've confirmed this? I've never used authbind before, so I just wanted to make sure that you have Tomcat working properly with non-SSL before you try to add SSL.
>>>>
>>>>> , but the next and last step, which is enabling an SSL connection, isn't working.
>>>>>
>>>>> What I did following the site's tutorial was: created my self-signed certificate with keytool and put it in /home/myuser/key.keystore
>>>>
>>>> Can you outline the steps you took? Where is your keystore?
>>>>
>>>>> Additionally, I've created the following connector:
>>>>>
>>>>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" keystoreFile="/home/myuser/key.keystore" keystorePass="mypass" clientAuth="false" sslProtocol="TLS" />
>>>>
>>>> That looks good so far.
>>>>
>>>>> Saved it, restarted the server and accessed https://myip:8443, but it isn't working. Chrome says "No data received", "Unable to load the webpage because the server sent no data" and "Error code: ERR_EMPTY_RESPONSE".
>>>>>
>>>>> Firefox says that the connection was reset while the page was being loaded.
>>>>>
>>>>> That's where I am now. I don't know what to try anymore.
>>>>
>>>> Try:
>>>>
>>>> $ telnet localhost 8443
>>>>
>>>> (on the server with Tomcat running)
>>>>
>>>> That will tell you if the port is open (it should be, otherwise you'd be getting different errors from Chrome and ff) and what, if anything, gets dumped to it when you connect.
>>>>
>>>> If you get a connection and nothing happens, try submitting a request like this:
>>>>
>>>> $ telnet localhost 8443
>>>> GET /
>>>>
>>>> [output goes here]
>>>>
>>>> Post the results of the above if you get anything.
>>>>
>>>> Dumb question: you restarted Tomcat after updating server.xml, right?
>>>>
>>>> -chris
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>> Thank you for the reply Christopher! I've used the command:
>>>
>>> keytool -genkey -alias tomcat -keyalg RSA -keystore /home/myuser/key.keystore
>>>
>>> to generate the keystore. Should I put the keystore in some special directory, or is this one fine?
>>>
>>> So, afterwards, requesting:
>>>
>>> telnet localhost 8443
>>>
>>> I got some strange stuff:
>>>
>>> ~$ telnet localhost 8443
>>> Trying ::1...
>>> Connected to localhost.
>>> Escape character is '^]'.
>>> GET /
>>> ^U^C^A^@^B^B
>>>
>>> And yes, I've restarted it :)
>>
>> Good. Now, try this:
>>
>> $ openssl s_client -debug -connect localhost:8443
>>
>> Assuming that the server is running and listening for SSL connections, s_client should be able to connect, and it should give you tons of good information about what's happening there.
>>
>> -chris
>
> Hello Chris! I've tried the command you suggested and the most important thing I found was this:
>
> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1073 bytes and written 555 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-SHA384
>     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
>     Session-ID-ctx:
>     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1421259101
>     Timeout   : 300 (sec)
>     Verify return code: 10 (certificate has expired)
>
> SysAid is the application I'm running under tomcat. Does it mean that SysAid is a server behind tomcat? And so I would have to configure the connection in it? That's strange. I would like to hear your opinion.

Well, the subject and issuer look a little strange, but that may be just because you configured them that way (when keytool asked you all those questions). Generally speaking, when keytool asks you for your "first and last name", it really means your "common name", which for nearly everybody is actually the DNS name of the server (e.g. www.mysite.com).

If you list the contents of your keystore, what's in there?

$ keytool -list -keystore path/to/keystore

-chris
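The following is an added example, not code from the thread or from the Tomcat project. It reads the text that `openssl s_client` prints (the sample below is constructed from the lines Alexandre quoted) and reports the points Chris is steering at: a CN that is not the server's DNS name, a subject equal to the issuer (self-signed), and a non-zero "Verify return code". The 2048-bit minimum key size and the hostname `www.mysite.com` are assumptions of the example, not something the thread states.

```python
"""Triage the text output of `openssl s_client -connect host:port`.

Added example (not from the thread). SAMPLE_S_CLIENT_OUTPUT is constructed
from the output Alexandre posted; the key-size threshold is an assumption.
"""
import re

SAMPLE_S_CLIENT_OUTPUT = """\
subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
---
No client certificate CA names sent
---
SSL handshake has read 1073 bytes and written 555 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Start Time: 1421259101
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
"""

MIN_RSA_BITS = 2048  # assumption of this example, not stated in the thread


def parse_dn(dn):
    """Split an OpenSSL one-line DN such as '/O=SysAid/CN=Unknown' into a dict."""
    rdns = {}
    for part in dn.strip().split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        rdns[key] = value
    return rdns


def _first(pattern, text, flags=re.M):
    """Return group 1 of the first match of pattern in text, or None."""
    m = re.search(pattern, text, flags)
    return m.group(1) if m else None


def parse_s_client(text):
    """Extract the handshake facts a reviewer looks at first."""
    code = _first(r"Verify return code:\s*(\d+)", text)
    bits = _first(r"Server public key is (\d+) bit", text)
    return {
        "subject": parse_dn(_first(r"^subject=(.*)$", text) or ""),
        "issuer": parse_dn(_first(r"^issuer=(.*)$", text) or ""),
        "key_bits": int(bits) if bits is not None else None,
        # 'Cipher is ...' on the 'New,' line has no colon, so this picks the
        # SSL-Session block's 'Cipher    : ...' entry.
        "protocol": _first(r"Protocol\s*:\s*(\S+)", text),
        "cipher": _first(r"Cipher\s*:\s*(\S+)", text),
        "verify_code": int(code) if code is not None else None,
        "verify_reason": _first(r"Verify return code:\s*\d+\s*\(([^)]*)\)", text),
    }


def triage(info, expected_hostname):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    cn = info["subject"].get("CN")
    if cn != expected_hostname:
        findings.append(
            f"CN is {cn!r}; keytool's 'first and last name' should be the "
            f"server's DNS name {expected_hostname!r}"
        )
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("certificate is self-signed (subject equals issuer)")
    if info["verify_code"] not in (0, None):
        findings.append(
            f"verify return code {info['verify_code']} ({info['verify_reason']})"
        )
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        findings.append(f"server key is only {info['key_bits']} bits")
    return findings


if __name__ == "__main__":
    parsed = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    print(f"{parsed['protocol']} / {parsed['cipher']}")
    for finding in triage(parsed, "www.mysite.com"):  # hostname is a placeholder
        print("-", finding)
```

Run against the quoted output with the placeholder hostname, it reports all four findings; feeding it a capture from a certificate whose CN matches the hostname, issued by a separate CA, with a 2048-bit key and verify code 0, yields no findings.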