-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alexandre,

On 1/14/15 2:15 PM, Alexandre Lima wrote:
> On 14 January 2015 at 15:59, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Alexandre,
> 
> On 1/14/15 1:18 PM, Alexandre Lima wrote:
>>>> On 13 January 2015 at 18:20, Christopher Schultz < 
>>>> ch...@christopherschultz.net> wrote:
>>>> 
>>>> Alexandre,
>>>> 
>>>> On 1/13/15 2:41 PM, Alexandre Lima wrote:
>>>>>>> On 13 January 2015 at 16:11, Christopher Schultz < 
>>>>>>> ch...@christopherschultz.net> wrote:
>>>>>>> 
>>>>>>> Alexandre,
>>>>>>> 
>>>>>>> On 1/13/15 1:37 PM, Alexandre Lima wrote:
>>>>>>>>>> Hello! This is the first time I'm using Tomcat,
>>>>>>>>>> so I'm a little bit lost...
>>>>>>> 
>>>>>>> Welcome! Configuring SSL always turns out to be a pain
>>>>>>> in the neck.
>>>>>>> 
>>>>>>>>>> Using the tutorials, I could make the server and
>>>>>>>>>> the application I want to run with it work. The
>>>>>>>>>> only modification I did until now was changing
>>>>>>>>>> the http port from 8080 to 80. I did that by
>>>>>>>>>> changing the http connector in server.xml,
>>>>>>>>>> enabling authbind and executing the following
>>>>>>>>>> commands:
>>>>>>>>>> 
>>>>>>>>>> sudo touch /etc/authbind/byport/80
>>>>>>>>>> sudo chmod 500 /etc/authbind/byport/80
>>>>>>>>>> sudo chown tomcat7 /etc/authbind/byport/80
>>>>>>>>>> 
>>>>>>>>>> So, the server and the application I want to use
>>>>>>>>>> with it are actually working on port 80
>>>>>>> 
>>>>>>> You've confirmed this? I've never used authbind before,
>>>>>>> so I just wanted to make sure that you have Tomcat
>>>>>>> working properly with non-SSL before you try to add
>>>>>>> SSL.
>>>>>>> 
>>>>>>>>>> , but the next and last step, which is enabling
>>>>>>>>>> an SSL connection, isn't working.
>>>>>>>>>> 
>>>>>>>>>> What I did following the site's tutorial was:
>>>>>>>>>> created my self-signed certificate with keytool
>>>>>>>>>> and put it in /home/myuser/key.keystore
>>>>>>> 
>>>>>>> Can you outline the steps you took? Where is your
>>>>>>> keystore?
>>>>>>> 
>>>>>>>>>> Additionally, I've created the following
>>>>>>>>>> connector:
>>>>>>>>>> 
>>>>>>>>>> <Connector port="8443"
>>>>>>>>>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>>>>>>>>>            SSLEnabled="true" maxThreads="200" scheme="https"
>>>>>>>>>>            secure="true"
>>>>>>>>>>            keystoreFile="/home/myuser/key.keystore"
>>>>>>>>>>            keystorePass="mypass" clientAuth="false"
>>>>>>>>>>            sslProtocol="TLS" />
>>>>>>> 
>>>>>>> That looks good so far.
>>>>>>> 
>>>>>>>>>> Saved it, restarted the server and accessed
>>>>>>>>>> https://myip:8443, but it isn't working. Chrome
>>>>>>>>>> says "No data received" and "Unable to load the
>>>>>>>>>> webpage because the server sent no data" and
>>>>>>>>>> "Error code: ERR_EMPTY_RESPONSE".
>>>>>>>>>> 
>>>>>>>>>> Firefox says that the connection was reset while
>>>>>>>>>> the page was being loaded.
>>>>>>>>>> 
>>>>>>>>>> That's where I am now. I don't know what to try 
>>>>>>>>>> anymore.
>>>>>>> 
>>>>>>> Try:
>>>>>>> 
>>>>>>> $ telnet localhost 8443
>>>>>>> 
>>>>>>> (on the server with Tomcat running)
>>>>>>> 
>>>>>>> That will tell you if the port is open (it should be, 
>>>>>>> otherwise you'd be getting different errors from Chrome
>>>>>>> and ff) and what, if anything, gets dumped to it when
>>>>>>> you connect.
>>>>>>> 
>>>>>>> If you get a connection and nothing happens, try
>>>>>>> submitting a request like this:
>>>>>>> 
>>>>>>> $ telnet localhost 8443
>>>>>>> GET /
>>>>>>> 
>>>>>>> [output goes here]
>>>>>>> 
>>>>>>> Post the results of the above if you get anything.
>>>>>>> 
>>>>>>> Dumb question: you restarted Tomcat after updating 
>>>>>>> server.xml, right?
>>>>>>> 
>>>>>>> -chris
>>>>>>> 
>>>>>>> Thank you for the reply Christopher! I've used the
>>>>>>> following command to generate the keystore:
>>>>>>> 
>>>>>>> keytool -genkey -alias tomcat -keyalg RSA -keystore /home/myuser/key.keystore
>>>>>>> 
>>>>>>> Should I put the keystore in some special directory,
>>>>>>> or is this one fine? So, after requesting:
>>>>>>> 
>>>>>>> telnet localhost 8443
>>>>>>> 
>>>>>>> I got some strange stuff:
>>>>>>> 
>>>>>>> ~$ telnet localhost 8443
>>>>>>> Trying ::1...
>>>>>>> Connected to localhost.
>>>>>>> Escape character is '^]'.
>>>>>>> GET /
>>>>>>> ^U^C^A^@^B^B
>>>>>>> 
>>>>>>> And yes, I've restarted it :)
>>>> 
>>>> Good. Now, try this:
>>>> 
>>>> $ openssl s_client -debug -connect localhost:8443
>>>> 
>>>> Assuming that the server is running and listening for SSL 
>>>> connections, s_client should be able to connect, and it
>>>> should give you tons of good information about what's
>>>> happening, there.
>>>> 
>>>> -chris
>>>> 
>>>> Hello Chris! I've tried the command you suggested and the
>>>> most important thing I found was this:
>>>> 
>>>> subject=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
>>>> issuer=/C=Unknown/ST=Unknown/L=Unknown/O=SysAid/OU=Unknown/CN=Unknown
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 1073 bytes and written 555 bytes
>>>> ---
>>>> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
>>>> Server public key is 1024 bit
>>>> Secure Renegotiation IS supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> SSL-Session:
>>>>     Protocol  : TLSv1.2
>>>>     Cipher    : ECDHE-RSA-AES256-SHA384
>>>>     Session-ID: 54B6B15D0A70F67D6044536473C28EE0A9E4CD7752925C3B2ECB03908B9B77D6
>>>>     Session-ID-ctx:
>>>>     Master-Key: F79F0B995AD24ABEC16A216A361B75BE72EF004F95DAF1459DA744B9D50F75A1431F0E60BA9CA1924C98EA01032373C1
>>>>     Key-Arg   : None
>>>>     PSK identity: None
>>>>     PSK identity hint: None
>>>>     SRP username: None
>>>>     Start Time: 1421259101
>>>>     Timeout   : 300 (sec)
>>>>     Verify return code: 10 (certificate has expired)
>>>> 
>>>> SysAid is the application I'm running under Tomcat. Does it
>>>> mean that SysAid is a server behind Tomcat? And so I would
>>>> have to configure the connection in it? That's strange. I
>>>> would like to hear your opinion.
> 
> Well, the subject and issuer look a little strange, but that may
> be just because you configured them that way (when keytool asked
> you all those questions).
> 
> Generally speaking, when keytool asks you for your "first and last 
> name", it really means your "common name" which for nearly
> everybody is actually the DNS name of the server (e.g.
> www.mysite.com).
> 
> If you list the contents of your keystore, what's in there?
> 
> $ keytool -list -keystore path/to/keystore
> 
> -chris
> 
> I actually didn't configure it that way! I didn't put "SysAid"
> anywhere when I was making the keystore. That's why I think that my
> application (SysAid) created that keystore shown, otherwise there
> wouldn't be "O=SysAid"... That's really strange... I think I'm
> gonna ask this on the SysAid forums. It's really giving me a
> headache.

Well, if you have Tomcat listening on port 8443 and you have
configured your own keystore, then you should have your own
certificate in there and not something coming from SysAid.

But it looks like you have found a critical symptom of the problem:
your keystore is not being used. I'm curious to see what else is in
your keystore, since Tomcat will use the "first" certificate in the
keystore unless you supply an "alias" in your configuration, which you
did not do.

If you have multiple certificates in your keystore, I highly recommend
that you use the "alias" attribute in your <Connector> to point to
your own certificate. I'll bet that Chrome/ff aren't willing to
connect to a web server with an SSL certificate with such an odd CN
value. I'm not sure if the CN value is actually "Unknown" (which
should be valid... "Unknown" is a perfectly valid hostname) or that
the value is somehow NULL (or "unset" or whatever) in the certificate.
If that's the case, the cert is essentially invalid and these clients
might be refusing to connect and giving you a really weird error
message in the process.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUts18AAoJEBzwKT+lPKRY9OwP/2AcG61t5Agrok1lJ2ZwDMQr
Mz122PV0ureMRf0rwmWhp8VEv/svTIK/RfKRG7TAc/CHH+BalqPAhD7JDRIKQP4V
VwcVsNOLr1LogBldIAVbiyv2mWbfWxxawZVIoV7dRN6h6MPBenPNOJoCve3gRlgp
DXcXHHp4fOybifOO1Cith5Tp6OPx+7FZzuGplwFJD337xkuQ4TtkKp9yzOmYbBKn
kluXeekQgdygQHtfOxWS4iA0p6+OVnjDXbyeI/u5ffITtr6DP/ystoDI3ZS5EcdS
rrJixy4O+mnaov0880r/Is2xIYspBxSEeQHZ3SdBvjGRPeAiO+aShc5xZtFdikvx
rzhFinxYzegma4NICeHjkuowW4nLWRk3Vo9kaiY+WB+6GHywkdeYIQYBP5s6u0D3
MWMlEpSWRMwc5e71cfq0m9NzA92bGtqwdfvKIyG8EGz9Oote3Iu5ATZ0tR5zkW3v
st1CC7HeR06RaFmPJUyHinQGvBMNyptNw2JEHBxwS6LcQci10VZHe3ghA6keASHQ
hODuq/L52XMH2hJ8l1E3C3SAfY7WIGkPe1wLL4GWBerFNqS2wn13R0rklnJr2hM0
B/YlJ3/MhSRbxVfTL4ys9V2PNl+deHhVfx6HSimYJ8ipa3YS+UjCYGk545fM8pc8
mak2EoGgEFcN9fK81xRp
=fKI9
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
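
An added check, not part of the thread above and not Tomcat's or SysAid's
code. It combines the two things Chris asked for: list the keystore entries
with keytool, and look at what the server actually presents with openssl
s_client, then report which alias (if any) the served certificate matches.
If nothing matches, Tomcat is reading a different keystore file than the one
named in the connector; if an entry matches but it is not the one you
generated, pin the right entry with keyAlias, which is how the Tomcat 7/8
HTTP connector spells the "alias" attribute Chris mentions. The s_client
output in the thread also says "certificate has expired", which a keystore
entry generated the day before cannot be, so a fingerprint comparison is the
quickest way to settle which entry is being served. The keytool listing and
the x509 fingerprint line embedded in the script are constructed samples;
the keystore path, host and port are assumptions; the live checks need
keytool (from the JDK) and openssl installed on the Tomcat host.

```shell
#!/bin/sh
# Added example (not from the thread, not Tomcat's or SysAid's code):
# which certificate is Tomcat really serving on 8443, and from which alias?

# parse_keystore_fps: read `keytool -list -v` output on stdin and print one
# "<alias> <SHA1-hex>" line per entry. The SHA1 line exists in every keytool
# version (SHA256 only in newer JDKs); the hash only matches entries you
# already hold, it does not establish trust. Only the leaf (Certificate[1])
# of each entry is reported, which is what the server sends first.
parse_keystore_fps() {
    awk '
        /^Alias name: / { alias = substr($0, 13) }
        /^[[:space:]]*SHA1: / && alias != "" {
            fp = $2; gsub(/:/, "", fp); print alias, toupper(fp); alias = ""
        }'
}

# parse_served_fp: read `openssl x509 -noout -fingerprint -sha1` output
# ("SHA1 Fingerprint=AB:CD:...") and print the bare uppercase hex.
parse_served_fp() {
    sed -n 's/^SHA1 Fingerprint=//p' | tr -d ':' | tr 'a-f' 'A-F'
}

# match_alias: $1 is the served fingerprint, stdin is parse_keystore_fps
# output. Prints the matching alias, or NONE with exit 1 when the served
# certificate is not in this keystore at all (Tomcat reads another file).
match_alias() {
    awk -v want="$1" '
        $2 == want { print $1; found = 1 }
        END { if (!found) { print "NONE"; exit 1 } }'
}

# connector_snippet: the thread's <Connector> pinned to one keystore entry.
# Tomcat 7/8 spell the attribute keyAlias; keystorePass is left for you.
connector_snippet() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
           keystoreFile="$1" keystorePass="..." keyAlias="$2"
           clientAuth="false" sslProtocol="TLS" />
EOF
}

# Live wrappers. The keystore password is read from the KEYSTORE_PASS
# environment variable (keytool's -storepass:env) so it never shows in `ps`.
served_cert_fp() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | parse_served_fp
}
keystore_fps() {
    keytool -list -v -keystore "$1" -storepass:env KEYSTORE_PASS | parse_keystore_fps
}

# Constructed `keytool -list -v` output (two entries, trimmed to the lines
# the parser reads) and a constructed `openssl x509 -fingerprint -sha1` line.
SAMPLE_KEYTOOL_LIST='Keystore type: JKS
Your keystore contains 2 entries

Alias name: sysaid
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=Unknown, OU=Unknown, O=SysAid, L=Unknown, ST=Unknown, C=Unknown
Certificate fingerprints:
     MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
     SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=www.mysite.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Certificate fingerprints:
     MD5:  FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
     SHA1: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'
SAMPLE_X509_FP='SHA1 Fingerprint=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'

# served_alias_from_samples: run the parsers over the constructed samples.
# The served cert matches the "sysaid" entry, not the "tomcat" one.
served_alias_from_samples() {
    fp=$(printf '%s\n' "$SAMPLE_X509_FP" | parse_served_fp)
    printf '%s\n' "$SAMPLE_KEYTOOL_LIST" | parse_keystore_fps | match_alias "$fp"
}

# Usage: KEYSTORE_PASS=mypass ./which_alias.sh /home/myuser/key.keystore localhost 8443
main() {
    served=$(served_cert_fp "$2" "$3")
    echo "served leaf certificate SHA1: $served"
    if hit=$(keystore_fps "$1" | match_alias "$served"); then
        echo "that is alias '$hit' in $1; pin it explicitly:"
        connector_snippet "$1" "$hit"
    else
        echo "no entry in $1 has that fingerprint: Tomcat is not using this keystore"
        exit 1
    fi
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it on the Tomcat host with the connector's keystore path and the SSL
port. Two outcomes matter: a match on an alias you did not create means the
wrong entry is being picked and keyAlias fixes it; no match at all means the
connector you edited is not the one answering on that port, or Tomcat is
opening a different keystore file, so look at server.xml again before
touching the keystore.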
