While testing locally the new 8.5 branch, I did experience some inconsistency with self-signed SSL certs. I did manage to resolve them by installing the Tomcat-Native library / APR, but maybe it is still worth reporting in regard to the different behaviour for the same cert between Tomcat versions and configurations.

I didn't want to file a bug, since this very likely is a configuration and/or self-signed cert problem.

Thanks for considering.

Markus

Tomcat 8, works fine.
Tomcat 8.5, error => Alias name tomcat does not identify a key entry

    <Connector SSLEnabled="true"
               URIEncoding="UTF-8"
               clientAuth="false"
               keystoreType="PKCS12"
               keystoreFile="[path-to]/localhost.p12"
               keystorePass="tomcat"
               maxThreads="150"
               port="8443"
               protocol="HTTP/1.1"
               scheme="https"
               secure="true"
               sslProtocol="TLS"/>

---

Tomcat 8.5, same cert, starts fine but throws on first SSL invocation:

java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               port="8443"
               URIEncoding="UTF-8"
               clientAuth="false"
               keystoreType="PKCS12"
               keystoreFile="[path-to]/localhost.p12"
               keystorePass="tomcat"
               maxThreads="150"
               scheme="https"
               secure="true"
               sslProtocol="TLS" />

---

Tomcat 8.5, new cert
Tomcat-Native / APR disabled

Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]
java.security.KeyStoreException: Cannot store non-PrivateKeys

Same cert works with Tomcat-Native / APR enabled

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               secure="true"
               scheme="https"
               SSLEnabled="true"
               defaultSSLHostConfigName="localhost">
        <SSLHostConfig hostName="*.test.localhost">
            <Certificate certificateKeyFile="[path-to]/localhost.key"
                         certificateFile="[path-to]/localhost.crt"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Also works with protocol="org.apache.coyote.http11.Http11AprProtocol" with Tomcat-Native / APR enabled
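The first and third errors above ("does not identify a key entry", "Cannot store non-PrivateKeys") both point at the keystore entry Tomcat is handed rather than at Tomcat itself. The following diagnostic is an added example, not code from the report or from Tomcat: it opens a PKCS12 store with the JDK KeyStore API, lists every entry, and checks whether the alias named on the command line is a private-key entry with a certificate chain. The store path, password and alias are assumed to be passed as arguments (the report's values would be localhost.p12, tomcat, tomcat).

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Enumeration;

/** Added diagnostic: does a PKCS12 alias hold what a TLS connector needs? */
public class KeystoreCheck {

    /** True when alias is a PrivateKeyEntry with at least one certificate. */
    public static boolean hasUsableKeyEntry(KeyStore ks, String alias, char[] keyPass)
            throws Exception {
        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' not present in store");
            return false;
        }
        if (!ks.isKeyEntry(alias)) {          // trustedCertEntry: cert only, no private key
            System.out.println("alias '" + alias + "' is a certificate-only entry");
            return false;
        }
        Key key = ks.getKey(alias, keyPass);  // could still be a SecretKey, unusable for TLS
        Certificate[] chain = ks.getCertificateChain(alias);
        boolean ok = key instanceof PrivateKey && chain != null && chain.length > 0;
        System.out.println("alias '" + alias + "': " + key.getAlgorithm()
                + (ok ? " private key, chain length " + chain.length
                      : " entry is not a usable private key entry"));
        return ok;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java KeystoreCheck <store.p12> <storePass> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Show every entry so a mismatched alias (e.g. "1" vs "tomcat") is obvious.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.printf("entry: %-20s keyEntry=%-5b certEntry=%b%n",
                    a, ks.isKeyEntry(a), ks.isCertificateEntry(a));
        }
        // Tomcat falls back to the keystore password for the key unless keyPass is set.
        System.exit(hasUsableKeyEntry(ks, args[2], args[1].toCharArray()) ? 0 : 1);
    }
}
```

A non-zero exit means the connector would fail for the same reason the report shows, independent of whether the JSSE or APR implementation is selected.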

