Madhan,

On 6/3/20 21:08, Madhan Raj wrote:
> OS - CentOS 7.6.1810 (Core)
>
> Below connector doesn't load my EC keystore whereas it works with
> RSA. Any insights please.

When you say "doesn't load", what do you mean? Possible reasonable
responses are:

1. I can only complete a handshake with RSA cert, not ECDSA cert
2. Error message (please post)
3. JVM crashes
4. OS crashes
5. Universe ends (possible, but unlikely to be reproducible)

> this is my connector tag in server.xml
>
> <Connector SSLEnabled="true" URIEncoding="UTF-8" maxThreads="200" port="443"
>            scheme="https" secure="true"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192"
>            minSpareThreads="25">
>   <SSLHostConfig sslProtocol="TLS"
>                  certificateVerification="none" sessionTimeout="1800"
>                  protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"
>                  ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
>                  sessionCacheSize="10000">
>     <Certificate certificateKeyAlias="tomcat-ecdsa"
>                  certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore"
>                  certificateKeystorePassword="8o8yeAH2qSJbJ2sn"
>                  certificateKeystoreType="PKCS12" type="EC"/>
>   </SSLHostConfig>
> </Connector>
>
> tomcat start up command used :-
> /home/tomcat/tomcat -user tomcat -home /usr/local/thirdparty/java/j2sdk
> -pidfile /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid
> -procname /home/tomcat/tomcat
> -outfile /usr/local/thirdparty/jakarta-tomcat/logs/catalina.out -errfile &1
> -Djdk.tls.ephemeralDHKeySize=2048
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> -Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/conf/logging.properties
> -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
> -XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80
> -Xmx1824m -Xms256m
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -cp /usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thirdparty/jakarta-tomcat/bin/tomcat-juli.jar
> -Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/catalina.policy
> -Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat
> -Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat
> -Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp
> org.apache.catalina.startup.Bootstrap start'
>
> JAVA_OPTS= -Djava.library.path=$LD_LIBRARY_PATH
> -Djavax.net.ssl.sessionCacheSize=10000
> -Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore
> -Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD
> -XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat.txt
> -Dsun.zip.disableMemoryMapping=true
> -XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh
> -XX:OnError=/home/tomcat/tomcat_diagnostics.sh $TOMCAT_JAVA_OPTS
>
> Also can I have both RSA and ECDSA in a single keystore. Will that
> work in Tomcat 9?

Yes. You have to use two <Certificate> elements each with a different
"type" and "certificateKeyAlias".

> it used to work with Tomcat 7

It still works with Tomcat 9.
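As an added illustration of the two-<Certificate> layout described in the reply above (this is an editor's example, not configuration from the thread or from the Tomcat project; the keystore path, the aliases "tomcat-rsa" and "tomcat-ecdsa", and the placeholder password are assumptions):

```xml
<!-- Added example, not from the thread: one SSLHostConfig that serves both an
     RSA and an EC certificate. The keystore path, aliases and the password
     placeholder are assumptions; both entries live in the same PKCS12 file. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="200" URIEncoding="UTF-8">
  <!-- Only TLS 1.2/1.3 and forward-secret AEAD suites are offered here;
       the ECDSA suites are usable only when the EC entry below loads. -->
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                 ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
                 sessionTimeout="1800" sessionCacheSize="10000">
    <!-- What must differ between the two entries is the alias and the type. -->
    <Certificate certificateKeyAlias="tomcat-rsa"
                 certificateKeystoreFile="${catalina.base}/conf/tomcat.p12"
                 certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER"
                 certificateKeystoreType="PKCS12"
                 type="RSA"/>
    <Certificate certificateKeyAlias="tomcat-ecdsa"
                 certificateKeystoreFile="${catalina.base}/conf/tomcat.p12"
                 certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER"
                 certificateKeystoreType="PKCS12"
                 type="EC"/>
  </SSLHostConfig>
</Connector>
```

Tomcat picks the entry whose type matches the key-exchange family the client negotiates, so a client offering only ECDHE-RSA suites gets the RSA chain and one offering ECDHE-ECDSA gets the EC chain. Before blaming the connector, confirm that the alias really holds an EC private key: `keytool -list -v -keystore tomcat.p12 -storetype PKCS12` prints each alias with its entry type and "Subject Public Key Algorithm", and a "trustedCertEntry" or an RSA key under the alias named in type="EC" is the usual cause of an EC certificate that "doesn't load". Compared with the original connector, this example drops TLSv1/TLSv1.1 and the non-forward-secret CBC suites; that is a hardening choice, not a requirement for the dual-certificate setup.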
-chris