Madhan,
> On 04.06.2020 at 18:41, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Madhan,
>
> On 6/3/20 21:08, Madhan Raj wrote:
>> OS - CentOS 7.6.1810 (Core)
>>
>> Below connector doesn't load my EC keystore whereas it works with
>> RSA. Any insights please.

Try to update to the latest version. Check the change log. In 9.0.31
support for EC keys was at least updated. Maybe this will work.

I had problems using unencrypted EC keys in Tomcat 8.5.50 in JSSE
connectors - however with PEM encoded cert files (fixed in 8.5.51).
But yours may be a similar problem.

Regards
Peter

> When you say "doesn't load", what do you mean? Possible reasonable
> responses are:
>
> 1. I can only complete a handshake with RSA cert, not ECDSA cert
> 2. Error message (please post)
> 3. JVM crashes
> 4. OS crashes
> 5. Universe ends (possible, but unlikely to be reproducible)
>
>> this is my connector tag in server.xml
>>
>> <Connector SSLEnabled="true" URIEncoding="UTF-8" maxThreads="200" port="443"
>>            scheme="https" secure="true"
>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>            disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192"
>>            minSpareThreads="25">
>>   <SSLHostConfig sslProtocol="TLS" certificateVerification="none" sessionTimeout="1800"
>>                  protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"
>>                  ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
>>                  sessionCacheSize="10000">
>>     <Certificate certificateKeyAlias="tomcat-ecdsa"
>>                  certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore"
>>                  certificateKeystorePassword="8o8yeAH2qSJbJ2sn"
>>                  certificateKeystoreType="PKCS12" type="EC"/>
>>   </SSLHostConfig>
>> </Connector>
>>
>> tomcat start up command used :-
>> /home/tomcat/tomcat -user tomcat -home /usr/local/thirdparty/java/j2sdk
>> -pidfile /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid
>> -procname /home/tomcat/tomcat
>> -outfile /usr/local/thirdparty/jakarta-tomcat/logs/catalina.out -errfile &1
>> -Djdk.tls.ephemeralDHKeySize=2048
>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
>> -Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/conf/logging.properties
>> -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
>> -XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80
>> -Xmx1824m -Xms256m
>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>> -cp /usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thirdparty/jakarta-tomcat/bin/tomcat-juli.jar
>> -Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/catalina.policy
>> -Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat
>> -Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat
>> -Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp
>> org.apache.catalina.startup.Bootstrap start'
>>
>> JAVA_OPTS= -Djava.library.path=$LD_LIBRARY_PATH
>> -Djavax.net.ssl.sessionCacheSize=10000
>> -Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore
>> -Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD
>> -XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat.txt
>> -Dsun.zip.disableMemoryMapping=true
>> -XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh
>> -XX:OnError=/home/tomcat/tomcat_diagnostics.sh $TOMCAT_JAVA_OPTS
>>
>> Also can I have both RSA and ECDSA in a single keystore. Will that
>> work in tomcat 9?
>
> Yes. You have to use two <Certificate> elements each with a different
> "type" and "certificateKeyAlias"
>
>> it used to work with tomcat 7
>
> It still works with Tomcat 9.
>
> -chris
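The dual-certificate layout Chris describes (two <Certificate> elements under one <SSLHostConfig>, each with its own "type" and "certificateKeyAlias", both pointing at the same PKCS12 file), written out as an added example. This is not configuration from the original thread: the RSA alias "tomcat-rsa", the keystore path and the "tomcat.keystore.password" property are assumptions, and the example drops TLSv1/TLSv1.1 and the non-forward-secret CBC suites from the posted cipher list as an editorial choice that the thread itself does not discuss.

```xml
<!-- Added example: Tomcat 9 NIO connector serving an ECDSA and an RSA
     certificate from one PKCS12 keystore. Aliases, paths and the
     password property are assumed, not taken from the original post. -->
<Connector SSLEnabled="true" port="443" scheme="https" secure="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           maxThreads="200" URIEncoding="UTF-8" maxHttpHeaderSize="8192">
  <!-- Both ECDHE-ECDSA and ECDHE-RSA suites must be offered, otherwise
       one of the two certificates can never be selected for a handshake. -->
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                 certificateVerification="none"
                 ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
                 sessionTimeout="1800" sessionCacheSize="10000">

    <!-- EC entry: alias as in the original post -->
    <Certificate type="EC"
                 certificateKeyAlias="tomcat-ecdsa"
                 certificateKeystoreFile="/usr/local/platform/.security/tomcat/certs/tomcat.keystore"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${tomcat.keystore.password}"/>

    <!-- RSA entry in the same keystore file: alias "tomcat-rsa" is assumed -->
    <Certificate type="RSA"
                 certificateKeyAlias="tomcat-rsa"
                 certificateKeystoreFile="/usr/local/platform/.security/tomcat/certs/tomcat.keystore"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${tomcat.keystore.password}"/>
  </SSLHostConfig>
</Connector>
```

Tomcat expands ${...} in server.xml from Java system properties, so the password can be supplied from conf/catalina.properties or with -Dtomcat.keystore.password=... on the command line instead of being stored in clear text in server.xml as in the posted connector. Before starting Tomcat, confirm that both aliases exist and carry the expected key algorithm with `keytool -list -v -keystore tomcat.keystore -storetype PKCS12`; after start-up, `openssl s_client -connect host:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256` and the same command with `ECDHE-RSA-AES128-GCM-SHA256` should each complete a handshake and show the matching certificate, which is the concrete form of Chris's first question ("I can only complete a handshake with RSA cert, not ECDSA cert").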