Rob,
On 2/15/21 18:26, Rob Sargent wrote:
Thanks again, Chris,
On 2/15/21 1:32 PM, Christopher Schultz wrote:
Try this:
$ openssl s_client -showcerts -connect k1:16004 -tls1_2
openssl s_client -showcerts -connect k1:16004 -tls1_2
CONNECTED(00000003)
140444510528832:error:1408F10B:SSL routines:ssl3_get_record:wrong
version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1613429202
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Check the port? Remember that TLS is enabled on one port (Connector)
while plaintext is on another port (Connector). So to switch from
plaintext to TLS you will need to change port numbers in your s_client
connection string (and browser).
How many connectors are you configuring? And how? Your code only shows
configuring a local "connector" reference, but not where it came from,
if it was added to the server component, etc.
I'm not following perfectly. I did localhost lookup at Luis's
suggestion, but I name k1 in all my code/runs.
Do I have to add a doOptions handler in my servlets to handle preflight?
This is my Connector generation and consumption code:
import java.io.File;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;

// Consumption: register the TLS connector with the embedded Tomcat service.
Service service = embeddedTomcat.getService();
service.addConnector(addTLSConnector(tomcatPort));

private Connector addTLSConnector(int tcport) {
    Connector connector = new Connector();
    addTLSConnector(connector, tcport);
    return connector;
}

private Connector addTLSConnector(Connector connector, int tcport) {
    File keyFile = new File(System.getProperty("SGSSRVR_keystoreFile"));
    if (!keyFile.exists()) throw new RuntimeException("where's the keystore?");
    File trustFile = new File(System.getProperty("SGSSRVR_truststoreFile"));
    if (!trustFile.exists()) throw new RuntimeException("where's the truststore?");

    // Connector.setProperty returns false when the protocol handler has no
    // setter for that attribute name, so 'done' records any unknown attribute.
    boolean done = true;
    connector.setPort(tcport);
    connector.setSecure(true);
    connector.setScheme(System.getProperty("SGSSRVR_scheme"));
    //done = done && connector.setProperty("protocol", "HTTP/1.1");
    done = done && connector.setProperty("sslProtocol", "TLS");
    done = done && connector.setProperty("address", System.getProperty("SGSSRVR_hostaddr"));
    done = done && connector.setProperty("keyAlias", System.getProperty("SGSSRVR_keystoreAlias"));
    done = done && connector.setProperty("keystorePass", System.getProperty("SGSSRVR_keystorePwd"));
    done = done && connector.setProperty("keystoreFile", keyFile.getAbsolutePath());
    done = done && connector.setProperty("keystoreType", System.getProperty("SGSSRVR_storeType"));
    // Truststore lines currently commented out. Tomcat's connector attribute for the
    // truststore password is "truststorePass", and there is no "truststoreAlias" attribute.
    // done = done && connector.setProperty("truststoreType", System.getProperty("SGSSRVR_storeType"));
    // done = done && connector.setProperty("truststoreFile", trustFile.getAbsolutePath());
    // done = done && connector.setProperty("truststoreAlias", System.getProperty("SGSSRVR_truststoreAlias"));
    // done = done && connector.setProperty("truststorePassword", System.getProperty("SGSSRVR_truststorePwd"));
    done = done && connector.setProperty("clientAuth", "false");
    done = done && connector.setProperty("maxThreads", "200");
    done = done && connector.setProperty("SSLEnabled", "true");
    if (!done) {
        System.out.println("Some problem(s) in connector setup");
    }
    return connector;
}
with comments on the trust or key lines, or neither. trust.Alias and
trust.pass, in either order, always fail (seen in IntelliJ when 'done'
flips to false)
and the properties are sent in from files:
SGSSRVR_socketPort = 16004
SGSSRVR_scheme = https
SGSSRVR_databaseConnection = jdbc:postgresql://%s:%d/%s
SGSSRVR_emergencyJsonDir = /home/u0138544/aws/deploy/crash/
SGSSRVR_ContextRootDir =
/home/u0138544/aws/deploy/webroot/tomcat.16004/work/Tomcat/k1
SGSSRVR_dbTestUser = viv
SGSSRVR_dbTestDb = postgres
SGSSRVR_databasePort = 5432
SGSSRVR_databaseHost = k2
SGSSRVR_roleExtension = _notnull
SGSSRVR_expansionStep = 5
SGSSRVR_hostaddr = k1
SGSSRVR_keystoreFile = /home/u0138544/aws/deploy/server/k1.p12
SGSSRVR_keystoreAlias = k1
SGSSRVR_keystorePwd = changeit
SGSSRVR_truststoreFile = /home/u0138544/aws/deploy/server/k1.p12
SGSSRVR_truststoreAlias = k1
SGSSRVR_truststorePwd = changeit
SGSSRVR_storeType = PKCS
No warnings or anything like that in your logs? Are you even logging
anything? I see some weird things in your config that I would usually
expect to cause a WARN or worse log message to be emitted:
SGSSRVR_hostaddr is being used to set the "address" property, which is
usually an IP address for an interface. I'm not sure what happens if you
hand a string to setProperty on that.
SGSSRVR_storeType refers to a type that is not valid. You probably meant
PKCS12. The trailing "12" is pretty important.
If you launch your Tomcat server and then connect via JMX, are you able
to see the various settings that you have attempted to set on your
connector? E.g. SSLEnabled="true"?
-chris
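One way to catch the store-type and alias mistakes Chris points to before the connector ever starts, as an added example (not code from this thread), assuming embedded Tomcat 9 and its typed SSLHostConfig API instead of string setProperty calls; the keystore path, type, password and alias are parameters the caller supplies (placeholders, not the values from this thread):

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public final class TlsConnectorFactory {

    // Load the keystore with the exact type string the connector will use.
    // KeyStore.getInstance("PKCS") throws; "PKCS12" loads. An alias that is not
    // a private-key entry is rejected here rather than failing silently later.
    static KeyStore checkKeystore(String file, String type, String password, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray());
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(
                    "alias '" + alias + "' is not a private-key entry in " + file);
        }
        return ks;
    }

    // Build a TLS-only connector. Each setting is a typed method call, so a
    // misspelled attribute name is a compile error instead of a false return.
    static Connector tlsConnector(int port, String file, String type,
                                  String password, String alias)
            throws IOException, GeneralSecurityException {
        checkKeystore(file, type, password, alias);

        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setProperty("SSLEnabled", "true");

        SSLHostConfig hostConfig = new SSLHostConfig();   // hostName defaults to _default_
        hostConfig.setProtocols("TLSv1.2,TLSv1.3");
        hostConfig.setCertificateVerification("none");      // same as clientAuth="false"
        SSLHostConfigCertificate cert = new SSLHostConfigCertificate(
                hostConfig, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile(file);
        cert.setCertificateKeystoreType(type);
        cert.setCertificateKeystorePassword(password);
        cert.setCertificateKeyAlias(alias);
        hostConfig.addCertificate(cert);
        connector.addSslHostConfig(hostConfig);
        return connector;
    }
}
```

Wire it in with embeddedTomcat.getService().addConnector(TlsConnectorFactory.tlsConnector(...)); once the server is up, openssl s_client against that port should print a certificate chain instead of "wrong version number".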
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org