11 Replies Latest reply on Apr 19, 2004 4:48 AM by nitin888

    SSL, Tomcat, JBoss - desperately needing help

    iliuta25

      Hello,

      I know this was discussed above, but none of the topics helped me. I am trying to enable SSL in Tomcat (JBoss 3.2.2).
      I edited Tomcat's jboss-service.xml:




      The certificate was created using keytool, using RSA algorithm and imported into the x.keystore.

      During Jboss' startup, first of all I have the following exception:
      java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.puretls.PureTLSImplementation :java.lang.ClassNotFoundException: No ClassLoaders found for: org.apache.tomcat.util.net.puretls.PureTLSImplementation

      but I found on a forum's topic that this is not really an error and we can ignore it.

      I am trying to access my server via HTTPS and I get the following 2 exceptions:

      2003-12-08 12:04:41,439 DEBUG [org.apache.tomcat.util.net.PoolTcpEndpoint] Handshake failed
      javax.net.ssl.SSLHandshakeException: no cipher suites in common
      at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:206)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:540)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
      at java.lang.Thread.run(Thread.java:536)
      2003-12-08 12:04:41,454 DEBUG [org.apache.tomcat.util.net.PoolTcpEndpoint] Handshake failed
      javax.net.ssl.SSLException: Unsupported SSL v2.0 ClientHello
      at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA6275)
      at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:206)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:540)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
      at java.lang.Thread.run(Thread.java:536)


      What is going on?! What should I do in order to have this work?

      Adrian
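As an added example (not code from anyone in this thread), a small Java diagnostic for the keystore behind the "no cipher suites in common" failure: a JSSE connector can only offer RSA cipher suites when the keystore holds a private-key entry (what keytool -genkey creates), not just a certificate imported with keytool -import, and the key must unlock with the keystore password Tomcat is given. The file name x.keystore and the password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

// Diagnostic for the "no cipher suites in common" handshake failure: a JSSE
// connector can only offer RSA suites when the keystore holds a private-key
// entry whose key password equals the keystore password Tomcat unlocks it with.
public class KeystoreCheck {

    // Returns the number of private-key entries the SSL connector could actually use.
    public static int check(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int usable = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                // keytool -import creates a trustedCertEntry: certificate only, no private key
                System.out.println(alias + ": trustedCertEntry (certificate only, cannot serve TLS)");
                continue;
            }
            try {
                // Tomcat's JSSE factory opens the key with the keystore password
                PrivateKey key = (PrivateKey) ks.getKey(alias, password);
                System.out.println(alias + ": PrivateKeyEntry, " + key.getAlgorithm() + " key");
                usable++;
            } catch (UnrecoverableKeyException ex) {
                System.out.println(alias + ": PrivateKeyEntry but key password differs from store password");
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "x.keystore";            // keystore name from the thread
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // assumed password
        int usable = check(path, pw);
        System.out.println(usable > 0 ? "keystore usable for the SSL connector"
                                      : "no usable key entry: expect 'no cipher suites in common'");
    }
}
```

Run it against the same keystore file and password the connector is configured with; zero usable entries means the handshake has no server identity to negotiate with.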

        • 1. Re: SSL, Tomcat, JBoss - desperately needing help
          draftdog

          I am not sure what the problem is, but did you check whether you have the proper JCE crypto extension in your classpath?

          Are you running the JRE or the full JDK? Which version? Also, be careful what you put in the $JAVA_HOME/jre/lib/endorsed directory (if you have it), because this will override default JDK libs.

          Typically you will need to have the files jsse.jar and jce.jar in your classpath, most likely in your Java installation directory, $JAVA_HOME/jre/lib/.

          It might also be a problem with the Tomcat libs, but I very much doubt that (unless you deleted some jars on purpose).

          hth
          Wouter.

          • 2. Re: SSL, Tomcat, JBoss - desperately needing help
            jonlee

            Actually, the first is a real error. You need to get the class from the full Tomcat distribution. Otherwise the listener/connector isn't created properly and your TLS cipher-based handshake fails. Alternately, don't use the pure TLS implementation for your SSL connector.

            • 3. Re: SSL, Tomcat, JBoss - desperately needing help
              iliuta25

              I can't find the PureTLSImplementation class in any of the Tomcat jars. Where is it?

              Actually I use the standard JBoss installation, with Tomcat in it, so the class should be there...

              Meanwhile, I found that if I don't specify the keystore file in the jboss-service.xml, it searches for the .keystore file in the Documents and settings\default user directory on Windows. And if the .keystore is there, I always have the class not found exception (and also an exception on each HTTPS request), but, by miracle, the SSL works...

              • 4. Re: SSL, Tomcat, JBoss - desperately needing help
                jonlee

                Have a look at this discussion:

                http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t= It seems that there are some missing bits in the distribution with JBoss. I don't normally use Tomcat with JBoss for the 3.2.2 and 3.2.3 releases.

                • 5. Re: SSL, Tomcat, JBoss - desperately needing help
                  iliuta25

                  Well, I still didn't find the PureTLS class (actually I found one in the Tomcat 5 distribution, but I work with 4), but there is a means to specify which SSL implementation we wish to use:


                  It seems to work, but I still have exceptions in the server.log, on every HTTPS request:
                  2003-12-09 12:16:48,156 DEBUG [org.apache.tomcat.util.net.jsse.JSSE14Support] Error getting client certs
                  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
                  at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(DashoA6275)
                  at org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:151)
                  at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:161)
                  at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:748)


                  Is this only a warning? How can this be avoided?
                  As you can see, clientAuth is set to false...

                  Thanks,
                  Adrian

                  • 6. Re: SSL, Tomcat, JBoss - desperately needing help
                    jonlee

                    When I have used Tomcat 4.1, the definition has been:

                    <Connector className="org.apache.catalina.connector.http.HttpConnector"
                     port="8443" minProcessors="5" maxProcessors="75"
                     enableLookups="true"
                     acceptCount="10" debug="0" scheme="https" secure="true">
                     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
                     clientAuth="false" protocol="TLS"/>
                    </Connector>


                    • 7. Re: SSL, Tomcat, JBoss - desperately needing help
                      iliuta25

                      I already tried the SSLServerSocketFactory.
                      The only result it gave is that I couldn't access my server via HTTPS, but I could via HTTP, like this:
                      http://my_host:8443
                      :)

                      • 8. Re: SSL, Tomcat, JBoss - desperately needing help
                        jonlee

                        I forgot to add the keystoreFile directive in the example.

                        keystoreFile="${jboss.server.home.dir}/conf/tomcat-cert.key"


                        You added this I assume?

                        • 9. Re: SSL, Tomcat, JBoss - desperately needing help
                          martin.stechert

                          But isn't HttpConnector on Tomcat's deprecated list, not supported and not contained in Tomcat 5 anymore?

                          The "new" one is CoyoteConnector, but that is causing trouble with my JBoss 3.2.3.

                          • 10. Re: SSL, Tomcat, JBoss - desperately needing help
                            sysuser1

                            I am having the same problem with JBoss 3.2.3 and Tomcat.
                            The SSL appears to work, but there are tons of the stack trace in the log, besides the 'class not found' debug message, i.e.

                            Error getting client certs
                            javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
                            ....

                            Could someone who got it to work without getting the exceptions share their how-tos? I am just about to give up on it.

                            • 11. Re: SSL, Tomcat, JBoss - desperately needing help
                              nitin888

                              I'm also trying to get rid of the above error.
                              If anyone has got a solution, please can you inform us...