12 Replies Latest reply on Jun 1, 2006 1:49 PM by skmirch

    Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA

      I had previously setup SSL certs using Apache and IIS so I guess I figured JBoss (Tomcat) couldn't possibly be much different - I was *obviously* very, very mistaken.

      I'm now in a real bind. I developed a web storefront for my company and need to push it out by the end of this week. I had no idea that I was going to spend 4+ days making futile attempts at getting my Verisign SSL cert to work right so users could switch to HTTPS while completing an order on the site.

      That's where I'm at, I've followed all the instructions for generating the CSR, then importing the cert, generating the keystore, etc. I'm confident this part is right and that my trouble lies w/ JBoss/Tomcat at this point.

      I've pored over these forums for days and have found a lot of information - but nothing that quite solved my problem.

      Yesterday I found this post which got me closer than ever to a potential solution:

      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=81646

      The JBoss documentation mentioned nothing about setting up the ciphers, trustedstoreFile, and trustedstorePass attributes in the Connector tag in Tomcat's server.xml file.

      Here is mine:

       <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
       emptySessionPath="true"
       scheme="https" secure="true" clientAuth="false"
       sslProtocol="TLS"
       ciphers="SSL_DH_anon_WITH_RC4_128_MD5"
       keystoreFile="${jboss.server.home.dir}/conf/mykey.keystore"
       keystorePass="mysecretpass"
       truststoreFile="${jboss.server.home.dir}/conf/mykey.keystore"
       truststorePass="mysecretpass" />
      


      Once I added the ciphers, truststoreFile, and truststorePass attributes I stopped getting the dreaded SSLException when I started JBoss, I *was* previously getting this exception:

      javax.net.ssl.SSLException: No available certificate corresponds
      to the SSL cipher suites which are enabled.
      


      ...I'm *not* getting this now thanks to the "anon" cipher listed in the "ciphers" attribute in the Connector tag above. Naturally I was excited when I could finally boot JBoss w/o this exception.

      However, now I cannot browse https://localhost:8443/MyApp. In Internet Explorer I simply get a "The page cannot be displayed" error page and Firefox 1.5.x gives me this dialog message:

      Firefox and localhost cannot communicate securely because they have no common encryption algorithms.
      


      The error seems pretty obvious, however, I have all SSL options enabled in both browsers so the problem has to be w/ the cipher, as far as I can see?

      I'm completely tapped out of ideas and have been doing this for so long I'm probably making more problems for myself at this point rather than progressing.

      I have no other ideas, I'm at the mercy of this forum, can anyone help me understand what the problem is here?

        • 1. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA
          starksm64

          You should not be setting the ciphers unless you know it's needed.

          • 2. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA

             

            "scott.stark@jboss.org" wrote:
            You should not be setting the ciphers unless you know it's needed.


            If I don't, I get this error while starting JBoss:

            13:13:29,538 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
            java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
             at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
             at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
             at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
             at java.lang.Thread.run(Thread.java:595)
            13:13:29,588 WARN [PoolTcpEndpoint] Reinitializing ServerSocket
            


            This happens on WinXP (sp2), Win2000, and Win2003 serv. w/ JBoss 4.0.4.GA.

            The aforementioned exception appears about 100+ times while booting JBoss. When I set the cipher="SSL_DH_anon_WITH_RC4_128_MD5" in the Connector tag in server.xml...the exception goes away but https still doesn't work right.

            In my desperation, I went to:

            http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SSLOverview

            And filled in *every single* available cipher listed there in the "cipher" attribute and I still can't do https.

            • 3. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA
              starksm64

              Go through the "Another (untested) keystore/openssl recipe:" section here:
              http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup

              Another example of this type of problem:
              http://forum.java.sun.com/thread.jspa?threadID=492188

              Verisign should have a step by step guide for setting up tomcat with their certs and that should work for jboss.

              • 4. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA

                 

                "scott.stark@jboss.org" wrote:
                Go through the "Another (untested) keystore/openssl recipe:" section here:
                http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup


                I would do this if I were using openssl but I've been using keytool from the JDK and I'm on Windows, is openssl even available for Windows? I notice there's no explanation for what some of those attributes mean...

                "scott.stark@jboss.org" wrote:

                Another example of this type of problem:
                http://forum.java.sun.com/thread.jspa?threadID=492188


                I read through this thread and didn't see anything relevant, honestly. I didn't have the error the original author had and it's a little off-topic as he was using Jetty. In the end he never explained *how* to fix the problem, regardless. Also, I'm using JDK 1.5.0_6, this thread is based on 1.4.x.

                "scott.stark@jboss.org" wrote:

                Verisign should have a step by step guide for setting up tomcat with their certs and that should work for jboss.


                You're right, they do, right here:

                http://verisign.com/support/ssl-certificates-support/page_dev020184.html
                http://www.verisign.com/support/ssl-certificates-support/page_dev020195.html

                I followed those instructions to a "T" over a week ago and have looked it over again and again every day since. We even called support and they were not helpful at all - they're convinced (as am I) that the problem is not on their end w/ the cert or their instructions.

                As you can imagine, this is exceptionally frustrating. Let me just be entirely clear so I'm not missing something simple: if I followed Verisign's instructions above (and I did), and then changed my "Connector" for port 8443 in JBoss 4.0.4.GA like so:

                http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch9.chapt.html#ch9.https.sect

                ...I should have a working SSL cert for my site? Man, I wish it would have gone that smoothly, that's how I did it several days ago. The temporary keystore I created my CSR from worked fine (though I got the popup warning about an unsigned cert) - however it bombed after trying to use the real Verisign cert.

                Any other ideas?

                • 5. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA
                  starksm64

                  It's either the cert or the procedure since another cert works. cygwin provides openssl for windows. The fact that jetty was used is not relevant as it also uses the underlying jsse implementation from the jdk, and this is what needs to be configured.

                  Specify -Djavax.net.debug=all in the jboss JAVA_OPTS setting of run.bat to see the full details of why the handshake fails.

                  • 6. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA

                     

                    "scott.stark@jboss.org" wrote:
                    It's either the cert or the procedure since another cert works. cygwin provides openssl for windows. The fact that jetty was used is not relevant as it also uses the underlying jsse implementation from the jdk, and this is what needs to be configured.


                    If we go through the process of revoking and re-creating a new cert through Verisign, will I have problems w/ the old aliases I used w/ keytool to import the original Verisign cert (a.k.a. the 'bad one')? I get a warning that 'tomcat' alias exists if I try to use the same one to re-generate the keystore.

                    "scott.stark@jboss.org" wrote:

                    Specify -Djavax.net.debug=all in the jboss JAVA_OPTS setting of run.bat to see the full details of why the handshake fails.


                    OK, with debugging on, some interesting output is given:

                    (15:31:44,233 INFO [STDOUT] http-0.0.0.0-8443-2, called closeSocket()
                    15:31:44,233 INFO [STDOUT] http-0.0.0.0-8443-2, handling exception: javax.net.s
                    sl.SSLHandshakeException: no cipher suites in common
                    15:31:44,233 INFO [STDOUT] http-0.0.0.0-8443-2, called close()
                    15:31:44,233 INFO [STDOUT] http-0.0.0.0-8443-2, called closeInternal(true)
                    15:31:44,233 INFO [STDOUT] 242
                    15:31:44,233 INFO [STDOUT] }
                    15:31:44,233 INFO [STDOUT] Session ID:
                    15:31:44,233 INFO [STDOUT] {}
                    15:31:44,233 INFO [STDOUT] Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
                    S_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_A
                    ES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_
                    RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CB
                    C_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SS
                    L_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_
                    CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT
                    1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_R
                    C4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5]
                    15:31:44,613 INFO [STDOUT] Compression Methods: {
                    15:31:44,613 INFO [STDOUT] 0
                    15:31:44,613 INFO [STDOUT] }
                    15:31:44,613 INFO [STDOUT] ***
                    15:31:44,613 INFO [STDOUT] http-0.0.0.0-8443-4
                    15:31:44,613 INFO [STDOUT] , SEND SSLv3 ALERT:
                    15:31:44,613 INFO [STDOUT] fatal,
                    15:31:44,613 INFO [STDOUT] description = handshake_failure
                    15:31:44,613 INFO [STDOUT] http-0.0.0.0-8443-4, WRITE: SSLv3 Alert, length = 2
                    15:31:44,613 INFO [STDOUT] [Raw write]: length = 7
                    


                    It's not particularly helpful to me but perhaps it means something to you?

                    Thanks again!

                    • 7. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA

                      Also, I just went back and removed the cipher="" attribute from the Connector tag and started it w/ the debug-enabled run.bat file.

                      Of course, I still get the SSLException when starting up. When making a request to an https page in this configuration I get this feedback in STDOUT:

                      15:43:28,576 INFO [STDOUT] , SEND TLSv1 ALERT:
                      15:43:28,576 INFO [STDOUT] warning,
                      15:43:28,576 INFO [STDOUT] description = close_notify
                      15:43:28,576 INFO [STDOUT] Finalizer, WRITE: TLSv1 Alert, length = 2
                      15:43:28,576 INFO [STDOUT] Finalizer, called close()
                      15:43:28,576 INFO [STDOUT] Finalizer, called closeInternal(true)
                      15:43:28,576 INFO [STDOUT] Finalizer
                      


                      Didn't see that w/ cipher specified like I had in my last post.

                      Just an FYI - if it helps.

                      • 8. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA
                        starksm64

                        Show the full debug output without the cipher attribute.

                        • 9. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA

                          That's what I saw, repeated for each request to an https page, i.e. https://localhost:8443/MyApp/test.jsp

                          What else can I show you? I suppose I could post the whole jboss log but that's all the output I got in a terminal window.

                          We decided to revoke and re-create the SSL cert just to be sure.

                          • 10. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA
                            starksm64

                            There has to be much more output than that. Look at the server.log for all of the STDOUT statements.

                            • 11. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA

                              OK, that was it, the old cert was "bad" for whatever reason...haven't really figured out what went wrong there.

                              Anyhow, after creating the new cert everything just works!! I was able to use the basic setup (no cipher attribute, etc.) once the new cert was installed.

                              Thanks a ton for your help & patience Scott!

                              • 12. Re: Newbie needs help w/ HTTPS (SSL) JBoss 4.0.4.GA
                                skmirch

                                What you saw may have been due to not adding/importing the certificates to the same keystore that you created when generating the CSR. I was bitten by this and the solution was in the following link:

                                http://forum.java.sun.com/thread.jspa?threadID=629316&tstart=255
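A small keystore diagnostic, added here as an example (not code from the thread or from JBoss), that checks the two things this thread turned on: the startup error in reply 2 means JSSE found no private key usable by any enabled RSA/DSA suite (the DH_anon suite silenced it only because anonymous suites need no key, which is also why the browsers refused to connect), and reply 12 explains the usual cause: the CA reply was imported somewhere other than the keypair alias the CSR was generated from. The class name, the command-line arguments and the assumption that the key password equals keystorePass (as Tomcat's connector assumes) are mine.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

/** Hypothetical diagnostic: does <alias> hold a private key plus a CA-issued chain? */
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <keystoreFile> <keystorePass> <alias>");
            System.exit(2);
        }
        char[] pass = args[1].toCharArray();   // assumption: key password == keystorePass, as Tomcat expects
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        // A CA reply imported under a *new* alias becomes a trustedCertEntry with no private key;
        // JSSE then has no key for any RSA/DSA suite, which produces the startup SSLException.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.printf("alias %-12s %s%n", a, ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry");
        }
        String alias = args[2];
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: '" + alias + "' has no private key; only anonymous suites could ever work");
            System.exit(1);
        }
        Key key = ks.getKey(alias, pass);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
        System.out.println("key algorithm : " + key.getAlgorithm());
        System.out.println("subject       : " + leaf.getSubjectX500Principal());
        System.out.println("issuer        : " + leaf.getIssuerX500Principal());
        System.out.println("chain length  : " + chain.length);
        // A self-signed leaf means the CA reply was never imported into this alias (still the CSR's temp cert).
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            System.out.println("WARN: leaf is self-signed, the CA-issued certificate is not installed under this alias");
        }
        // The leaf must be the certificate for *this* key, not one issued for a key in another keystore.
        if (key instanceof RSAPrivateKey && leaf.getPublicKey() instanceof RSAPublicKey) {
            boolean match = ((RSAPrivateKey) key).getModulus()
                    .equals(((RSAPublicKey) leaf.getPublicKey()).getModulus());
            System.out.println(match ? "OK: certificate matches private key" : "FAIL: certificate/key mismatch");
        }
    }
}
```

Run it against the keystoreFile and keystorePass from the Connector above; a healthy setup shows the alias as a PrivateKeyEntry with a non-self-signed leaf whose issuer is the CA and whose modulus matches the key.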