4 Replies Latest reply on Apr 6, 2004 8:09 AM by martin0

    Tomcat SSL does not work on Windows but fine on Unix/Linux

    Krishna Rawat Newbie

      Hi All,

      I am using Jboss 3.2.4 and webcontainer Tomcat 5 bundled with it. I configured it for SSL. It works fine on Unix and Linux. But the same does not work on windows, shows following errors, any ideas?




      2004-03-19 12:24:41,617 WARN [org.apache.coyote.http11.Http11Processor] Exception getting SSL Cert
      java.net.SocketException: SSL Cert handshake timeout
      at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:139)
      at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
      at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1087)
      at org.apache.coyote.Request.action(Request.java:405)
      at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:951)
      at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:261)
      at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:184)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:66)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:92)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:463)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
      at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:732)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:619)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:688)
      at java.lang.Thread.run(Thread.java:536)
      2004-03-19 12:24:41,664 INFO [org.apache.tomcat.util.net.jsse.JSSE14Support] SSL Error getting client Certs
      javax.net.ssl.SSLHandshakeException: null cert chain
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.ServerHandshaker.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(DashoA6275)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
      at java.io.InputStream.read(InputStream.java:88)
      at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
      at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
      at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1087)
      at org.apache.coyote.Request.action(Request.java:405)
      at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:951)
      at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:261)
      at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:184)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:66)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:92)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:463)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
      at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:732)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:619)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:688)
      at java.lang.Thread.run(Thread.java:536)

      2004-03-19 12:24:42,414 WARN [org.apache.coyote.http11.Http11Processor] Exception getting SSL Cert
      javax.net.ssl.SSLHandshakeException: null cert chain
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.ServerHandshaker.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(DashoA6275)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
      at java.io.InputStream.read(InputStream.java:88)
      at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
      at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
      at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
      at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1087)
      at org.apache.coyote.Request.action(Request.java:405)
      at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:951)
      at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:261)
      at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:184)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:66)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:92)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:463)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
      at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:732)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:619)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:688)
      at java.lang.Thread.run(Thread.java:536)


      thanks
      krishna

        • 1. Re: Tomcat SSL does not work on Windows but fine on Unix/Lin
          Scott Stark Master

          Validate that the keystore file is valid on Windows by using keytool to print the server cert. If it's valid, enable debugging of the JSSE layer by adding the -Djavax.net.debug=all system property to the run.bat command line or by setting the JAVA_OPTS="-Djavax.net.debug=all" env variable.

          • 2. Re: Tomcat SSL does not work on Windows but fine on Unix/Lin
            Krishna Rawat Newbie

            Thanks, Scott, for your reply. I incorporated your suggestions:
            1) Checked the keystore file; it's valid.
            2) Enabled debugging with -Djavax.net.debug=all

            Now, looking at the logs (below is a truncated server log), the SSL Handshake READ & WRITE lengths never match? And probably hence it decided to go for Plaintext? Shall I be using any specific ciphers?

            thanks
            krishna
            --------------------SERVER LOG------------------------------
            2004-03-22 12:22:33,803 INFO [STDOUT] *** ServerHelloDone
            2004-03-22 12:22:33,803 INFO [STDOUT] [write] MD5 and SHA1 hashes: len = 2894
            ....
            2004-03-22 12:22:44,928 INFO [STDOUT] http8443-Processor5, WRITE: SSL v3.1 Handshake, length = 2894
            2004-03-22 12:22:44,928 INFO [STDOUT] http8443-Processor5, READ: SSL v3.1 Handshake, length = 134
            2004-03-22 12:22:44,943 INFO [STDOUT] JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
            .....
            2004-03-22 12:22:46,912 INFO [STDOUT] http8443-Processor5, READ: SSL v3.1 Change Cipher Spec, length = 1
            2004-03-22 12:22:46,912 INFO [STDOUT] JsseJCE: Using JSSE internal implementation for cipher RC4
            2004-03-22 12:22:46,928 INFO [STDOUT] http8443-Processor5, READ: SSL v3.1 Handshake, length = 32
            2004-03-22 12:22:46,928 INFO [STDOUT] Plaintext after DECRYPTION: len = 32
            ......
            2004-03-22 12:22:47,256 INFO [STDOUT] http8443-Processor5, WRITE: SSL v3.1 Change Cipher Spec, length = 1
            2004-03-22 12:22:47,256 INFO [STDOUT] JsseJCE: Using JSSE internal implementation for cipher RC4
            ......
            2004-03-22 12:22:47,631 INFO [STDOUT] http8443-Processor5, WRITE: SSL v3.1 Handshake, length = 32
            2004-03-22 12:22:47,631 INFO [STDOUT] %% Cached server session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
            2004-03-22 12:22:47,678 INFO [STDOUT] http8443-Processor5, READ: SSL v3.1 Application Data, length = 291
            2004-03-22 12:22:47,678 INFO [STDOUT] Plaintext after DECRYPTION: len = 291
            ....
            2004-03-22 12:22:49,053 INFO [STDOUT] %% Invalidated: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
            2004-03-22 12:22:49,068 INFO [STDOUT] *** HelloRequest (empty)
            2004-03-22 12:22:49,068 INFO [STDOUT] [write] MD5 and SHA1 hashes: len = 4
            .....
            ...
            2004-03-22 12:22:49,271 INFO [STDOUT] http8443-Processor5, WRITE: SSL v3.1 Handshake, length = 20
            2004-03-22 12:22:49,287 INFO [STDOUT] http8443-Processor5, READ: SSL v3.1 Handshake, length = 81
            2004-03-22 12:22:49,287 INFO [STDOUT] Plaintext after DECRYPTION: len = 81
            .....
            2004-03-22 12:23:15,724 INFO [STDOUT] http8443-Processor5, WRITE: SSL v3.1 Handshake, length = 3185
            2004-03-22 12:23:15,740 INFO [STDOUT] http8443-Processor5, READ: SSL v3.1 Handshake, length = 2002
            2004-03-22 12:23:15,740 INFO [STDOUT] Plaintext after DECRYPTION: len = 2002
            2004-03-22 12:23:15,740 INFO [STDOUT] :
            --------------------------------------------------------------------------------

            • 3. Re: Tomcat SSL does not work on Windows but fine on Unix/Lin
              Krishna Rawat Newbie

              I sorted it by passing -Djavax.net.ssl.trustStore=%JBOSS_HOME%\server\default\keystore-my as a starting argument for JBoss.

              The error messages were misleading.

              thanks
              krishna

              • 4. Re: Tomcat SSL does not work on Windows but fine on Unix/Lin
                martin0 Novice

                Is javax.net.ssl.trustStore equivalent to the Connector keystoreFile attribute in the Tomcat 5 server.xml?

                Why use one instead of the other?

                Thanks
                Martin