JavaRanch » Java Forums » Java » Web Services
cant get ssl to work with tomcat

Thomas Willingham
Greenhorn

Joined: Jun 24, 2010
Posts: 8
I am trying to get SSL working with Tomcat.
I have an SSL PEM file in the Tomcat home, c:\tomcat6.

Tomcat config looks like this (non-APR version; I got an error whenever I used any APR DLL file at startup):

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS" SSLEngine="on" SSLPassword="mypassword"
keystoreFile="/tomcatkeystore" keystorePass="mypassword"
/>

I have generated my keys multiple times from instructions on the internet and don't think they are the issue.
I used Jetty to put the PEM files into the keystore and believe them to be OK; the openssl commands are below:

To test I am using:
openssl s_client -cert h:\stuff2\client.pem -CAfile h:\stuff3\ca.pem -connect 1.2.3.4:443


Here are the SSL commands:
# generate the certificate authority key (key)
openssl genrsa -out h:\stuff3\ca.key
# generate the certificate authority unsigned certificate (csr)
openssl req -new -key h:\stuff3\ca.key -out h:\stuff3\ca.csr
# create the signed certificate (crt)
openssl x509 -req -days 3650 -in h:\stuff3\ca.csr -signkey h:\stuff3\ca.key -out h:\stuff3\ca.crt
# generate the server key
openssl genrsa -out h:\stuff3\server.key
# generate the service unsigned certificate (csr)
openssl req -new -key h:\stuff3\server.key -out h:\stuff3\server.csr
# create the signed server certificate (crt) using the server unsigned certificate and ca signed certificate
openssl ca -in h:\stuff3\server.csr -cert h:\stuff3\ca.crt -keyfile h:\stuff3\ca.key -out h:\stuff3\server.crt
# generate a client key (key)
openssl genrsa -des3 -out h:\stuff3\client1.key 1024
# generate the client unsigned certificate (csr)
openssl req -new -key h:\stuff3\client1.key -out h:\stuff3\client1.csr
# sign the client key
openssl ca -in h:\stuff3\client1.csr -cert h:\stuff3\ca.crt -keyfile h:\stuff3\ca.key -out h:\stuff3\client1.crt
# convert the client certificate to pkcs12
openssl pkcs12 -export -clcerts -in h:\stuff3\client1.crt -inkey h:\stuff3\client1.key -out h:\stuff3\client1.p12
# convert the client certificate to pem
openssl pkcs12 -in client1.p12 -out client1.pem -nodes -passin pass:mypassword
# create a javakeystore out of the client
java -classpath h:\jetty-util-6.1.24.jar;h:\jetty-6.1.24.jar org.mortbay.jetty.security.PKCS12Import h:\stuff3\server.p12 h:\stuff3\tomcatkeystore
copy h:\stuff3\tomcatkeystore c:\tomcat6\
openssl pkcs12 -export -clcerts -in h:\stuff3\ca.crt -inkey h:\stuff3\ca.key -out h:\stuff3\ca.p12
openssl pkcs12 -in h:\stuff3\ca.p12 -out h:\stuff3\ca.pem -nodes -passin pass:mypassword
openssl pkcs12 -export -clcerts -in h:\stuff3\server.crt -inkey h:\stuff3\server.key -out h:\stuff3\server.p12
openssl pkcs12 -in h:\stuff3\server.p12 -out h:\stuff3\server.pem -nodes -passin pass:mypassw

To test I am using:
openssl s_client -cert h:\stuff3\client1.pem -CAfile h:\stuff3\ca.pem -connect myhost.com:443


The error I get is below:

C:\Openssl-0.9.8l-Win32\bin>openssl s_client -cert h:\stuff3\client1.pem -CAfile h:\stuff3\ca.pem -connect myhost.com:443
Loading 'screen' into random state - done
CONNECTED(00000774)
depth=1 /C=US/ST=New York/L=MyCompany/O=MyCompany/OU=MyCompany/CN=MyCompanyCA/emailAddress=someone@yahoo.com
verify return:1
depth=0 /C=US/ST=New York/O=MyCompany/OU=MyCompany/CN=myhost.com/emailAddress=someone@yahoo.com
verify return:1
2988:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
2988:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:


Any ideas? I have spent days figuring out the certs and getting everything set up, still no luck. I get the same sslv3 alert certificate unknown error in Firefox after
importing the client certificate and CA there.
Ivan Krizsan
Ranch Hand

Joined: Oct 04, 2006
Posts: 2198
Hi!
Have you seen the Tomcat 6 documentation on SSL? http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
I recently set up SSL on a Tomcat 6 server following the instructions from the above link and I had no problems.
Best wishes!


My free books and tutorials: http://www.slideshare.net/krizsan
Thomas Willingham
Greenhorn

Joined: Jun 24, 2010
Posts: 8
Unfortunately I tried that many times. Getting it to work without client authentication is easy, but that doesn't provide any security; we need to use the
certificates we already have and have the client authenticate.
Thomas Willingham
Greenhorn

Joined: Jun 24, 2010
Posts: 8
After going through dozens of tutorials that don't work, this one

http://marc.info/?l=tomcat-user&m=106293430225790&w=2

actually works in Firefox (p12),

but the converted (p12 to pem) doesn't work in my PHP stream socket client. I'm getting:
Warning: stream_socket_client() [function.stream-socket-client]: SSL operation failed with code 1. OpenSSL Error messages: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown in C:\apache2\htdocs\rtest2.php on line 44

Warning: stream_socket_client() [function.stream-socket-client]: Failed to enable crypto in C:\apache2\htdocs\rtest2.php on line 44

Warning: stream_socket_client() [function.stream-socket-client]: unable to connect to ssl://localhost:443 (Unknown error) in C:\apache2\htdocs\rtest2.php on line 44



Same error in the openssl client test:
C:\Documents and Settings\guest>openssl s_client -cert c:\apache2\htdocs\apache2client.pem -CAfile c:\ssl\ca\ca.pem -connect localhost:443
Loading 'screen' into random state - done
CONNECTED(00000774)
depth=1 /C=US/ST=NY/L=NY/O=MyCA/OU=MyCA/CN=MyCA/emailAddress=me@me.com
verify return:1
depth=0 /C=US/ST=NY/L=NY/O=MyCompany/OU=MyCompany/CN=First Last
verify return:1
4556:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
4556:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
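The handshake in both of Thomas's transcripts (the opening post and this one) gets as far as the client verifying the server chain (depth=1 CA and depth=0 server both return 1) and then receives TLS alert 46, certificate_unknown, which is the server's verdict on the certificate the client presented. The posted Connector sets no truststoreFile, so the server is not necessarily validating client certificates against the CA in h:\stuff3 at all; SSLEngine and SSLPassword are settings of the APR/OpenSSL connector and are not read by the JSSE (non-APR) connector. The script below is an added example, not code from the thread or from Tomcat: it builds a demo CA, a server certificate and two client certificates with openssl, runs the same chain check a clientAuth="true" server performs on each client certificate, and, when keytool is available, builds the JSSE truststore the Connector would reference via truststoreFile/truststorePass. All subjects, file names and the password changeit are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the server-side client-certificate
# check behind TLS alert 46 (certificate_unknown) and build a Tomcat truststore.
# Every subject, file name and password here is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA: $1/$2.key and $1/$2.crt with subject $3
make_ca() {
    dir=$1; name=$2; subj=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" -subj "$subj" 2>/dev/null
}

# Issue $1/$3.key and $1/$3.crt for subject $4, signed by the CA named $2
issue_cert() {
    dir=$1; ca=$2; name=$3; subj=$4
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -out "$dir/$name.crt" 2>/dev/null
}

# The server-side decision: does the presented certificate ($2) chain to a CA in
# the truststore ($1)? Prints "ok" when it does, "unknown" when it does not; the
# latter is the case a clientAuth="true" server reports to the client as alert 46.
check_client_cert() {
    truststore=$1; cert=$2
    if openssl verify -CAfile "$truststore" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo unknown
    fi
}

# Build the JSSE truststore Tomcat reads through truststoreFile/truststorePass.
# Needs keytool from a JDK; prints the path, or nothing if keytool is absent.
make_truststore() {
    dir=$1; ca=$2; storepass=$3
    command -v keytool >/dev/null 2>&1 || return 0
    rm -f "$dir/truststore.jks"
    keytool -importcert -noprompt -trustcacerts -alias "$ca" -file "$dir/$ca.crt" \
        -keystore "$dir/truststore.jks" -storepass "$storepass" >/dev/null 2>&1
    echo "$dir/truststore.jks"
}

make_ca "$WORK" ca "/CN=Demo CA"
make_ca "$WORK" otherca "/CN=Unrelated CA"
issue_cert "$WORK" ca server "/CN=localhost"          # goes into keystoreFile
issue_cert "$WORK" ca client1 "/CN=Demo Client"       # client the server should accept
issue_cert "$WORK" otherca stranger "/CN=Other Client" # client from a CA the server does not trust

echo "client1  against ca truststore: $(check_client_cert "$WORK/ca.crt" "$WORK/client1.crt")"
echo "stranger against ca truststore: $(check_client_cert "$WORK/ca.crt" "$WORK/stranger.crt")"
echo "truststore: $(make_truststore "$WORK" ca changeit)"

# Matching Connector fragment for the JSSE connector (keystore holds server key
# and cert, truststore holds the CA that signed the client certs):
#   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
#              clientAuth="true" sslProtocol="TLS"
#              keystoreFile="conf/server.jks" keystorePass="changeit"
#              truststoreFile="conf/truststore.jks" truststorePass="changeit" />
# Client-side check against such a server (key passed explicitly, not bundled):
#   openssl s_client -cert client1.crt -key client1.key -CAfile ca.crt -connect localhost:443
```

The "stranger" certificate is valid and well-formed; it is rejected only because its issuer is not in the truststore, which is exactly the situation the transcripts show from the client's side. When a client certificate passes check_client_cert against the CA file but the server still answers with alert 46, the CA the server is actually loading (its truststoreFile, or the JVM default when none is configured) is the next thing to compare against that file.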
 