
Can't get SSL to work with Tomcat

 
Thomas Willingham
I am trying to get SSL working with Tomcat.
I have the SSL pem file in the Tomcat home, c:\tomcat6.

The Tomcat config looks like this (non-APR version; I got an error whenever I used any APR dll file at startup):

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS" SSLEngine="on" SSLPassword="mypassword"
           keystoreFile="/tomcatkeystore" keystorePass="mypassword"
/>

I have generated my keys multiple times from instructions on the internet and don't think they are the issue.
I used jetty to put the pem files into the keystore and believe them to be OK; the openssl commands are below.

To test I am using:
openssl s_client -cert h:\stuff2\client.pem -CAfile h:\stuff3\ca.pem -connect 1.2.3.4:443


Here are the SSL commands:
# generate the certificate authority key (key)
openssl genrsa -out h:\stuff3\ca.key
# generate the certificate authority unsigned certificate (csr)
openssl req -new -key h:\stuff3\ca.key -out h:\stuff3\ca.csr
# create the signed certificate (crt)
openssl x509 -req -days 3650 -in h:\stuff3\ca.csr -signkey h:\stuff3\ca.key -out h:\stuff3\ca.crt
# generate the server key
openssl genrsa -out h:\stuff3\server.key
# generate the service unsigned certificate (csr)
openssl req -new -key h:\stuff3\server.key -out h:\stuff3\server.csr
# create the signed server certificate (crt) using the server unsigned certificate and ca signed certificate
openssl ca -in h:\stuff3\server.csr -cert h:\stuff3\ca.crt -keyfile h:\stuff3\ca.key -out h:\stuff3\server.crt
# generate a client key (key)
openssl genrsa -des3 -out h:\stuff3\client1.key 1024
# generate the client unsigned certificate (csr)
openssl req -new -key h:\stuff3\client1.key -out h:\stuff3\client1.csr
# sign the client key
openssl ca -in h:\stuff3\client1.csr -cert h:\stuff3\ca.crt -keyfile h:\stuff3\ca.key -out h:\stuff3\client1.crt
# convert the client certificate to pkcs12
openssl pkcs12 -export -clcerts -in h:\stuff3\client1.crt -inkey h:\stuff3\client1.key -out h:\stuff3\client1.p12
# convert the client certificate to pem
openssl pkcs12 -in client1.p12 -out client1.pem -nodes -passin pass:mypassword
# create a javakeystore out of the client
java -classpath h:\jetty-util-6.1.24.jar;h:\jetty-6.1.24.jar org.mortbay.jetty.security.PKCS12Import h:\stuff3\server.p12 h:\stuff3\tomcatkeystore
copy h:\stuff3\tomcatkeystore c:\tomcat6\
openssl pkcs12 -export -clcerts -in h:\stuff3\ca.crt -inkey h:\stuff3\ca.key -out h:\stuff3\ca.p12
openssl pkcs12 -in h:\stuff3\ca.p12 -out h:\stuff3\ca.pem -nodes -passin pass:mypassword
openssl pkcs12 -export -clcerts -in h:\stuff3\server.crt -inkey h:\stuff3\server.key -out h:\stuff3\server.p12
openssl pkcs12 -in h:\stuff3\server.p12 -out h:\stuff3\server.pem -nodes -passin pass:mypassw

To test I am using:
openssl s_client -cert h:\stuff3\client1.pem -CAfile h:\stuff3\ca.pem -connect myhost.com:443


The error I get is below:

C:\Openssl-0.9.8l-Win32\bin>openssl s_client -cert h:\stuff3\client1.pem -CAfile h:\stuff3\ca.pem -connect myhost.com:443
Loading 'screen' into random state - done
CONNECTED(00000774)
depth=1 /C=US/ST=New York/L=MyCompany/O=MyCompany/OU=MyCompany/CN=MyCompanyCA/emailAddress=someone@yahoo.com
verify return:1
depth=0 /C=US/ST=New York/O=MyCompany/OU=MyCompany/CN=myhost.com/emailAddress=someone@yahoo.com
verify return:1
2988:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
2988:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:


Any ideas? I have spent days figuring out the certs and getting everything set up, still no luck. I get the same sslv3 alert certificate unknown error in Firefox after
importing the client certificate and CA there.
 
Ivan Krizsan
Hi!
Have you seen the Tomcat 6 documentation on SSL? http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
I recently set up SSL on a Tomcat 6 server following the instructions from the above link and I had no problems.
Best wishes!
 
Thomas Willingham
Unfortunately I tried that many times. Getting it to work without client authentication is easy, but that doesn't provide any security; we need to use the
certificates we already have and have the client authenticate.
 
Thomas Willingham
After going through dozens of tutorials that don't work, this one

http://marc.info/?l=tomcat-user&m=106293430225790&w=2

actually works in Firefox (p12),

but the converted one (p12 to pem) doesn't work in my PHP stream socket client. I am getting:
Warning: stream_socket_client() [function.stream-socket-client]: SSL operation failed with code 1. OpenSSL Error messages: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown in C:\apache2\htdocs\rtest2.php on line 44

Warning: stream_socket_client() [function.stream-socket-client]: Failed to enable crypto in C:\apache2\htdocs\rtest2.php on line 44

Warning: stream_socket_client() [function.stream-socket-client]: unable to connect to ssl://localhost:443 (Unknown error) in C:\apache2\htdocs\rtest2.php on line 44



Same error in the openssl client test:
C:\Documents and Settings\guest>openssl s_client -cert c:\apache2\htdocs\apache2client.pem -CAfile c:\ssl\ca\ca.pem -connect localhost:443
Loading 'screen' into random state - done
CONNECTED(00000774)
depth=1 /C=US/ST=NY/L=NY/O=MyCA/OU=MyCA/CN=MyCA/emailAddress=me@me.com
verify return:1
depth=0 /C=US/ST=NY/L=NY/O=MyCompany/OU=MyCompany/CN=First Last
verify return:1
4556:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
4556:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
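Both failing runs in this thread (the s_client test in the first post and the PHP stream client and s_client test above) show the same pattern: the two `verify return:1` lines are the client validating the server chain against ca.pem, which succeeds, and then the server aborts with `alert number 46` (certificate unknown) right after receiving the client certificate. `SSL3_READ_BYTES` means s_client read that alert from the peer, so it is the server that cannot chain the client certificate. The posted connector sets `clientAuth="true"` but no `truststoreFile`, and a Tomcat 6 JSSE connector without one validates client certificates against `javax.net.ssl.trustStore` or, failing that, the JVM's default cacerts, neither of which contains MyCompanyCA. The Go program below is an added illustration, not code from the thread or from Tomcat: it rebuilds the same PKI (one private CA signing a server certificate and a client certificate), runs a mutual-TLS handshake over loopback once without and once with the CA in the server's client trust store, and returns the server's verdict. The ECDSA keys, the `localhost` name and the subject names are assumptions chosen for the demo; Go's alert code on rejection differs from JSSE's 46, but the condition it reports is the same one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs a certificate for cn with parent's key (self-signed when parent is nil); ECDSA stands in for the thread's RSA keys.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{"MyCompany"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"},
	}
	if isCA { // a CA signs certificates and carries no leaf EKU
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one mutual-TLS handshake over loopback TCP and returns the server-side error first.
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srvCfg).Handshake()
		}
		errc <- err
	}()
	// A TLS 1.3 client finishes before the server's alert arrives, so the server's verdict is authoritative.
	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if cliErr == nil {
		cli.Close()
	}
	if srvErr := <-errc; srvErr != nil {
		return srvErr
	}
	return cliErr
}

// ClientAccepted builds the thread's PKI (one private CA signing server and client) and has the server
// require a client certificate. trustCA=false models the posted connector: clientAuth="true" with no trust
// store holding the CA, so verification falls back to the default roots (Go: system roots; JSSE: cacerts).
func ClientAccepted(trustCA bool) (bool, error) {
	ca, caKey := issue("MyCompanyCA", true, 0, nil, nil)
	srv, srvKey := issue("localhost", false, x509.ExtKeyUsageServerAuth, ca, caKey)
	cli, cliKey := issue("First Last", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	caPool := x509.NewCertPool() // plays the role of ca.pem / the Tomcat trust store
	caPool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw, ca.Raw}, PrivateKey: srvKey}}, ClientAuth: tls.RequireAndVerifyClientCert}
	if trustCA {
		srvCfg.ClientCAs = caPool // the fix; Tomcat equivalent: truststoreFile holding ca.crt
	}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}, RootCAs: caPool, ServerName: "localhost"}
	err := handshake(srvCfg, cliCfg)
	return err == nil, err
}

func main() {
	for _, trust := range []bool{false, true} {
		ok, err := ClientAccepted(trust)
		fmt.Printf("CA in server trust store=%-5v accepted=%-5v err=%v\n", trust, ok, err)
	}
}
```

In Tomcat 6 terms the `trustCA=true` branch is: import ca.crt into a JKS (`keytool -importcert -trustcacerts -alias mycompanyca -file ca.crt -keystore tomcat-truststore.jks`) and add `truststoreFile` and `truststorePass` to the connector next to `keystoreFile`. Two further points about the posted connector: `SSLEngine` and `SSLPassword` are APR (OpenSSL) connector attributes and are ignored by the `protocol="HTTP/1.1"` JSSE connector shown, and the `clientAuth="true"` setting only becomes a security control once the trust store holds exactly the CAs allowed to issue client certificates, which is why the default JVM trust store is the wrong place to look even when it happens to work.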
 