
I am trying to use HTTPS with Tomcat 8. I have followed the procedure mentioned at tomcat8-ssl-howto to use HTTPS but currently I can't seem to get it working.

Since the problem seems to be with the keystore, I am listing the steps I followed:

1. `keytool -genkeypair -keyalg RSA -validity 3650 -alias tomcat`
2. `keytool -certreq -alias tomcat -file tomcat.csr`
3. `openssl req -nodes -config conf/openssl.cnf -days 3650 -x509 -newkey rsa:2048 -out public/company_public.pem -outform PEM`
4. `openssl x509 -in public/company_public.pem -outform DER -out public/company_public.crt`, and then place it in the docroot
5. Updated web.xml with

   ```xml
   <mime-mapping>
     <extension>crt</extension>
     <mime-type>application/x-x509-ca-cert</mime-type>
   </mime-mapping>
   <mime-mapping>
     <extension>cert</extension>
     <mime-type>application/x-x509-ca-cert</mime-type>
   </mime-mapping>
   <mime-mapping>
     <extension>pem</extension>
     <mime-type>application/x-x509-ca-cert</mime-type>
   </mime-mapping>
   ```

6. Imported the trusted root certificate into the web browser
7. `openssl ca -batch -config conf/openssl.cnf -in tomcat.csr -out tomcat.cert`
8. `openssl x509 -in tomcat.cert -out tomcat.crt`
9. `keytool -importcert -v -trustcacerts -alias companycaroot -file company_public.crt`
10. `keytool -import -v -alias tomcat -file tomcat.crt`

The following error is logged in catalina.out:

```
#|INFO|2016-03-02 21:03:30.385+1000|129|org.apache.coyote.http11.AbstractHttp11Processor.process|Error parsing HTTP request header 
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.|#
```

As the issue is with parsing the HTTP request header, I have updated maxHttpHeaderSize to 99999 just to ensure that is not causing the problem.

Below is the configuration in server.xml:

```xml
<Connector executor="tomcatThreadPool"
           port="50915"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="99999"
           server="Test Web"
           keepAliveTimeout="90000"
           maxKeepAliveRequests="-1"
           acceptorThreadCount="40"
           redirectPort="50921" />

<Connector executor="tomcatThreadPool"
           port="50921"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="99999"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           server="Test Web"
           keepAliveTimeout="90000"
           maxKeepAliveRequests="-1"
           acceptorThreadCount="40"
           keystoreFile="/web/home/wb10d1/.keystore"
           keystorePass="changeit"
           allowTrace="true"
           sslProtocol="TLS" />
```

I have tried using Fiddler to investigate the HTTPS response:

```
fiddler.network.https> HTTPS handshake to hostname.domainname.com (for #4) failed. System.IO.IOException The handshake failed due to an unexpected packet format.
```

Error returned by Firefox 44.0.2 with the HTTP connector (port 50915):

```
An error occurred during a connection to hostname:50915. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
```

**Update #1:** With the HTTPS connector (port 50921):

```
The owner of hostname:50921 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website. Advanced info: ssl_error_no_cypher_overlap
```

**Update #2:** Added more debugging information. Here I see the errors below in catalina.out: http://pastebin.com/PTatkMQN

```
Unsupported extension type_23, data:
Extension renegotiation_info, renegotiated_connection: <empty>
***
```

I got the code which causes this error: http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/HelloExtensions.java/

It seems that the extension type is being checked against the enum values below, but it does not match any of them: http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/ExtensionType.java#ExtensionType.0EXT_SERVER_NAME

I am not able to figure out what causes an unknown extension to be set.

I have checked other links on the internet about the error, but the things recommended for others have already been done.

**Note:** I am able to access the URL using HTTP without any problem. So, the issue is clearly with HTTPS.

Phalgun
  • Have you set the certificate? – Xvolks Mar 02 '16 at 12:03
  • Yep, I have created certificate and imported in the browser. – Phalgun Mar 02 '16 at 12:06
  • Is your Tomcat trying to negotiate an SSL v3? See http://serverfault.com/questions/637649/how-do-i-disable-sslv3-support-in-apache-tomcat – Xvolks Mar 02 '16 at 12:12
  • @Xvolks I changed sslProtocol="TLS" to sslProtocols = "TLSv1,TLSv1.1,TLSv1.2", but still the same – Phalgun Mar 02 '16 at 14:37
  • What if you explicitly add ciphers? `ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"` – TheFiddlerWins Mar 02 '16 at 16:20
  • @TheFiddlerWins I tried with the explicit ciphers and then with `ciphers="ALL"`, but the issue is the same: it fails because of common ciphers. Here is the detailed output in catalina.out: http://pastebin.com/PTatkMQN – Phalgun Mar 02 '16 at 18:55
  • `keytool -list -keystore /web/home/wb10d1/.keystore` and make sure it contains a `PrivateKeyEntry` (**NOT** `trustedCert`). – dave_thompson_085 Mar 02 '16 at 23:32
  • @dave_thompson_085 Yes, it contains a trustedCertEntry and not a PrivateKeyEntry. – Phalgun Mar 03 '16 at 03:36
  • @dave_thompson I tried with a new key store containing just a PrivateKeyEntry and it worked. – Phalgun Mar 03 '16 at 03:48
  • @dave_thompson_085 I guess I did not get the keystore setup correctly. At the moment, I am able to access via HTTP and HTTPS at their corresponding ports: `http://hostname:50915/webapp` and `https://hostname:50921/webapp`. However, when I enter `https://hostname:50915/webapp`, it does not redirect to the HTTPS connector at 50921. – Phalgun Mar 04 '16 at 12:55
  • The Connector for port 50915 does plain HTTP not SSL=HTTPS, and it is impossible to serve HTTP and HTTPS on the same port (and address) simultaneously, so connecting to `https://host:50915/` does not work. `redirectPort=50921` on that Connector will cause `http-NOT-S://host:50915/whatever` to return a redirect to `httpS://host:50921/samething` ONLY for URLs subject to a `security-constraint` that requires SSL; see http://stackoverflow.com/questions/7790141/is-security-constraint-configuration-for-tomcat-mandatory – dave_thompson_085 Mar 05 '16 at 04:04
  • @dave_thompson_085 Would you add this to another [question](http://stackoverflow.com/questions/35798406/http-to-https-redirection-issue-with-tomcat-8?noredirect=1#comment59270462_35798406) I had raised for HTTP to HTTPS redirection? I would be happy to mark it as the accepted answer and close it – Phalgun Mar 08 '16 at 10:01
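The comment thread above resolved the question: the keystore referenced by the HTTPS connector held a `trustedCertEntry` under the alias `tomcat` rather than a `PrivateKeyEntry`, so the server had no private key to use for any RSA cipher suite and every client saw `ssl_error_no_cypher_overlap`. The script below is an added example, not code from the question or its commenters. It turns dave_thompson_085's `keytool -list` check into a repeatable pre-flight test: `keystore_entry_kind` classifies an alias from a listing read on stdin, and `check_keystore_file` runs the real `keytool -list` (with its standard `-storepass` option) when keytool is on PATH. The two listings embedded in the script are constructed sample output shaped like the poster's keystore before and after the fix, with made-up fingerprints; the keystore path and password are the ones from the question's server.xml.

```shell
#!/bin/sh
# Added example (not from the question or its comments): confirm that a Tomcat
# keystore really holds a PrivateKeyEntry for the connector alias. A keystore
# whose alias is only a trustedCertEntry has no private key, so the connector
# cannot complete a TLS handshake (browser: ssl_error_no_cypher_overlap).

# Classify one alias in a `keytool -list` listing read on stdin.
# Exit status: 0 = PrivateKeyEntry, 1 = trustedCertEntry only, 2 = alias absent.
keystore_entry_kind() {
  want="$1"
  # keytool -list prints one summary line per entry: "<alias>, <date>, <EntryType>,"
  # Aliases are stored lower-cased, so match case-insensitively.
  line=$(grep -i "^${want}," | head -n 1)
  [ -n "$line" ] || return 2
  case "$line" in
    *PrivateKeyEntry*|*keyEntry*) return 0 ;;   # older keytool prints "keyEntry"
    *trustedCertEntry*)           return 1 ;;
  esac
  return 2
}

# Run the check against a real keystore when keytool is available.
# Usage: check_keystore_file /web/home/wb10d1/.keystore changeit tomcat
check_keystore_file() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 3; }
  keytool -list -keystore "$1" -storepass "$2" | keystore_entry_kind "$3"
}

# Constructed sample listing (not real output): the shape the thread diagnosed,
# where the server alias is a trust entry instead of a key entry.
BROKEN_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

companycaroot, Mar 2, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
tomcat, Mar 2, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Constructed sample listing: how the same keystore should look after
# `keytool -genkeypair` followed by importing the CA-signed cert under that alias.
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

companycaroot, Mar 2, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
tomcat, Mar 2, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Print a verdict for one alias in a listing; returns the classification code.
report() {
  printf '%s\n' "$2" | keystore_entry_kind "$1"
  rc=$?
  case "$rc" in
    0) echo "alias '$1': PrivateKeyEntry present, connector can serve TLS" ;;
    1) echo "alias '$1': only a trustedCertEntry, no private key (expect ssl_error_no_cypher_overlap)" ;;
    *) echo "alias '$1': not found in keystore" ;;
  esac
  return "$rc"
}

# Demo on the constructed listings: `sh check_keystore.sh --demo`
if [ "${1:-}" = "--demo" ]; then
  report tomcat "$BROKEN_LISTING"
  report tomcat "$GOOD_LISTING"
fi
```

The distinction matters because of how keytool behaves: `keytool -importcert` into an alias that does not yet exist creates a `trustedCertEntry`, whereas importing into an alias that already holds a key pair from `-genkeypair` replaces that entry's certificate chain. If steps 1 and 10 of the question are run against different keystore files, or the key pair is removed in between, step 10 silently produces the broken shape shown in `BROKEN_LISTING`, and Tomcat still starts, so the listing check is the cheapest way to catch it before the first handshake fails.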
