
I have configured Tomcat Server (apache-tomcat-9.0.1) with a self-signed certificate. For this I added the required configuration to server.xml and copied the .jks file into the conf folder.

Create Self Signed Certificate; Configure Tomcat with SSL Stuff

HTTPS Works on browser as expected.

Disabled SSL verification while making an HttpsURLConnection call to fetch a REST API

Certificate Exception Stuff; Disable Certificate Exception

It works!

In server.xml only port 8443 is configured. In the web application the following security constraint is configured:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>OVS</web-resource-name>
        <!-- all URLs are protected -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- redirect all requests to HTTPS -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Tomcat Server starts without showing any exception anywhere.

But SSL/TLS communication is not happening with the Tomcat Server when using the self-signed certificate? Wireshark captured the packets; I expected to see TLS packets or an SSL handshake, but nothing, only TCP packets.

Why is the SSL handshake not happening? Is it because only the SSL server certificate is being verified (as client authentication is false)?

   <Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="150"
    port="8443" keyAlias="london" keystoreFile="conf/londonkey.jks" keystorePass="sumit123"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" /> 

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Have you ever tested, after configuring the self-signed certificate etc., to see if SSL/TLS communication takes place?

Edit

As far as I know, to have SSL communication between two network entities, say A and B, both must have their own private key and public certificate, but above we have configured only the server with a certificate and private key, and nothing for the client? Please correct me.

I have checked various example posts, but all of them talk about generating the key and only configuring the Tomcat Server. For testing, they say the browser would show a certificate exception; accept that exception and all would be set. Nowhere did I find a discussion about the actual TLS/SSL handshaking, for which we are actually configuring the Tomcat Server.

Sumit Arora
  • When an SSL communication link is established, the verification of both sides' certificates occurs, if they exist. That means that if a client certificate exists, then the server checks that it is valid, and likewise, if a server certificate exists, the client attempts to verify the server's certificate. A server self-signed certificate IS NOT valid for most cases. So, attempting a raw curl to an SSL self-signed domain is directly rejected, unless you accept it using the -k option. Same with browsers, C# or Java clients, where you must delegate server SSL certificate verification to an 'always-ok' procedure. – DvTr Oct 07 '17 at 21:45
  • But from the same Java client (actually calling HttpsURLConnection con = (HttpsURLConnection)url.openConnection();), when I access any other URL which is not self-signed (sure, no certificate/key for the client is installed), SSL/TLS communication is happening; I can see TLS packets on Wireshark and the SSL handshake stuff. – Sumit Arora Oct 07 '17 at 22:06
  • The handshake can happen, but it will be rejected if the server certificate is self-signed. In Java, you can avoid this verification using a delegate that accepts any kind of certificate (http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/). In PHP, this is done, for example in SOAP Client, using https://stackoverflow.com/questions/8443618/disable-certificate-verification-in-php-soapclient; in C#, using this https://stackoverflow.com/questions/2675133/c-sharp-ignore-certificate-errors. – DvTr Oct 08 '17 at 11:40

1 Answer


No, an SSL cert in Tomcat is not enough if non-browser clients do two-way SSL: import the cert of Tomcat on the client side and import the client's cert in Tomcat. This way you can achieve 2-way SSL. You just have to either create a proper SSL context or override javax.ssl.*, which includes the keystore, keystore password and key password, if any. That's it.
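As an added example (not the asker's or the answerer's code), this is the "proper SSL context" the answer refers to: instead of the always-ok trust manager from the question, the client trusts only the certificate exported from Tomcat's londonkey.jks, keeps the default hostname verifier, and can present its own JKS once the connector is switched to clientAuth="true". Assumed here: the exported certificate is saved as london.pem and Tomcat listens on localhost:8443.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTomcatClient {
    // Builds an SSLContext that trusts exactly one anchor: the Tomcat certificate exported
    // from the server keystore (alias and keystore name are the ones from the question):
    //   keytool -exportcert -rfc -alias london -keystore londonkey.jks -file london.pem
    static SSLContext pinnedContext(String serverCertPem, String clientJks, char[] clientPass)
            throws Exception {
        X509Certificate serverCert; // serverCertPem: assumed file name "london.pem"
        try (InputStream in = new FileInputStream(serverCertPem)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store: no system CAs at all
        trustStore.setCertificateEntry("tomcat-self-signed", serverCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // Optional client identity (assumed JKS): only needed once the connector has
        // clientAuth="true" and Tomcat's truststore holds the client certificate.
        KeyManagerFactory kmf = null;
        if (clientJks != null) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(clientJks)) {
                ks.load(in, clientPass);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, clientPass);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = pinnedContext("london.pem", null, null); // one-way TLS, server cert only
        HttpsURLConnection con = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: the cert's CN/SAN must match "localhost".
        System.out.println("HTTP " + con.getResponseCode() + " via " + con.getCipherSuite());
    }
}
```

If the certificate does not match, the connection fails with an SSLHandshakeException rather than silently accepting any server, which is the difference between this and the disabled verification in the question.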