
Apache Tomcat for Windows SSL Implementation not working

  • Environment: Windows 2003 Server - 64-bit
  • Server Name: devtest.domain.local
  • Apache Tomcat 6.0.36 Server - http://tomcat.apache.org/ (Windows)
  • Sun Java JDK: jdk1.6.0_26

Have both: %CATALINA_HOME% and %JAVA_HOME% defined.

CATALINA_HOME=d:\tomcat
JAVA_HOME=D:\Program Files\Java\jdk1.6.0_26

Generating the CSR for our Certificate Authority:

"%JAVA_HOME%\bin\keytool.exe" -genkey -alias "test.domain.local" -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore "C:\NewCert\keystore.ks" -dname "CN=test.domain.local, OU=IT, O=Company Name, L=AnyTown, ST=State, C=US" -storepass "APASSWORD" && "%JAVA_HOME%\bin\keytool.exe" -certreq -keyalg RSA -sigalg SHA256withRSA -alias "test.domain.local" -file "C:\NewCert\test.csr" -keystore "C:\NewCert\keystore.ks" -storepass "APASSWORD"

Yes, I know that the server name devtest.domain.local is different from the CSR for test.domain.local. I have modified the Windows hosts file as well, and it still does not work either.

Then, I sent off the test.csr to our certificate admin and received back a file called: test.cer

Let's import the cert:

"%JAVA_HOME%\bin\keytool.exe" -importcert -file "C:\NewCert\test.cer" -keystore "C:\NewCert\keystore.ks" -alias "tomcat" -storepass "APASSWORD"

Edit the file D:\tomcat\conf\server.xml and we have:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="200" scheme="https" secure="true"
               keystoreFile="C:\NewCert\keystore.ks" keystorePass="APASSWORD"
               clientAuth="false" keyAlias="tomcat" sslProtocol="TLS" />

Then restarted Apache Tomcat for Windows.

Site comes up fine: http://localhost/manager/html

Let's go look at port 8443: https://localhost:8443/manager/html. We are unable to pull up an SSL-based web page. I have also tried port 443 with no success either. Self-signed certs are not an option - we got stopped on audits with those.

Errors are found; see below.

-Djavax.net.debug=ssl,handshake

In fact, I have added our customized server options:

-Xms1g
-Xmx6g
-XX:PermSize=256m
-XX:NewSize=256m
-XX:MaxNewSize=256m
-XX:MaxPermSize=256m
-XX:+AggressiveHeap
-XX:+PrintGCDetails
-XX:+PrintGCTimeStamps
-verbose:gc
-Dcom.sun.management.jmxremote.port.8086
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dhttps.proxyHost=10.10.10.10
-Dhttps.proxyPort=8080
-Djavax.net.debug=ssl,handshake

Did some more digging and found the following in our stdout log:

*** ClientHello, TLSv1
RandomCookie:  GMT: 1409089044 bytes = { <REMOVED_COOKIE> }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
***
http-8443-exec-1, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-1, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-8443-exec-1, WRITE: TLSv1 Alert, length = 2
http-8443-exec-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-8443-exec-1, called closeOutbound()
http-8443-exec-1, closeOutboundInternal()
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-8443-exec-2, READ: SSLv3 Handshake, length = 67

Found this post - seems to be exactly what I need - Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication

Thanks!

  1. Try to use the same alias for key, certreq and cert (e.g. test.domain.local). Then configure keyAlias="test.domain.local" in server.xml.
  2. Did you specify a key password when generating the private key using keytool? Try to specify keyPass=<password> for the https connector in server.xml.

Really no error/warning/fatal message in any log file in logs dir? There should be one.
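The alias mix-up in the first point above is worth checking mechanically. The following script is an added example, not code from the original post or from Tomcat: it reads the `<Connector>` from server.xml with the standard library, parses the text that `keytool -list -v` prints, and reports when keyAlias names an entry that has no private key, still holds a self-signed certificate, or carries a CN that does not match the host clients connect to. The server.xml fragment and the keytool listing embedded in it are constructed samples reproducing the question's situation (key pair under test.domain.local, CA reply imported under tomcat); the dates and the CA name are made up.

```python
"""Cross-check a Tomcat HTTPS connector against the keystore it points at.

Added example, not code from the original post. The server.xml fragment and
the `keytool -list -v` output below are constructed samples that reproduce
the situation in the question: the key pair was generated under the alias
test.domain.local, the CA reply was imported under the alias tomcat, and the
connector's keyAlias names the latter.
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (the connector from the question).
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
               keystoreFile="C:\\NewCert\\keystore.ks" keystorePass="APASSWORD"
               clientAuth="false" keyAlias="tomcat" sslProtocol="TLS" />
  </Service>
</Server>"""

# Constructed `keytool -list -v` output. Dates and the CA name are made up.
KEYTOOL_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: test.domain.local
Creation date: Jan 1, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=test.domain.local, OU=IT, O=Company Name, L=AnyTown, ST=State, C=US
Issuer: CN=test.domain.local, OU=IT, O=Company Name, L=AnyTown, ST=State, C=US


Alias name: tomcat
Creation date: Jan 1, 2013
Entry type: trustedCertEntry

Owner: CN=test.domain.local, OU=IT, O=Company Name, L=AnyTown, ST=State, C=US
Issuer: CN=Example Internal CA, O=Company Name, C=US
"""


def parse_keytool_listing(text):
    """Map alias -> {type, owner, issuer, cn} from `keytool -list -v` output."""
    entries = {}
    for block in re.split(r"^Alias name:[ \t]*", text, flags=re.MULTILINE)[1:]:
        alias = block.splitlines()[0].strip()
        etype = re.search(r"^Entry type:\s*(\S+)", block, re.MULTILINE)
        owner = re.search(r"^Owner:\s*(.+)$", block, re.MULTILINE)
        issuer = re.search(r"^Issuer:\s*(.+)$", block, re.MULTILINE)
        owner_dn = owner.group(1).strip() if owner else ""
        cn = re.match(r"CN=([^,]+)", owner_dn)
        entries[alias] = {
            "type": etype.group(1) if etype else None,
            "owner": owner_dn,
            "issuer": issuer.group(1).strip() if issuer else "",
            "cn": cn.group(1).strip() if cn else None,
        }
    return entries


def https_connectors(server_xml):
    """Yield the attribute dict of every <Connector SSLEnabled="true">."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield dict(conn.attrib)


def check_connector(conn, entries, expected_host):
    """Return findings for one connector; an empty list means it looks consistent.

    A trustedCertEntry carries no private key, so JSSE has nothing to sign
    with and is left with no usable cipher suites; a self-signed leaf under
    the key alias means the CA reply was never imported into that alias.
    """
    findings = []
    alias = conn.get("keyAlias")
    if alias is None:
        return ["keyAlias not set; point it at the alias that holds the key pair"]
    entry = entries.get(alias)
    if entry is None:
        return [f"keyAlias '{alias}' not found in keystore"]
    if entry["type"] != "PrivateKeyEntry":
        findings.append(f"keyAlias '{alias}' is a {entry['type']}, not a PrivateKeyEntry")
    if entry["owner"] and entry["owner"] == entry["issuer"]:
        findings.append(f"alias '{alias}' still holds a self-signed certificate")
    if entry["cn"] and entry["cn"].lower() != expected_host.lower():
        findings.append(f"certificate CN '{entry['cn']}' does not match host '{expected_host}'")
    return findings


def audit(server_xml, keytool_text, expected_host):
    """Run check_connector over every HTTPS connector; results keyed by port."""
    entries = parse_keytool_listing(keytool_text)
    return {c["port"]: check_connector(c, entries, expected_host)
            for c in https_connectors(server_xml)}


if __name__ == "__main__":
    for port, findings in audit(SERVER_XML, KEYTOOL_LISTING, "devtest.domain.local").items():
        print(f"port {port}:", findings or ["OK"])
```

Against the constructed inputs the script reports two findings for port 8443: the alias tomcat is a trustedCertEntry, and the certificate CN test.domain.local does not match devtest.domain.local. Switching keyAlias to test.domain.local leaves one finding, that the entry is still self-signed, which is exactly what importing the CA reply into that alias fixes.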

Juraj - I gave you the credit because I had not completed my research. Anyway, I am temporarily turning off the:

-Dhttps.proxyHost=10.10.10.10
-Dhttps.proxyPort=8080

as I think this may be confusing the local cert. I will have to turn it back on as we have a vendor connection and have to gather data from them.

In the post, Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication

I am testing what the responder suggested:

 sslProtocol="TLS"
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"

Since I am the on-call guy this week, I will take some time to sort this out and let folks know when I get resolution. Thanks.

The problem is that SSL has a load of vulnerabilities. Servers that do not support SSL should not accept an SSL-formatted hello, and no server should accept a non-TLS connection as secure. Some vendors are slower to secure against vulnerabilities than others, but the question is whether you want to sacrifice your security to accommodate others who do so.

RC4 was recently found to be less secure than previously thought, and your client is offering a bunch of export suites. This all strikes me as a disaster waiting to happen. Get a firm grip on what cipher suites you are allowing on your server, and which you would like to use. This is where a risk analysis comes in. Consider what sacrifices you will accept to accommodate clients.
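The stdout excerpt in the question and the cipher-suite point in this answer can be turned into a small diagnostic. The script below is an added example, not code from the original post or from Tomcat: it pulls the ClientHello suite list out of -Djavax.net.debug=ssl,handshake output, intersects it with the suites the server side can actually use, and flags export-grade, RC4, single-DES and MD5 suites so the trade-off this answer describes is visible. The log excerpt is a trimmed copy of the one in the question; the three server-side suite sets are constructed assumptions for illustration, and the reading that JSSE drops suites it cannot back with a private key from the keystore is the reason an alias with no key ends in "no cipher suites in common".

```python
"""Explain a "no cipher suites in common" failure from a JSSE handshake log.

Added example, not code from the original post. It extracts the cipher
suites a client offered in its ClientHello from -Djavax.net.debug=ssl,handshake
output, intersects them with the suites the server can actually use, and
flags export-grade, RC4, single-DES and MD5 suites. The log excerpt is a
trimmed copy of the one in the question; the three server-side suite sets
are constructed assumptions for illustration, not anything the post shows.
"""
import re

# Constructed excerpt mirroring the stdout log from the question.
DEBUG_LOG = """*** ClientHello, TLSv1
RandomCookie:  GMT: 1409089044 bytes = { <REMOVED_COOKIE> }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
***
http-8443-exec-1, fatal error: 40: no cipher suites in common
"""

# Assumed server-side suite sets (constructed). JSSE skips a suite whose key
# exchange it cannot back with a private key from the keystore, so a
# connector whose keyAlias resolves to an entry without a key has none.
NO_KEY_SERVER = frozenset()
RSA_KEY_SERVER = frozenset({  # illustrative legacy defaults with an RSA key
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
})
AES_ONLY_SERVER = frozenset({  # a hardened ciphers="..." list on the connector
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
})


def client_hello_suites(log_text):
    """Return the suites listed in the first ClientHello, in the client's order."""
    m = re.search(r"^Cipher Suites:\s*\[([^\]]*)\]", log_text, re.MULTILINE)
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []


def classify(suite):
    """'weak' for export-grade, RC4, single DES, MD5, NULL or anonymous suites."""
    if ("EXPORT" in suite or "RC4" in suite or "_DES_" in suite
            or suite.endswith("MD5") or "NULL" in suite or "anon" in suite):
        return "weak"
    return "acceptable"


def diagnose(log_text, server_suites):
    """Intersect the offered suites with the server's and give a verdict."""
    offered = client_hello_suites(log_text)
    common = [s for s in offered if s in server_suites]
    usable = [s for s in common if classify(s) == "acceptable"]
    if not common:
        verdict = "handshake fails: no cipher suites in common (alert 40)"
    else:
        verdict = (f"{len(common)} suites in common, {len(usable)} acceptable; "
                   f"first in client order: {common[0]}")
    return {
        "offered": offered,
        "weak_offered": [s for s in offered if classify(s) == "weak"],
        "common": common,
        "usable": usable,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, suites in (("no private key under keyAlias", NO_KEY_SERVER),
                         ("RSA key, legacy defaults", RSA_KEY_SERVER),
                         ("RSA key, AES only", AES_ONLY_SERVER)):
        r = diagnose(DEBUG_LOG, suites)
        print(f"{name}: {r['verdict']}; weak suites offered: {len(r['weak_offered'])}")
```

Run as-is, the first scenario reproduces the alert from the log, the second shows that nine of the eleven suites this client offers are ones the answer warns against and that the only acceptable overlap is 3DES, and the third shows the cost of a hardened suite list: this particular client no longer connects at all, which is the sacrifice the risk analysis has to weigh.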
