TLS certificate configuration in Tomcat 9

+1 vote
682 views

Is the PEM-based certificate configuration available for both JSSE-based and APR-based connectors in Tomcat 9 at this point? The documentation says e.g. the "certificateFile" attribute is for "OpenSSL Only", and when I try to launch Tomcat using the NIO connector and a PEM-based certificate file, Tomcat says that the keystore is corrupted (even though no keystore was actually specified).

posted Nov 25, 2015 by Seema Siddique


1 Answer

0 votes

No, you really have to use OpenSSL, so either the APR connector, or the NIOx connectors with the OpenSSL implementation. You will get warnings as well if you don't use the appropriate properties for your connector.

answer Nov 25, 2015 by Ankit
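The OpenSSL-backed setup the answer describes, written out as a Tomcat 9 server.xml fragment. This is an added example, not code from the original post or from the Tomcat project; the host name, file paths and keystore password are placeholders, and the OpenSSL variant assumes the Tomcat Native library is installed and on the library path.

```xml
<!-- Added example (not from the post): HTTPS connector that reads PEM files.
     The PEM attributes (certificateFile, certificateKeyFile, certificateChainFile)
     are served by the OpenSSL engine, so the NIO connector is paired with the
     OpenSSL implementation. Paths are relative to $CATALINA_BASE and are assumed. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true">
    <!-- hostName is a placeholder; "_default_" would match every SNI name -->
    <SSLHostConfig hostName="www.example.test"
                   protocols="TLSv1.2"
                   ciphers="HIGH:!aNULL:!MD5">
        <Certificate certificateKeyFile="conf/www.example.test.key.pem"
                     certificateFile="conf/www.example.test.crt.pem"
                     certificateChainFile="conf/www.example.test.chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Pure-JSSE alternative, no OpenSSL: the same key and chain must be packed into
     a keystore (JKS or PKCS12). Pointing a JSSE-only connector at a PEM file, as in
     the question, is what produces the "keystore is corrupted" failure at startup.
     The keystore name and password below are placeholders. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/www.example.test.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="CHANGE-ME-placeholder"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

A quick way to tell which engine a connector picked up is the startup log: Tomcat reports whether the OpenSSL-based implementation was loaded, and a JSSE connector given PEM paths fails before the port is bound.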
Similar Questions
+1 vote

I've been off the list for a bit, getting ducks in a row here and everything.

I noticed a number of posts about SSL & TLS security settings lately and I wanted to point out that maintaining your SSL configurations is an on-going process.

New exploits are discovered and released quite often, and often the fault lies with a cipher and not necessarily an overall SSL/TLS protocol.

So using a cipher list like "all except RC4" is probably not sufficient anymore. And what is secure may depend completely on the SSL/TLS software you use, be it OpenSSL or Java's built in SSL libraries.

For example, with OpenSSL, you should be using 1.0.1t or higher, and even then only TLS1.2 with a handful of ciphers. I'm not sure what the recommended options for Java's libraries are at the moment. A really good, free tool is Qualys' SSL Labs server test tool located at https://www.ssllabs.com/ssltest/. Run that against your implementation and follow its recommendations.

Of course, at the end of the day, it will be up to you and your firm to decide what risks you are willing to take with your SSL communications and whether or not you need to support insecure browsers, i.e. browsers that cannot negotiate up to the most secure protocol and ciphers.

+2 votes

I'm trying to set TLS protocol with the next parameter into the ssl.conf file:

 SSLProtocol all -SSLv2 -SSLv3 

but then my web application fails. I only can see next error in log file

[info] SSL library error 1 in handshake (server my.server:443, client xx.xx.xx.xx)
[info] SSL Library Error: 336027900 error:140760FC:SSL routines:func(118):reason(252)
[info] Connection to child 4 closed with abortive shutdown(server my.server:443, client xx.xx.xx.xx) 

I also can't see, in the customlog file, a "GET" that I can see when all protocols are enabled (no forcing TLS):

10.5.137.162 - - [03/Feb/2015:09:30:47 0100] "GET /application/resources/css/template_v6.0.xsl HTTP/1.0" 200 28323  

Any help will be appreciated

0 votes

I've just upgraded my server (Slackware64-14.0) and installed freeDiameter-1.1.6 and now I can't run this app. The error "The certificate hasn't got a known issuer" is received.

The certificate is generated by the make_certs.sh script provided with the sources.

Logfile:
root@rad1a:/usr/local/src/freeDiameter-1.1.6/build# freeDiameterd
libfdproto initialized.
libgnutls '3.0.23' initialized.
TLS: Local certificate chain '/usr/local/etc/freeDiameter/mycert' is invalid :
 - The certificate hasn't got a known issuer.
ERROR: in '__v__ = (fd_conf_parse())': Invalid argument
ERROR: in '__v__ = (fd_core_parseconf(conffile))': Invalid argument

Is there any simple solution for this?

0 votes

Has somebody of you ever tried to configure certificate mutual authentication between a MS IIS webserver and a Tomcat instance? Does somebody know if this is even possible in IIS?

I usually do it very well with Apache but this time I'm requested to put in front of Tomcat an IIS webserver.
Thanks in advance.

0 votes

I am trying to find out, by checking the registry, whether or not Apache Tomcat 9.0.8 is already installed. If the registry key below is not there, then my program installs Apache Tomcat 9.0.8; otherwise it moves on to the other installations and completes. It's kind of a prerequisite check program.

HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Tomcat\9.0\Tomcat9

However, every time the program just proceeds to install Tomcat despite it already being installed. Am I checking the wrong registry key?

...