tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)


Madhan Raj
Hi All,

OS - CentOS 7.6.1810( Core)

The connector below doesn't load my EC keystore, whereas it works with RSA. Any
insights please?

This is my connector tag in server.xml:

<Connector SSLEnabled="true" URIEncoding="UTF-8" maxThreads="200"
           port="443" scheme="https" secure="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192"
           minSpareThreads="25">
  <SSLHostConfig sslProtocol="TLS" certificateVerification="none"
                 sessionTimeout="1800" protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"
                 ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
                 sessionCacheSize="10000">
    <Certificate certificateKeyAlias="tomcat-ecdsa"
                 certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore"
                 certificateKeystorePassword="8o8yeAH2qSJbJ2sn"
                 certificateKeystoreType="PKCS12" type="EC"/>
  </SSLHostConfig>
</Connector>

Tomcat startup command used:
 /home/tomcat/tomcat -user tomcat -home /usr/local/thirdparty/java/j2sdk
-pidfile /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid -procname
/home/tomcat/tomcat -outfile
/usr/local/thirdparty/jakarta-tomcat/logs/catalina.out -errfile &1
-Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
-Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/conf/logging.properties
-agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
-XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80 -Xmx1824m
-Xms256m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-cp
/usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thirdparty/jakarta-tomcat/bin/tomcat-juli.jar
-Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/catalina.policy
-Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat
-Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat
-Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp
org.apache.catalina.startup.Bootstrap start'

JAVA_OPTS= -Djava.library.path=$LD_LIBRARY_PATH
-Djavax.net.ssl.sessionCacheSize=10000
 -Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore
-Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD
-XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat.txt
-Dsun.zip.disableMemoryMapping=true
-XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh
-XX:OnError=/home/tomcat/tomcat_diagnostics.sh $TOMCAT_JAVA_OPTS

Also, can I have both RSA and ECDSA in a single keystore? Will that work in
Tomcat 9? It used to work with Tomcat 7.

Thanks,
Madhan

Re: tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)

Christopher Schultz-2

Madhan,

On 6/3/20 21:08, Madhan Raj wrote:
> OS - CentOS 7.6.1810( Core)
>
> Below connector doesn't load my EC keystore whereas it works with
> RSA. Any insights please?

When you say "doesn't load", what do you mean? Possible reasonable
responses are:

1. I can only complete a handshake with RSA cert, not ECDSA cert
2. Error message (please post)
3. JVM crashes
4. OS crashes
5. Universe ends (possible, but unlikely to be reproducible)

> Also, can I have both RSA and ECDSA in a single keystore? Will that
> work in Tomcat 9?

Yes. You have to use two <Certificate> elements, each with a different
"type" and "certificateKeyAlias".

> It used to work with Tomcat 7.

It still works with Tomcat 9.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)

Madhan,


> On 04.06.2020 at 18:41, Christopher Schultz <[hidden email]> wrote:
>
> Madhan,
>
> On 6/3/20 21:08, Madhan Raj wrote:
>> OS - CentOS 7.6.1810( Core)
>>
>> Below connector doesn't load my EC keystore whereas it works with
>> RSA. Any insights please?

Try to update to the latest version. Check the change log. In 9.0.31 support for EC keys was at least updated. Maybe this will work. I had problems using unencrypted EC keys in Tomcat 8.5.50 in JSSE connectors, however with PEM-encoded cert files (fixed in 8.5.51). But yours may be a similar problem.

Regards

Peter





Re: tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)

Madhan Raj
Hi all,

Any insights please?

Thanks,
Madhan

On Thu, 4 Jun, 2020, 11:12 pm Madhan Raj, <[hidden email]> wrote:

> Hi Christopher,
>
> Yes, you're correct: I can only complete a handshake with the RSA cert, not the
> ECDSA cert. When I try to connect with ECDSA ciphers using s_client, negotiation
> fails.
> Madhan

Re: tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)

Christopher Schultz-2

Madhan,

On 6/10/20 22:08, Madhan Raj wrote:
> Any insights please?

How did you create your certificate?

What are the details of your certificate and key? For example, which
curve are you using? How many key bits? What type of signature on the
certificate? What is the alias for that certificate in your keystore?
Does it match what you have configured in Tomcat? Do you have a
password on your keystore? Are you setting that correctly in your
<Certificate> element? (I see no password in your posted config.)

What client are you using to attempt the handshake?

What error(s) do you get with the handshake?

If you configure *only* ECDSA, can you handshake? Or does ECDSA never
work?

You haven't given us much to go on, other than "I can't get ECDSA to
work" when it's pretty clear others can get it to work.

- -chris

> On Thu, 4 Jun, 2020, 11:12 pm Madhan Raj, <[hidden email]
> <mailto:[hidden email]>> wrote:
>
> Hi Christopher,
>
> Yes, you're correct: I can only complete a handshake with the RSA cert, not
> the ECDSA cert. When I try to connect with ECDSA ciphers using
> s_client, negotiation fails. Madhan


Re: tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)

Madhan Raj
Hi Chris,

Just attached the output logs and my server.xml, including my ECDSA cert in the keystore. In the "keystore and s_client outputs.txt" file I have attached all the required cert and keystore outputs.

> What client are you using to attempt the handshake?

I am using the openssl command line utility to test.

> What error(s) do you get with the handshake?

"secure negotiation not supported"

> If you configure *only* ECDSA, can you handshake? Or does ECDSA never
> work?

Correct, ECDSA never works for me. Here in my case, on port 443 I hosted only the ECDSA keystore and on 8443 I have hosted the RSA keystore. 8443 works like a charm and 443 is down.

Thanks,
Madhan.


Attachments: keystore and s_client_outputs.txt (11K), server.xml (12K)

Re: tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)

Christopher Schultz-2

Madhan,

On 6/12/20 00:57, Madhan Raj wrote:
> Just attached the output logs and my server.xml, including my
> ECDSA cert in the keystore. In the "keystore and s_client outputs.txt" file I have
> attached all the required cert and keystore outputs.

In-line would be better in the future. I hate having to save
attachments on my own computer and then edit them just to see them.
And then copy/paste to quote.

> [root@sapphire-69 conf]# keytool -list -v -keystore /usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore -storepass iY4VjgcxNrTLp57b -storetype PKCS12
> log4j:WARN No appenders could be found for logger (com.cisco.ciscossl.provider.ciscojce.CiscoJEnv).
> log4j:WARN Please initialize the log4j system properly.
> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
> Keystore type: PKCS12
> Keystore provider: JsafeJCE

Could this be of interest (repeating above):
> Keystore provider: JsafeJCE

I didn't see certificateKeystoreProvider="JsafeJCE" in your
<Certificate> configuration.

Does your RSA keystore show the same keystore provider if you dump it?

> [snip] [from keytool]
> Owner: L=blr, ST=kr, CN=sapphire-69-EC, OU=cisco, O=infy, C=IN
> [snip]
> Signature algorithm name: SHA384withECDSA
> Subject Public Key Algorithm: 384-bit EC key
> [snip] [from openssl]
> X509v3 Subject Alternative Name:
>     DNS:sapphire-69

Your CN is "sapphire-69-EC" and you have a SAN for "sapphire-69". Is
that also the hostname being used to connect?

> What client are you using to attempt the handshake? I am using the
> openssl command line utility to test.

Good.

> What error(s) do you get with the handshake?  secure negotiation
> not supported

That's not an error. It's one of many messages from openssl s_client:

> # openssl s_client -connect localhost:443
> CONNECTED(00000003)
> 139656609052336:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 247 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1591935501
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---

You are using "localhost". What if you use "sapphire-69"?

...although localhost:8443 seems to work with your RSA certificate.

> If you configure *only* ESDSA, can you handshake? Or does ECDSA
> never work?   Correct, ECDSA never works for me. Here in my case, on
> port 443 I hosted only the ECDSA keystore and on 8443 I hosted the RSA
> keystore. 8443 works like a charm and 443 is down.

> [From your config:] <SSLHostConfig certificateVerification="none"
> ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
> protocols="TLSv1,TLSv1.1,TLSv1.2" sessionCacheSize="10000"
> sessionTimeout="1800" sslProtocol="TLS" truststoreType="PKCS12">

Note that you can't handshake using an RSA authentication with an
ECDSA certificate. While those ECDHE-RSA-* ciphers in there won't
hurt, they will never work and are a little confusing.

What happens if you point this tool at your localhost:443 and
localhost:8443 endpoints?

https://github.com/ChristopherSchultz/ssltest

-chris

> On Thu, Jun 11, 2020 at 1:47 PM Christopher Schultz <[hidden email]> wrote:

>
> Madhan,
>
> On 6/10/20 22:08, Madhan Raj wrote:
>> Any insights please .
>
> How did you create your certificate?
>
> What are the details of your certificate and key? For example,
> which curve are you using? How many key bits? What type of
> signature on the certificate? What is the alias for that
> certificate in your keystore? Does it match what you have
> configured in Tomcat? Do you have a password on your keystore? Are
> you setting that correctly in your <Certificate> element? (I see no
> password in your posted config.)
>
> What client are you using to attempt the handshake?
>
> What error(s) do you get with the handshake?
>
> If you configure *only* ESDSA, can you handshake? Or does ECDSA
> never work?
>
> You haven't given us much to go on, other than "I can't get ESDSA
> to work" when it's pretty clear others can get it to work.
>
> -chris
>
>> On Thu, 4 Jun, 2020, 11:12 pm Madhan Raj, <[hidden email]> wrote:
>
>> Hi Christopher,
>
>> Yes, you're correct: I can only complete a handshake with the RSA cert,
>> not the ECDSA cert. When I try to connect with ECDSA ciphers using
>> s_client, negotiation fails. Madhan
>
>> On Thu, Jun 4, 2020 at 12:41 PM Christopher Schultz <[hidden email]> wrote:
>
>> Madhan,
>
>> On 6/3/20 21:08, Madhan Raj wrote:
>>> OS - CentOS 7.6.1810( Core)
>
>>> Below connector doesn't load my EC keystore whereas it works
>>> with RSA . Any insights please .
>
>> When you say "doesn't load", what do you mean? Possible
>> reasonable responses are:
>
>> 1. I can only complete a handshake with RSA cert, not ECDSA cert
>> 2. Error message (please post)
>> 3. JVM crashes
>> 4. OS crashes
>> 5. Universe ends (possible, but unlikely to be reproducible)
>
>>> this is my connector tag in server.xml
>>> <Connector SSLEnabled="true" URIEncoding="UTF-8" maxThreads="200"
>>> port="443" scheme="https" secure="true"
>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>> disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192"
>>> minSpareThreads="25">
>>> <SSLHostConfig sslProtocol="TLS" certificateVerification="none"
>>> sessionTimeout="1800" protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"
>>> ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
>>> sessionCacheSize="10000">
>>> <Certificate certificateKeyAlias="tomcat-ecdsa"
>>> certificateKeystoreFile="/usr/local/platform/.security/tomcat-ECDSA/certs/tomcat-ECDSA.keystore"
>>> certificateKeystorePassword="8o8yeAH2qSJbJ2sn"
>>> certificateKeystoreType="PKCS12" type="EC"/>
>>> </SSLHostConfig>
>>> </Connector>
>
>>> tomcat start up command used :-
>>> /home/tomcat/tomcat -user tomcat -home /usr/local/thirdparty/java/j2sdk
>>> -pidfile /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid
>>> -procname /home/tomcat/tomcat
>>> -outfile /usr/local/thirdparty/jakarta-tomcat/logs/catalina.out
>>> -errfile &1 -Djdk.tls.ephemeralDHKeySize=2048
>>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>>> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
>>> -Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/conf/logging.properties
>>> -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
>>> -XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80
>>> -Xmx1824m -Xms256m
>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>> -cp /usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thirdparty/jakarta-tomcat/bin/tomcat-juli.jar
>>> -Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/catalina.policy
>>> -Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat
>>> -Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat
>>> -Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp
>>> org.apache.catalina.startup.Bootstrap start'
>>>
>>> JAVA_OPTS= -Djava.library.path=$LD_LIBRARY_PATH
>>> -Djavax.net.ssl.sessionCacheSize=10000
>>> -Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore
>>> -Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD
>>> -XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat.txt
>>> -Dsun.zip.disableMemoryMapping=true
>>> -XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh
>>> -XX:OnError=/home/tomcat/tomcat_diagnostics.sh
>>> $TOMCAT_JAVA_OPTS
>
>>> Also can i have both RSA and ECDSA in a single keystore. Will
>>> that work in tomcat 9?
>
>> Yes. You have to use two <Certificate> elements each with a
>> different "type" and "certificateKeyAlias"
>
>>> it used to work with Tomcat 7
>
>> It still works with Tomcat 9.
>
>> -chris
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
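The cipher-list point made in the reply above (suites that authenticate with RSA can never be selected when the only certificate on the connector is EC, and vice versa) can be checked before restarting Tomcat. The script below is an added example, not code from this thread or from the Tomcat project: it maps OpenSSL-style suite names, which is what Tomcat's ciphers attribute accepts, to the <Certificate type="..."/> value each suite needs, and lists the suites that are dead weight for a given set of configured certificate types. The prefix table and the "unknown" bucket are the example's own simplifications; the thread's ciphers attribute is embedded as sample input.

```python
"""Flag Tomcat cipher suites that can never be negotiated with the
configured certificate type(s).

Tomcat's <SSLHostConfig ciphers="..."> accepts OpenSSL-style suite names,
and the leading tokens of such a name fix the authentication algorithm,
which in turn fixes the certificate key type the server must hold.
"""
from dataclasses import dataclass

# Suite-name prefix -> Tomcat <Certificate type="..."> value it requires.
# Mapping table written for this example; it covers the families that
# appear in the thread plus TLS 1.3, nothing more.
AUTH_PREFIXES = (
    ("ECDHE-ECDSA-", "EC"),
    ("ECDHE-RSA-", "RSA"),
    ("DHE-RSA-", "RSA"),
    ("DHE-DSS-", "DSS"),
)
# Families whose certificate requirement this example does not model
# (PSK/SRP, anonymous suites, static DH/ECDH, null ciphers).
UNMODELLED_TOKENS = {"PSK", "SRP", "ADH", "AECDH", "NULL", "DH", "ECDH"}


@dataclass
class SuiteVerdict:
    name: str
    needs: str      # "EC", "RSA", "DSS", "any" (TLS 1.3) or "unknown"
    usable: bool


def auth_type(suite: str) -> str:
    """Return the certificate type a suite needs, or "any"/"unknown"."""
    if suite.startswith("TLS_"):
        return "any"              # TLS 1.3 suites are key-type agnostic
    for prefix, cert_type in AUTH_PREFIXES:
        if suite.startswith(prefix):
            return cert_type
    if UNMODELLED_TOKENS & set(suite.split("-")):
        return "unknown"
    return "RSA"                  # bare names (AES256-SHA) are RSA key transport


def check_ciphers(ciphers: str, cert_types) -> list:
    """Classify every suite in a colon-separated Tomcat ciphers attribute."""
    cert_types = set(cert_types)
    verdicts = []
    for suite in ciphers.split(":"):
        suite = suite.strip()
        if not suite:
            continue
        needs = auth_type(suite)
        usable = needs == "any" or needs in cert_types
        verdicts.append(SuiteVerdict(suite, needs, usable))
    return verdicts


def unusable_suites(ciphers: str, cert_types) -> list:
    """Names of suites that cannot be selected with these certificate types."""
    return [v.name for v in check_ciphers(ciphers, cert_types) if not v.usable]


# Sample input: the ciphers attribute quoted in the thread.
THREAD_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "AES256-SHA:DHE-DSS-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA"
)

if __name__ == "__main__":
    for label, types in (
        ("EC cert only, as on port 443", {"EC"}),
        ("RSA cert only, as on port 8443", {"RSA"}),
        ("EC and RSA, two <Certificate> elements", {"EC", "RSA"}),
    ):
        dead = unusable_suites(THREAD_CIPHERS, types)
        print(f"{label}: {len(dead)} suite(s) can never be negotiated")
        for name in dead:
            print(f"  {name} (needs {auth_type(name)})")
```

With only the EC certificate configured, six of the eight suites in the list can never be negotiated, leaving just the two ECDHE-ECDSA suites; that matches the reply's observation that the ECDHE-RSA-* entries are harmless but confusing. With both an EC and an RSA <Certificate> element on the same SSLHostConfig, only DHE-DSS-AES256-SHA remains unusable, since no DSS certificate is configured anywhere in the thread.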