This is a discussion on "Tomcat, no cipher suites in common, SSL, Cannot Get Verisign Certificate to Work" within the Windows Web Servers forums, part of the Web Server and Related Forums category.
Howdy,
I'm running Tomcat 5.5.9 on a Windows 2003 server. Tomcat is set up to run as a service, and uses my account to run (BIGD\t_carbon). When I delete the .keystore file under C:\Documents and Settings\t_carbon and create a new certificate using keytool, everything works fine. I stop Tomcat, delete the .keystore, create a new certificate, restart Tomcat and it picks up the certificate every time. https has no problems like this (https is running at 8443, http is on 8080).

Anyway, I just got a new key from Verisign.

1. I shut down Tomcat.
2. I deleted the .keystore file (and the self-generated cert) and moved the Verisign cert into my home directory.
3. I downloaded the root certificate from Verisign at: http://www.verisign.com/support/inst...ermediate.html
4. I ran the following commands:

   C:\Documents and Settings\t_carbon>keytool -import -alias root -keystore "C:\Documents and Settings\t_carbon\.keystore" -trustcacerts -file "C:\Documents and Settings\t_carbon\chain.cer"
   Enter keystore password: changeit
   Certificate was added to keystore

   C:\Documents and Settings\t_carbon>keytool -import -alias tomcat -keystore "C:\Documents and Settings\t_carbon\.keystore" -trustcacerts -file "C:\Documents and Settings\t_carbon\cert.cer"
   Enter keystore password: changeit
   Certificate was added to keystore

5. Now I have the .keystore, my cert from Verisign (cert.cer) and the root Verisign cert (chain.cer) all sitting in my home directory. I restart Tomcat.
6. My website is up, but when I try to use SSL, it fails (I get nothing). In the log I see the following message:

   javax.net.ssl.SSLHandshakeException: no cipher suites in common
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
       at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:639)
       at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
       at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:119)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:520)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
       at java.lang.Thread.run(Thread.java:595)
   DEBUG http-8443-Processor24 org.apache.tomcat.util.net.PoolTcpEndpoint - Handshake failed
   javax.net.ssl.SSLException: Unsupported SSL v2.0 ClientHello
       at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:453)
       at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:343)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:720)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:119)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:520)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
       at java.lang.Thread.run(Thread.java:595)

Any help or ideas would be gratefully appreciated.

Thanks,
TC
Howdy,
Problem solved. Here's what I did not know: the keystore file (which I named .keystore) has to be the same keystore file you generated the CSR from, and that same file is the one you install the certificate into. Verisign revoked my old certificate and issued me a new one. Here are the exact steps I took to make it work.

1. I stopped Tomcat.
2. I deleted my .keystore file.
3. I deleted all certs (the intermediate and my old one).
4. I then ran:

   keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit
   keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore .keystore -storepass changeit

5. I used the revoke/renew on Verisign's website to get a new cert (was fast, took less than 30 minutes), using the certreq.csr file I generated above. [NOTE: I made sure to leave the .keystore file alone.]
6. Next I took the cert and copied it down and then ran:

   keytool -import -alias tomcat -keyalg RSA -keystore .keystore -trustcacerts -file cert.cer -storepass changeit

7. I started Tomcat.

It all worked perfectly :)

TC
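Both posts above come down to one condition: the CA reply has to be imported into the keystore that holds the private key behind the CSR, otherwise the alias is only a trusted-cert entry, JSSE has no server key to offer, and the handshake fails with "no cipher suites in common". The following is an added diagnostic, not code from the thread or from Tomcat, that checks a JKS keystore for exactly that before Tomcat is started; KeystoreCheck is a hypothetical tool name, and it assumes the key password equals the store password (as it does when keytool is given only -storepass and the key-password prompt is accepted with Enter).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
/** Usage: java KeystoreCheck <keystore-path> <alias> <storepass>  (hypothetical tool, not part of Tomcat) */
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0], alias = args[1];
        char[] pass = args[2].toCharArray();   // assumption: key password equals store password
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        // Tomcat's JSSE connector needs a key entry under keystoreAlias (default "tomcat").
        // Importing a CA reply into a fresh keystore creates only a trustedCertEntry, so the
        // server has no RSA key to offer and every RSA suite is dropped: "no cipher suites in common".
        if (!ks.containsAlias(alias)) {
            fail("alias '" + alias + "' not found in " + path);
        }
        if (!ks.isKeyEntry(alias)) {
            fail("alias '" + alias + "' is a trusted-cert entry, not a key entry: "
               + "import the CA reply into the keystore that generated the CSR");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        // The CA reply must carry the public half of the key pair that signed the CSR.
        if (key instanceof RSAPrivateKey && leaf.getPublicKey() instanceof RSAPublicKey
                && !((RSAPrivateKey) key).getModulus()
                        .equals(((RSAPublicKey) leaf.getPublicKey()).getModulus())) {
            fail("certificate public key does not match the private key under '" + alias + "'");
        }
        // A CA-issued leaf with nothing behind it means the reply was imported before the
        // intermediate (the thread's chain.cer): import the intermediate first, then the reply.
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        if (chain.length == 1 && !selfSigned) {
            System.err.println("WARN: chain holds only the leaf certificate; intermediate missing");
        }
        System.out.println("OK: key entry '" + alias + "', chain length " + chain.length
            + ", subject " + leaf.getSubjectX500Principal());
    }
    private static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }
}
```

Run it against the keystore from the first post and it fails at the key-entry check, since both imports there created trusted-cert entries; against the keystore from the second post it reports OK with the chain length showing whether the intermediate was picked up.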