(Code d'erreur: ssl_error_rx_record_too_long) Tomcat+OpenSSL

Je suis en train d'activer le SSL dans mon Tomcat.
Mais quand je lance Tomcat et aller à https://localhost:8443 je vois

An error occurred during a connection to localhost:8443.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

À faire que j'ai utilisé CA.sh pour générer la clé privée et du certificat signé comme ceci:

progerlaptop:/usr/share/ssl/misc # ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
................................++++++
.............................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase: pass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Chernihiv
Locality Name (eg, city) []:Chernihiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University
Organizational Unit Name (eg, section) []:student
Common Name (eg, YOUR name) []:localhost
Email Address []:proger@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c6:55:7e:58:1b:4d:9c:7e
        Validity
            Not Before: Nov 25 13:17:31 2010 GMT
            Not After : Nov 24 13:17:31 2013 GMT
        Subject:
            countryName               = UK
            stateOrProvinceName       = Chernihiv
            organizationName          = University
            organizationalUnitName    = student
            commonName                = localhost
            emailAddress              = proger@localhost
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66
            X509v3 Authority Key Identifier: 
                keyid:C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Nov 24 13:17:31 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
progerlaptop:/usr/share/ssl/misc # ./CA.sh -newreq
Generating a 1024 bit RSA private key
............++++++
.........................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase: pass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Chernihiv
Locality Name (eg, city) []:Chernihiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University
Organizational Unit Name (eg, section) []:student
Common Name (eg, YOUR name) []:localhost
Email Address []:proger@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

progerlaptop:/usr/share/ssl/misc # CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: pass
...
Sign the certificate? [y/n]:y
...
Signed certificate is in newcert.pem

Copié la clé et cert dans mon répertoire de Tomcat.

cp newcert.pem newkey.pem /path/to/tomcat-6.0.29/ssl/

Ajouté Connecteur à mon server.xml:

   <Connector port="8443" maxHttpHeaderSize="8192" 
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75" 
      enableLookups="false" disableUploadTimeout="true" 
      acceptCount="100" scheme="https" secure="true" 
      SSLEngine="on". 
      SSLCertificateFile="${catalina.base}/ssl/newcert.pem" 
      SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem". 
      SSLPassword="pass"/>

Puis-je commencer catalina.sh exécuter.
Et quand je vais à https://localhost:8443/ je vois cette erreur méchante.
Quand je fais, je fais de mal?
Je vous remercie à l'avance

OriginalL'auteur Ivan Mushketyk | 2010-11-25

  1. 4

    Tomcat 6 et au-dessus? Vous devez définir le SSLEnabled="true", comme déjà répondu ici ou ici.

    OriginalL'auteur Pavel

  2. 0

    On dirait que vous êtes en utilisant AVR/OpenSSL pour https, auquel cas SSLEngine="on" est correct.

    Avez-vous installé libtcnative?

    En supposant que tomcat 6: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

    Étapes rapides:

    tar zxf tomcat-native-1.1.20-src.tar.gz
cd tomcat-native-1.1.20-src/jni/native/
./configure --with-apr=/usr/bin/apr-1-config --with-ssl=yes
make && make install
cd /usr/java/default/jre/lib/amd64/
ln -s /usr/local/apr/lib/libtcnative-1.so

    Lorsque vous démarrer tomcat, vous devez voir cette ligne dans votre catalina.:

    INFO: Loaded APR based Apache Tomcat Native library 1.1.20.

    L'alternative est d'utiliser JSSE et ajouter vos certificats/clés d'un keystore java (.fichier de magasin de clés). Je trouve le keystore java une douleur dans le cul pour l'utiliser donc j'ai l'habitude d'aller avec AVR.

    OriginalL'auteur Thiago Figueiro

  3. 0

    J'ai eu le même problème. Je l'ai corrigé en ajoutant protocol="org.apache.coyote.http11.Http11NioProtocol" pour le connecteur

    OriginalL'auteur damian

  4. 0

    Je l'espère, vous devriez avoir le fichier de magasin de clés dans votre machine à

    Assurez-vous dans le server.xml fichier et également consulter cette lien il pourrait être utile pour vous de résoudre

         <Connector port=”8443” maxHttpHeaderSize=”8192″
      maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″
      enableLookups=”false” disableUploadTimeout=”true”
      acceptCount=”100″ scheme=”https” secure=”true”
      **keystoreFile=”/../../../Tomcat/mycert.jks”**
      clientAuth=”false” sslProtocol=”TLS>

    OriginalL'auteur gks

  5. 0

    J'ai réussi à résoudre ce problème en modifiant un port de la valeur. La valeur 443 a été réservé, j'ai donc mis 1443, redémarrez Tomcat, et cela a fonctionné.

    Mon Connector est:

    <Connector port="1443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="D:/path_to_ca.jks" 
    keystorePass="somePass" />

    Maintenant l'URL est:

    https://localhost:1443/index.jsp

    Cheers!

    OriginalL'auteur akelec