1/
Install the latest version of tomcat (8.0.28) and run it on java 8 (I'm using the 1.8.0_45 / 64-Bit version).
I'm running the Tomcat on a Windows 7 64-Bit
2/ Enable SSL on Tomcat:
Activate SSL by creating a keystore and uncommenting the https connector in the server.xml file, add
keystoreFile="" keystorePass=""
to the connector.
FYI: here is my connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="password"
keystoreFile="/path/to/my/keystore" />
3/ Install Fiddler (www.telerik.com/fiddler) or any other tool to sniff the traffic between your host and the server, the fiddler should run on your host. I did my screen shots with Fiddler.
4/
Go to tools/options/https and check "enable decrypt".
5/
Using Internet explorer 11 (chrome also works but as it compresses the websocket traffic it makes it harder to reach 8KB of data), access your tomcat remotely using https and open the example app at https://server:8443/examples/websocket/echo.xhtml
choose "Programmatic API", hit "Connect", then send a small test message
on fiddler, double click on the websocket session and look at the result in the websocket tab.
Now, try to send a large text of say 20KB, you'll see that the reply is split in frames of 8KB marked "Continuation". There should be a frame marked "Final" which is missing at this point.
Send another small message so that the missing frame is flushed.
Important:
If I connect to a Tomcat running locally on my host I do not reproduce this issue.
If I do not use SSL, I do not reproduce this issue.
Questions:
- why such behavior, did anyone experience the same thing ?
- how to properly troubleshoot this issue ?
- I tried to enable the Tomcat logging but nothing interesting in the logging: org.apache.tomcat.websocket.level = FINE
The issue is apparently OS related:
When Tomcat is on Windows 7 it does not work
When Tomcat is on Windows 10 it works
When Tomcat is on Windows Server 2012 R2 it works
In short this issue a combination of OS (some versions of windows) / SSL and WebSockets.
The "dirty" workaround I found for now is to send a last message to flush the buffer since I have access to the code of the server side.
please let me knwo if you faced such issue as this could be something related to the SSL handshake for some specific windows versions and I don't knwo how to trouble shoot that.
Related
We have implemented APNS connectivity using notnoop. We have been testing it for last 5 months on development and UAT environment and other environment. Things were working as expected but post deployment to production environment we are having tough time getting it work, GCM is working fine it is only APNS were we have tough time.
Initially there was connectivity issue from firewall which we have got opened to connect to gateway.push.apple.com on 2195 as earlier system was throwing connection timeout.
Now system is throwing No Trusted Certificate found I have described below the detail steps we have already taken to debug this.
Please note this is happening only when i deploy it on production that too when it is run inside Tomcat 8.0. We did small POC to test if it can work outside tomcat and it is working properly using same certificate from same absolute path.
We did try after changing the implementation to use absolute path of certificate as shown below
APNS.newService().withCert(PRODcertificatePath, PRODcertificatePassword)
The program is configured to use .withProductionDestination() if it is using production certificate and vice versa so this issue is also taken care.
Then we also tried using ClassLoader InputStream iss = ClassLoader.getSystemResourceAsStream("Axis-APNS.p12")
Yes we do have JKS file on production whose detail is configured in server.xml something like below
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" sslProtocol="TLS" keystoreFile="/root/cert"
Now we are out of idea to debug and find the root cause, Any suggestion, question is most welcome.
As a matter of workaround, i have redesign my system. Instead of running from inside tomcat, Have made it as standalone application using Quartz batch job and system is running properly. Once i get time to find out why tomcat is not able to pick correct certificate, will upate you guys on it. Thank you very much for your time... email me if you need anymore help on above matter. Thanks, Amarjeet
I would like to know if anybody has experience working with SSL and HTTPS on a Google Compute Engine (not GAE) instance. I have been unable to use HTTPS with my website: browsers and online test tools fail to connect to my server.
My environment is ubuntu-1404-trusty-v20141212 and Tomcat 8.
Here's what I did:
I ticked "allow HTTP" and "allow HTTPS traffic" on the instance's network settings
Installed my $4 Comodo certs.
Used as-is Connector configuration on server.xml with only keystore and password added
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/ssl/private/tomcat.keystore"
keystorePass="password"
/>
I get the aforementioned error when I start my Tomcat and go to https://mysite.com:8443. Some diagnostics are:
Log catalina.out doesn't say anything severe.
Using netstat -ntlp |grep :8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8500/java shows my tomcat is listening at 8443
Finally I created an AWS EC2 instance with the same environment and installed my SSL certificates. It immediately works without any tinkering with port and firewall.
Any advice on how to make SSL work on GCE is appreciated.
Figured it out myself. As suspected, this does have something to do with firewall.
When allowing HTTPS traffic in a GCE instance, the default port is 443 not 8443.
Either change the listening port or change the firewall rule here:
Google Developers Console->Compute Engine->Networks->the network's
name the instance is associated with->Firewall rules.
Several rules are listed, in my case I need to modify default-allow-https
For a site which is running an old version of Java and Tomcat (6 and 5.5 respectively) the latest build of chrome is failing with ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION.
And that's fine, since chrome disabled SSLv3 becuase of POODLE. I went to conf/server.xml and specified sslProtocol="TLSv1" explicitly.
The the site opens successfully, but sometimes, some of the resources (js and css only) fail to open with the same ERR_SSL. I use iptables forwarding to Tomcat, so no apache/nginx and no proxies.
Here's a screenshot to illustrate the failures. With cache disabled, you can see that some js and css files are served OK (the actual jsps and all images are always served OK), and some are failing:
I could not find any connection between what's failing, and their declaration. Furthermore, sometimes these are not failing.
Can I do something about it (apart from upgrading Java, which is not guaranteed to work and is a lot of effort, as the site potentially won't work, and have to be recompiled, repackaged, etc), or is it a chrome bug?
Specifying sslProtocol="TLSv1" in the Tomcat <Connector /> element only guarantees that the specified protocol will be available, not that it is the only one available. For example, the connector
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1" ... />
will have SSLv3 and TLSv1 available. In order to disable SSLv3, you need to explicitly say which protocols are enabled using another property. I'm not familiar with the syntax for Tomcat 5, but the syntax for Tomcat 6 is protocols="TLSv1" and Tomcat 7 is sslEnabledProtocols="TLSv1".
I've been trying all day to set Tomcat 6.0 up for SSL. I know it shouldn't be that hard. I've followed the Tomcat documentation in creating my own Certificate, configuring the connectors in the server.xml file.
When I go to https://localhost:8443, (8443 is the port I defined in the connector) my certificate does not render on the screen, and my browser tells me that it was unable to make a secure connection to the server and that my client may not have the certificate.
My question is, why isn't my certificate rendering for the user to say "Trust" or "Not"?
There's a full documentation on SSL Howto for Tomcat 6. I don't know how far you've gone to setting up your SSL for me to help you.
Make sure that in server.xml in APACHE_HOME/conf has both Connector for port 8080 and 8443 enabled.
Do you happen to have a tcnative-1.dll file in apache-tomcat-6.xxx\bin\ folder?
If so, it will not work with your current <Connector/> configuration. Remove the file or rename the extension and restart the tomcat server again.
This is stated in "Edit the Tomcat Configuration File" section of http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
I ended up figuring it out.
The issue was regarding to my protocol variable in my Connector:
This is what I had: protocol="HTTP/1.1"
Now I have this: protocol="org.apache.coyote.http11.Http11Protocol"
The only issue now is that chrome or IE won't run the site as HTTPS because i signed the certificate myself and am not a CA.
I'm running a java web app in Eclipse (Helios) using Tomcat 7. The server startups up successfully (duration indicated) however Eclipse's progress bar still spins saying that Tomcat is starting up. Eventually the timeout is reached and an error is thrown.
I believe Tomcat is fine as I've taken the command that it uses and ran it manually in the shell. Tomcat runs fine and I'm able to hit the web app at the expected URL. I can also hit it after it's started up and before the timeout occurs.
I've reinstalled Eclipse, I ran it with clean, I deleted/recreated the server. Nothing has worked. Anybody have any clues?
I had this issue, it seems that the Eclipse calls the application url after start up to make sure it is running.
A proxy client (pshione) had changed the system proxy so the eclipse could not call the start page and thinks that the application is not starting yet!!
I removed the proxy and it works fine now!
Edited:
This can also happen when you start your tomcat with SSL, but the ssl certification is not valid. When you make a call to and invalid SSL certification site, some browser confirm if you want to go one or not, but eclipse can not connect to your invalid ssl site! I suggest test your site with normal http instead of https.
This issue is related to a tomcat configured with HTTPS without a HTTP connector.
I had this SSL connector in server.xml and my tomcat in Eclipse is always showing Starting:
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
I suppose Eclipse uses a HTTP connection to the server to verify that instance of Tomcat is available.
I've solve this problem including an aditional HTTP connector redirecting to HTTPS in server.xml.
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
redirectPort="443"/>
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
With this change my tomcat in Eclipse starts properly showing Debugging state.
Some updates of Java cause problems with Eclipse's networking operation. Specifically, Eclipse tries to use IPv6 instead of IPv4 and sometimes fails. When Eclipse starts up Tomcat, one of the final steps that it does is tests the a debug call to Tomcat. This is likely to be the part that is hanging. Fortunately, the fix is very easy. We simply tell Eclipse to use IPv4 instead.
To do this, edit the eclipse.ini file (found in the Eclipse directory) and add the following to the end of the file on its own line:
-Djava.net.preferIPv4Stack=true
Restart Eclipse and you should be good to go.
I had the same issue, it was due to the connectors I had defined (I only had an AJP connector).
Adding an HTTP connector to Tomcat's server.xml solved the problem.
I've found the answer (just after posting here which, ironically, seems to be how to find answer's to one's own question.)
The answer was that the port was being used by another process. I should've known but upgraded several different packages will do this. But onto the symptoms:
Tomcat starts successfully. Able to hit the application before timeout.
Eclipse looks like it's unable to determine whether the server has started or stopped.
HTTP is currently running under the default of 8080. Unfortunately, my data store was listening at 8080 (my guess as I'm not particularly sure what it does with the port except that it's allocated for jmx). I'm guessing that Eclipse is unable to detect Tomcat at 8080.
I got this problem, it seems that my tomcat version was buggy (tomcat 7.0.23)
switch your tomcat version to another (i.e tomcat 7.0.14) it works for me.
good luck
This could happen if two servlets have been mapped to the same request URL, Tomcat will start up fine but eclipse won't be able to generate the correct web.xml file and therefore won't be able to publish the webApp.
Check your servlet mapping #WebServlet("\TheURLThatShouldInvokeThisServlet") make sure two servlets dont have the same "TheURLThatShouldInvokeThisServlet".
(putting it for the record!)