[Pki-users] Problems with java11

Timo Aaltonen tjaalton at ubuntu.com
Tue Jan 15 17:40:23 UTC 2019


On 15.1.2019 19.25, Endi Sukma Dewata wrote:
> ----- Original Message -----
>> On 15.1.2019 16.46, Endi Sukma Dewata wrote:
>>> Hi,
>>>
>>> The error message is not very helpful, but I think this error
>>> happens because the clientAuth in Connector has been replaced
>>> by certificateVerification in SSLHostConfig and they cannot be
>>> specified at the same time. See the following page:
>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>
>>> So try removing the clientAuth and set the certificateVerification
>>> to "required". I have not tried this myself though.
>>
>> nope, still get the same
>>
>>
>> --
>> t
>>
> 
> Could you show me the entire Connector element and its children?
> Make sure all attributes replaced by SSLHostConfig have been
> deleted from the Connector element (see the above link).


    <Connector name="Secure"
               port="8443"
               protocol="org.dogtagpki.tomcat.Http11NioProtocol"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               connectionTimeout="80000"
               keepAliveTimeout="300000"
               maxHttpHeaderSize="8192"
               acceptCount="100"
               maxThreads="150"
               minSpareThreads="25"
               enableLookups="false"
               disableUploadTimeout="true"
               enableOCSP="false"
               ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
               ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
               ocspCacheSize="1000"
               ocspMinCacheEntryDuration="7200"
               ocspMaxCacheEntryDuration="14400"
               ocspTimeout="10"
               strictCiphers="true"
               sslVersionRangeStream="tls1_1:tls1_2"
               sslVersionRangeDatagram="tls1_1:tls1_2"
               sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
               serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
               passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
               passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
               certdbDir="/var/lib/pki/pki-tomcat/alias">

        <SSLHostConfig sslProtocol="SSL"
                       certificateVerification="required"
                       trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
            <Certificate certificateKeystoreType="pkcs11"
                         certificateKeystoreProvider="Mozilla-JSS"
                         certificateKeyAlias="sslserver"/>
        </SSLHostConfig>

    </Connector>


I don't see what should be dropped from Connector..

-- 
t
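A small check for the migration Endi describes, added here as an example (it is not Dogtag, Tomcat-JSS or Tomcat code). It parses a server.xml fragment, lists the attributes that Tomcat 8.5 moved from Connector into SSLHostConfig/Certificate (the mapping follows the Tomcat 8.5 HTTP Connector page linked above), flags a connector that still carries any of them next to an explicit SSLHostConfig, and can rewrite the connector into the new shape. The server.xml fragment inside is constructed for the example; Tomcat-JSS's own attributes (serverCertNickFile, sslRangeCiphers, enableOCSP and friends) are not in the map and are left alone.

```python
"""Spot Tomcat 8.5 Connector attributes that moved into SSLHostConfig/Certificate.

Added example for this thread; not Dogtag, Tomcat-JSS or Tomcat project code.
MOVED_ATTRIBUTES follows https://tomcat.apache.org/tomcat-8.5-doc/config/http.html;
the server.xml fragment below is constructed, not taken from a real deployment.
"""
import xml.etree.ElementTree as ET

# Legacy Connector attribute -> (new parent element, new attribute name).
MOVED_ATTRIBUTES = {
    "clientAuth": ("SSLHostConfig", "certificateVerification"),
    "sslProtocol": ("SSLHostConfig", "sslProtocol"),
    "sslEnabledProtocols": ("SSLHostConfig", "protocols"),
    "ciphers": ("SSLHostConfig", "ciphers"),
    "useServerCipherSuitesOrder": ("SSLHostConfig", "honorCipherOrder"),
    "sessionCacheSize": ("SSLHostConfig", "sessionCacheSize"),
    "sessionTimeout": ("SSLHostConfig", "sessionTimeout"),
    "trustManagerClassName": ("SSLHostConfig", "trustManagerClassName"),
    "truststoreFile": ("SSLHostConfig", "truststoreFile"),
    "truststorePass": ("SSLHostConfig", "truststorePassword"),
    "truststoreType": ("SSLHostConfig", "truststoreType"),
    "truststoreProvider": ("SSLHostConfig", "truststoreProvider"),
    "crlFile": ("SSLHostConfig", "certificateRevocationListFile"),
    "keyAlias": ("Certificate", "certificateKeyAlias"),
    "keyPass": ("Certificate", "certificateKeyPassword"),
    "keystoreFile": ("Certificate", "certificateKeystoreFile"),
    "keystorePass": ("Certificate", "certificateKeystorePassword"),
    "keystoreType": ("Certificate", "certificateKeystoreType"),
    "keystoreProvider": ("Certificate", "certificateKeystoreProvider"),
}
# clientAuth used true/want/false; certificateVerification uses required/optional/none.
CLIENT_AUTH_MAP = {"true": "required", "want": "optional", "false": "none"}


def _ssl_connectors(root):
    """Yield every Connector with SSLEnabled="true"; plain HTTP connectors are skipped."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def check_connectors(server_xml):
    """Per SSL connector, report the legacy attributes still set on it.

    'conflict' is True when legacy attributes coexist with an explicit
    SSLHostConfig child, the combination the thread identifies as the cause.
    """
    reports = []
    for conn in _ssl_connectors(ET.fromstring(server_xml)):
        legacy = {a: MOVED_ATTRIBUTES[a] for a in conn.attrib if a in MOVED_ATTRIBUTES}
        has_host = conn.find("SSLHostConfig") is not None
        reports.append({"name": conn.get("name", conn.get("port", "?")),
                        "legacy": legacy,
                        "has_sslhostconfig": has_host,
                        "conflict": has_host and bool(legacy)})
    return reports


def migrate(server_xml):
    """Move legacy attributes into SSLHostConfig/Certificate and return the new XML.

    Raises ValueError rather than overwrite a value the new element already
    carries with a different setting, so a real conflict is never papered over.
    """
    root = ET.fromstring(server_xml)
    for conn in _ssl_connectors(root):
        host = conn.find("SSLHostConfig")
        if host is None:
            host = ET.SubElement(conn, "SSLHostConfig")
        cert = host.find("Certificate")
        for attr, (parent, new_name) in MOVED_ATTRIBUTES.items():
            if attr not in conn.attrib:
                continue
            value = conn.attrib.pop(attr)
            if attr == "clientAuth":
                value = CLIENT_AUTH_MAP.get(value.lower(), value)
            if parent == "Certificate":
                if cert is None:
                    cert = ET.SubElement(host, "Certificate")
                dest = cert
            else:
                dest = host
            if dest.get(new_name) not in (None, value):
                raise ValueError(f"{attr}={value!r} conflicts with {parent} "
                                 f"{new_name}={dest.get(new_name)!r}")
            dest.set(new_name, value)
    return ET.tostring(root, encoding="unicode")


def migration_error(server_xml):
    """Return the ValueError message migrate() would raise, or None if it succeeds."""
    try:
        migrate(server_xml)
    except ValueError as exc:
        return str(exc)
    return None


def ssl_host_settings(server_xml):
    """Return (SSLHostConfig attributes, Certificate attributes) of the first SSL connector."""
    conn = next(_ssl_connectors(ET.fromstring(server_xml)))
    host = conn.find("SSLHostConfig")
    cert = None if host is None else host.find("Certificate")
    return (dict(host.attrib) if host is not None else {},
            dict(cert.attrib) if cert is not None else {})


# Constructed fragment: a JSS connector that still carries pre-8.5 attributes
# next to an explicit SSLHostConfig.
SAMPLE_BEFORE = """<Service name="Catalina">
  <Connector name="Secure" port="8443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.dogtagpki.tomcat.Http11NioProtocol"
             clientAuth="true" sslProtocol="TLS"
             keyAlias="sslserver" keystoreType="pkcs11" keystoreProvider="Mozilla-JSS">
    <SSLHostConfig certificateVerification="required"
                   trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager"/>
  </Connector>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service>
"""

if __name__ == "__main__":
    for report in check_connectors(SAMPLE_BEFORE):
        print(report)
    print(migrate(SAMPLE_BEFORE))
```

Run it against the real /var/lib/pki/pki-tomcat/conf/server.xml by passing the file contents to check_connectors(); an empty "legacy" dict with "conflict": False is the state to aim for before restarting the instance. The migrate() helper deliberately refuses to merge when the Connector and the SSLHostConfig disagree (for instance clientAuth="want" beside certificateVerification="required"), since silently picking one of the two would change which clients are allowed to authenticate.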



