From 99736eb6e8baf025ff723deaf75a1feb421c793d Mon Sep 17 00:00:00 2001 From: markt Date: Fri, 8 Dec 2006 03:37:17 +0000 Subject: [PATCH] Port fix for bug 41051. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk@483810 13f79535-47bb-0310-9956-ffa450edef68 --- webapps/docs/config/http.xml | 40 ++++++++++++++++++++++++++++------------ webapps/docs/ssl-howto.xml | 29 +++++++++++++++++++++++++---- 2 files changed, 53 insertions(+), 16 deletions(-) diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index b53373ce7..9aa5640c3 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml @@ -444,23 +444,20 @@ -

The certificate encoding algorithm to be used. If not - specified, the default value is SunX509.

+

The certificate encoding algorithm to be used. This defaults to the Sun + implementation (SunX509). For IBM JVMs you should use the + value IbmX509. For other vendors, consult the JVM + documentation for the correct value.

Set to true if you want the SSL stack to require a - valid certificate chain from the client before - accepting a connection. - Set to want if you - want the SSL stack to request a client - Certificate, but - not fail if one isn't presented. A false + valid certificate chain from the client before accepting a connection. + Set to want if you want the SSL stack to request a client + Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain - unless - the client requests a resource protected by a security - constraint - that uses CLIENT-CERT authentication. See the + unless the client requests a resource protected by a security + constraint that uses CLIENT-CERT authentication. See the SSL HowTo for an example.

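Review bot: the clientAuth paragraph in this hunk changes only line wrapping, not wording, so it adds noise to a port whose real content is the new algorithm text; keeping whitespace-only reflows out of a bug-fix port makes the change easier to review and to backport. For the algorithm text itself, the new sentence tells IBM users to pick IbmX509 but gives other readers no way to discover the right name; a pointer to where a JVM lists its security provider algorithm names would make "consult the JVM documentation for the correct value" actionable.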
@@ -492,6 +489,25 @@ If not specified, then any available cipher may be used.

+ +

The alias used to for the server certificate in the keystore. If not + specified the first key read in the keystore will be used.

+
+ + +

The TrustStore file to use to validate client certificates.

+
+ + +

The password to access the TrustStore. This defaults to the value + of keystorePass.

+
+ + +

Add this element if your are using a different format for the + TrustStore then you are using for the KeyStore.

+
+

For more information, see the diff --git a/webapps/docs/ssl-howto.xml b/webapps/docs/ssl-howto.xml index 1a927c111..086c4abeb 100644 --- a/webapps/docs/ssl-howto.xml +++ b/webapps/docs/ssl-howto.xml @@ -183,6 +183,14 @@ The PKCS12 format is an internet standard, and can be manipulated via (among other things) OpenSSL and Microsoft's Key-Manager.

+

Each entry in a keystore is identified by an alias string. Whilst many +keystore implmentations treat alaises in a case insensitive manner, case +sensitive implementations are available. The PKCS11 specification, +for example, requires that aliases are case sensitive. To avoid issues related +to the case sensitivity of aliaises, it is not recommended to use aliases that +differ only in case. +

+

To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about keytool. Note that openssl often adds a readable comments before the key, keytooldoes not support that, so remove the openssl comments if they exist before importing the key using keytool. @@ -424,8 +432,8 @@ values, depending on how you configured your keystore earlier:

keystoreType - Add this element if using a PKCS12 keystore. The valid values are - JKS and PKCS12. + Add this element if using a keystore type other than + JKS. sslProtocol @@ -460,8 +468,7 @@ values, depending on how you configured your keystore earlier:

truststoreType Add this element if your are using a different format for the - TrustStore then you are using for the KeyStore. The valid values are - JKS and PKCS12. + TrustStore then you are using for the KeyStore. keyAlias @@ -581,6 +588,20 @@ SSL communications, and what to do about them.

file. REMINDER - Passwords are case sensitive!

+
  • When Tomcat starts up, I get an exception like + "java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No + available certificate or key corresponds to the SSL cipher suites which are + enabled." +
    +

    A likely explanation is that Tomcat cannot find the alias for the server + key withinthe specified keystore. Check that the correct + keystoreFile and keyAlias are specified in the + <Connector> element in the + Tomcat configuration file. + REMINDER - keyAlias values may be case + sensitive!

    +
  • +

    If you are still having problems, a good source of information is the -- 2.11.0
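Review bot: in the http.xml hunk adding the keyAlias and truststore* attributes, the new keyAlias text reads "The alias used to for the server certificate" (drop "to"), and the truststoreType text has "if your are using" and "then you are using" (should be "you are" and "than"). The truststoreFile entry does not say what happens when it is omitted, unlike truststorePass, which documents its fallback to keystorePass; please state the default. The keyAlias fallback "the first key read in the keystore will be used" leaves the choice of key up to keystore ordering, so recommending an explicit keyAlias whenever the keystore holds more than one key would be the safer guidance.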
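Review bot: in the ssl-howto.xml hunk on alias case sensitivity, "implmentations", "alaises" and "aliaises" are misspelled; the sentences should read "Whilst many keystore implementations treat aliases in a case insensitive manner" and "To avoid issues related to the case sensitivity of aliases". The advice is sound; it would be stronger if it also said that the keyAlias value given in the Connector must match the case used in the keystore, which is exactly what the new FAQ entry later in this patch assumes.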
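Review bot: the keystoreType hunk removes the explicit list of valid values ("JKS and PKCS12") without replacing it with a pointer to where the supported types are listed; since the patch now discusses PKCS11 keystores in the same file, a sentence naming the types the JVM provides, or a reference to the attribute description in the http.xml connector page, would keep the option discoverable.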
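Review bot: the truststoreType hunk in ssl-howto.xml keeps the same "your are using" / "then you are using" wording as the http.xml copy, so both need the same fix ("you are", "than"); since the two pages now carry an identical sentence, consider having one refer to the other rather than maintaining the text twice.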
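Review bot: in the new FAQ entry, "withinthe" is missing a space, and the quoted exception text "SSL handshake errorjavax.net.ssl.SSLException" runs two messages together; if that is how the message really appears in the log, leave it, otherwise separate them so readers can match what they see. The entry names a missing or mis-cased keyAlias as the likely cause but stops there; adding that the available aliases can be checked by listing the configured keystoreFile with keytool (already referenced earlier in this document) would give readers a concrete verification step.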