Closed Bug 224604 Opened 22 years ago Closed 21 years ago

Tomcat 5 SSL fails

Categories

(NSS :: Libraries, defect)

x86
Solaris
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jamesrome, Assigned: wtc)

I installed the Sun jwsdp-1.3 on my Solaris 8 machine. This installs Tomcat 5. If I enable SSL in the server.xml file (following their instructions), and I access it with Mozilla 1.4-1.6 (https://localhost:8443), after presenting the server certificate, it gets an unexpected message error -12229. The browser can be on Solaris, XP, or Linux. The pages serve up just fine with Mozilla 1.2.1 and Internet Explorer. A friend who rescued me from a week of hair-pulling tracking this down said it does not occur with Tomcat 4.1. The same problem occurred when we installed it on his RedHat server.
Assignee: general → ssaux
Component: Browser-General → Client Library
Product: Browser → PSM
QA Contact: general → bmartin
Version: Trunk → unspecified
Not sure if it's related, but the Tomcat 5 changelog mentions the following: "Add the caching flags even over a secure connection, due to Mozilla bugs (remm)" (http://jakarta.apache.org/tomcat/tomcat-5.0-doc/changelog.html). James, have you tried the latest Tomcat 5.0.14 release? Would be interesting to know which bug they faced with Mozilla exactly.
Comment 2 may not be related after all (as an Apache developer replied on your bug report: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24363).
By the way, the same problem existed in jwsdp-1.2.
If I'm calculating correctly, error code 12229 means SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT. I think we need a trace of the SSL session (created with ssltap) in order to look into the problem. Either you could try to provide the trace of a failed session yourself, or you provide a publicly accessible server that can be used to provide the problem. Once you have either, you could cc nelsonb.
Please cc misterssl@aol.com once you have provided more details or a test server.
It was error -12229. I suspect the minus sign means there is an overflow. It is very easy to reproduce this. I have done it on multiple machines. Just install jwsdp 1.3 from Sun, edit server.xml to enable SSL, issue a certificate, and go to https://localhost:8443. Unfortunately I do not have a machine that has a firewall exception. However, the error does NOT occur with the latest nightly Tomcat build. It is ONLY with jwsdp. It also occurred with version 1.2 of jwsdp. Sun is looking into it also.
> It was error -12229 I suspect the minus sign means there is an overflow.
No, all SSL error codes are negative. I disagree the setup you describe is easy to do :-) You need a machine, the software and know how to install it. In theory the reported error could also have to do with the specific certificate you are using. If you can't provide a publicly accessible server, please use SSLTAP to create a session log.
I generated a certificate as per the instructions in server.xml using openssl. How do I use SSLTAP? What is it?
Error code -12229 is SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: SSL peer was not expecting a handshake message it received. (This confirms Kai's error code calculation in comment 5.) By the way, NSS error code tables are at http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html.
Assignee: ssaux → kaie
Sun must have fixed something because I downloaded the program and installed it on my Linux machine and Mozilla could access it properly. Or else there is an issue with the install on Solaris. My home machine is at https://romeja.dyndns.org:8443. I hope I allowed it through the firewall.
The same problem occurs with Netscape 7.1 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) ) and plain Tomcat 4.1.27, with no jwsdp. Also the latest Mozilla 1.5 (the latest from Mozilla.org) and Tomcat 4.1.27. Same error. I wonder whether it is Mozilla or Tomcat....
It sounds like James (Reporter) is now happy. Is anyone else still able to reproduce this bug? If so, please send me email. If not, I will resolve this bug shortly. But first I am changing this bug's product to NSS.
Assignee: kaie → wchang0222
Component: Client Library → Libraries
Product: PSM → NSS
QA Contact: bmartin → bishakhabanerjee
Version: unspecified → 3.8
Having heard nothing further for 60 days, I'm resolving this WORKSFORME.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
Target Milestone: --- → 3.10
(In reply to comment #14)
> Having heard nothing further for 60 days, I'm resolving this WORKSFORME.
I'm using Jetty 5RC1, and I have the same problem. I've forced Jetty to use TLS,SSLv3,... and Mozilla with TLS,SSL,... always error -12229.
Fabdouglas, If you will create an SSLtap capture of the SSL/TLS connection and attach it to this bug, I will consider reopening it.
It's working well! In fact the missing AuthorityKeyId extension makes this error. Nevertheless, while debugging, after finding this, I've seen that a bad value of AuthorityKeyId makes Mozilla totally frozen at the start of the handshake. I'll post this bug with an SSLtap capture.
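The last comment attributes the -12229 failure to a server certificate without the AuthorityKeyId extension. As an added example (not code from this bug, from NSS, or from any commenter), a standard-library Python check for that extension in a DER certificate. The function names are hypothetical and the two sample certificates are constructed skeletons (version, serial and extensions only), not real signed certificates.

```python
AKI_OID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier
SKI_OID = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER TLV at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length >= 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def children(buf, start, end):  # yield each TLV inside buf[start:end]
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def extension_oids(cert_der):
    """Return the raw OID bytes of every extension in a DER certificate."""
    _, cs, ce = read_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, ts, te = next(children(cert_der, cs, ce))    # tbsCertificate
    oids = []
    for tag, vs, _ in children(cert_der, ts, te):
        if tag == 0xA3:                             # [3] EXPLICIT Extensions
            _, ls, le = read_tlv(cert_der, vs)      # SEQUENCE OF Extension
            for _, es, _ in children(cert_der, ls, le):
                _, o1, o2 = read_tlv(cert_der, es)  # extnID is the first field
                oids.append(cert_der[o1:o2])
    return oids

def has_authority_key_id(cert_der):
    return AKI_OID in extension_oids(cert_der)

def der(tag, content):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def skeleton_cert(exts):
    """Constructed skeleton (version, serial, extensions); not a signed cert."""
    body = b"".join(der(0x30, der(0x06, oid) + der(0x04, val)) for oid, val in exts)
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0xA3, der(0x30, body))
    return der(0x30, der(0x30, tbs))

SKI = (SKI_OID, der(0x04, bytes(20)))              # constructed all-zero key id
AKI = (AKI_OID, der(0x30, der(0x80, bytes(20))))   # keyIdentifier [0]
WITHOUT_AKI, WITH_AKI = skeleton_cert([SKI]), skeleton_cert([SKI, AKI])
```

For a real server certificate, convert the PEM text to DER with `ssl.PEM_cert_to_DER_cert` from the standard library and pass the result to `has_authority_key_id`.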