| Summary: | JVM crash when SSL connector is enabled | | |
|---|---|---|---|
| Product: | Tomcat Native | Reporter: | oscar <osegarra> |
| Component: | Library | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | blocker | | |
| Priority: | P2 | | |
| Version: | 1.1.20 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Windows Server 2003 | | |
| Attachments: | jvm stack trace | | |

Description
oscar
2011-06-27 11:48:42 UTC
Hi, is there any news about this bug? A big project is stopped due to this error. Thanks a lot.

> SSLCACertificateFile="${catalina.base}/conf/ssl/CA/catcert.pem"

Are you sure this is a correct path? Usually the file is named cacert.pem, not catcert.pem. If you can confirm the typo has caused the crash, it would be a good starting point in making sure it doesn't happen again.

Yes, I'm sure. It comes from Catcert (www.catcert.cat), which is our CA entity. The complete path:
C:\Tomcat 6.0\conf\ssl\CA\catcert.pem
Thanks a lot for your update.

Have you tried without setting the SSLCACertificateFile? Also, does your presidencia.key require a password?

Hi Mark, I have tried without the SSLCACertificateFile key but the system raises the same error at startup. presidencia.key does not require a password. Note that the certificate I'm using (crt + key + pem) is working correctly on another apache we have in our infrastructure. Thanks a lot.

By "another Apache" are you thinking of Apache Tomcat or Apache Http? And yes, the crash happens before the CA file. If not sensitive, can you send me those certs privately, since I never saw this kind of error.

Hi, I meant another apache web server (httpd). Where can I send you the certs? Thanks a lot.

I have found your email and I have sent you the certificates.

You have a wrong certificate format. It should be PEM, not DER like in your case. Convert it to .pem:

C:\> openssl x509 -trustout -inform DER -in presidencia.crt -outform PEM -out presidencia.pem

Then use

SSLCertificateFile="${catalina.base}/conf/ssl/presidencia.pem"

in your server.xml.

However, I'll leave this issue open, because we have some problem in reporting that error. E.g. it should throw something like openssl.exe prints out:

c:\>openssl.exe s_server -cert presidencia.crt -key presidencia.key
unable to load certificate
1448:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

instead of crashing the JVM.

Hi, transforming the certificate into .PEM format makes the system work perfectly. Thanks a lot for your quick response.

Fixed in the SVN. Like Apache Httpd's mod_ssl, the certificate will be loaded in DER format if PEM format indicates PEM_R_NO_START_LINE.
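
As an added illustration (not Tomcat Native's code or the committed fix), the load order described in the last comment can be sketched as a Python pre-flight check for a certificate file: try PEM, retry as DER only when no PEM start line is present, and otherwise return an error to the caller. The function names and sample bytes are constructed for this example, and the DER check covers only the outer SEQUENCE framing, not the X.509 contents.

```python
import base64
import binascii
import re

# PEM start/end lines for a certificate, plain or TRUSTED (as written by -trustout).
PEM_CERT = re.compile(
    rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)"
    rb"-----END (?:TRUSTED )?CERTIFICATE-----",
    re.DOTALL,
)

class CertFormatError(ValueError):
    """Reported to the caller instead of handing a bad file to the TLS layer."""

def der_sequence_len(data):
    """Encoded size of the DER SEQUENCE at the start of data, or 0 if malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return 0
    if data[1] < 0x80:                      # short-form length
        total = 2 + data[1]
    else:                                   # long form: low 7 bits = number of length bytes
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return 0
        total = 2 + n + int.from_bytes(data[2:2 + n], "big")
    return total if total <= len(data) else 0

def load_certificate(data):
    """Return (format, der_bytes). Try PEM; fall back to DER only if no start line."""
    match = PEM_CERT.search(data)
    if match:
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise CertFormatError("PEM body is not valid base64") from exc
        if not der_sequence_len(der):
            raise CertFormatError("PEM body does not start with a DER SEQUENCE")
        return "PEM", der
    # No PEM start line (the DER-file case from this report): retry as DER.
    if data and der_sequence_len(data) == len(data):
        return "DER", data
    raise CertFormatError("unable to load certificate: neither PEM nor DER")

# Constructed stand-in (SEQUENCE { INTEGER 5 }), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```
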