Incorrect certificate installation

Support for security such as Firewalls and securing linux
Post Reply
fern
Posts: 2
Joined: 2015/08/21 17:15:50

Incorrect certificate installation

Post by fern » 2015/08/21 21:50:02

Hello all,
We are working in a CentOS which have the following characteristic:

Operating system CentOS Linux 5.5
Webmin version 1.510
Kernel and CPU Linux 2.6.18-194.3.1.el5xen on i686
Processor information Intel(R) Xeon(TM) CPU 3.20GHz, 1 cores

Over this OS we have tomcat 7 running for several domains in the path:

Using CATALINA_BASE: /usr/local/software/tomcat7
Using CATALINA_HOME: /usr/local/software/tomcat7

there we have some applications runing, then I have installed a certificate which I have acquired from CA GoDaddy. This installation was made in a wrong way by misunderstanding, I have installed as root a wrong certificate, then I have deleted the certificates (root, intermediate & Primary) and after that I have installed the correct ones, when I list my keystore I can see:

CMD:-list -keystore myKeyStore.jks

ASW:Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX
tomcat, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX
intermed, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX

But when I try to check if certificates work properly I'm getting errors which I don't understand.

I have test certificate installation as follow (command CMD / answer ASW):

CMD: echo "" | openssl s_client -state -showcerts -connect www.latiendamiga.com:443

ASW: CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
4721:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

CMD: echo "" | openssl s_client -nbio_test -showcerts -connect www.latiendamiga.com:443

ASW: CONNECTED(00000003)
write W BLOCK
write W BLOCK
write W BLOCK
write W BLOCK
write W BLOCK
write W BLOCK
4728:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

CMD: echo "" | openssl s_client -msg -showcerts -connect www.latiendamiga.com:443

ASW: CONNECTED(00000003)
>>> SSL 2.0 [length 0077], CLIENT-HELLO
01 03 01 00 4e 00 00 00 20 00 00 39 00 00 38 00
00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04
01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00
00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00
03 02 00 80 00 00 ff 93 fc 24 f4 45 d0 ec bf 2d
3d 4d ae 59 e8 77 1d 6c 04 5f 59 0d 5b 19 a2 c3
78 74 06 fc ab 4a 72
4732:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

CMD: echo "" | openssl s_client -debug -showcerts -connect www.latiendamiga.com:443

ASW: CONNECTED(00000003)
write to 0x90372f8 [0x90b5528] (121 bytes => 121 (0x79))
0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00 .w....N... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 @...............
0050 - 00 00 03 02 00 80 00 00-ff 97 5c 69 fd 61 9d 2e ..........\i.a..
0060 - e5 58 60 d5 83 9b 1a 70-ce 3c b2 0e b3 3b 03 31 .X`....p.<...;.1
0070 - 0d 02 16 09 1f 76 eb d2-7f .....v...
read from 0x90372f8 [0x90baa88] (7 bytes => 0 (0x0))
4737:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

CMD: echo "" | openssl s_client -showcerts -showcerts -connect www.latiendamiga.com:443

ASW: CONNECTED(00000003)
4742:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

CMD: echo "" | openssl s_client -key myKeyStore.jks -state -showcerts -connect www.latiendamiga.com:443

ASW: unable to load client certificate private key file
4762:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
-bash: echo: write error: Broken pipe

CMD: echo "" | openssl s_client -verify depth -state -showcerts -connect www.latiendamiga.com:443

ASW: verify depth is 0
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
4770:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

CMD: echo "" | openssl s_client -nbio -state -showcerts -connect www.latiendamiga.com:443

ASW: CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
4774:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:142:

CMD: openssl s_client -ssl3 -connect www.latiendamiga.com:443 -prexit

ASW: CONNECTED(00000003)
4810:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
Start Time: 1440220364
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

Regarding environment configuration it are as follow:

/usr/local/software/tomcat7/conf/server.xml

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25" port="443" keystoreFile="/etc/webmin/myKeyStore.jks" keystorePass="mypass" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

/usr/local/software/tomcat7/conf/web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>Automatic SSL Forward</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>
CONFIDENTIAL
</transport-guarantee>
</user-data-constraint>
</security-constraint>

I need some help to understand what is wrong and what I must to do to fix it.

Please, could somebody tell me if there are any documentation where I can search for a solution or how I could check what is wrong?


Thanks in advance.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Incorrect certificate installation

Post by gerald_clark » 2015/08/21 22:19:17

CentOS 5.5 is years out of support and has many exploits.
You need to 'yum update' to CentOS 5.11.
Then see if you still have a problem.

fern
Posts: 2
Joined: 2015/08/21 17:15:50

Re: Incorrect certificate installation

Post by fern » 2015/08/22 06:53:34

Thanks gerald_clark, we will work in this way and will be back if it fix the issue to share with community.

aks
Posts: 2524
Joined: 2014/09/20 11:22:14

Re: Incorrect certificate installation

Post by aks » 2015/08/22 13:58:04

Are you using APR with your tomcat?

Post Reply