views: 348
answers: 0

Has anyone tried getting Tomcat to use SSL-J? I'm trying to set up Tomcat to use SSL-J for its SSL sockets, but I'm having trouble getting things to work and I don't see anything helpful in the SSL-J documentation. Things work fine when Sun's default JSSE provider is used. Any help would be greatly appreciated.

Using: Java 1.6.0_13, Tomcat 5.5.27, RSA BSAFE SSL-J 5.0.2

Here is what I've done so far to set things up:

  • I've put the following jars required by SSL-J into [JRE_HOME]/ext/lib: certj.jar, jsafe.jar, jsafeJCE.jar, and sslj.jar.
  • I've edited the list of security providers in [JRE_HOME]/lib/security/java.security to be the following:

    security.provider.1=com.rsa.jsafe.provider.JsafeJCE
    security.provider.2=com.rsa.jsse.JsseProvider
    security.provider.3=sun.security.provider.Sun
    security.provider.4=sun.security.rsa.SunRsaSign
    security.provider.5=com.sun.net.ssl.internal.ssl.Provider
    security.provider.6=com.sun.crypto.provider.SunJCE
    security.provider.7=sun.security.jgss.SunProvider
    security.provider.8=com.sun.security.sasl.Provider
    security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.10=sun.security.smartcardio.SunPCSC
    security.provider.11=sun.security.mscapi.SunMSCAPI

I would think this would be enough. The required jar files are on the classpath, and the RSA JSSE provider has a higher priority than Sun's. With this setup, Tomcat starts up without error, and, by debugging into the class org.apache.tomcat.util.net.jsse.JSSE14SocketFactory, I can see that the RSA SSL-J provider is used for the SSLServerSocketFactory.

However, when I try to connect with Firefox 3.0.14, it shows the "Page Load Error" page with the following:

  SSL peer rejected a handshake message for unacceptable content.

  (Error code: ssl_error_illegal_parameter_alert)

On the server side, the following is logged when the -Djavax.net.debug=all system property is set.

***Session invalidated: 
[Session ID [
  0000: 5e c1 f3 b9 3f 03 0a 2e df d5 27 92 a7 f5 96 89 [^...?.....'.....]
  0010: e3 2a 95 ed c7 39 a4 3e 0d 51 27 f3 1e 0a 67 ac [.*...9.>.Q'...g.]
], TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
***SEND Alert Fatal, Illegal Parameter

Is there something missing in my setup? I would think just specifying SSL-J as the default JSSE provider would be all that is needed.
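A small diagnostic that answers the question the post is really asking (which JSSE provider actually serves TLS once the `java.security` order is changed) is below. It is an added example, not code from the original post or from RSA; it uses only the provider class names the post lists, loads them reflectively so it still compiles and runs without the SSL-J jars on the classpath, and prints the provider order, the provider that wins the `SSLContext("TLS")` lookup, the concrete class behind the default `SSLServerSocketFactory`, and the default and supported cipher suites. The `--insert` flag and the `JsseProviderCheck` class name are assumptions for illustration; everything else is standard JCA/JSSE API available in Java 1.6.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Reports which JSSE provider backs TLS in this JVM and which cipher suites
 * it enables. Added diagnostic example; not part of the original post.
 *
 * Run with the same JRE and classpath Tomcat uses, e.g.
 *   java -cp .:certj.jar:jsafe.jar:jsafeJCE.jar:sslj.jar JsseProviderCheck
 * and, to test the provider order without editing java.security,
 *   java -cp ... JsseProviderCheck --insert
 */
public class JsseProviderCheck {

    // Provider class names exactly as they appear in the post's java.security edit.
    static final String RSA_JCE_PROVIDER  = "com.rsa.jsafe.provider.JsafeJCE";
    static final String RSA_JSSE_PROVIDER = "com.rsa.jsse.JsseProvider";

    /** Register a provider at the given priority if its class can be loaded. */
    static boolean insertProvider(String className, int position) {
        try {
            Provider p = (Provider) Class.forName(className).newInstance();
            if (Security.getProvider(p.getName()) == null) {
                Security.insertProviderAt(p, position);
            }
            return true;
        } catch (Exception e) { // ClassNotFoundException etc.: jars not on the classpath
            System.err.println("Could not load " + className + ": " + e);
            return false;
        }
    }

    /** Suites the factory supports but does not enable by default. */
    static List<String> supportedButNotDefault(SSLServerSocketFactory ssf) {
        List<String> extra = new ArrayList<String>(Arrays.asList(ssf.getSupportedCipherSuites()));
        extra.removeAll(Arrays.asList(ssf.getDefaultCipherSuites()));
        return extra;
    }

    public static void main(String[] args) throws Exception {
        // Optional: force SSL-J ahead of Sun's providers programmatically (assumed flag).
        if (args.length > 0 && "--insert".equals(args[0])) {
            insertProvider(RSA_JCE_PROVIDER, 1);
            insertProvider(RSA_JSSE_PROVIDER, 2);
        }

        System.out.println("Installed providers, in priority order:");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("  " + (i + 1) + ". " + providers[i].getName() + " "
                    + providers[i].getVersion() + " (" + providers[i].getClass().getName() + ")");
        }

        // The provider that wins the "TLS" lookup is the one Tomcat's JSSE socket
        // factory gets unless a connector attribute names a different algorithm/provider.
        SSLContext ctx = SSLContext.getInstance("TLS");
        System.out.println("\nSSLContext(\"TLS\") is served by: " + ctx.getProvider().getName());

        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        System.out.println("Default SSLServerSocketFactory class: " + ssf.getClass().getName());

        System.out.println("\nDefault (enabled) cipher suites:");
        for (String suite : ssf.getDefaultCipherSuites()) {
            System.out.println("  " + suite);
        }
        System.out.println("\nSupported but not enabled by default:");
        for (String suite : supportedButNotDefault(ssf)) {
            System.out.println("  " + suite);
        }
    }
}
```

Running this once with the stock `java.security` and once with the edited one (or with `--insert`) makes the provider switch visible without stepping through `JSSE14SocketFactory` in a debugger. The cipher-suite lists are worth comparing between the two providers as well: the debug log above shows the server had selected `TLS_DHE_RSA_WITH_AES_256_CBC_SHA` before it sent the Illegal Parameter alert, so knowing which suites each provider enables narrows down where the handshake diverges.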