Liullen dev daily

Showing all posts tagged #ssl:

用 jstl 的 <c:import url> 遇到 SSL 相關的問題

Posted on March 16th, 2018

在某一個 jsp 頁面使用 jstl core 直接 import 指定位置的 url 時會有問題,例如:

<c:import url="https://ihaveapen.com/ihaveanapple" />

在 macOS 本機(Apache+Tomcat) 連到用到這樣使用的 tag 的頁面時,Tomcat 會發生 SunCertPathBuilderException
(Exception 太長放最後面)

解法:

- 透過 firefox 將目前頁面的根憑證匯出 (這邊直接拿 apache ssl 指定的根憑證應該要也可以)
- 用 keytool 匯入到執行 tomcat 用的 jre 底下的 cacerts


sudo keytool -import -alias ihergo -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home/jre/lib/security/cacerts -file wwwihergocom.crt


- 注意: 要用 sudo 權限, 且調整 cacerts 會要求輸入密碼, 預設密碼是


changeit



- 解決方法來源 stackoverflow https://stackoverflow.com/a/36427118

- Exceptions:


2018/03/16 11:43:36 [ERROR] [com.xxxxxx.mobile.web.controller.GlobalExceptionHandler@ajp-nio-8009-exec-9]_jspService(130) jsp error on:/mobile/WEB-INF/jsp/error/error.jsp
org.apache.jasper.JasperException: javax.servlet.ServletException: javax.servlet.jsp.JspException: Problem accessing the absolute URL "https://www.xxxxxx.com/mobile/ad/banner". javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:596)
...

Caused by: javax.servlet.ServletException: javax.servlet.jsp.JspException: Problem accessing the absolute URL "https://www.xxxxxx.com/mobile/ad/banner". javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:905)
... 81 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
... 84 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 107 more



在 Tomcat 關閉已被證實不安全的 SSLv3 protocol, 並改用 TLS

Posted on October 23rd, 2014

  1. 修改檔案 Tomcat7\conf\server.xml

  2. connector 增加 attribute: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" , 並拿掉 cipher 中非 TLS 的項

修改前


               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                  keystoreFile="tomcat.keystore" keystorePass="intumit"
                  ciphers="SSL_RSA_WITH_RC4_128_SHA,
                  TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />

修改後


               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                  keystoreFile="tomcat.keystore" keystorePass="intumit"
                  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

修改前 sslscan 掃描

                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | &apos;_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server 10.254.1.233 on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  DHE-RSA-AES128-SHA
    TLSv1  128 bits  DHE-RSA-AES128-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: 馬賽克
    Not valid before: Feb 19 07:35:50 2014 GMT
    Not valid after: Feb 19 07:35:50 2016 GMT
    Subject: 馬賽克
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:ad:e3:69:8a:78:d3:f3:fa:0d:60:33:ca:fe:25:
          94:9b:1e:04:85:36:10:ac:76:63:82:62:61:f8:f5:
          eb:0d:31:69:8c:80:54:91:3e:b5:a3:25:05:0a:22:
          5e:5e:b1:c9:fa:9c:a6:08:71:3c:09:dc:22:7a:ee:
          56:96:2c:b3:57:88:02:b0:9f:7b:7d:72:e7:79:bf:
          1f:d6:a0:85:3f:b0:10:c3:dc:46:86:1c:e4:51:c8:
          7c:d4:c2:fb:42:f7:6e:b3:63:f1:6c:2a:38:7a:29:
          35:16:5a:ee:ff:a2:eb:31:0b:40:7e:96:66:8f:f2:
          ac:5b:29:8b:33:74:cd:84:4b
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Subject Key Identifier:
        8B:E6:57:28:9C:DE:99:FE:A6:95:15:89:10:5C:85:AC:6F:3D:CB:90
      X509v3 Authority Key Identifier:
        keyid:0C:CE:36:BA:EB:3D:14:35:D7:C5:C3:CA:59:8B:27:81:8F:59:CD:6F

      X509v3 CRL Distribution Points:
        URI:馬賽克
        URI:馬賽克

      Authority Information Access:
        CA Issuers - URI:馬賽克
        CA Issuers - URI:馬賽克

      1.3.6.1.4.1.311.20.2:
        ...W.e.b.S.e.r.v.e.r
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Key Usage:
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
        TLS Web Server Authentication
  Verify Certificate:
    self signed certificate in certificate chain

修改後 sslscan 掃描

                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | &apos;_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server blahblah.com on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Failed    SSLv3  256 bits  ADH-AES256-SHA
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
    Failed    SSLv3  256 bits  AES256-SHA
    Failed    SSLv3  128 bits  ADH-AES128-SHA
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
    Failed    SSLv3  128 bits  AES128-SHA
    Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
    Failed    SSLv3   56 bits  ADH-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Failed    SSLv3  128 bits  ADH-RC4-MD5
    Failed    SSLv3   40 bits  EXP-ADH-RC4-MD5
    Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Failed    SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Failed    SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Failed    SSLv3  168 bits  DES-CBC3-SHA
    Failed    SSLv3   56 bits  DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-DES-CBC-SHA
    Failed    SSLv3  128 bits  IDEA-CBC-SHA
    Failed    SSLv3   40 bits  EXP-RC2-CBC-MD5
    Failed    SSLv3  128 bits  RC4-SHA
    Failed    SSLv3  128 bits  RC4-MD5
    Failed    SSLv3   40 bits  EXP-RC4-MD5
    Failed    SSLv3    0 bits  NULL-SHA
    Failed    SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Rejected  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  128 bits  DHE-RSA-AES128-SHA

SSL/TLS 設定參考資料

  1. http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher
  2. http://security.stackexchange.com/questions/19096/how-to-determine-if-a-browser-is-using-an-ssl-or-tls-connection
  3. http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
  4. https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/
  5. https://wiki.mozilla.org/Security/Server_Side_TLS

Tomcat SSL 憑證產生教學

Posted on September 4th, 2014

Step1. 建立 private key金鑰

C:\j2sdk1.4.2_05\bin>keytool -genkey -alias mykey( 別名 :可自設) -validity 720( 效期 ) -keyalg RSA -keysize 1024 -keystore tomcat.keystore(產出的 keystore檔名) -storepass mypassword( 密碼自設 ) –keypass mypassword(密碼自設)

Step 2. 輸入憑證資訊

一般名字與姓名會輸入該網站的 daman,若測試輸入localhost即可,其他資訊看客戶是否有要求,否則隨意填即可。

Step 3. 產出憑證要求的 CSR檔

C:\j2sdk1.4.2_05\bin>keytool -certreq -alias mykey(Step1 設定的別名 ) -file cert.csr(產出的csr 檔名 ) -keystore tomcat.keystore (Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )


匯出的憑證內容

Step 4. 匯入 CRE憑證檔

利用 CSR檔產回CRE 憑證檔進行匯入。
此時,請確認客戶產出 CRE檔的程式,是否有根憑證或中繼憑證,若有麻煩先匯入根憑證及中繼憑證,否則會無法匯入憑證。
方法 1: 根憑證及中繼憑證匯入Java Security ,再匯入產出的 CRE憑證檔

Step 4-1-1.匯入根憑證及中繼憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias tomcat( 別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore  %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit(jre預設密碼是 changeit)

Step 4-1-2.匯入產出的憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )

方法 2:直接匯入keystore( 依信任關係,由最上層憑證,依序往下安裝 )

Step 4-2-1.匯入根憑證及中繼憑證

C:\j2sdk1.4.2_05\bin> keytool -import -alias mykey(別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore tomcat .keystore(Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )

Step 4-2-2.匯入產出的憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )


匯入完成的訊息

Step 5.修改Tomcat server.xml 的設定

PS.

1.如果客戶是自己認證沒經過第三方大廠,匯入客戶的根憑證及中繼憑證是一定要的,不然匯不進去。
2.記得要改成 protocol="org.apache.coyote.http11.Http11Protocol" ,APR 的方式測試都不成功,等有人成功可以分享一下。
3.查詢keystore 資訊語法

keytool -list -keystore tomcat.keystore(Step1 產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )

感謝 Nick 教學

Liullen

Notes from my experience.