Liullen dev daily

Showing all posts tagged #tomcat:

用 jstl 的 <c:import url> 遇到 SSL 相關的問題

Posted on March 16th, 2018

在某一個 jsp 頁面使用 jstl core 直接 import 指定位置的 url 時會有問題,例如:

<c:import url="https://ihaveapen.com/ihaveanapple" />

在 macOS 本機(Apache+Tomcat) 連到用到這樣使用的 tag 的頁面時,Tomcat 會發生 SunCertPathBuilderException
(Exception 太長放最後面)

解法:

- 透過 firefox 將目前頁面的根憑證匯出 (這邊直接拿 apache ssl 指定的根憑證應該要也可以)
- 用 keytool 匯入到執行 tomcat 用的 jre 底下的 cacerts


sudo keytool -import -alias ihergo -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home/jre/lib/security/cacerts -file wwwihergocom.crt


- 注意: 要用 sudo 權限, 且調整 cacerts 會要求輸入密碼, 預設密碼是


changeit



- 解決方法來源 stackoverflow https://stackoverflow.com/a/36427118

- Exceptions:


2018/03/16 11:43:36 [ERROR] [com.xxxxxx.mobile.web.controller.GlobalExceptionHandler@ajp-nio-8009-exec-9]_jspService(130) jsp error on:/mobile/WEB-INF/jsp/error/error.jsp
org.apache.jasper.JasperException: javax.servlet.ServletException: javax.servlet.jsp.JspException: Problem accessing the absolute URL "https://www.xxxxxx.com/mobile/ad/banner". javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:596)
...

Caused by: javax.servlet.ServletException: javax.servlet.jsp.JspException: Problem accessing the absolute URL "https://www.xxxxxx.com/mobile/ad/banner". javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:905)
... 81 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
... 84 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
... 107 more



apache mod_jk @ MacOS Worker 設定問題

Posted on March 14th, 2017

在 mod_jk 的 log 發現 localhost 無法解析等相關錯誤訊息

嘗試把 workers.properties 中連到 tomcat 的 IP(port 8009那個) 從 localhost 改為 127.0.0.1 後

就可以讓 Apache 的 mod_jk 和 tomcat 順利整合了


P.S. 猜測可能原因: tomcat listen 的 ip 只有 127.0.0.1 並不包含 localhost

Tomcat 弱點 Apache Tomcat Default Error Page Version Detection 與修復方式

Posted on November 7th, 2014

該弱點 Apache Tomcat Default Error Page Version Detection
意思是在 tomcat 的預設錯誤頁會呈現 Tomcat 版本, 可能讓攻擊者得知該版本有什麼弱點並藉此攻擊

這個弱點修復要替換 jar 檔 catalina.jar 中的檔案: org/apache/catalina/util/ServerInfo.properties

原本這行是: server.info=Apache Tomcat/7.042

把版本號拿掉變成: server.info=Apache Tomcat

如附件截圖, 修改後就不會在 Default Error Page 出現 Tomcat 版本


在 Tomcat 關閉已被證實不安全的 SSLv3 protocol, 並改用 TLS

Posted on October 23rd, 2014

  1. 修改檔案 Tomcat7\conf\server.xml

  2. connector 增加 attribute: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" , 並拿掉 cipher 中非 TLS 的項

修改前


               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                  keystoreFile="tomcat.keystore" keystorePass="intumit"
                  ciphers="SSL_RSA_WITH_RC4_128_SHA,
                  TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />

修改後


               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                  keystoreFile="tomcat.keystore" keystorePass="intumit"
                  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

修改前 sslscan 掃描

                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | &apos;_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server 10.254.1.233 on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  DHE-RSA-AES128-SHA
    TLSv1  128 bits  DHE-RSA-AES128-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: 馬賽克
    Not valid before: Feb 19 07:35:50 2014 GMT
    Not valid after: Feb 19 07:35:50 2016 GMT
    Subject: 馬賽克
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:ad:e3:69:8a:78:d3:f3:fa:0d:60:33:ca:fe:25:
          94:9b:1e:04:85:36:10:ac:76:63:82:62:61:f8:f5:
          eb:0d:31:69:8c:80:54:91:3e:b5:a3:25:05:0a:22:
          5e:5e:b1:c9:fa:9c:a6:08:71:3c:09:dc:22:7a:ee:
          56:96:2c:b3:57:88:02:b0:9f:7b:7d:72:e7:79:bf:
          1f:d6:a0:85:3f:b0:10:c3:dc:46:86:1c:e4:51:c8:
          7c:d4:c2:fb:42:f7:6e:b3:63:f1:6c:2a:38:7a:29:
          35:16:5a:ee:ff:a2:eb:31:0b:40:7e:96:66:8f:f2:
          ac:5b:29:8b:33:74:cd:84:4b
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Subject Key Identifier:
        8B:E6:57:28:9C:DE:99:FE:A6:95:15:89:10:5C:85:AC:6F:3D:CB:90
      X509v3 Authority Key Identifier:
        keyid:0C:CE:36:BA:EB:3D:14:35:D7:C5:C3:CA:59:8B:27:81:8F:59:CD:6F

      X509v3 CRL Distribution Points:
        URI:馬賽克
        URI:馬賽克

      Authority Information Access:
        CA Issuers - URI:馬賽克
        CA Issuers - URI:馬賽克

      1.3.6.1.4.1.311.20.2:
        ...W.e.b.S.e.r.v.e.r
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Key Usage:
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
        TLS Web Server Authentication
  Verify Certificate:
    self signed certificate in certificate chain

修改後 sslscan 掃描

                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | &apos;_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server blahblah.com on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Failed    SSLv3  256 bits  ADH-AES256-SHA
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
    Failed    SSLv3  256 bits  AES256-SHA
    Failed    SSLv3  128 bits  ADH-AES128-SHA
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
    Failed    SSLv3  128 bits  AES128-SHA
    Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
    Failed    SSLv3   56 bits  ADH-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Failed    SSLv3  128 bits  ADH-RC4-MD5
    Failed    SSLv3   40 bits  EXP-ADH-RC4-MD5
    Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Failed    SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Failed    SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Failed    SSLv3  168 bits  DES-CBC3-SHA
    Failed    SSLv3   56 bits  DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-DES-CBC-SHA
    Failed    SSLv3  128 bits  IDEA-CBC-SHA
    Failed    SSLv3   40 bits  EXP-RC2-CBC-MD5
    Failed    SSLv3  128 bits  RC4-SHA
    Failed    SSLv3  128 bits  RC4-MD5
    Failed    SSLv3   40 bits  EXP-RC4-MD5
    Failed    SSLv3    0 bits  NULL-SHA
    Failed    SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Rejected  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  128 bits  DHE-RSA-AES128-SHA

SSL/TLS 設定參考資料

  1. http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher
  2. http://security.stackexchange.com/questions/19096/how-to-determine-if-a-browser-is-using-an-ssl-or-tls-connection
  3. http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
  4. https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/
  5. https://wiki.mozilla.org/Security/Server_Side_TLS

Tomcat SSL 憑證產生教學

Posted on September 4th, 2014

Step1. 建立 private key金鑰

C:\j2sdk1.4.2_05\bin>keytool -genkey -alias mykey( 別名 :可自設) -validity 720( 效期 ) -keyalg RSA -keysize 1024 -keystore tomcat.keystore(產出的 keystore檔名) -storepass mypassword( 密碼自設 ) –keypass mypassword(密碼自設)

Step 2. 輸入憑證資訊

一般名字與姓名會輸入該網站的 daman,若測試輸入localhost即可,其他資訊看客戶是否有要求,否則隨意填即可。

Step 3. 產出憑證要求的 CSR檔

C:\j2sdk1.4.2_05\bin>keytool -certreq -alias mykey(Step1 設定的別名 ) -file cert.csr(產出的csr 檔名 ) -keystore tomcat.keystore (Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )


匯出的憑證內容

Step 4. 匯入 CRE憑證檔

利用 CSR檔產回CRE 憑證檔進行匯入。
此時,請確認客戶產出 CRE檔的程式,是否有根憑證或中繼憑證,若有麻煩先匯入根憑證及中繼憑證,否則會無法匯入憑證。
方法 1: 根憑證及中繼憑證匯入Java Security ,再匯入產出的 CRE憑證檔

Step 4-1-1.匯入根憑證及中繼憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias tomcat( 別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore  %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit(jre預設密碼是 changeit)

Step 4-1-2.匯入產出的憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )

方法 2:直接匯入keystore( 依信任關係,由最上層憑證,依序往下安裝 )

Step 4-2-1.匯入根憑證及中繼憑證

C:\j2sdk1.4.2_05\bin> keytool -import -alias mykey(別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore tomcat .keystore(Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )

Step 4-2-2.匯入產出的憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )


匯入完成的訊息

Step 5.修改Tomcat server.xml 的設定

PS.

1.如果客戶是自己認證沒經過第三方大廠,匯入客戶的根憑證及中繼憑證是一定要的,不然匯不進去。
2.記得要改成 protocol="org.apache.coyote.http11.Http11Protocol" ,APR 的方式測試都不成功,等有人成功可以分享一下。
3.查詢keystore 資訊語法

keytool -list -keystore tomcat.keystore(Step1 產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )

感謝 Nick 教學

Liullen

Notes from my experience.