Hot questions for Using Ubuntu in ssl

Question:

I am currently running an instance of Tomcat8 on a ubuntu server that I installed using apt-get install tomcat8. I hosted an application and it was running fine without a SSL certificate.

Recently I bought a SSL certificate from sslcertificate.com and followed https://support.comodo.com/index.php?/Knowledgebase/Article/View/638/0/certificate-installation-java-based-web-servers-tomcat-using-keytool to install it. I was able to package it together and configure the server.xml file.

Here is what the server.xml file looks like:

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="443"
            useIPVHosts="true"/>

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="myfile.jks" keystorePass="my_pass"/>

Nothing else was changed and the server suddenly stopped working. When I try to go to my site it says that the server refused to connect. I tried to remove the changes I made to the server.xml but it's still refusing to connect.

I tried sudo lsof -i -P -n | grep LISTEN and this was the output:

sshd     1018    root    3u  IPv4  13571      0t0  TCP *:22 (LISTEN)
sshd     1018    root    4u  IPv6  13573      0t0  TCP *:22 (LISTEN)
mysqld   1083   mysql   19u  IPv4  16958      0t0  TCP 127.0.0.1:3306 
(LISTEN)
sshd     1351  ubuntu    9u  IPv6  13938      0t0  TCP [::1]:6010 (LISTEN)
sshd     1351  ubuntu   10u  IPv4  13939      0t0  TCP 127.0.0.1:6010 
(LISTEN)
sshd     2623  ubuntu    9u  IPv6  22382      0t0  TCP [::1]:6011 (LISTEN)
sshd     2623  ubuntu   10u  IPv4  22383      0t0  TCP 127.0.0.1:6011 
(LISTEN)
java     2721 tomcat8   62u  IPv4  21439      0t0  TCP 127.0.0.1:8005 
(LISTEN)

I'm not sure what is wrong. Any help is appreciated!


Answer:

Issue SOLVED.

I searched around and was able to find a solution, it was at: https://wolfpaulus.com/java/tomcat-ssl/

The server issue was fixed by the following command:

sudo setcap cap_net_bind_service+ep /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Restarted the server and everything worked!

Question:

On Ubuntu 18.04

sudo apt install openjdk-11-source

results in a ProtocolVersion.java that does not know about TLSv1.3 . Is there any way to correct that (without restrictive licencing)?


Answer:

Update

Since April 23rd 2019, Ubuntu (18.04 LTS and more recent editions) ships with a JRE/JDK version 11.0.3. For this reason, the original answer by alamar is outdated.

For reasons of curiosity, I wrote a little TLS v1.3 check tool that programmatically checks the TLS v1.3 support of a target runtime environment. This way, one can quickly spot what's going on:

public class TLS13Checker {

    public static void main(String[] args) {
        SSLContext context = null;
        try {
            KeyStore keyStore = KeyStore.getInstance("pkcs12");
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            trustManagerFactory.init(keyStore);
            TrustManager[] trustAllCerts = trustManagerFactory.getTrustManagers();
            context = SSLContext.getInstance("TLSv1.3");
            context.init(null, trustAllCerts, new SecureRandom());

            SSLParameters params = context.getSupportedSSLParameters();
            String[] protocols = params.getProtocols();
            System.out.println("Java version : " + System.getProperty("java.runtime.version"));
            boolean supportsTLSv13 = false;
            for (String protocol : protocols) {
                if ("TLSv1.3".equals(protocol)) {
                    supportsTLSv13 = true;
                    break;
                }
            }
            if(supportsTLSv13) {
                System.out.println("JRE supports TLS v1.3!");
            } else {
                System.out.println("JRE does NOT support TLS v1.3!");
            }
            String[] suites = params.getCipherSuites();
            System.out.println("A total of " + suites.length + " TLS cipher suites is supported.");

        } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
            e.printStackTrace();
            System.exit(42);
        }

    }
}

You can simply compile and run it, and the output will be similar to what I got with a recent OpenJDK environment (under MacOS):

Java version : 11.0.3+7
JRE supports TLS v1.3!
A total of 45 TLS cipher suites is supported.

In addition, this list gives an overview over all regular JSSE Cipher Suite Names. It might be helpful for reference or other (implementation) purposes.

Hope it helps.

Question:

I am facing the same problem as mentioned in this question

HTTP Status 500 - Internal Server Error on Glassfish

I do this

root@user1:~# asadmin enable-secure-admin
No command 'asadmin' found, did you mean:
 Command 'amadmin' from package 'amanda-server' (universe)
 Command 'acsadmin' from package 'ion' (universe)
asadmin: command not found

I have a Linux 16.04 and

tried this and i got another email. I appreciate if you can comment on this

glassfish4/bin/asadmin enable-secure-admin
remote failure: At least one admin user has an empty password, which secure admin does not permit. Use the change-admin-password command or the admin console to create non-empty passwords for admin accounts.
Command enable-secure-admin failed. 

Answer:

Change the password of admin this way:

asadmin --host localhost --port 4848 change-admin-password

It will prompt you with user, type "admin", admin password, retype admin password

Once this is done, enable the security with the following command:

asadmin --host localhost --port 4848 enable-secure-admin

This should fix the problem.

Resource Link: https://stackoverflow.com/a/12323491/2293534

Question:

I have a vps and I wanted to install a java server programm on it. It contains ssl but I believe that is not used for java. At least it doesn't seem really encrypted. The weird thing is that sending from the ubuntu server 2 bytes get added that I didn't specify, and some bytes change. I know need to know why it doesn't do that on windows and does on my ubuntu vps... And if it is different how to solve it.

I use printWriter and then flush to the client. and the "ISO8859-1" to encrypt the packets and those are not strings or numbers just plain bytes that I sended.

protected Socket socket;
protected BufferedReader socketIn;
protected PrintWriter socketOut;
protected LoginServer server;

public static final byte[] LOGIN_SUCCESSBYTE = {(byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00,         (byte)0x00, (byte)0x01, (byte)0xFF, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00};

this.socketOut.write(new String(LoginServer.LOGINHEADER, "ISO8859-1"));
this.socketOut.flush();
this.socketOut.write(new String(LoginServer.LOGIN_SUCCESSBYTE,"ISO8859-1"));
this.socketOut.flush();

the packet send by windows 00000000 EC 2C 4A 00 01 00 02 00 00 00 FF 00 00 00 00 00 .,J..... ........ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ......

the packet send by ubuntu 00000000 C3 AC 2C 4A 00 01 00 02 00 00 00 C3 BF 00 00 00 ..,J.... ........ 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........


Answer:

String is not a container for binary data, and Writers are for character data, not binary. Just write the bytes directly, with an OutputStream, not a Writer. Java doesn't handle packets at all, let alone differently, but it has different default character encodings on different platforms.