Bill Digman is a Java EE / Servlet enthusiast and Open Source enthusiast who loves working with Caucho's Resin Servlet Container, a Java EE Web Profile Servlet Container. Bill has posted 12 posts at DZone.

Setting up OpenSSL with Resin 4.0.32 on Ubuntu 12.0.4

02.13.2013

Testing your OpenSSL setup if something goes wrong

If for some reason OpenSSL is not working, then you can use the tools that ship with OpenSSL to verify your setup.

Open up two terminals.

$ cd /etc/resin/keys
$ sudo openssl s_server -accept 9999 -key myprivate.key -cert my-self-signed-certificate.crt

The above starts a TLS server listening on port 9999 that uses the key and certificate you just generated.

See http://www.openssl.org/docs/apps/s_server.html for more details.

Now, in a separate terminal window, connect to this test server.

$ openssl s_client -connect localhost:9999
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = Caucho Tech, OU = QA Documentation, CN = www.caucho.com, emailAddress = info@caucho.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
   i:/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICsTCCAhoCCQCbeymZWYc9lzANBgkqhkiG9w0BAQUFADCBnDELMAkGA1UEBhMC
VVABCDEFGNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRQwEgYDVQQK
EwtDYXVjaG8gVGVjaDEZMBcGA1UECxMQUUEgRG9jdW1lbnRhdGlvbjEXMBUGA1UE
AxMOd3d3LmNhdWNoby5jb20xHjAcBgkqhkiG9w0BCQEWD2luZm9AY2F1Y2hvLmNv
bTAeFw0xMzAxMTcyMDU2MjhaFw0xMzAyMTYyMDU2MjhaMIGcMQswCQYDVQQGEwJV
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
issuer=/C=US/ST=CA/L=San Francisco/O=Caucho Tech/OU=QA Documentation/CN=www.caucho.com/emailAddress=info@caucho.com
---
No client certificate CA names sent
---
SSL handshake has read 1246 bytes and written 376 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 07C6B7627821D29E814F069D2C7Casdfasdfasdfasdfasdfasdfasdfasdf
    Session-ID-ctx: 
    Master-Key: C38B943A0E5570A2662695ABCDEFlkjalkj;lkjl;kjasdlfkjasdlkfjasl;kdfjalksdjf
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 71 24 62 44 f1 c0 bc 95-8f e7 04 FF 73 c1 5c de   q$bD...00...s.\.
    0010 - 13 54 e8 f3 20 1d 2b 82-e8 83 05 62 4d 46 f9 3c   .T.. .+....bMF.<
...
    0040 - db 2b 3f d3 fa 7d b9 04-9f 65 95 d8 bb 10 d3 ca   .+?..}...e......
    0050 - 47 79 cf 0c 65 67 e5 5f-90 4e a5 43 c7 b0 31 bb   Gy..eg._.N.C..1.
    0060 - f3 9b a4 c4 72 9c 24 18-5b 7a 90 63 4f 25 35 2c   ....r.$.[z.cO%5,
   ...
    Compression: 1 (zlib compression)
    Start Time: 1358459991
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

See http://www.openssl.org/docs/apps/s_client.html for more details.
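The two-terminal check above, as an added shell example that is not part of the original post. It generates a throwaway self-signed key and certificate (standing in for the myprivate.key and my-self-signed-certificate.crt produced earlier), confirms that the key really belongs to the certificate before either is wired into Resin, checks that the certificate is self-signed (the cause of verify error 18 in the transcript), and then repeats the s_server / s_client round trip from one shell by feeding `Q` to s_client so it closes after the handshake. The temporary directory, port 19999 and the subject fields are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate a throwaway
# self-signed key/certificate, confirm they belong together, then repeat the
# s_server / s_client round trip without a second terminal.
# The work directory, port and subject fields below are constructed for
# this example and stand in for /etc/resin/keys and port 9999 in the post.
set -eu

WORK="$(mktemp -d)"
KEY="$WORK/myprivate.key"
CRT="$WORK/my-self-signed-certificate.crt"
PORT=19999

# Create a 2048-bit RSA key and a one-day self-signed certificate for it.
make_test_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example/CN=localhost" \
        -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
}

# Resin's openssl_key must be the private key for openssl_file. Derive the
# public key from each file and compare them; prints "match" or "mismatch".
key_matches_cert() {
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    crt_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
    if [ "$key_pub" = "$crt_pub" ]; then echo match; else echo mismatch; fi
}

# A self-signed certificate names itself as issuer, which is why s_client
# reports verify error 18; prints "yes" or "no".
is_self_signed() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Start s_server in the background, connect once with s_client ('Q' on stdin
# closes the session after the handshake), print the numeric "Verify return
# code" from the first session block, then stop the server.
handshake_verify_code() {
    openssl s_server -accept "$PORT" -key "$KEY" -cert "$CRT" -quiet \
        >/dev/null 2>&1 &
    srv=$!
    out=""
    # The server needs a moment to bind; retry the client a few times.
    for i in 1 2 3 4 5 6 7 8 9 10; do
        out="$(printf 'Q\n' | openssl s_client -connect "127.0.0.1:$PORT" 2>/dev/null || true)"
        case "$out" in *"Verify return code"*) break ;; esac
        sleep 1
    done
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

main() {
    make_test_keypair
    echo "key matches certificate: $(key_matches_cert "$KEY" "$CRT")"
    echo "self-signed:             $(is_self_signed "$CRT")"
    echo "s_client verify code:    $(handshake_verify_code)"
    echo "test files left in $WORK"
}

main
```

A verify return code of 18 here is the expected result for a self-signed certificate and is not a handshake failure; a code of 0 would only appear once the certificate is signed by a CA the client trusts. The example deliberately generates a 2048-bit key, whereas the transcript above shows a 1024-bit server key; 2048 bits is the smallest RSA size current guidance treats as acceptable, so the key-size line in the s_client output is worth checking as well.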

To try this out in Resin, you just need to modify etc/resin/resin.properties as follows:

# OpenSSL certificate configuration
# Keys are typically stored in the resin configuration directory.
openssl_file : keys/my-self-signed-certificate.crt
openssl_key : keys/myprivate.key
openssl_password : password

Just navigate to:

https://mydomain.com:8443/resin-admin/

It should all work now. The browser will complain because the certificate was not issued by a certificate authority it trusts. Proceed past these errors.

GoDaddy is becoming a popular SSL certificate authority because it is a low-cost alternative. Let's use GoDaddy to set up a real SSL certificate to show how it is done.

___________________________________________________


Caucho's Resin OpenSource Servlet Container

Java EE Web Profile Servlet Container

Caucho's Resin 4.0 JCache blog post

Published at DZone with permission of its author, Bill Digman.
