Hi all: Certainly late on the SHA-2 move from SHA-1 SSL certificates but ours hadn't expired yet and wasn't causing any issues. Our environment is Windows Server 2008 R2, JVM 1.6.0_22-b04 and Apache Tomcat 6.0.26
I'm testing replacement of my soon-to-expire SHA-1 certificate with a SHA-2 one. Regardless of what I give as the SSL HTTP/1.1 connector description in server.xml, I get invalid SSL conf and cipher error messages in the catalina.log file. In server.xml, in place of the ciphers= parameter, I've tried: the current line, which has worked since 2013 with the SHA-1 certificate; removing ciphers= entirely; ciphers=HIGH; ciphers=RSA; ciphers=ALL; and the same existing line but with all of the 128's as 256's.

The output in catalina.log is:

    SEVERE: Error initializing endpoint
    java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
    Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
        ... 15 more

Any resolution from others who have encountered this already, or new directions to point me in, would be appreciated.

Thanks,
John

John J. Fuchs
IACS - Lead Information Technologist
Rensselaer Polytechnic Institute
J. Bldg. Room 5202
1223 Peoples Avenue
Troy, NY 12180-3590
phone: 518.276.2079
fax: 518.276.4834
email: fuc...@rpi.edu
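An added diagnostic, not part of John's post and not Tomcat's own code. The "No available certificate or key corresponds to the SSL cipher suites which are enabled" exception is raised by JSSE's SSLServerSocketImpl.checkEnabledSuites when none of the enabled suites can be served with a key entry from the configured keystore. Two common ways to reach that state after swapping a certificate are a keystore whose new certificate was imported as a trusted-certificate entry (so there is no private key behind it) and a key whose algorithm matches none of the enabled suites (for example an EC key with an RSA-only ciphers= list). The program below loads the keystore the connector points at, lists every entry with its key and signature algorithm, and reports which of the requested suites (or this JVM's default suites, when ciphers= is absent) have a matching key entry. The class name, the requiredKeyAlgorithm heuristic and the keystore path in the usage line are mine; keystore, password and suite list are command-line arguments. One caveat on the values tried above: Tomcat's JSSE connector expects JSSE suite names such as TLS_RSA_WITH_AES_128_CBC_SHA; OpenSSL-style selectors such as HIGH, RSA or ALL are only meaningful to the APR connector.

```java
// Added diagnostic (not from the original post or from Tomcat): compares the
// key entries in a keystore with the cipher suites Tomcat would enable, the
// same kind of check JSSE performs before raising "No available certificate
// or key corresponds to the SSL cipher suites which are enabled". Written
// against Java 6 (no try-with-resources, no diamond) to match the poster's JVM.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

public class KeystoreCipherCheck {

    // Key algorithm the server certificate must carry for a suite to be
    // usable (heuristic on JSSE suite names, an assumption of this example):
    //   *_anon_*   no server certificate at all
    //   *_ECDH_*   static ECDH (ECDH_RSA, ECDH_ECDSA): EC key
    //   *_ECDSA_*  ECDHE_ECDSA: EC key
    //   *_DSS_*    DSA key
    //   *_RSA_*    RSA key (RSA, DHE_RSA, ECDHE_RSA)
    static String requiredKeyAlgorithm(String suite) {
        if (suite.contains("_anon_")) return null;
        if (suite.contains("_ECDH_")) return "EC";
        if (suite.contains("_ECDSA_")) return "EC";
        if (suite.contains("_DSS_")) return "DSA";
        if (suite.contains("_RSA_")) return "RSA";
        return null; // PSK, Kerberos, signalling suites (SCSV) and the like
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCipherCheck <keystore> <storepass> [suite1,suite2,...]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on Sun/Oracle JVMs
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }

        // 1. Inventory the keystore. Only private-key entries can serve TLS;
        //    a certificate imported under a new alias with "keytool -importcert"
        //    becomes a trusted-certificate entry and cannot.
        List<String> keyAlgs = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!ks.isKeyEntry(alias) || c == null) {
                System.out.println("cert entry  " + alias + "  (not a private-key entry; cannot serve TLS)");
                continue;
            }
            String alg = c.getPublicKey().getAlgorithm();
            keyAlgs.add(alg);
            String detail = "";
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                detail = "  sigalg=" + x.getSigAlgName() + "  notAfter=" + x.getNotAfter();
            }
            System.out.println("key entry   " + alias + "  keyalg=" + alg + detail);
        }

        // 2. Suites to check: the ciphers= list from server.xml if given,
        //    otherwise what this JVM enables by default (ciphers= absent).
        String[] suites;
        if (args.length > 2) {
            suites = args[2].split(",");
        } else {
            SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            suites = f.getDefaultCipherSuites();
        }

        // 3. A suite is usable only if some key entry has the algorithm it needs.
        int usable = 0;
        for (int i = 0; i < suites.length; i++) {
            String s = suites[i].trim();
            String need = requiredKeyAlgorithm(s);
            if (need == null) {
                System.out.println("n/a   " + s);
                continue;
            }
            boolean ok = keyAlgs.contains(need);
            if (ok) usable++;
            System.out.println((ok ? "OK    " : "NONE  ") + s + "  (needs " + need + " key)");
        }
        System.out.println(usable + " of " + suites.length + " suites have a matching key entry");
        if (usable == 0) System.exit(1); // exactly the state that produces the JSSE error
    }
}
```

Run it with the same JVM that starts Tomcat, pointing at the keystoreFile and keystorePass from the connector element, for example `java KeystoreCipherCheck C:\tomcat\conf\keystore.jks changeit TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA` (path and password are placeholders). If the output shows only "cert entry" lines, the SHA-2 certificate was imported without its private key and must instead be imported into the alias that already holds the key (or the key and new chain re-imported together from a PKCS#12 file); if a key entry is listed but every suite reports NONE, the key algorithm and the suite list disagree.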