2014-12-18 4:12 GMT+03:00 Mike Wertheim <m...@hyperreal.org>:
> I'm trying to upgrade from Tomcat 7.0.41 with APR to Tomcat 8.0.15 with
> APR. (I'm using JDK 1.8.0.25 on CentOS.)
>
> My first step was to upgrade to Tomcat Native library 1.1.32 and APR 1.5.1
> while still using Tomcat 7.0.41. This combination works great. My webapp
> starts up and is accessible using either SSL or non-SSL.
>
> Next I upgraded to Tomcat 8.0.15 (again with Tomcat Native library 1.1.32
> and APR 1.5.1). Tomcat 8.0.15 starts up, and the first lines of
> catalina.out are a message that shows that Tomcat Native library 1.1.32 and
> APR 1.5.1 are indeed in use. My webapp starts up and is accessible using
> non-SSL requests, but SSL requests don't work.
>
> When I saw that SSL wasn't working, I looked in catalina.out and saw this:
>
> org.apache.coyote.AbstractProtocol.init Failed to initialize end point
> associated with ProtocolHandler ["http-apr-8443"]
> java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is
> enabled in the AprLifecycleListener, the AprLifecycleListener has
> initialised correctly and that a valid SSLProtocol has been specified
> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:532)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
> [...]
> Caused by: java.lang.Exception: Invalid Server SSL Protocol
> (error:00000000:lib(0):func(0):reason(0
> ))
> at org.apache.tomcat.jni.SSLContext.make(Native Method)
> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:527)
>
>
> The SSL Connector in server.xml looks like this:
> <Connector port="8443" URIEncoding="utf-8"
> maxKeepAliveRequests="3" keepAliveTimeout="3000"
> scheme="https" secure="true" SSLEnabled="true"
> SSLCertificateFile="/home/scuser/ssl/cert.crt"
> SSLCertificateKeyFile="/home/scuser/ssl/cert.key"
>
> SSLCertificateChainFile="/home/scuser/ssl/intermediateCA.cer"
> clientAuth="false" sslProtocol="TLS"/>
>
> Can anyone see what might be going wrong?

The correct property name for APR connector is "SSLProtocol", not
sslProtocol. The spelling matters.

SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"

I think that you would also like to configure SSLCipherSuite

http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support_-_APR/Native

Best regards,
Konstantin Kolinko
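
A check for the mistake discussed in this thread, as an added example that is not part of the original messages or of Tomcat: it parses a server.xml and reports Connector attributes that match an APR attribute name only when case is ignored. The attribute list is limited to names that appear in the thread; the function name, the sample file and the 8080 and 9443 connectors are constructed, and the second check assumes every SSL-enabled connector is served by APR.

```python
import xml.etree.ElementTree as ET

# APR/native connector attribute names that appear in this thread (not a full list).
APR_ATTRS = ("SSLProtocol", "SSLCipherSuite", "SSLCertificateFile",
             "SSLCertificateKeyFile", "SSLCertificateChainFile")
_BY_LOWER = {name.lower(): name for name in APR_ATTRS}

# Constructed sample: port 8443 is the connector quoted above; ports 8080 and
# 9443 are made up for contrast (9443 uses the spelling from the reply).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" redirectPort="8443"/>
    <Connector port="8443" URIEncoding="utf-8"
               maxKeepAliveRequests="3" keepAliveTimeout="3000"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/home/scuser/ssl/cert.crt"
               SSLCertificateKeyFile="/home/scuser/ssl/cert.key"
               SSLCertificateChainFile="/home/scuser/ssl/intermediateCA.cer"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/home/scuser/ssl/cert.crt"
               SSLCertificateKeyFile="/home/scuser/ssl/cert.key"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml):
    """Return (port, kind, found, expected) tuples for each problem found."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        for attr in conn.attrib:
            expected = _BY_LOWER.get(attr.lower())
            # Same letters, different case: the spelling problem from the reply.
            if expected is not None and attr != expected:
                findings.append((port, "case-mismatch", attr, expected))
        # Assumption: every SSL-enabled connector here is served by APR.
        if conn.get("SSLEnabled") == "true" and "SSLProtocol" not in conn.attrib:
            findings.append((port, "no-explicit-protocol", None, "SSLProtocol"))
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```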