-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Tom,

On 4/6/15 10:15 PM, Tom Williamson wrote:
> Thank you (and the others who responded). I was tearing my hair out trying to fix this. Some background (if anyone cares):
>
> I have a small private site protected by SSL, which has run fine for 2 years with no maintenance at all. A couple of months ago, after a Chrome update, it became inaccessible using Chrome. I switched to Firefox to access it. Last Friday, it became inaccessible using Firefox. The browser error messages indicated that my site's encryption was no longer acceptable:
>
> Chrome said: "A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
>
> Firefox said: "Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)"
>
> Naturally, this pointed me in the direction of trying to change the cipher settings of my site. SSL/TLS cipher settings and the whole SSL scheme are, shall we say, not clearly documented for someone who administers Tomcat once every two years.

Something like this?
http://wiki.apache.org/tomcat/Security/Ciphers

> After a weekend of ripping out clumps of my hair and swearing at my computer, nothing had worked. In desperation, before upgrading Java and Tomcat, I tried regenerating my self-signed certificate with new settings (SHA256 instead of SHA1) and that seems to have solved the problem. Moral of the story: Take browser error messages with a large grain of salt.

The cipher-mismatch was probably solved by something you changed in your configuration. Re-generating the TLS certificate might have ended some of the warnings about certs with a SHA-1 signature, but the cipher-mismatch is a different beast and probably more important.

-chris

> -----Original Message-----
> From: Terence M. Bandoian
> Sent: Monday, April 06, 2015 12:21 PM
> To: Tomcat Users List
> Subject: Re: Need configuration example for Tomcat 7.0.55 TLS configuration
>
> On 4/6/2015 2:11 AM, Ognjen Blagojevic wrote:
>> Tom,
>>
>> On 5.4.2015 3:06, Tom Williamson wrote:
>>> I would like to know if anyone has a working example of getting TLS 1.2 working on Tomcat 7.0.55, so that it can be accessed by the latest version of Chrome and Firefox.
>>
>> Which version of Java do you use? Make sure it is Java 7 or 8, and if you haven't already upgraded, then upgrade to the latest released version.
>>
>> Could you clarify whether you need TLSv1.2 only, or TLSv1.2 among other TLS versions (v1 and v1.1)?
>>
>>> <Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
>>>            maxThreads="150" scheme="https" secure="true"
>>>            keystoreFile="/path/mykeystore" keystorePass="password"
>>>            clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLS" />
>>
>> By specifying protocol="HTTP/1.1" you are using connector auto-detection. Depending on the existence of the Tomcat native DLL, Tomcat will automatically select between the APR connector and the JSSE connector. Those two connectors have completely different sets of options. The options you are using (keystoreFile, keystorePass) clearly indicate you wish to use JSSE connectors. Therefore, to rule out present and future auto-detection problems, I would recommend that you explicitly specify the connector you wish to use. E.g. for the JSSE BIO connector that would be:
>>
>> protocol="org.apache.coyote.http11.Http11Protocol"
>>
>> Next, sslEnabledProtocols should specify exact TLS versions, so if you need only TLSv1.2 use:
>>
>> sslEnabledProtocols="TLSv1.2"
>>
>> and if you need e.g. all three versions, then omit the attribute sslEnabledProtocols, or use:
>>
>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>
>>> So far based on the Tomcat 7.0 docs, I have tried the following configuration changes:
>>>
>>> sslEnabledProtocols="TLS"
>>> sslEnabledProtocols="TLSv1"
>>> sslEnabledProtocols="TLSv1.1"
>>> sslEnabledProtocols="TLSv1.2"
>>> sslEnabledProtocols="TLSv1.1,TLSv1.2"
>>
>> Except for the first one, all the other examples should be working.
>>
>>> With most of these, I don't get any error in the console (I have logging set to ALL), but I also have not been able to get either Chrome or Firefox to connect.
>>>
>>> I have also tried various combinations of "sslProtocols=" and "cipher=", also with no luck.
>>>
>>> Can anyone post a sample <connector> configuration that works?
>>
>> Try this:
>>
>> <Connector port="443"
>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>            SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>>            clientAuth="false" keystoreFile="/path/mykeystore"
>>            keystorePass="password" sslProtocol="TLS"
>>            sslEnabledProtocols="TLSv1.2" />
>>
>> BTW, the attribute name is "ciphers", not "cipher".
>>
>> -Ognjen
>
> Nicely done!
>
> -Terence Bandoian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
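As an added example (not code from this thread or from the Tomcat project), a small Python lint that checks a single <Connector> element for the three problems Ognjen points out above: protocol="HTTP/1.1" auto-detection combined with JSSE keystore attributes, sslEnabledProtocols values that are not exact versions (such as "TLS"), and the "cipher" vs "ciphers" attribute name. The two sample connectors are reconstructed from the messages above; the finding codes are my own naming.

```python
import xml.etree.ElementTree as ET

# Explicit JSSE BIO connector class recommended in the thread.
JSSE_BIO = "org.apache.coyote.http11.Http11Protocol"
# Exact version names that sslEnabledProtocols expects on the JSSE connector.
TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed inputs, rebuilt from the connectors quoted in the thread.
TOM_CONNECTOR = '''<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="/path/mykeystore" keystorePass="password"
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLS" />'''
OGNJEN_CONNECTOR = '''<Connector port="443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    clientAuth="false" keystoreFile="/path/mykeystore"
    keystorePass="password" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2" />'''


def lint_connector(connector_xml):
    """Return (code, message) findings for one <Connector> element."""
    attrs = ET.fromstring(connector_xml).attrib
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: no TLS settings to check
    # keystoreFile/keystorePass only exist on the JSSE connector, so relying
    # on auto-detection (protocol="HTTP/1.1") risks silently picking APR.
    jsse_attrs = [a for a in ("keystoreFile", "keystorePass") if a in attrs]
    if attrs.get("protocol", "HTTP/1.1") == "HTTP/1.1" and jsse_attrs:
        findings.append(("auto-detect",
            'protocol="HTTP/1.1" lets Tomcat pick APR or JSSE at startup, but '
            '%s are JSSE-only attributes; set protocol="%s" explicitly'
            % (", ".join(jsse_attrs), JSSE_BIO)))
    enabled = attrs.get("sslEnabledProtocols")
    if enabled is not None:
        for name in (v.strip() for v in enabled.split(",")):
            if name not in TLS_VERSIONS:
                findings.append(("bad-version",
                    'sslEnabledProtocols entry "%s" is not an exact version; '
                    "use one or more of %s" % (name, ", ".join(sorted(TLS_VERSIONS)))))
    if "cipher" in attrs:
        findings.append(("cipher-typo", 'the attribute is "ciphers", not "cipher"'))
    return findings


if __name__ == "__main__":
    for label, xml in (("Tom", TOM_CONNECTOR), ("Ognjen", OGNJEN_CONNECTOR)):
        print(label, lint_connector(xml) or "no findings")
```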