Mark, Thanks for the hint! I added the following line to my connector and it did the trick!
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

Cheers,
James

On 6/22/16, 9:55 AM, "Mark Thomas" <ma...@apache.org> wrote:

On 22/06/2016 16:47, James Wiley wrote:
> Hi Tomcat Users,
>
> Has anyone run into any issues supporting SSL using the JSSE Connector when
> upgrading from 7.0.68 to 7.0.69?
>
> I help maintain a web application that uses tomcat7. A recent upgrade from
> 7.0.68 to 7.0.69 has caused the tomcat7 instance to throw an “Error during
> SSL Handshake” with the Apache proxy server. The tomcat instance is running
> in AWS using an Amazon Linux image (very similar to CentOS) using JDK 1.7.
> Also, it is proxied by an Apache HTTP server, version 2.2.31.
>
> I’ve gone through the SSL documentation and updated the settings without any luck. This instance is configured to use the JSSE Connector. The following configuration settings work fine under 7.0.68, but break under 7.0.69:
>
> <Connector port="8443"
>     protocol="org.apache.coyote.http11.Http11Protocol"
>     SSLEnabled="true"
>     maxThreads="150"
>     scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS"
>     sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
>     keystoreFile="<some path to a keystore>"
>     keystorePass="<some keystore password>" />

I suspect the more restricted cipher list is the root cause.

You can use the Manager app or JMX to see which ciphers are enabled for a connector. Compare the results for 7.0.68 and 7.0.69 along with what httpd supports and adjust accordingly.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
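
The comparison suggested in the thread (connector ciphers against what httpd supports), as an added example that is not part of the original messages or of Tomcat. It translates the JSSE names from the ciphers attribute above into the OpenSSL names httpd uses and reports the overlap; PROXY_OFFERS is a constructed sample, not the poster's real proxy configuration, and the function names are hypothetical.

```python
import re

# The ciphers attribute as quoted in the thread (JSSE names, Java 7 spelling).
CONNECTOR_CIPHERS = (
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256")

# JSSE name -> OpenSSL name (OpenSSL 1.0.x spelling; 1.1.0+ prints DHE- for EDH-).
JSSE_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DHE-DSS-AES128-SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA": "EDH-RSA-DES-CBC3-SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA": "EDH-DSS-DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "DHE-RSA-AES128-SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256": "DHE-DSS-AES128-SHA256",
}

# Constructed sample: colon-separated suites the proxy side is assumed to offer.
PROXY_OFFERS = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA"

def parse_jsse(attr):
    """Split a Tomcat ciphers attribute on commas and whitespace."""
    return [c for c in re.split(r"[,\s]+", attr.strip()) if c]

def compare(connector_attr, proxy_list):
    """Compare connector and proxy suites; an empty 'shared' means no handshake."""
    proxy = [c for c in proxy_list.split(":") if c]
    mapped, unmapped = {}, []
    for name in parse_jsse(connector_attr):
        if name in JSSE_TO_OPENSSL:
            mapped[JSSE_TO_OPENSSL[name]] = name
        else:
            unmapped.append(name)  # needs a manual lookup before comparing
    shared = [c for c in proxy if c in mapped]  # kept in proxy preference order
    return {
        "shared": shared,
        "proxy_only": [c for c in proxy if c not in mapped],
        "shared_3des": [c for c in shared if "3DES" in mapped[c]],
        "unmapped": unmapped,
    }

if __name__ == "__main__":
    for key, value in compare(CONNECTOR_CIPHERS, PROXY_OFFERS).items():
        print(f"{key}: {value}")
```
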