I was able to resolve this by using "-Dcom.sun.net.ssl.enableECC=false" when starting tomcat to disable the use of Elliptic Curves, the only issue now is that Google Chrome is having issues finding a common cipher suite to use, giving the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
-----Original Message-----
From: Kevin Mango [mailto:kma...@nysif.com]
Sent: Friday, July 7, 2017 9:52 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Errors establishing secure connections with tomcat 8.5.15

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Friday, July 7, 2017 4:14 AM
To: users@tomcat.apache.org
Subject: Re: Errors establishing secure connections with tomcat 8.5.15

1) don't top-post

On 07.07.2017 02:39, Guang Chao wrote:
> Sorry, the Tomcat will connect to other web applications hosted
> somewhere else in your network? Is my understanding correct?
>
> On Fri, Jul 7, 2017 at 12:38 AM, Kevin Mango <kma...@nysif.com> wrote:
>
>> Hello,
>>
>> I have been working to set up Apache Tomcat 8.5.15 to establish a
>> secure connection to web applications on our server. However I have
>> been having difficulties setting up this functionality.
>>
>> The most meaningful error we have been getting is from Firefox,
>> "Unsupported elliptic curve. Error code:
>> SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE".
>> We have set up Tomcat to fully debug javax.net, and from these logs it
>> appears that the handshake is failing at the server or client key
>> exchanges. Below is the output after reaching the server key exchange:
>>
>> ECDH ServerKeyExchange
>> Signature Algorithm SHA256withRSA
>> Server key: <key value>
>> *** ServerHelloDone
>> [write] MD5 and SHA1 hashes: len = 5073
>> <Large block of hex>
>> https-jsse-nio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 5073
>> [Raw write]: length = 5078
>> <Large block of hex>
>> https-jsse-nio-8443-exec-1, WRITE: TLSv1.2 Handshake, length = 5073
>> [Raw write]: length = 5078
>> <Large block of hex>
>> [Raw read]: length = 2
>> <small block of hex>
>> <Large block of hex>
>> https-jsse-nio-8443-exec-5, READ: TLSv1.2 Alert, length = 2
>> https-jsse-nio-8443-exec-5, RECV TLSv1.2 ALERT: fatal, illegal_parameter
>> https-jsse-nio-8443-exec-5, fatal: engine already closed. Rethrowing
>> javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
>> https-jsse-nio-8443-exec-5, fatal: engine already closed. Rethrowing
>> javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
>> https-jsse-nio-8443-exec-5, called closeOutbound()
>> https-jsse-nio-8443-exec-5, closeOutboundInternal()
>> https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT: warning, description = close_notify
>> https-jsse-nio-8443-exec-5, WRITE: TLSv1.2 Alert, length = 2
>> ------------------------------------------------------------
>>
>> There isn't any error output from stderr, only standard print statements.
>> The ciphersuite that is chosen is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
>> Below are some details about the machine we are running tomcat on:
>>
>> Windows Server 2012 R2 64 bit
>> 16gb ram
>> 2.2ghz intel xeon cpu
>> Java 1.8.131
>>
>> Here is the connector in our server.xml file:
>>
>> <Connector port="8443"
>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            maxThreads="200"
>>            scheme="https" secure="true" SSLEnabled="true"
>>            defaultSSLHostConfigName="<hostname> " >
>>     <SSLHostConfig
>>         hostname="<hostname> "
>>         protocols="TLSv1.2"
>>         sslProtocol="TLSv1.2">
>>         <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
>>                      certificateKeystorePassword="<password>"
>>                      certificateKeystoreType="PKCS12"
>>                      type="RSA"/>
>>     </SSLHostConfig>
>> </Connector>
>>
>> Some additional notes:
>>
>> 1. The server we are running this on is internal and therefore
>>    can't be accessed outside our network
>> 2. The web browser on the machine is unable to access the web
>>    application locally due to our network security
>> 3. I am able to connect via http to the web apps
>>
>> Any assistance that could be provided in this matter would be greatly
>> appreciated.
>>
>> Thank you,
>> Kevin
>>

2) One thing which you could/should try first, is to look at the Tomcat User's list archives.
See : http://tomcat.apache.org/lists.html -> tomcat users -> archives
There is a considerable amount of correspondence there related to such themes, and the answer you are looking for is probably already there.

---------------------------------------------------------------------

@Guang Chao
No, the web apps are installed in the tomcat webapps folder. I am able to access these web apps through http, but when trying to connect through https it fails to connect with ssl errors, with Firefox's unsupported elliptical curve error being the most meaningful.

@André Warnier
I will look through the archive and see if I can find anything helpful. Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

________________________________
This e-mail transmission contains confidential information that is the property of the sender. If you are not the intended recipient, you are notified that any retention, disclosure, reproduction or distribution of the contents of this e-mail transmission, or the taking of any action in reliance thereon or pursuant thereto, is strictly prohibited. No warranty is given by NYSIF that this e-mail is free of viruses, interception or interference. NYSIF disclaims liability for any unauthorized opinion, representation, statement, offer or contract made by the sender on behalf of NYSIF. NYSIF's delegation of authorities, setting out who may make representations or contract on behalf of NYSIF, is available by contacting NYSIF at mail...@nysif.com.
Jurisdiction for all actions arising out of dealings with NYSIF shall lie only in a court of competent jurisdiction of the State of New York
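For anyone hitting the same symptom later: the thread's diagnosis came from reading the javax.net.debug output by hand, looking for three things, the negotiated cipher suite, the key-exchange message the server wrote last, and which side sent the fatal alert. The script below does that read mechanically so the check is repeatable across browsers. It is an added example written for this thread, not code from the original posts, from Tomcat or from the JDK. Both sample logs are constructed to mirror the JDK 8 handshake output quoted above; the thread names, the "Sun EC public key" line, the secp256r1 curve and the "no cipher suites in common" wording are placeholders and assumptions, not values from the posts (the original redacted the server key).

```python
"""Locate where a JSSE (Tomcat) TLS handshake fails from a javax.net.debug log.

Added example for this thread; not code from the posts, from Tomcat or the JDK.
Sample logs are constructed to mirror JDK 8 'javax.net.debug=ssl,handshake'
output; thread names, key size, curve and the 'no cipher suites in common'
line are assumed placeholders.
"""
import re

# Case 1 (constructed): the client answers the ECDHE ServerKeyExchange with a
# fatal illegal_parameter, the Firefox symptom described in the thread.
LOG_ECDHE_REJECTED = """\
*** ServerHello, TLSv1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
https-jsse-nio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 5073
https-jsse-nio-8443-exec-5, READ: TLSv1.2 Alert, length = 2
https-jsse-nio-8443-exec-5, RECV TLSv1.2 ALERT:  fatal, illegal_parameter
https-jsse-nio-8443-exec-5, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT:  warning, description = close_notify
"""

# Case 2 (constructed, assumed JDK wording): the server itself rejects the
# ClientHello because nothing overlaps, which a browser reports as a
# protocol/cipher mismatch rather than a curve problem.
LOG_NO_COMMON_SUITE = """\
https-jsse-nio-8443-exec-2, fatal error: 40: no cipher suites in common
https-jsse-nio-8443-exec-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
https-jsse-nio-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
"""

PROTO_RE = re.compile(r"^\*\*\* ServerHello, (?P<proto>TLSv[\d.]+)")
SUITE_RE = re.compile(r"^Cipher suite: (?P<suite>\S+)")
CURVE_RE = re.compile(r"^\s*parameters: (?P<curve>\S+)")
MSG_RE = re.compile(r"^\*\*\* (?P<msg>[^,]+)")          # handshake message headers
ALERT_RE = re.compile(
    r"^(?P<thread>\S+), (?P<dir>RECV|SEND) (?P<proto>TLSv[\d.]+) ALERT:\s+"
    r"(?P<level>fatal|warning),\s+(?:description = )?(?P<desc>\w+)"
)


def parse_handshake(log):
    """Summarise protocol, suite, key exchange, curve, handshake messages in
    order, and the first fatal alert with the last message written before it."""
    s = {"protocol": None, "cipher_suite": None, "key_exchange": None,
         "curve": None, "messages": [], "fatal_alert": None}
    for raw in log.splitlines():
        line = raw.rstrip()
        if (m := PROTO_RE.match(line)):
            s["protocol"] = m["proto"]
        if (m := SUITE_RE.match(line)):
            s["cipher_suite"] = m["suite"]
        if (m := CURVE_RE.match(line)):
            s["curve"] = m["curve"]
        if (m := MSG_RE.match(line)):
            msg = m["msg"].strip()
            s["messages"].append(msg)
            if msg.endswith("ServerKeyExchange"):
                s["key_exchange"] = msg.split()[0]   # "ECDH" or "DH"
        m = ALERT_RE.match(line)
        if m and m["level"] == "fatal" and s["fatal_alert"] is None:
            s["fatal_alert"] = {"direction": m["dir"], "description": m["desc"],
                                "after": s["messages"][-1] if s["messages"] else None}
    return s


def diagnose(s):
    """Turn the summary into the next thing to check."""
    a = s["fatal_alert"]
    if a is None:
        return "no fatal alert: handshake did not fail in this log"
    if (a["direction"] == "RECV" and a["description"] == "illegal_parameter"
            and s["key_exchange"] == "ECDH" and a["after"] == "ServerHelloDone"):
        return ("client rejected the ECDHE ServerKeyExchange (suite %s, curve %s): "
                "compare that curve with the client's supported groups"
                % (s["cipher_suite"], s["curve"] or "not logged"))
    if (a["direction"] == "SEND" and a["description"] == "handshake_failure"
            and not s["messages"]):
        return ("server rejected the ClientHello: no protocol/cipher suite in common; "
                "compare the connector's enabled suites with the client's offer")
    return "%s fatal %s after %s" % (a["direction"], a["description"], a["after"])


if __name__ == "__main__":
    for name, log in (("firefox-style", LOG_ECDHE_REJECTED),
                      ("mismatch-style", LOG_NO_COMMON_SUITE)):
        print(name, "->", diagnose(parse_handshake(log)))
```

Point it at the real catalina.out (or wherever the javax.net.debug output lands) one connection at a time. The distinction it draws is the one that matters when a fix for one browser breaks another: a RECV illegal_parameter after ServerHelloDone means the server's ECDHE parameters were the problem, while a SEND handshake_failure before any ServerHello means the offered protocols and suites no longer overlap at all, and that is what to re-examine after turning ECC off.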