-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, July 13, 2017 4:32 PM
To: users@tomcat.apache.org
Subject: Re: Errors establishing secure connections with tomcat 8.5.15

Kevin,

On 7/11/17 3:48 PM, Kevin Mango wrote:
>
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, July 11, 2017 1:58 PM
> To: users@tomcat.apache.org
> Subject: Re: Errors establishing secure connections with tomcat 8.5.15
>
> Kevin,
>
> On 7/7/17 12:40 PM, Kevin Mango wrote:
>> I was able to resolve this by using
>> "-Dcom.sun.net.ssl.enableECC=false" when starting tomcat to disable
>> the use of Elliptic Curves, the only issue now is that Google Chrome
>> is having issues finding a common cipher suite to use, giving the
>> error ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
>
> Your configuration does not include any specification for cipher
> suites:
>
>>>> Here is the connector in our server.xml file:
>>>>
>>>> <Connector port="8443"
>>>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>            maxThreads="200" scheme="https" secure="true"
>>>>            SSLEnabled="true" defaultSSLHostConfigName="<hostname>">
>>>>   <SSLHostConfig hostname="<hostname>" protocols="TLSv1.2"
>>>>                  sslProtocol="TLSv1.2">
>>>>     <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
>>>>                  certificateKeystorePassword="<password>"
>>>>                  certificateKeystoreType="PKCS12" type="RSA"/>
>>>>   </SSLHostConfig>
>>>> </Connector>
>
> So it would be unusual for a client and server not to be able to agree
> on a cipher suite.
>
> Are you adjusting the available cipher suites any other way (e.g.
> system property that affects JSSE, edits to
> $JAVA_HOME/jre/security/*.policy, etc.)?
>
> What kind of certificate are you using? Is it an ECC certificate
> (rather than the more common RSA certificates)?
>
> -chris
>
>
Hi Chris,
>
> I'm not adjusting the cipher suites in any way. My *.policy files are
> the default ones that came with the JDK installation, same with the
> .security file. The only thing I changed in that directory was adding
> the Unlimited Strength policy JARs.
>
> As for the certificates, we are using self-signed RSA certificates.
>
> On our older machines that are running Tomcat 7 and JDK 7, these
> certificates work fine for our purposes and are still working. In
> these cases the handshake uses the cipher ECDHE-RSA-AES128-GCM-SHA256.
> But with Tomcat 8.5.15 and JDK 8 we have been getting errors with
> unsupported elliptic curve, even when it uses the same or similar
> cipher suites.
>
> Additionally I have tried debugging this with OpenSSL, but when trying
> to connect it gives an error message
> "SSL routines:tls_process_ske_ecdhe:wrong curve:ssl\statem\statem_clnt.c:2057:".
> Even when specifying curves and cipher suites into the OpenSSL client
> connection, I continue to get this error.
>
> The only thing that has come close to working for us is by using
> "-Dcom.sun.net.ssl.enableECC=false" when starting Tomcat to disable
> all EC ciphers, but Google Chrome won't accept the connection due to
> being unable to find a common cipher suite.

Can you try "repairing" your Java installation to restore the original policy 
files? I've added the Unlimited Cipher Strength Policy Files before and it's 
fairly straightforward, but I'm wondering if maybe you botched the installation 
of those and broke the JRE.

-chris

---------------------------------------------------------------------

When I installed the Unlimited Strength files I just copied them into the 
security folder and overwrote the existing JARs that were there. I reverted 
this folder after I was getting these errors and it appeared to do nothing, and 
then I added them back in.

Though we managed to find a solution to this. Instead of using a JSSE connector 
we are instead using the APR and OpenSSL. I was able to take our current pfx 
file and extract the certificate and key into separate files that Tomcat now 
can use in the connection.
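Added example, not part of the thread: the steps Kevin outlines for the APR/OpenSSL connector (pull the certificate and key out of the .pfx as separate PEM files, then point the connector at them), written out as a POSIX shell script. It runs against a constructed throwaway self-signed RSA keystore rather than the real one; keystore.pfx, changeit, server.crt, server.key, chain.pem and the 8443 connector fragment it writes are placeholder names chosen for this example. It also checks that the extracted key actually belongs to the extracted certificate, and writes an SSLHostConfig that spells out the cipher suites, which the original JSSE connector left unspecified.

```shell
#!/bin/sh
# Added example (not from the thread): convert a PKCS#12 (.pfx) keystore into
# the separate PEM certificate and key files the OpenSSL-backed (APR)
# connector reads, verify key/cert agreement, and emit the connector fragment.
# All file names and the password "changeit" are placeholders for the example.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a throwaway self-signed RSA certificate packed into a
# .pfx, standing in for the real keystore from the thread.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/orig.key" -out "$1/orig.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" \
        -name tomcat -out "$1/keystore.pfx" -passout "pass:$2"
}

# pfx_extract PFX PASSWORD OUTDIR
#   Writes OUTDIR/server.crt (the leaf certificate), OUTDIR/server.key (the
#   private key, unencrypted because of -nodes, hence mode 600) and
#   OUTDIR/chain.pem (intermediate/CA certificates; empty for a self-signed cert).
pfx_extract() {
    pfx=$1; pw=$2; out=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys -out "$out/server.crt"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes  -out "$out/server.key"
    chmod 600 "$out/server.key"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts -nokeys -out "$out/chain.pem"
}

# key_matches_cert CERT KEY
#   Succeeds only if the RSA modulus in the certificate equals the one in the
#   key, i.e. the two files really form a pair (a mismatch fails at startup).
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa  -noout -modulus -in "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# write_connector CERT KEY CHAIN OUTFILE
#   Tomcat 8.5 connector using the OpenSSL engine via the APR/native library.
#   Cipher suites are listed explicitly (OpenSSL names) instead of relying on
#   the engine's defaults; certificateChainFile is only set when a chain exists.
write_connector() {
    chain_attr=""
    [ -s "$3" ] && chain_attr=" certificateChainFile=\"$3\""
    cat > "$4" <<EOF
<!-- needs <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/> in server.xml -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
                 ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256">
    <Certificate certificateFile="$1" certificateKeyFile="$2"$chain_attr type="RSA"/>
  </SSLHostConfig>
</Connector>
EOF
}

make_test_pfx "$WORK" changeit
pfx_extract "$WORK/keystore.pfx" changeit "$WORK"
key_matches_cert "$WORK/server.crt" "$WORK/server.key" && echo "key matches certificate"
write_connector "$WORK/server.crt" "$WORK/server.key" "$WORK/chain.pem" "$WORK/connector.xml"
cat "$WORK/connector.xml"
```

Against a real keystore only the two pkcs12 calls in pfx_extract are needed; the key comes out unencrypted because of -nodes, so keep the file mode at 600, or drop -nodes and set certificateKeyPassword on the Certificate element instead. Once OpenSSL performs the handshake the Java policy JARs discussed earlier play no part in cipher selection.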

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
