Hi Thomas,

> On 21.12.2017 at 00:56, Thomas Delaney <tdelaney....@gmail.com> wrote:
> 
> Greetings,
> 
> I am having trouble regarding Google Chrome's behavior to Apache Tomcat's
> SSL setup. I have been successful getting an SSL website to work with
> Apache HTTP web server, but not Apache Tomcat 8.5.24 on Google Chrome.
> Mozilla Firefox brings me to my site with no problem.
> 
> When going to https://mydomain.com:8443 I receive a message from Google
> Chrome.
> 
> Google Chrome Error -
> This site can’t provide a secure connection
> mydomain.com uses an unsupported protocol.
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> 
> Unsupported protocol
> The client and server don't support a common SSL protocol version or cipher
> suite.
> 
> When checking Google Chrome's browser console in the security tab I
> receive:
> Page is not secure
> Valid certificate
> secure resources
> 
> Here is the following background info I have for the configuration I gave
> Apache Tomcat when setting up the 8443 connector
> 
> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> 
> Linux OS: SUSE Enterprise 12 sp1
> 
> Packages installed:
> 
> - OpenSSL 1.0.2n  7 Dec 2017
> - jdk version 1.7.0_79

That may be the culprit.

Apparently this (old) version of Java 7 does not provide, by default, the modern
ciphers that Chrome requires. And the config is using the JSSE SSL
implementation.
But as you have TC Native and OpenSSL 1.0.2, you should switch to OpenSSL.


> - tomcat version -> apache-tomcat-8.5.24
> - apr-1.6.3
> - tomcat-native-1.2.16-src
> 
> Server.xml apr connector (Certificates are signed from GoDaddy and are
> placed in the conf directory of Apache Tomcat):
> 
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true"
>            defaultSSLHostConfigName="mydomain.com" >
>     <SSLHostConfig hostName="mydomain.com"
>                    protocols="TLSv1,TLSv1.1,TLSv1.2">
>         <Certificate certificateKeyFile="conf/server.key"
>                      certificateFile="conf/server.crt"
>                      certificateChainFile="conf/CA_server_bundle.crt"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>
> 
> 
My config for OpenSSL looks like this:


  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
             server="Apache Tomcat"
             allowTrace="false"
             maxThreads="150" SSLEnabled="true"
             defaultSSLHostConfigName="mydomain.com" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
                   hostName="mydomain.com"
                   protocols="TLSv1.1+TLSv1.2"
                   certificateVerification="none"
                   disableCompression="true"
                   disableSessionTickets="true"
                   ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
      <Certificate certificateKeyFile="${catalina.base}/conf/ssl/server.key"
                   certificateFile="${catalina.base}/conf/ssl/server.crt"
                   certificateChainFile="${catalina.base}/conf/ssl/intermediate.pem"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

It contains OpenSSL 1.1 ciphers, but that will not matter for your config.

You may search this mailing list's archive for some good posts on available
ciphers.

Hope this helps.

Peter

> hostname displays properly when typing command: hostname -f and/or typing:
> cat /etc/HOSTNAME on the linux server
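Two checks worth running on a cipher list like the one in the reply above, as an added Python example that is not part of this thread: it flags the entries that lack forward secrecy or still use CBC with an HMAC (including the SHA-1 ones), and it asks the OpenSSL behind Python's ssl module which of the names it actually recognizes, since unknown names are silently dropped rather than rejected. It assumes Python 3.6 or later linked against OpenSSL; the cipher string is copied from the config above.

```python
import ssl

# Cipher string copied from the OpenSSL connector config in the reply above.
TOMCAT_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
)


def parse_cipher_string(cipher_string):
    """Positive OpenSSL cipher names, dropping '!'/'-' exclusions such as !DSS."""
    return [c for c in cipher_string.split(":") if c and not c.startswith(("!", "-"))]


def classify(name):
    """Properties derived from the OpenSSL (pre-TLS-1.3) cipher name."""
    aead = "GCM" in name or "CHACHA20" in name
    return {
        "forward_secrecy": name.startswith(("ECDHE-", "DHE-")),
        "aead": aead,
        # Non-AEAD suites whose name ends in '-SHA' are CBC with HMAC-SHA1.
        "sha1_mac": not aead and name.endswith("-SHA"),
    }


def review(cipher_string):
    """Map each name a defender would flag to its reasons, in list order."""
    flagged = {}
    for name in parse_cipher_string(cipher_string):
        props = classify(name)
        reasons = []
        if not props["forward_secrecy"]:
            reasons.append("no_pfs")       # static RSA key exchange
        if not props["aead"]:
            reasons.append("cbc_hmac")     # CBC mode with a separate MAC
        if props["sha1_mac"]:
            reasons.append("sha1_mac")
        if reasons:
            flagged[name] = reasons
    return flagged


def supported_locally(cipher_string):
    """Names from the string that the local libssl accepts (unknown ones vanish)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"] for c in ctx.get_ciphers()} & set(parse_cipher_string(cipher_string))


if __name__ == "__main__":
    for name, reasons in review(TOMCAT_CIPHERS).items():
        print(f"{name:32} {' '.join(reasons)}")
    missing = set(parse_cipher_string(TOMCAT_CIPHERS)) - supported_locally(TOMCAT_CIPHERS)
    print("not available in local OpenSSL:", sorted(missing) or "none")
```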
