----- Original Message -----
From: Thomas Delaney <tdelaney....@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Thu, 21 Dec 2017 17:24:06 -0500 (EST)
Subject: Re: Apache Tomcat 8.5.24 SSL Configuration

Thank you for the input so far!

I have used both Java versions, jdk 1.7.0_79 and jdk1.8.0_152, and still receive the same result. When running the openssl s_client command I received this as the cipher and SSL version:

Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384

I also get a message saying:

"verify error:num=20:unable to get local issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"

On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Peter,
>
> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
> >
> > Hi Thomas,
> >
> >> On 21.12.2017 at 00:56, Thomas Delaney <tdelaney....@gmail.com> wrote:
> >>
> >> Greetings,
> >>
> >> I am having trouble regarding Google Chrome's behavior toward Apache
> >> Tomcat's SSL setup. I have been successful getting an SSL website
> >> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
> >> on Google Chrome. Mozilla Firefox brings me to my site with no
> >> problem.
> >>
> >> When going to https://mydomain.com:8443 I receive a message from
> >> Google Chrome:
> >>
> >> Google Chrome Error - This site can't provide a secure connection
> >> mydomain.com uses an unsupported protocol.
> >> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>
> >> Unsupported protocol: The client and server don't support a common
> >> SSL protocol version or cipher suite.
> >>
> >> When checking Google Chrome's browser console in the Security tab
> >> I receive: Page is not secure / Valid certificate / secure resources
> >>
> >> Here is the background info I have for the configuration I gave
> >> Apache Tomcat when setting up the 8443 connector:
> >>
> >> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> >>
> >> Linux OS: SUSE Enterprise 12 sp1
> >>
> >> Packages installed:
> >>
> >> - OpenSSL 1.0.2n 7 Dec 2017
> >> - jdk version 1.7.0_79
> >
> > That may be the culprit.
> >
> > Apparently this (old) version of Java 7 will not provide by default
> > the modern ciphers that Chrome requires. And the config is using the
> > JSSE SSL implementation. But as you have TC Native and openssl 1.0.2
> > you should switch to openssl.
>
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
> not relevant.
>
> >> - tomcat version -> apache-tomcat-8.5.24
> >> - apr-1.6.3
> >> - tomcat-native-1.2.16-src
> >>
> >> Server.xml APR connector (certificates are signed by GoDaddy
> >> and are placed in the conf directory of Apache Tomcat):
> >>
> >> <Connector port="8443"
> >>            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>            maxThreads="150" SSLEnabled="true"
> >>            defaultSSLHostConfigName="mydomain.com">
> >>   <SSLHostConfig hostName="mydomain.com"
> >>                  protocols="TLSv1,TLSv1.1,TLSv1.2">
> >>     <Certificate certificateKeyFile="conf/server.key"
> >>                  certificateFile="conf/server.crt"
> >>                  certificateChainFile="conf/CA_server_bundle.crt"
> >>                  type="RSA" />
> >>   </SSLHostConfig>
> >> </Connector>
>
> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect <hostname>:<port>", does openssl connect? It should
> report the protocol and cipher suite being used to connect.
>
> If your server is externally-accessible, consider using an external TLS
> capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Just a guess, but does the whole chain need to be loaded?
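The "verify error:num=20" that Thomas quotes is what openssl reports when the client cannot find the issuer of the certificate it was handed, which is exactly the symptom of a missing intermediate in the served chain. The script below is an added example, not code from the thread or from the Tomcat project: it builds a constructed, throwaway root -> intermediate -> leaf chain for the thread's mydomain.com name, reproduces error 20 by verifying the leaf with only the root trusted, and then shows the verification succeeding once a bundle in the role of conf/CA_server_bundle.crt supplies the intermediate. It assumes an openssl binary is on the PATH; the probe_server function is the live-host analogue of Chris's s_client check, needs network access, and is not run.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce openssl's "verify error:num=20"
# offline with a throwaway root -> intermediate -> leaf chain, then show that
# a bundle holding the intermediate (the job of certificateChainFile) fixes it.
set -e
WORK=$(mktemp -d)

# Build the constructed test PKI; the leaf uses the thread's mydomain.com name.
make_chain() {
  [ -f "$WORK/server.crt" ] && return 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Constructed Root" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.crt" \
    -days 1 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/CN=Constructed Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/int.crt" -days 1 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=mydomain.com" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/server.crt" -days 1 >/dev/null 2>&1
  # Bundle in the role of conf/CA_server_bundle.crt: intermediate plus root.
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/CA_server_bundle.crt"
}

# Returns 0 when verifying the leaf with only the root trusted reproduces
# error 20: without the intermediate no path to the root can be built.
verify_missing_intermediate() {
  out=$(openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" 2>&1) || true
  case "$out" in *"unable to get local issuer certificate"*) return 0 ;; esac
  return 1
}
# Returns 0 when the bundle supplies the intermediate and the leaf verifies.
verify_with_bundle() {
  openssl verify -CAfile "$WORK/CA_server_bundle.crt" "$WORK/server.crt" >/dev/null 2>&1
}
# Live-host analogue of Chris's suggestion (needs network; not run here):
# prints the Protocol, Cipher and Verify lines that Thomas quoted.
probe_server() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 |
    grep -E '^ *(Protocol|Cipher) *:|Verify return code'
}

make_chain
if verify_missing_intermediate; then echo "root only: error 20 reproduced"; fi
if verify_with_bundle; then echo "with CA_server_bundle.crt: OK"; fi
```

Run against a real Tomcat with `probe_server mydomain.com 8443`; a "Verify return code: 20" there means the connector is not sending the intermediate that the bundle file is meant to provide.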