On 12/21/2017 3:24 PM, Thomas Delaney wrote:
Thank you for the input so far!

I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
receive the same result

When running the openssl s_client command I received this as the Cipher and
SSL version:
Protocol  : TLSv1.2
Cipher    : DHE-RSA-AES256-GCM-SHA384

I also get a message saying "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"

I second Chris Schultz's recommendation that you run the site through the SSL Labs testing site and see what it points out. It's going to check a lot more things right off the bat and display them in an easier format:

https://www.ssllabs.com/ssltest/

On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

Peter,

On 12/21/17 2:38 AM, l...@kreuser.name wrote:
Hi Thomas,

Am 21.12.2017 um 00:56 schrieb Thomas Delaney
<tdelaney....@gmail.com>:

Greetings,

I am having trouble regarding google chrome's behavior to Apache
Tomcat's SSL setup. I have been successful getting an ssl website
to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
on google chrome. Mozilla Firefox brings me to my site with no
problem.

When going to https://mydomain.com:8443 I receive a message from
Google Chrome.

Google Chrome Error - This site can’t provide a secure
connection mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol The client and server don't support a common
SSL protocol version or cipher suite.

When checking Google Chrome's Browser console in the security tab
I receive: Page is not secure Valid certificate secure resources

Here is the following background info I have for the
configuration I gave Apache Tomcat when setting up the 8443
connector

Chrome Version 63.0.3239.108 (Official Build) (64-bit)

Linux OS: SUSE Enterprise 12 sp1

Packages installed:

- OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
That may be the culprit.

Apparently this (old) version of Java 7 will not provide the modern
ciphers that Chrome requires by default. And the config is using the
JSSE SSL implementation. But as you have TC Native and openssl 1.0.2
you should switch to openssl.
This probably isn't the problem since Thomas is using the APR
connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
not relevant.

- tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
tomcat-native-1.2.16-src

Server.xml apr connector (Certificates are signed from GoDaddy
and are placed in the conf directory of Apache Tomcat):

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true"
           defaultSSLHostConfigName="mydomain.com">
  <SSLHostConfig hostName="mydomain.com"
                 protocols="TLSv1,TLSv1.1,TLSv1.2">
    <Certificate certificateKeyFile="conf/server.key"
                 certificateFile="conf/server.crt"
                 certificateChainFile="conf/CA_server_bundle.crt"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
This looks okay to me. If you start Tomcat and then use "openssl
s_client -connect <hostname>:<port>", does openssl connect? It should
report the protocol and cipher suite being used to connect.

If your server is externally accessible, consider using an external TLS
capabilities scanner such as that from Qualys,
https://www.ssllabs.com/ssltest/

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
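The thread's diagnostic step is to run openssl s_client against the connector and read off the negotiated protocol, the cipher suite and the verify return code. The script below is an added example, not code from the thread or from the Tomcat project: it wraps that check in a small POSIX sh helper that sends the SNI name (relevant because the connector selects its SSLHostConfig by hostName), then summarizes the three fields and interprets verify code 20 (the one Thomas saw), which usually means the intermediate CA is missing either from the server's certificateChainFile or from the local trust store openssl is checking against. The sample s_client output embedded at the end is constructed for the demonstration; host and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): probe a TLS endpoint
# the way the thread suggests and interpret the s_client output fields.

# summarize_tls: read openssl s_client output on stdin and print one line
#   protocol|cipher|verify-code|note
# so the result can be compared or logged by a monitoring job.
summarize_tls() {
  awk '
    # SSL-Session block lines look like "    Protocol  : TLSv1.2"
    /^[ \t]*Protocol[ \t]*:/       { proto  = $3 }
    /^[ \t]*Cipher[ \t]*:/         { cipher = $3 }
    # "    Verify return code: 20 (unable to get local issuer certificate)"
    /^[ \t]*Verify return code:/   { code   = $4 }
    END {
      if (proto == "") {
        print "no-handshake|||server closed or refused before the handshake completed"
        exit
      }
      if (code == "0")
        note = "chain verified"
      else if (code == "20")
        note = "code 20: intermediate CA missing from server chain or from local trust store"
      else
        note = "verify failure code " code
      # TLSv1 and TLSv1.1 are still enabled in the connector shown in the thread;
      # flag it when a client actually negotiates one of them.
      if (proto == "TLSv1" || proto == "TLSv1.1")
        note = note "; legacy protocol " proto " negotiated"
      print proto "|" cipher "|" code "|" note
    }'
}

# probe_tls HOST [PORT]: run s_client with SNI and summarize the result.
# </dev/null closes stdin so s_client exits right after the handshake.
# HOST and PORT are supplied by the caller (placeholders; nothing here is
# contacted when the script is sourced).
probe_tls() {
  host=$1
  port=${2:-8443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | summarize_tls
}

# Constructed sample of s_client output matching what the thread reports:
# TLSv1.2, DHE-RSA-AES256-GCM-SHA384, verify return code 20.
SAMPLE_OUTPUT='CONNECTED(00000003)
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)'

# Demonstration on the constructed sample (no network access needed).
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_tls
```

To check a live connector, call `probe_tls mydomain.com 8443`; if the note reports code 20 and the server really does send the intermediate, rerun s_client with `-CAfile` pointing at the CA bundle to separate a server-side chain problem from a missing local trust store.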
