I apologize for the poor grammar in my last response and the extra email. The
site I have set up is internal only. I will not be able to test the site
using SSL Labs.

On Fri, Dec 22, 2017 at 9:37 AM, Thomas Delaney <tdelaney....@gmail.com>
wrote:

> The site is internal so I won't be able to check via ssllabs
>
> On Thu, Dec 21, 2017 at 5:36 PM, George S. <geor...@mhsoftware.com> wrote:
>
>> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>>
>>> Thank you for the input so far!
>>>
>>> I have used both Java versions, JDK 1.7.0_79 and JDK 1.8.0_152, and still
>>> receive the same result.
>>>
>>> When running the openssl s_client command I received this as the Cipher
>>> and SSL version:
>>> Protocol  : TLSv1.2
>>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>
>>> I also get a message saying "verify error:num=20:unable to get local
>>> issuer certificate"
>>> "Verify return code: 20 (unable to get local issuer certificate)"
>>>
>>
>> I second Chris Schultz's recommendation that you run the site through the
>> SSL Labs testing site and see what it points out. It's going to check a lot
>> more things right off the bat and display them in an easier format:
>>
>> https://www.ssllabs.com/ssltest/
>>
>>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>>>
>>>> Peter,
>>>>
>>>> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
>>>>
>>>>> Hi Thomas,
>>>>>
>>>>> On 21.12.2017 at 00:56, Thomas Delaney <tdelaney....@gmail.com> wrote:
>>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> I am having trouble with Google Chrome's behavior toward Apache
>>>>>> Tomcat's SSL setup. I have been successful in getting an SSL website
>>>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>>>> on Google Chrome. Mozilla Firefox brings me to my site with no
>>>>>> problem.
>>>>>>
>>>>>> When going to https://mydomain.com:8443 I receive a message from
>>>>>> Google Chrome.
>>>>>>
>>>>>> Google Chrome Error - This site can’t provide a secure
>>>>>> connection mydomain.com uses an unsupported protocol.
>>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>>>
>>>>>> Unsupported protocol The client and server don't support a common
>>>>>> SSL protocol version or cipher suite.
>>>>>>
>>>>>> When checking Google Chrome's browser console in the security tab
>>>>>> I receive: Page is not secure Valid certificate secure resources
>>>>>>
>>>>>> Here is the background info I have for the configuration I gave
>>>>>> Apache Tomcat when setting up the 8443 connector:
>>>>>>
>>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>>>
>>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>>>
>>>>>> Packages installed:
>>>>>>
>>>>>> - OpenSSL 1.0.2n  7 Dec 2017
>>>>>> - jdk version 1.7.0_79
>>>>>>
>>>>> That may be the culprit.
>>>>>
>>>>> Apparently this (old) version of Java 7 will not provide by default
>>>>> the modern ciphers that Chrome requires. And the config is
>>>>> using the JSSE SSL implementation. But as you have TC Native and
>>>>> OpenSSL 1.0.2 you should switch to OpenSSL.
>>>>>
>>>> This probably isn't the problem since Thomas is using the APR
>>>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>>>> not relevant.
>>>>
>>>>>> - tomcat version -> apache-tomcat-8.5.24
>>>>>> - apr-1.6.3
>>>>>> - tomcat-native-1.2.16-src
>>>>>>
>>>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>>>> and are placed in the conf directory of Apache Tomcat):
>>>>>>
>>>>>> <Connector port="8443"
>>>>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>            maxThreads="150" SSLEnabled="true"
>>>>>>            defaultSSLHostConfigName="mydomain.com">
>>>>>>   <SSLHostConfig hostName="mydomain.com"
>>>>>>                  protocols="TLSv1,TLSv1.1,TLSv1.2">
>>>>>>     <Certificate certificateKeyFile="conf/server.key"
>>>>>>                  certificateFile="conf/server.crt"
>>>>>>                  certificateChainFile="conf/CA_server_bundle.crt"
>>>>>>                  type="RSA" />
>>>>>>   </SSLHostConfig>
>>>>>> </Connector>
>>>>>>
>>>> This looks okay to me. If you start Tomcat and then use "openssl
>>>> s_client -connect <hostname>:<port>", does openssl connect? It should
>>>> report the protocol and cipher suite being used to connect.
>>>>
>>>> If your server is externally accessible, consider using an external TLS
>>>> capabilities scanner such as that from Qualys,
>>>> https://www.ssllabs.com/ssltest/
>>>>
>>>> -chris
>>
>> --
>> George S.
>> *MH Software, Inc.*
>>
>> Voice: 303 438 9585
>> http://www.mhsoftware.com
>>
>
>

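Because the site is internal, SSL Labs cannot reach it, but the checks Chris and George point to can be run locally with the same `openssl s_client` command already used in the thread. The script below is an added example, not something posted in the thread or shipped with Tomcat: it repeats the handshake once per protocol version and once per key-exchange family (ECDHE, DHE, RSA), then parses the `Protocol`, `Cipher` and `Verify return code` lines that Thomas quoted into a one-line verdict. The host, port and CA-bundle path are whatever the caller passes (no real host is assumed), and the embedded `SAMPLE` output is constructed from the lines quoted in the thread so the parser can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the thread): probe an internal HTTPS port the way an
# external scanner would, using only openssl s_client, and summarise each try.
# HOST, PORT and CAFILE come from the caller; nothing here is a real host.

# Constructed sample of the s_client summary lines quoted in the thread;
# used when the script is run without a target so the parser can be checked.
SAMPLE='CONNECTED(00000003)
depth=0 CN = mydomain.com
verify error:num=20:unable to get local issuer certificate
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---'

# parse_s_client: read s_client output on stdin, print "proto|cipher|verify".
# The "Cipher is ..." banner line is ignored; only the SSL-Session block counts.
parse_s_client() {
  awk '
    /^ *Protocol *:/         { sub(/^ *Protocol *: */, "");         proto  = $0 }
    /^ *Cipher *:/           { sub(/^ *Cipher *: */, "");           cipher = $0 }
    /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); verify = $0 }
    END { printf "%s|%s|%s\n", proto, cipher, verify }
  '
}

# judge "proto|cipher|verify": one-line verdict. A failed handshake leaves the
# cipher empty or "0000"; a non-zero verify code means the chain could not be
# built with the CA file given (typically a missing intermediate).
judge() {
  proto=${1%%|*}
  rest=${1#*|}
  cipher=${rest%%|*}
  verify=${rest#*|}
  if [ -z "$cipher" ] || [ "$cipher" = "0000" ] || [ "$cipher" = "(NONE)" ]; then
    echo "no handshake"
  elif [ "${verify%% *}" != "0" ]; then
    echo "$proto $cipher (chain problem: $verify)"
  else
    echo "$proto $cipher"
  fi
}

# probe HOST PORT [s_client args...]: one handshake attempt, parsed.
# CAFILE (optional, set by scan) is passed through as -CAfile.
probe() {
  host=$1; port=$2; shift 2
  if [ -n "$CAFILE" ]; then set -- -CAfile "$CAFILE" "$@"; fi
  openssl s_client -connect "$host:$port" -servername "$host" "$@" \
    </dev/null 2>/dev/null | parse_s_client
}

# scan HOST PORT [CAFILE]: each protocol version, then TLS 1.2 restricted to
# ECDHE-only, DHE-only and RSA-key-exchange-only suites. A server whose only
# working suites belong to a family a browser no longer offers shows up as
# "no handshake" on exactly that browser's row.
scan() {
  host=$1; port=$2; CAFILE=$3
  for v in -tls1 -tls1_1 -tls1_2; do
    printf '%-14s %s\n' "$v" "$(judge "$(probe "$host" "$port" "$v")")"
  done
  for kx in ECDHE DHE kRSA; do
    printf '%-14s %s\n' "kx:$kx" \
      "$(judge "$(probe "$host" "$port" -tls1_2 -cipher "$kx")")"
  done
}

if [ "$#" -ge 2 ]; then
  scan "$@"
else
  # No target given: run the constructed sample through the parser.
  printf '%s\n' "$SAMPLE" | parse_s_client | while read -r line; do judge "$line"; done
fi
```

Run it as `sh tlsprobe.sh mydomain.com 8443 conf/CA_server_bundle.crt` from the Tomcat directory; the third argument is the same GoDaddy bundle the connector serves, so a "chain problem" verdict that persists even with it points at the served chain rather than at the client's trust store, while a verdict that only appears without it means the client simply lacks the issuer. The key-exchange rows are what SSL Labs would have shown under "Cipher Suites": compare the ECDHE row against what the browser reports, since a `-cipher ECDHE` attempt that fails while `-cipher DHE` succeeds tells you the server side, not the protocol version, is what needs attention.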