Thomas,

> On 22.12.2017 at 15:38 Thomas Delaney <tdelaney....@gmail.com> wrote:
> 
> I apologize for the poor grammar in my last response and extra email. The
> site I have setup is internal only. I will not be able to test the site
> using SSL Labs.
> 

You may try https://testssl.sh and download the script from there.
That works in internal networks.

It even simulates connects with different clients (e.g. Chrome).

Peter
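The thread turns on two things that `openssl s_client` already reports: the negotiated protocol and cipher suite, and the certificate verify result (code 20, "unable to get local issuer certificate", usually means the server is not sending its intermediate CA certificate). The following Python script is an added example, not code from this thread, testssl.sh or Tomcat: it parses the tail of an `s_client` session (the two sample sessions are constructed, modelled on the lines quoted above) and flags an incomplete chain, a pre-TLSv1.2 protocol, and a DHE key exchange. The DHE check rests on the fact that Chrome has not offered DHE-based cipher suites since 2016, so a server that can only negotiate DHE (no ECDHE) produces exactly Chrome's ERR_SSL_VERSION_OR_CIPHER_MISMATCH even though `openssl s_client`, which still offers DHE, connects fine.

```python
"""Parse `openssl s_client` output and flag the TLS problems discussed in the thread.

Added example; the sample sessions below are constructed, not real captures.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the output quoted in the thread: TLSv1.2,
# a DHE suite, and verify code 20 (missing intermediate certificate).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

# Constructed sample of a healthy session: ECDHE suite, complete chain.
GOOD_OUTPUT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""

# X509 verify result codes as printed by OpenSSL 1.0.2's s_client.
VERIFY_CODES = {
    0: "ok",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Key-exchange prefixes used in OpenSSL cipher-suite names; a name with
# none of these (e.g. AES256-GCM-SHA384) uses static RSA key exchange.
KEX_PREFIXES = ("ECDHE", "DHE", "ECDH", "ADH", "AECDH", "DH", "PSK", "SRP")


def parse_s_client(output: str) -> Dict[str, Optional[object]]:
    """Extract Protocol, Cipher and the final verify return code from s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_msg": verify.group(2) if verify else None,
    }


def key_exchange(cipher_name: str) -> str:
    """Return the key-exchange algorithm named by an OpenSSL cipher-suite string."""
    head = cipher_name.split("-", 1)[0]
    return head if head in KEX_PREFIXES else "RSA"


def assess(report: Dict[str, Optional[object]]) -> List[str]:
    """Turn a parsed session into a list of findings (empty means nothing to fix)."""
    findings: List[str] = []
    proto, cipher, code = report["protocol"], report["cipher"], report["verify_code"]
    if cipher in (None, "(NONE)"):
        findings.append("no cipher negotiated: the handshake did not complete")
        return findings
    if proto and proto not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {proto}; current browsers require TLSv1.2 or later")
    kex = key_exchange(str(cipher))
    if kex == "DHE":
        findings.append(
            "DHE key exchange negotiated; Chrome does not offer DHE suites, so a "
            "server that cannot also negotiate ECDHE fails in Chrome with "
            "ERR_SSL_VERSION_OR_CIPHER_MISMATCH while openssl s_client still connects"
        )
    elif kex == "RSA":
        findings.append("static RSA key exchange: no forward secrecy")
    if code is None:
        findings.append("no 'Verify return code' line found; is this the full s_client output?")
    elif code != 0:
        meaning = VERIFY_CODES.get(int(code), str(report["verify_msg"] or "unknown"))
        findings.append(f"certificate verify failed: code {code} ({meaning})")
        if code in (20, 21):
            findings.append(
                "chain incomplete: the server must send its intermediate CA certificate; "
                "for Tomcat's APR connector that is the file named in certificateChainFile"
            )
    return findings


if __name__ == "__main__":
    for line in assess(parse_s_client(SAMPLE_S_CLIENT_OUTPUT)):
        print("-", line)
```

Feed it a real session with `openssl s_client -connect host:8443 -servername host </dev/null | python3 this_script.py` after replacing the constructed sample with `sys.stdin.read()`. To confirm the DHE hypothesis directly, rerun `openssl s_client` with `-cipher ECDHE`: if that handshake fails while the default one succeeds, the server (here the tomcat-native/OpenSSL side of the APR connector) has no usable ECDHE suite, which is the mismatch Chrome reports. testssl.sh, as suggested above, performs the same per-client simulation without needing an external scanner.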

> On Fri, Dec 22, 2017 at 9:37 AM, Thomas Delaney <tdelaney....@gmail.com>
> wrote:
> 
>> The site is internal so I won't be able to check via ssllabs
>> 
>>> On Thu, Dec 21, 2017 at 5:36 PM, George S. <geor...@mhsoftware.com> wrote:
>>> 
>>>> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>>>> 
>>>> Thank you for the input so far!
>>>> 
>>>> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
>>>> receive the same result
>>>> 
>>>> when running the openssl s_client command I received this as the Cipher
>>>> and SSL version
>>>> Protocol  : TLSv1.2
>>>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>> 
>>>> I also get a message saying  "verify error:num=20:unable to get local
>>>> issuer certificate"
>>>> "Verify return code: 20 (unable to get local issuer certificate)"
>>>> 
>>> 
>>> I second Chris Schultz's recommendation that you run the site through the
>>> SSL Labs testing site and see what it points out. It's going to check a lot
>>> more things right off the bat and display them in an easier format:
>>> 
>>> https://www.ssllabs.com/ssltest/
>>> 
>>>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>>>> ch...@christopherschultz.net> wrote:
>>>> 
>>>>> Peter,
>>>>> 
>>>>>> On 12/21/17 2:38 AM, l...@kreuser.name wrote:
>>>>>> 
>>>>>> Hi Thomas,
>>>>>> 
>>>>>> On 21.12.2017 at 00:56 Thomas Delaney
>>>>>>> <tdelaney....@gmail.com> wrote:
>>>>>>> 
>>>>>>> Greetings,
>>>>>>> 
>>>>>>> I am having trouble regarding google chrome's behavior to Apache
>>>>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>>>>> problem.
>>>>>>> 
>>>>>>> When going to https://mydomain.com:8443 I receive a message from
>>>>>>> Google Chrome.
>>>>>>> 
>>>>>>> Google Chrome Error - This site can’t provide a secure
>>>>>>> connection mydomain.com uses an unsupported protocol.
>>>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>>>> 
>>>>>>> Unsupported protocol The client and server don't support a common
>>>>>>> SSL protocol version or cipher suite.
>>>>>>> 
>>>>>>> When checking Google Chrome's Browser console in the security tab
>>>>>>> I receive: Page is not secure Valid certificate secure resources
>>>>>>> 
>>>>>>> Here is the following background info I have for the
>>>>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>>>>> connector
>>>>>>> 
>>>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>>>> 
>>>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>>>> 
>>>>>>> Packages installed:
>>>>>>> 
>>>>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>>>>>> 
>>>>>> That may be the culprit.
>>>>>> 
>>>>>> Apparently this (old) version of Java7 will not provide by default the
>>>>>> modern ciphers that Chrome requires. And the config is
>>>>>> using the JSSE SSL implementation. But as you have TC Native and
>>>>>> openssl 1.0.2 you should switch to openssl.
>>>>>> 
>>>>> This probably isn't the problem since Thomas is using the APR
>>>>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>>>>> not relevant.
>>>>> 
>>>>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>>>>>> tomcat-native-1.2.16-src
>>>>>>> 
>>>>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>>>>> and are placed in the conf directory of Apache Tomcat):
>>>>>>> 
>>>>>>> <Connector port="8443"
>>>>>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>>>>>> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
>>>>>>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>>>>>>> certificateKeyFile="conf/server.key"
>>>>>>> certificateFile="conf/server.crt"
>>>>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>>>>> </SSLHostConfig> </Connector>
>>>>>>> 
>>>>> This looks okay to me. If you start Tomcat and then use "openssl
>>>>> s_client -connect <hostname>:<port>", does openssl connect? It should
>>>>> report the protocol and cipher suite being used to connect.
>>>>> 
>>>>> If your server is externally-accessible, consider using an external TLS
>>>>> capabilities scanner such as that from Qualys,
>>>>> https://www.ssllabs.com/ssltest/
>>>>> 
>>>>> -chris
>>>>> 
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>> 
>>> --
>>> George S.
>>> *MH Software, Inc.*
>>> 
>>> Voice: 303 438 9585
>>> http://www.mhsoftware.com
>>> 
>> 