Mark,

> On 09.01.2020 at 20:36, Mark Thomas <ma...@apache.org> wrote:
>
> On 02/01/2020 09:24, logo wrote:
>
> <snip/>
>
>> The connector comes up correctly, is accessible through the browser but if I
>> test the ssl setup, I get an error message that the key/cert may not be used
>> for "Key agreement"
>>
>> See:
>> testssl.sh <tomcat>:8443
>>
>> Signature Algorithm ECDSA with SHA256
>> Server key size EC 256 bits
>> Server key usage Digital Signature, Key Encipherment
>> Certificate incorrectly used for key agreement
>> Server extended key usage TLS Web Server Authentication, TLS Web Client
>> Authentication
The key usage error is caused by identifying ECDH_RSA ciphers on the connector... (most certainly an unexpected edge case, I've debugged it that far). That should not be the case - as it is an ECDSA cert, right?

> The allowed usages are configured when a certificate is created. See:
> https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
>
> You need to take this up with your Certificate Authority.

The CA is issuing the right cert with appropriate usage for a webserver: "Digital Signature, Key Encipherment".

> I'll look at the cipher differences next.

testssl.sh -e https://<server>:<port> should give you my result.

Thanks.

Peter

[1] https://github.com/drwetter/testssl.sh

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
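The warning in the thread comes from a mismatch between the certificate's X.509 keyUsage bits and what a cipher suite's key exchange requires of the server key: an ephemeral (EC)DHE suite only needs the certificate key to sign, a static ECDH suite (ECDH-RSA, ECDH-ECDSA in OpenSSL naming) uses the certificate key itself for key agreement and so needs the keyAgreement bit, and plain RSA key exchange needs keyEncipherment. The following script is an added example, not code from the thread, from Tomcat or from testssl.sh. It decodes a DER-encoded KeyUsage BIT STRING into the names testssl.sh and openssl print, classifies OpenSSL-style cipher suite names by their key-exchange prefix (an assumption that covers the common suite families only, not PSK, anonymous or SRP suites), and reports which offered suites the certificate cannot legitimately serve. The DER bytes and suite lists are constructed sample input, chosen to reproduce the "Digital Signature, Key Encipherment" certificate from the thread.

```python
"""Check X.509 keyUsage bits against the key exchange of offered TLS suites.

Added example, not part of the mailing-list thread or of Tomcat/testssl.sh.
The DER bytes and cipher suite lists below are constructed sample input.
"""

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of the
# first content octet of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def parse_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING (tag 0x03, short form) into names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    unused_bits = der[2]          # trailing bits of the last octet to ignore
    content = der[3:]
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        octet, bit = divmod(i, 8)
        if octet >= len(content):
            break
        # Bits flagged as unused in the final octet carry no meaning.
        if octet == len(content) - 1 and bit >= 8 - unused_bits:
            break
        if content[octet] & (0x80 >> bit):
            usages.add(name)
    return usages


def required_key_usage(suite: str) -> str:
    """KeyUsage bit the server cert needs for an OpenSSL-named cipher suite.

    Assumption: classification by key-exchange prefix, covering TLS 1.3,
    ephemeral (EC)DHE, static (EC)DH and plain RSA key exchange only.
    """
    if suite.startswith("TLS_"):            # TLS 1.3: cert only signs
        return "digitalSignature"
    if suite.startswith(("ECDHE-", "DHE-")):  # ephemeral: cert only signs
        return "digitalSignature"
    if suite.startswith(("ECDH-", "DH-")):    # static: cert key IS the DH key
        return "keyAgreement"
    return "keyEncipherment"                  # kRSA, e.g. AES128-SHA


def check_suites(key_usage_der: bytes, suites) -> list:
    """Return (suite, missing_usage) for every suite the cert cannot serve."""
    usages = parse_key_usage(key_usage_der)
    return [(s, required_key_usage(s)) for s in suites
            if required_key_usage(s) not in usages]


# Constructed sample: digitalSignature + keyEncipherment, as in the thread.
# Bits 0 and 2 set -> 0xA0, three bits used, five unused: 03 02 05 A0.
THREAD_CERT_KEY_USAGE = bytes.fromhex("030205a0")

# Constructed sample: digitalSignature + keyAgreement (bits 0 and 4 -> 0x88).
KEY_AGREEMENT_CERT_KEY_USAGE = bytes.fromhex("03020388")

# Constructed suite list: what a connector might advertise.
OFFERED_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDH-RSA-AES128-SHA256",      # static ECDH: needs keyAgreement
    "ECDH-ECDSA-AES256-GCM-SHA384",  # static ECDH: needs keyAgreement
]


if __name__ == "__main__":
    print("decoded usages:", sorted(parse_key_usage(THREAD_CERT_KEY_USAGE)))
    for suite, missing in check_suites(THREAD_CERT_KEY_USAGE, OFFERED_SUITES):
        print(f"{suite}: certificate lacks keyUsage {missing}")
```

Run against the thread's certificate, the two static ECDH suites are flagged and every ephemeral suite passes, which is the shape of the testssl.sh complaint: the certificate is fine for ECDHE-ECDSA, but any ECDH-* suite the connector advertises asks the same key to do key agreement it was not issued for. Two practical caveats: `openssl x509 -in cert.pem -noout -ext keyUsage` prints the decoded names if you do not want to extract the raw DER, and RFC 5480 does not list keyEncipherment among the usages defined for an id-ecPublicKey key, so a CA setting it on an EC certificate is not adding any capability an EC key can use.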