I've now managed to get an experimental copy of our development AWS EC2
instance working with a cert from Let's Encrypt, and I've got Tomcat to
launch with a modified connector that uses the LE certs rather than a
Java Keystore file.

It looks great from Firefox (except for the still-unanswered riddle of
the unwanted Tomcat update), but from Chrome, I get (domain name "changed to protect the innocent"):

This site can’t provide a secure connection

test.foo.net uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

The modified connector looks like this:

<Connector port="8443" proxyPort="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           compression="on" compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
           maxThreads="1000" socket.appReadBufSize="1024" socket.appWriteBufSize="1024"
           bufferSize="1024" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
                   certificateVerification="none" sslProtocol="TLS" protocols="TLSv1.2">
        <Certificate certificateFile="/etc/tomcat8/test.foo.net.crt"
                     certificateKeyFile="/etc/tomcat8/test.foo.net.key"
                     certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt"/>
    </SSLHostConfig>
</Connector>


Can anybody shed any light on what I did wrong?

--
James H. H. Lampert
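The following is an added example, not code from the original post or from Tomcat: an offline model of the cipher-suite negotiation behind "the client and server don't support a common SSL protocol version or cipher suite". It parses the SSLHostConfig `ciphers` attribute exactly as posted (including the line breaks the mail client inserted), drops the suites the server cannot use with its certificate's key type (an ECDHE_ECDSA or ECDH_* suite needs an EC certificate, so with an RSA key only the ECDHE_RSA and RSA suites are live), and then picks the first server-preferred suite the client also offers. It assumes the Let's Encrypt certificate carries an RSA key, and the two client offer lists are constructed for illustration; they are not the offer list of any particular browser version.

```python
"""Offline model of TLS 1.2 cipher-suite selection for a Tomcat SSLHostConfig.

Added example; assumes an RSA server certificate and uses constructed client
offer lists.  It does not talk to any server.
"""

# The `ciphers` attribute from the posted SSLHostConfig, with the line breaks
# and blank lines that appeared in the mail.  Whitespace inside an XML
# attribute value is legal, so the parser below must cope with it.
TOMCAT_CIPHERS_ATTR = """TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"""

# Key-exchange prefixes a server can offer for a given certificate key type.
# Static ECDH suites (TLS_ECDH_*) also depend on the issuer's signature
# algorithm, so for "EC" only the ephemeral ECDSA suites are listed here.
KEY_EXCHANGE_FOR_KEY_TYPE = {
    "RSA": ("TLS_ECDHE_RSA_", "TLS_DHE_RSA_", "TLS_RSA_"),
    "EC": ("TLS_ECDHE_ECDSA_",),
}

# Constructed client offers (labels are ours, not a browser's real list).
CLIENT_AEAD_ONLY = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
CLIENT_WITH_CBC = CLIENT_AEAD_ONLY + [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def parse_ciphers(attr_value):
    """Split a comma-separated cipher list, ignoring whitespace and empty entries."""
    return [s.strip() for s in attr_value.split(",") if s.strip()]


def usable_suites(configured, cert_key_type):
    """Keep only the configured suites the server can complete with its key, in server order."""
    prefixes = KEY_EXCHANGE_FOR_KEY_TYPE[cert_key_type]
    return [s for s in configured if s.startswith(prefixes)]


def negotiate(server_suites, client_suites):
    """Server-preference selection: first server suite the client also offers, else None."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


def diagnose(attr_value, cert_key_type, client_suites):
    """Summarise what a handshake against this configuration would see."""
    configured = parse_ciphers(attr_value)
    usable = usable_suites(configured, cert_key_type)
    return {
        "configured": len(configured),
        "usable": usable,
        # AEAD suites (GCM / ChaCha20-Poly1305) present in the server list
        "aead_configured": sum(1 for s in configured if "_GCM_" in s or "CHACHA20" in s),
        "selected": negotiate(usable, client_suites),
    }


if __name__ == "__main__":
    for label, client in (("AEAD-only client", CLIENT_AEAD_ONLY), ("client with CBC", CLIENT_WITH_CBC)):
        result = diagnose(TOMCAT_CIPHERS_ATTR, "RSA", client)
        print(f"{label}: {result['configured']} configured, {len(result['usable'])} usable with RSA key, "
              f"{result['aead_configured']} AEAD, selected = {result['selected']}")
```

Run against the posted list, the model shows that of the 17 configured suites only five are usable with an RSA certificate, that none of them is an AEAD suite, and that a client offering only AEAD suites ends with no common suite, which is exactly the condition the browser message describes; a client that also offers a CBC suite negotiates TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.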

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
