On Wed, Aug 5, 2020, 12:22 James H. H. Lampert <[email protected]>
wrote:
> I've now managed to get an experimental copy of our development AWS EC2
> instance working with a cert from Let's Encrypt, and I've got Tomcat to
> launch with a modified connector that uses the LE certs rather than a
> Java Keystore file.
>
> It looks great from Firefox (except for the still-unanswered riddle of
> the unwanted Tomcat update), but from Chrome, I get (domain name
> "changed to protect the innocent"):
>
> > This site can’t provide a secure connection
> >
> > test.foo.net uses an unsupported protocol.
> >
> > ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >
> > Unsupported protocol
> >
> > The client and server don't support a common SSL protocol version or
> > cipher suite.
>
> The modified connector looks like this:
>
> <Connector port="8443" proxyPort="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     compression="on" compressionMinSize="2048"
>     noCompressionUserAgents="gozilla, traviata"
>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>     maxThreads="1000" socket.appReadBufSize="1024"
>     socket.appWriteBufSize="1024" bufferSize="1024" SSLEnabled="true"
>     scheme="https" secure="true">
>   <SSLHostConfig
>     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
>       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
>     certificateVerificationh="none"

There's one issue (misspelling), though it may not be a contributing factor.

>     sslProtocol="TLS"
>     protocols="TLSv1.2">
>     <Certificate
>       certificateFile="/etc/tomcat8/test.foo.net.crt"
>       certificateKeyFile="/etc/tomcat8/test.foo.net.key"
>       certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt"/>
>   </SSLHostConfig>
> </Connector>
>
> Can anybody shed any light on what I did wrong?
>
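Added example (not from the thread or from Tomcat itself): a small Python check that parses a connector snippet shaped like the one quoted above and flags SSLHostConfig/Certificate attribute names that are not in a known list, suggesting the closest valid spelling. The list of known attributes is a hand-picked subset and an assumption; extend it for the Tomcat version in use.

```python
"""Lint a Tomcat <Connector> snippet for misspelled SSL attribute names.
Added example, not part of the thread. Tomcat does not apply an attribute
it does not recognise, so a typo such as certificateVerificationh leaves the
intended setting unset. KNOWN_ATTRS is a hand-picked subset (assumption) of
the SSLHostConfig and Certificate attributes; extend it for your version."""
import difflib
import xml.etree.ElementTree as ET

KNOWN_ATTRS = {
    "SSLHostConfig": {
        "hostName", "ciphers", "protocols", "sslProtocol", "honorCipherOrder",
        "certificateVerification", "certificateVerificationDepth",
        "caCertificateFile", "caCertificatePath", "disableSessionTickets",
        "sessionCacheSize", "sessionTimeout", "truststoreFile",
        "truststorePassword", "truststoreType", "insecureRenegotiation",
    },
    "Certificate": {
        "type", "certificateFile", "certificateKeyFile", "certificateChainFile",
        "certificateKeyPassword", "certificateKeystoreFile",
        "certificateKeystorePassword", "certificateKeystoreType",
        "certificateKeyAlias",
    },
}

def find_unknown_attrs(connector_xml):
    """Return [(element, attribute, closest known name or None)] for typos."""
    root = ET.fromstring(connector_xml)
    findings = []
    for tag, known in KNOWN_ATTRS.items():
        for element in root.iter(tag):
            for attr in element.attrib:
                if attr not in known:
                    hint = difflib.get_close_matches(attr, known, n=1)
                    findings.append((tag, attr, hint[0] if hint else None))
    return findings

# Constructed sample with the shape of the posted connector (paths are placeholders).
SAMPLE = """<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
      certificateVerificationh="none" sslProtocol="TLS" protocols="TLSv1.2">
    <Certificate certificateFile="/etc/tomcat8/test.foo.net.crt"
        certificateKeyFile="/etc/tomcat8/test.foo.net.key"
        certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt"/>
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for tag, attr, hint in find_unknown_attrs(SAMPLE):
        print(f"{tag}: unknown attribute {attr!r}" + (f", did you mean {hint!r}?" if hint else ""))
```

Run against a real server.xml by reading the file and passing the <Connector> element's text to find_unknown_attrs; an empty result means every checked attribute name is spelled as Tomcat expects.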