On Wed, Aug 5, 2020, 12:22 James H. H. Lampert <jam...@touchtonecorp.com> wrote:
> I've now managed to get an experimental copy of our development AWS EC2
> instance working with a cert from Let's Encrypt, and I've got Tomcat to
> launch with a modified connector that uses the LE certs rather than a
> Java Keystore file.
>
> It looks great from Firefox (except for the still-unanswered riddle of
> the unwanted Tomcat update), but from Chrome, I get (domain name
> "changed to protect the innocent"):
>
> > This site can’t provide a secure connection
> >
> > test.foo.net uses an unsupported protocol.
> >
> > ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >
> > Unsupported protocol
> >
> > The client and server don't support a common SSL protocol version or
> > cipher suite.
>
> The modified connector looks like this:
>
> <Connector port="8443" proxyPort="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     compression="on" compressionMinSize="2048"
>     noCompressionUserAgents="gozilla, traviata"
>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>     maxThreads="1000" socket.appReadBufSize="1024"
>     socket.appWriteBufSize="1024" bufferSize="1024" SSLEnabled="true"
>     scheme="https" secure="true">
>   <SSLHostConfig
>       ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
>       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
>       certificateVerificationh="none"

There's one issue (a misspelling), though it may not be a contributing factor.

>       sslProtocol="TLS"
>       protocols="TLSv1.2">
>     <Certificate certificateFile="/etc/tomcat8/test.foo.net.crt"
>         certificateKeyFile="/etc/tomcat8/test.foo.net.key"
>         certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt"/>
>   </SSLHostConfig>
> </Connector>
>
> Can anybody shed any light on what I did wrong?
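An added configuration check, not part of this thread, that parses the posted SSLHostConfig (embedded below as a constructed standalone fragment) and reports attribute names Tomcat would not recognise, such as the misspelling noted above, along with what the cipher list does and does not offer a modern client. KNOWN_ATTRS is an assumed subset of the attributes the Tomcat docs list for SSLHostConfig.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the SSLHostConfig element from the post, as a standalone fragment.
SAMPLE = """<SSLHostConfig
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
    certificateVerificationh="none" sslProtocol="TLS" protocols="TLSv1.2">
  <Certificate certificateFile="/etc/tomcat8/test.foo.net.crt"
      certificateKeyFile="/etc/tomcat8/test.foo.net.key"
      certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt"/>
</SSLHostConfig>"""

# Assumed subset of the SSLHostConfig attributes Tomcat documents; extend for a real server.xml.
KNOWN_ATTRS = {"ciphers", "certificateVerification", "certificateVerificationDepth",
               "sslProtocol", "protocols", "hostName", "honorCipherOrder"}


def lint_ssl_host_config(xml_text):
    """Parse one SSLHostConfig element and return the findings a reviewer would want."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "SSLHostConfig":
        raise ValueError("expected an SSLHostConfig element, got " + elem.tag)
    # Tomcat only logs a warning for an attribute it does not recognise and then
    # ignores it, so a typo silently leaves the default in force instead of failing startup.
    unknown = sorted(a for a in elem.attrib if a not in KNOWN_ATTRS)
    suites = [s.strip() for s in elem.get("ciphers", "").split(",") if s.strip()]
    return {
        "unknown_attributes": unknown,
        "suite_count": len(suites),
        # AEAD suites (AES-GCM, ChaCha20-Poly1305) are what current browsers prefer;
        # a list with none of them is worth a second look when a client reports a mismatch.
        "aead_suites": [s for s in suites if "_GCM_" in s or "CHACHA20" in s],
        # Static (non-ephemeral) ECDH suites give no forward secrecy and have been
        # dropped by mainstream browsers, so they add nothing to negotiation.
        "static_ecdh_suites": [s for s in suites if s.startswith("TLS_ECDH_")],
        "protocols": elem.get("protocols"),
    }


if __name__ == "__main__":
    for key, value in lint_ssl_host_config(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the posted fragment it flags certificateVerificationh as unknown and shows that all 17 configured suites are CBC suites with no AEAD option and eight static-ECDH entries.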