I believe that protocols="TLSv1.2">
should be sslEnabledProtocol="TLSv1.2"

Jon McAlexander

-----Original Message-----
From: calder <calder....@gmail.com>
Sent: Wednesday, August 5, 2020 12:43 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Connector works fine with Firefox, but not on speaking terms with Chrome!

On Wed, Aug 5, 2020, 12:22 James H. H. Lampert <jam...@touchtonecorp.com> wrote:

> I've now managed to get an experimental copy of our development AWS
> EC2 instance working with a cert from Let's Encrypt, and I've got
> Tomcat to launch with a modified connector that uses the LE certs
> rather than a Java Keystore file.
>
> It looks great from Firefox (except for the still-unanswered riddle of
> the unwanted Tomcat update), but from Chrome, I get (domain name
> "changed to protect the innocent"):
>
> > This site can’t provide a secure connection
> >
> > test.foo.net uses an unsupported protocol.
> >
> > ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >
> > Unsupported protocol
> >
> > The client and server don't support a common SSL protocol version or
> > cipher suite.
>
> The modified connector looks like this:
>
> <Connector port="8443" proxyPort="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     compression="on" compressionMinSize="2048"
>     noCompressionUserAgents="gozilla, traviata"
>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>     maxThreads="1000" socket.appReadBufSize="1024"
>     socket.appWriteBufSize="1024" bufferSize="1024" SSLEnabled="true"
>     scheme="https" secure="true">
>   <SSLHostConfig
>     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
>       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
>     certificateVerificationh="none"

there's one issue (misspelling), though may not be a contributing factor.

>     sslProtocol="TLS"
>     protocols="TLSv1.2">
>     <Certificate
>       certificateFile="/etc/tomcat8/test.foo.net.crt"
>       certificateKeyFile="/etc/tomcat8/test.foo.net.key"
>       certificateChainFile="/etc/tomcat8/test.foo.net.issuer.crt"/>
>   </SSLHostConfig>
> </Connector>
>
> Can anybody shed any light on what I did wrong?
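
An added example, not part of the thread and not Tomcat's own code: a small lint for the connector quoted above that reports `SSLHostConfig` attribute names it does not recognise (with the closest known name) and sorts the configured cipher suites into AEAD, CBC and static-ECDH groups. The attribute list is an assumption copied from the Tomcat 8.5/9 `SSLHostConfig` reference, and `SAMPLE` is an abbreviated copy of the posted connector.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumption: names copied from the Tomcat 8.5/9 SSLHostConfig reference;
# check them against the documentation for the version you run.
SSLHOSTCONFIG_ATTRS = sorted("""
caCertificateFile caCertificatePath certificateRevocationListFile
certificateRevocationListPath certificateVerification
certificateVerificationDepth ciphers disableCompression disableSessionTickets
honorCipherOrder hostName insecureRenegotiation keyManagerAlgorithm protocols
revocationEnabled sessionCacheSize sessionTimeout sslProtocol
trustManagerClassName truststoreAlgorithm truststoreFile truststorePassword
truststoreProvider truststoreType
""".split())

# Abbreviated copy of the connector from the post (cipher list shortened).
SAMPLE = """\
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
               TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
      certificateVerificationh="none" sslProtocol="TLS"
      protocols="TLSv1.2">
    <Certificate certificateFile="/etc/tomcat8/test.foo.net.crt"/>
  </SSLHostConfig>
</Connector>
"""

def lint_connector(xml_text):
    """Return (unknown attribute -> closest known name, cipher suites by group)."""
    unknown = {}
    groups = {"aead": [], "cbc": [], "static_ecdh": []}
    for host in ET.fromstring(xml_text).iter("SSLHostConfig"):
        for name in host.attrib:
            if name not in SSLHOSTCONFIG_ATTRS:
                near = difflib.get_close_matches(name, SSLHOSTCONFIG_ATTRS, n=1)
                unknown[name] = near[0] if near else None
        # JSSE names are comma separated; line breaks in the attribute are whitespace.
        for suite in host.get("ciphers", "").replace(",", " ").split():
            if "_GCM_" in suite or "CHACHA20" in suite:
                groups["aead"].append(suite)
            elif "_CBC_" in suite:
                groups["cbc"].append(suite)
            if suite.startswith("TLS_ECDH_"):  # static ECDH; ECDHE does not match
                groups["static_ecdh"].append(suite)
    return unknown, groups

if __name__ == "__main__":
    unknown, groups = lint_connector(SAMPLE)
    for name, near in unknown.items():
        print(f"unknown SSLHostConfig attribute {name!r}; closest known: {near!r}")
    for group, suites in groups.items():
        print(f"{group}: {len(suites)} suite(s)")
```
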