Posted to users@tomcat.apache.org by Harrie Robins <ha...@eyequestion.nl> on 2016/01/13 19:36:07 UTC

Client TLS 1.2 error for APR

Hi!

I'm running Tomcat 7.0.65 with APR connector over port 443. I'm experiencing
trouble with users that connect with IE11 over SSL. Connecting and browsing
works fine, but sometimes a white screen with this error pops up. Once they
disable TLS 1.2 everything works fine:

This page can't be displayed

Turn on TLS 1.0, TLS1.1 and TLS 1.2 in Advanced settings and try connecting
to https://sub.example.com again. If this error persists, contact your site
administrator.

Right now I'm using SHA-2 encryption (we moved from SHA-1) with an A+ rating on
SSLLabs, without any errors.

Server.xml configuration. Ciphers following latest intermediate from Mozilla
openssl config:

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           connectionTimeout="6000"
           maxThreads="500"
           maxKeepAliveRequests="-1"
           acceptCount="200"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           enableLookups="false"
           SSLCertificateFile="C:\server\ssl\server.crt"
           SSLCertificateKeyFile="C:\server\ssl\private.key"
           SSLCACertificateFile="C:\server\ssl\intermediate.crt"
           SSLPassword="passw"
           SSLProtocol="all -SSLv2-SSLv3"
           SSLHonorCipherOrder="true"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE:!EDH"
           />

Does anyone have a pointer about what could be wrong with this
configuration?

Kind regards,

Harrie
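Added example, not part of the thread and not Tomcat or OpenSSL code: a small Python model of how the OpenSSL 1.0.x cipher-string rules (the library line the tcnative 1.1.x binaries are built against) turn the SSLCipherSuite value above into an ordered suite list. The suite table is constructed and partial, the keyword semantics are cut down to what the posted string uses, and SSLProtocol is not modelled; the authoritative check is openssl ciphers -v '<string>' run with the OpenSSL build that tcnative actually loads. On the posted string it shows three things worth knowing before blaming a client: the two IANA-style names (TLS_ECDHE_RSA_WITH_...) are not OpenSSL names, so OpenSSL skips those rules without an error; the trailing !DHE:!EDH deletes every DHE suite listed earlier, leaving only ECDHE and plain-RSA suites; and DES-CBC3-SHA survives because !DES matches single DES only.

```python
import re
# Constructed, partial suite table (name, key exchange, authentication, encryption,
# lowest usable protocol): every suite the posted string names plus a few its "!" rules
# target. The real table is `openssl ciphers -v ALL` on the library tcnative loads.
_TABLE = """
ECDHE-RSA-AES128-GCM-SHA256    ECDHE RSA   AESGCM TLSv1.2
ECDHE-ECDSA-AES128-GCM-SHA256  ECDHE ECDSA AESGCM TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384    ECDHE RSA   AESGCM TLSv1.2
ECDHE-ECDSA-AES256-GCM-SHA384  ECDHE ECDSA AESGCM TLSv1.2
DHE-RSA-AES128-GCM-SHA256      DHE   RSA   AESGCM TLSv1.2
DHE-DSS-AES128-GCM-SHA256      DHE   DSS   AESGCM TLSv1.2
ADH-AES128-GCM-SHA256          DHE   NULL  AESGCM TLSv1.2
ECDHE-RSA-AES128-SHA256        ECDHE RSA   AES    TLSv1.2
ECDHE-ECDSA-AES128-SHA256      ECDHE ECDSA AES    TLSv1.2
ECDHE-RSA-AES128-SHA           ECDHE RSA   AES    TLSv1.0
ECDHE-ECDSA-AES128-SHA         ECDHE ECDSA AES    TLSv1.0
ECDHE-RSA-AES256-SHA384        ECDHE RSA   AES    TLSv1.2
ECDHE-ECDSA-AES256-SHA384      ECDHE ECDSA AES    TLSv1.2
ECDHE-RSA-AES256-SHA           ECDHE RSA   AES    TLSv1.0
ECDHE-ECDSA-AES256-SHA         ECDHE ECDSA AES    TLSv1.0
ECDH-RSA-AES128-SHA            ECDH  ECDH  AES    TLSv1.0
DHE-RSA-AES128-SHA256          DHE   RSA   AES    TLSv1.2
DHE-RSA-AES128-SHA             DHE   RSA   AES    TLSv1.0
DHE-DSS-AES128-SHA256          DHE   DSS   AES    TLSv1.2
DHE-RSA-AES256-SHA256          DHE   RSA   AES    TLSv1.2
DHE-DSS-AES256-SHA             DHE   DSS   AES    TLSv1.0
DHE-RSA-AES256-SHA             DHE   RSA   AES    TLSv1.0
EDH-RSA-DES-CBC3-SHA           DHE   RSA   3DES   TLSv1.0
EDH-DSS-DES-CBC3-SHA           DHE   DSS   3DES   TLSv1.0
AES128-GCM-SHA256              RSA   RSA   AESGCM TLSv1.2
AES256-GCM-SHA384              RSA   RSA   AESGCM TLSv1.2
AES128-SHA256                  RSA   RSA   AES    TLSv1.2
AES256-SHA256                  RSA   RSA   AES    TLSv1.2
AES128-SHA                     RSA   RSA   AES    TLSv1.0
AES256-SHA                     RSA   RSA   AES    TLSv1.0
DES-CBC3-SHA                   RSA   RSA   3DES   TLSv1.0
KRB5-DES-CBC3-SHA              KRB5  KRB5  3DES   TLSv1.0
"""
SUITES = [tuple(r.split()) for r in _TABLE.strip().splitlines()]
# Keyword semantics after OpenSSL 1.0.x ciphers(1), cut down to what the posted string uses.
ALIASES = {
    "ECDHE": lambda s: s[1] == "ECDHE", "kEDH": lambda s: s[1] == "DHE",  # kEDH includes anon ADH
    "DHE": lambda s: s[1] == "DHE" and s[2] != "NULL",
    "EDH": lambda s: s[1] == "DHE" and s[2] != "NULL",
    "aECDH": lambda s: s[2] == "ECDH",                                   # fixed-ECDH certificate auth
    "aNULL": lambda s: s[2] == "NULL", "eNULL": lambda s: s[3] == "NULL",
    "AES": lambda s: s[3] in ("AES", "AESGCM"), "AESGCM": lambda s: s[3] == "AESGCM",
    "CAMELLIA": lambda s: s[3] == "CAMELLIA", "RC4": lambda s: s[3] == "RC4",
    "DES": lambda s: s[3] == "DES", "MD5": lambda s: s[0].endswith("-MD5"),  # DES = single DES only
    "EXPORT": lambda s: False, "PSK": lambda s: False,                   # none in this table
}

def _predicate(word, suites):
    """Matcher for a keyword or exact suite name; None if OpenSSL would not know the word."""
    if word in ALIASES:
        return ALIASES[word]
    return (lambda s, w=word: s[0] == w) if any(s[0] == word for s in suites) else None

def resolve(cipher_string, suites=SUITES):
    """Apply the rules left to right; return (ordered selected names, skipped tokens)."""
    selected, killed, skipped = [], set(), []
    for tok in re.split(r"[:, ]+", cipher_string.strip()):
        if not tok or tok.startswith("@"): continue          # @STRENGTH not modelled
        op, word = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        preds = [_predicate(p, suites) for p in word.split("+")]   # "A+B" means A AND B
        if any(p is None for p in preds):                    # unknown word: rule silently dropped
            skipped.append(tok)
            continue
        hits = [s[0] for s in suites if all(p(s) for p in preds)]
        if op == "!":                                         # delete and never re-add
            killed.update(hits)
            selected = [n for n in selected if n not in killed]
        elif op == "-":                                       # delete, may be re-added later
            selected = [n for n in selected if n not in hits]
        elif op == "+":                                       # move matches to the end
            selected = [n for n in selected if n not in hits] + [n for n in selected if n in hits]
        else:                                                 # append new matches in table order
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected, skipped

def usable_at(selected, version, suites=SUITES):
    """Subset of `selected` that a client capped at `version` can still negotiate."""
    rank = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2}
    floor = {s[0]: rank[s[4]] for s in suites}
    return [n for n in selected if floor[n] <= rank[version]]

# The SSLCipherSuite value from the server.xml above, with the mail line breaks removed.
POSTED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:"
    "AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE:!EDH"
)
```

resolve(POSTED) returns the list the model keeps (ECDHE GCM and CBC suites, plain-RSA AES suites and DES-CBC3-SHA last) together with the two skipped IANA-style tokens; usable_at(chosen, "TLSv1.0") is the SHA1-only subset a client that has turned TLS 1.2 off can still pick. Comparing those two lists with what openssl s_client -tls1 and openssl s_client -tls1_2 each negotiate against the real server is the next step, since this model only reproduces the string parsing, not the handshake.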


RE: Client TLS 1.2 error for APR

Posted by Harrie Robins <ha...@eyequestion.nl>.
Hi Markt,

Sorry, I did not include this since I'm using the standard one in the release (1.1.33).
I know of the more recent releases, but I can't just update (production),
and in the release notes I did not find anything that might help.

Thanks,

Harrie

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Wednesday 13 January 2016 20:59
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Client TLS 1.2 error for APR

On 13/01/2016 18:36, Harrie Robins wrote:
> Hi!
> 
> I'm running Tomcat 7.0.65 with APR connector over port 443.

Tomcat version - tick
Connector config - tick
Tomcat-Native version ... ?

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org





Re: Client TLS 1.2 error for APR

Posted by Mark Thomas <ma...@apache.org>.
On 13/01/2016 18:36, Harrie Robins wrote:
> Hi!
> 
> I'm running Tomcat 7.0.65 with APR connector over port 443.

Tomcat version - tick
Connector config - tick
Tomcat-Native version ... ?

Mark
