Posted to users@tomcat.apache.org by Tom Williamson <to...@cox.net> on 2015/04/05 03:06:37 UTC
Need configuration example for Tomcat 7.0.55 TLS configuration
I would like to know if anyone has a working example of getting TLS 1.2
working on Tomcat 7.0.55, so that it can be accessed by the latest version
of Chrome and Firefox. Either my Tomcat configuration is wrong, or there
is another problem outside of Tomcat that is keeping me from connecting to
it. Here is the background:
I have a small private website running on Tomcat 7.0.55 on Ubuntu 14.04. I
set it up over two years ago to use HTTPS only, and as far as I know it’s
still working fine. Unfortunately I can no longer reach it because when I
try to access it through the latest Chrome browser I get this error:
"A secure connection cannot be established because this site uses an
unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
With the latest Firefox I get this:
"Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)"
Of course, neither Chrome nor Firefox give you any information about what
ciphers/SSL versions would actually **work**, they just tell you that what
you've got isn't working. I have spent the entire day trying to force
Tomcat to use some version of TLS. I have Googled and posted on
StackExchange. Unfortunately most of the online information I have found
simply does not seem to work. I either get a configuration error in the
Tomcat console or the same messages I referenced above.
Here's my SSL connector entry from server.xml:
<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/path/mykeystore"
keystorePass="password"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLS" />
So far based on the Tomcat 7.0 docs, I have tried the following
configuration changes:
sslEnabledProtocols="TLS"
sslEnabledProtocols="TLSv1"
sslEnabledProtocols="TLSv1.1"
sslEnabledProtocols="TLSv1.2"
sslEnabledProtocols="TLSv1.1,TLSv1.2"
With most of these, I don't get any error in the console (I have logging set
to ALL), but I also have not been able to get either Chrome or Firefox to
connect.
I have also tried various combinations of "sslProtocols=" and "cipher=",
also with no luck.
Can anyone post a sample <connector> configuration that works?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Need configuration example for Tomcat 7.0.55 TLS configuration
Posted by Ognjen Blagojevic <og...@gmail.com>.
On 7.4.2015 15:23, Christopher Schultz wrote:
>> After a weekend of ripping out clumps of my hair and swearing at my
>> computer, nothing had worked. In desperation, before upgrading
>> Java and Tomcat, I tried regenerating my self-signed certificate
>> with new settings (SHA256 instead of SHA1) and that seems to have
>> solved the problem. Moral of the story: Take browser error
>> messages with a large grain of salt.
>
> The cipher-mismatch was probably solved by something you changed in
> your configuration. Re-generating the TLS certificate might have ended
> some of the warnings about certs with a SHA-1 signature, but the
> cipher-mismatch is a different beast and probably more important.
+1
I just tested Firefox connecting to a server that serves SHA-1
certificates, and Firefox issues no warning (except in the web console),
let alone refuses the connection.
-Ognjen
Re: Need configuration example for Tomcat 7.0.55 TLS configuration
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tom,
On 4/6/15 10:15 PM, Tom Williamson wrote:
> Thank you (and the others who responded). I was tearing my hair
> out trying to fix this. Some background (if anyone cares):
>
> I have a small private site protected by SSL, which has run fine
> for 2 years with no maintenance at all. A couple of months ago,
> after a Chrome update, it became inaccessible using Chrome. I
> switched to Firefox to access it. Last Friday, it became
> inaccessible using Firefox. The browser error messages indicated
> that my site's encryption was no longer acceptable:
>
> Chrome said: "A secure connection cannot be established because
> this site uses an unsupported protocol. Error code:
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
>
> Firefox said: "Cannot communicate securely with peer: no common
> encryption algorithm(s). (Error code:
> ssl_error_no_cypher_overlap)"
>
> Naturally, this pointed me in the direction of trying to change
> the cipher settings of my site. SSL/TLS cipher settings and the
> whole SSL scheme are, shall we say, not clearly documented for
> someone who administers Tomcat once every two years.
Something like this?
http://wiki.apache.org/tomcat/Security/Ciphers
> After a weekend of ripping out clumps of my hair and swearing at my
> computer, nothing had worked. In desperation, before upgrading
> Java and Tomcat, I tried regenerating my self-signed certificate
> with new settings (SHA256 instead of SHA1) and that seems to have
> solved the problem. Moral of the story: Take browser error
> messages with a large grain of salt.
The cipher-mismatch was probably solved by something you changed in
your configuration. Re-generating the TLS certificate might have ended
some of the warnings about certs with a SHA-1 signature, but the
cipher-mismatch is a different beast and probably more important.
-chris
> -----Original Message-----
> From: Terence M. Bandoian
> Sent: Monday, April 06, 2015 12:21 PM
> To: Tomcat Users List
> Subject: Re: Need configuration example for Tomcat 7.0.55 TLS configuration
>
> On 4/6/2015 2:11 AM, Ognjen Blagojevic wrote:
>> Tom,
>>
>> On 5.4.2015 3:06, Tom Williamson wrote:
>>> I would like to know if anyone has a working example of getting
>>> TLS 1.2 working on Tomcat 7.0.55, so that it can be accessed by
>>> the latest version of Chrome and Firefox.
>>
>> Which version of Java do you use? Make sure it is Java 7 or 8,
>> and if you haven't already upgraded, then upgrade to the latest
>> released version.
>>
>> Could you clarify whether you need TLSv1.2 only, or TLSv1.2
>> among other TLS versions (v1 and v1.1)?
>>
>>
>>> <Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> keystoreFile="/path/mykeystore" keystorePass="password"
>>> clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLS"
>>> />
>>
>> By specifying protocol="HTTP/1.1" you are using connector
>> auto-detection. Depending on the existence of the Tomcat native
>> DLL, Tomcat will automatically select between the APR connector
>> and the JSSE connector. Those two connectors have completely
>> different sets of options. The options you are using
>> (keystoreFile, keystorePass) clearly indicate you wish to use
>> JSSE connectors. Therefore, to rule out present and future
>> auto-detection problems, I would recommend that you explicitly
>> specify the connector you wish to use. E.g. for the JSSE BIO
>> connector that would be:
>>
>> protocol="org.apache.coyote.http11.Http11Protocol"
>>
>>
>> Next, sslEnabledProtocols should specify exact TLS versions, so
>> if you need only TLSv1.2 use:
>>
>> sslEnabledProtocols="TLSv1.2"
>>
>> and if you need e.g. all three versions, then omit the
>> sslEnabledProtocols attribute, or use:
>>
>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>
>>
>>> So far based on the Tomcat 7.0 docs, I have tried the
>>> following configuration changes:
>>>
>>> sslEnabledProtocols="TLS" sslEnabledProtocols="TLSv1"
>>> sslEnabledProtocols="TLSv1.1" sslEnabledProtocols="TLSv1.2"
>>> sslEnabledProtocols="TLSv1.1,TLSv1.2"
>>
>> Except for the first one, all other examples should be working.
>>
>>
>>> With most of these, I don't get any error in the console (I
>>> have logging set to ALL), but I also have not been able to get
>>> either Chrome or Firefox to connect.
>>>
>>> I have also tried various combinations of "sslProtocols=" and
>>> "cipher=", also with no luck.
>>>
>>> Can anyone post a sample <connector> configuration that works?
>>
>> Try this:
>>
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11Protocol"
>> SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>> clientAuth="false" keystoreFile="/path/mykeystore"
>> keystorePass="password" sslProtocol="TLS"
>> sslEnabledProtocols="TLSv1.2" />
>>
>> BTW, the attribute name is "ciphers", not "cipher".
>>
>> -Ognjen
>>
>
>
> Nicely done!
>
> -Terence Bandoian
>
>
Re: Need configuration example for Tomcat 7.0.55 TLS configuration
Posted by Tom Williamson <to...@cox.net>.
Thank you (and the others who responded). I was tearing my hair out trying
to fix this. Some background (if anyone cares):
I have a small private site protected by SSL, which has run fine for 2 years
with no maintenance at all. A couple of months ago, after a Chrome update,
it became inaccessible using Chrome. I switched to Firefox to access it.
Last Friday, it became inaccessible using Firefox. The browser error
messages indicated that my site's encryption was no longer acceptable:
Chrome said: "A secure connection cannot be established because this site
uses an unsupported protocol. Error code:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Firefox said: "Cannot communicate securely with peer: no common encryption
algorithm(s). (Error code: ssl_error_no_cypher_overlap)"
Naturally, this pointed me in the direction of trying to change the cipher
settings of my site. SSL/TLS cipher settings and the whole SSL scheme are,
shall we say, not clearly documented for someone who administers Tomcat once
every two years. After a weekend of ripping out clumps of my hair and
swearing at my computer, nothing had worked. In desperation, before
upgrading Java and Tomcat, I tried regenerating my self-signed certificate
with new settings (SHA256 instead of SHA1) and that seems to have solved the
problem. Moral of the story: Take browser error messages with a large
grain of salt.
Thanks again.
-----Original Message-----
From: Terence M. Bandoian
Sent: Monday, April 06, 2015 12:21 PM
To: Tomcat Users List
Subject: Re: Need configuration example for Tomcat 7.0.55 TLS configuration
On 4/6/2015 2:11 AM, Ognjen Blagojevic wrote:
> Tom,
>
> On 5.4.2015 3:06, Tom Williamson wrote:
>> I would like to know if anyone has a working example of getting TLS 1.2
>> working on Tomcat 7.0.55, so that it can be accessed by the latest
>> version of Chrome and Firefox.
>
> Which version of Java do you use? Make sure it is Java 7 or 8, and if you
> haven't already upgraded, then upgrade to the latest released version.
>
> Could you clarify whether you need TLSv1.2 only, or TLSv1.2 among
> other TLS versions (v1 and v1.1)?
>
>
>> <Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> keystoreFile="/path/mykeystore"
>> keystorePass="password"
>> clientAuth="false"
>> sslProtocol="TLS"
>> sslEnabledProtocols="TLS" />
>
> By specifying protocol="HTTP/1.1" you are using connector auto-detection.
> Depending on the existence of the Tomcat native DLL, Tomcat will
> automatically select between the APR connector and the JSSE connector.
> Those two connectors have completely different sets of options. The
> options you are using (keystoreFile, keystorePass) clearly indicate you
> wish to use JSSE connectors. Therefore, to rule out present and future
> auto-detection problems, I would recommend that you explicitly specify
> the connector you wish to use. E.g. for the JSSE BIO connector that would be:
>
> protocol="org.apache.coyote.http11.Http11Protocol"
>
>
> Next, sslEnabledProtocols should specify exact TLS versions, so if you
> need only TLSv1.2 use:
>
> sslEnabledProtocols="TLSv1.2"
>
> and if you need e.g. all three versions, then omit the
> sslEnabledProtocols attribute, or use:
>
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>
>
>> So far based on the Tomcat 7.0 docs, I have tried the following
>> configuration changes:
>>
>> sslEnabledProtocols="TLS"
>> sslEnabledProtocols="TLSv1"
>> sslEnabledProtocols="TLSv1.1"
>> sslEnabledProtocols="TLSv1.2"
>> sslEnabledProtocols="TLSv1.1,TLSv1.2"
>
> Except for the first one, all other examples should be working.
>
>
>> With most of these, I don't get any error in the console (I have logging
>> set to ALL), but I also have not been able to get either Chrome or
>> Firefox to connect.
>>
>> I have also tried various combinations of "sslProtocols=" and "cipher=",
>> also with no luck.
>>
>> Can anyone post a sample <connector> configuration that works?
>
> Try this:
>
> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false"
> keystoreFile="/path/mykeystore"
> keystorePass="password"
> sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2" />
>
> BTW, the attribute name is "ciphers", not "cipher".
>
> -Ognjen
>
Nicely done!
-Terence Bandoian
Re: Need configuration example for Tomcat 7.0.55 TLS configuration
Posted by David Wall <d....@computer.org>.
We're on Tomcat 8 with Java 8, so it has more options for ciphers, but
this is what we use:
<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
    connectionTimeout="20000" acceptorThreadCount="2"
    URIEncoding="UTF-8"
    maxThreads="100" scheme="https" secure="true"
    compression="on"
    compressableMimeType="text/html,text/xml,text/plain,application/xml,application/json,application/javascript,application/pdf"
    keystoreFile="tomcatKeystoreFileName"
    keystorePass="PUT YOUR KEYSTORE PASSWORD HERE"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
             TLS_RSA_WITH_AES_256_GCM_SHA384,
             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
             TLS_RSA_WITH_AES_128_GCM_SHA256,
             TLS_RSA_WITH_AES_256_CBC_SHA256,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
             TLS_RSA_WITH_AES_256_CBC_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />
As I understand it, we no longer can be connected by IE6 or even Java 6
clients because they won't have the ciphers required.
Hope that helps some even if a bit off the main question of using Tomcat
7 (though I see no advantage to using the older one unless there's some
problem).
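To turn a cipher list like the one above into a check rather than a guess, here is an added example (not from David's post or from Tomcat) that parses a `ciphers` attribute value, flags suites that lack forward secrecy, use CBC mode, or use 3DES, and proposes an ordering that puts forward-secret AEAD suites first. The classification rules are this example's own simplifications, and the input is the list posted above.

```python
"""Assess a Tomcat 'ciphers' attribute value (JSSE suite names).

Added example, not code from the thread: the rules below are a
simplified view (forward secrecy, AEAD vs CBC, legacy bulk ciphers).
"""
import re

# The cipher list as posted by David Wall above. Tomcat tolerates
# whitespace and newlines inside the attribute value, so we strip them.
POSTED_CIPHERS = """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA"""

# JSSE names follow <prefix>_<key exchange>_WITH_<bulk cipher>_<MAC/PRF>.
SUITE_RE = re.compile(
    r"^(?P<prefix>TLS|SSL)_(?P<kx>ECDHE_RSA|ECDHE_ECDSA|DHE_RSA|DHE_DSS|RSA)"
    r"_WITH_(?P<cipher>.+?)_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)


def parse_cipher_attr(value):
    """Split the attribute value into suite names, ignoring whitespace."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def assess_suite(name):
    """Return a list of findings for one suite (empty means no concern)."""
    m = SUITE_RE.match(name)
    if not m:
        return ["unrecognised suite name"]
    kx, cipher, prefix = m.group("kx"), m.group("cipher"), m.group("prefix")
    findings = []
    if not kx.startswith(("ECDHE", "DHE")):
        findings.append("static RSA key exchange: no forward secrecy")
    if "3DES" in cipher or "RC4" in cipher:
        findings.append("legacy bulk cipher " + cipher)
    if "CBC" in cipher:
        findings.append("CBC mode rather than AEAD (GCM)")
    if prefix == "SSL":
        findings.append("SSL_-prefixed legacy name")
    return findings


def assess_ciphers(value):
    """Map every suite in the attribute value to its findings."""
    return {s: assess_suite(s) for s in parse_cipher_attr(value)}


def has_pfs(name):
    m = SUITE_RE.match(name)
    return bool(m) and m.group("kx").startswith(("ECDHE", "DHE"))


def preferred_order(value):
    """Drop legacy/unrecognised suites; rank PFS+AEAD, then PFS, then AEAD, then rest."""
    suites = [s for s in parse_cipher_attr(value)
              if not any(f.startswith(("legacy bulk", "unrecognised"))
                         for f in assess_suite(s))]

    def rank(s):
        aead = "_GCM_" in s
        return 0 if has_pfs(s) and aead else 1 if has_pfs(s) else 2 if aead else 3

    return sorted(suites, key=rank)  # stable sort keeps posted order within a tier


if __name__ == "__main__":
    for suite, found in assess_ciphers(POSTED_CIPHERS).items():
        print(suite, "->", "; ".join(found) or "ok")
    print("\n".join(preferred_order(POSTED_CIPHERS)))
```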
Re: Need configuration example for Tomcat 7.0.55 TLS configuration
Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 4/6/2015 2:11 AM, Ognjen Blagojevic wrote:
> Tom,
>
> On 5.4.2015 3:06, Tom Williamson wrote:
>> I would like to know if anyone has a working example of getting TLS 1.2
>> working on Tomcat 7.0.55, so that it can be accessed by the latest
>> version of Chrome and Firefox.
>
> Which version of Java do you use? Make sure it is Java 7 or 8, and if
> you haven't already upgraded, then upgrade to the latest released version.
>
> Could you clarify whether you need TLSv1.2 only, or TLSv1.2 among
> other TLS versions (v1 and v1.1)?
>
>
>> <Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> keystoreFile="/path/mykeystore"
>> keystorePass="password"
>> clientAuth="false"
>> sslProtocol="TLS"
>> sslEnabledProtocols="TLS" />
>
> By specifying protocol="HTTP/1.1" you are using connector
> auto-detection. Depending on the existence of the Tomcat native DLL,
> Tomcat will automatically select between the APR connector and the
> JSSE connector. Those two connectors have completely different sets
> of options. The options you are using (keystoreFile, keystorePass)
> clearly indicate you wish to use JSSE connectors. Therefore, to rule
> out present and future auto-detection problems, I would recommend that
> you explicitly specify the connector you wish to use. E.g. for the
> JSSE BIO connector that would be:
>
> protocol="org.apache.coyote.http11.Http11Protocol"
>
>
> Next, sslEnabledProtocols should specify exact TLS versions, so if you
> need only TLSv1.2 use:
>
> sslEnabledProtocols="TLSv1.2"
>
> and if you need e.g. all three versions, then omit the
> sslEnabledProtocols attribute, or use:
>
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>
>
>> So far based on the Tomcat 7.0 docs, I have tried the following
>> configuration changes:
>>
>> sslEnabledProtocols="TLS"
>> sslEnabledProtocols="TLSv1"
>> sslEnabledProtocols="TLSv1.1"
>> sslEnabledProtocols="TLSv1.2"
>> sslEnabledProtocols="TLSv1.1,TLSv1.2"
>
> Except for the first one, all other examples should be working.
>
>
>> With most of these, I don't get any error in the console (I have logging
>> set to ALL), but I also have not been able to get either Chrome or
>> Firefox to connect.
>>
>> I have also tried various combinations of "sslProtocols=" and "cipher=",
>> also with no luck.
>>
>> Can anyone post a sample <connector> configuration that works?
>
> Try this:
>
> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false"
> keystoreFile="/path/mykeystore"
> keystorePass="password"
> sslProtocol="TLS"
> sslEnabledProtocols="TLSv1.2" />
>
> BTW, the attribute name is "ciphers", not "cipher".
>
> -Ognjen
>
Nicely done!
-Terence Bandoian
Re: Need configuration example for Tomcat 7.0.55 TLS configuration
Posted by Ognjen Blagojevic <og...@gmail.com>.
Tom,
On 5.4.2015 3:06, Tom Williamson wrote:
> I would like to know if anyone has a working example of getting TLS 1.2
> working on Tomcat 7.0.55, so that it can be accessed by the latest
> version of Chrome and Firefox.
Which version of Java do you use? Make sure it is Java 7 or 8, and if
you haven't already upgraded, then upgrade to the latest released version.
Could you clarify whether you need TLSv1.2 only, or TLSv1.2 among
other TLS versions (v1 and v1.1)?
> <Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="/path/mykeystore"
> keystorePass="password"
> clientAuth="false"
> sslProtocol="TLS"
> sslEnabledProtocols="TLS" />
By specifying protocol="HTTP/1.1" you are using connector auto-detection.
Depending on the existence of the Tomcat native DLL, Tomcat will
automatically select between the APR connector and the JSSE connector.
Those two connectors have completely different sets of options. The
options you are using (keystoreFile, keystorePass) clearly indicate you
wish to use JSSE connectors. Therefore, to rule out present and future
auto-detection problems, I would recommend that you explicitly specify
the connector you wish to use. E.g. for the JSSE BIO connector that would be:
protocol="org.apache.coyote.http11.Http11Protocol"
Next, sslEnabledProtocols should specify exact TLS versions, so if you
need only TLSv1.2 use:
sslEnabledProtocols="TLSv1.2"
and if you need e.g. all three versions, then omit the
sslEnabledProtocols attribute, or use:
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> So far based on the Tomcat 7.0 docs, I have tried the following
> configuration changes:
>
> sslEnabledProtocols="TLS"
> sslEnabledProtocols="TLSv1"
> sslEnabledProtocols="TLSv1.1"
> sslEnabledProtocols="TLSv1.2"
> sslEnabledProtocols="TLSv1.1,TLSv1.2"
Except for the first one, all other examples should be working.
> With most of these, I don't get any error in the console (I have logging
> set to ALL), but I also have not been able to get either Chrome or
> Firefox to connect.
>
> I have also tried various combinations of "sslProtocols=" and "cipher=",
> also with no luck.
>
> Can anyone post a sample <connector> configuration that works?
Try this:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false"
keystoreFile="/path/mykeystore"
keystorePass="password"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2" />
BTW, the attribute name is "ciphers", not "cipher".
-Ognjen
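The checks Ognjen lists (name the connector class explicitly instead of relying on protocol="HTTP/1.1" auto-detection, give sslEnabledProtocols exact version names rather than "TLS", and spell the attribute "ciphers") can be applied to a server.xml mechanically. The following is an added example, not code from the thread or from Tomcat; the two fragments it lints are constructed from the connectors posted above, with the "cipher" attribute Tom mentions trying added to the first, and the APR class name is assumed to be org.apache.coyote.http11.Http11AprProtocol.

```python
"""Lint the TLS Connector elements of a Tomcat 7 server.xml.

Added example, not from the thread or from Tomcat: it encodes the
advice given in the reply above as simple attribute checks.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: Tom's connector as posted, plus the "cipher"
# attribute name he mentions trying (Tomcat ignores unknown attributes).
ORIGINAL = """<Server><Service name="Catalina">
<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/path/mykeystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLS" cipher="TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

# Constructed fragment: the connector Ognjen suggests above.
SUGGESTED = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" keystoreFile="/path/mykeystore"
           keystorePass="password" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"/>
</Service></Server>"""

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"  # assumed class name
JSSE_ONLY_ATTRS = {"keystoreFile", "keystorePass", "ciphers", "sslEnabledProtocols"}
# Assumption for this lint: only exact TLS version names are acceptable.
VALID_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
MISSPELLINGS = {"cipher": "ciphers", "sslProtocols": "sslEnabledProtocols"}


def lint_connector(conn):
    """Return a list of findings for one <Connector> element (empty = clean)."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing TLS-related to check
    proto = conn.get("protocol", "HTTP/1.1")
    if proto == "HTTP/1.1":
        findings.append('protocol="HTTP/1.1" auto-selects APR or JSSE; '
                        'name the connector class explicitly')
    elif proto == APR_PROTOCOL and JSSE_ONLY_ATTRS & set(conn.keys()):
        findings.append("APR connector configured with JSSE-only attributes")
    for wrong, right in MISSPELLINGS.items():
        if wrong in conn.keys():
            findings.append(f'attribute "{wrong}" is not recognised; use "{right}"')
    enabled = conn.get("sslEnabledProtocols")
    if enabled is not None:
        for v in (x.strip() for x in enabled.split(",")):
            if v not in VALID_VERSIONS:
                findings.append(f'sslEnabledProtocols value "{v}" is not an exact TLS version')
    return findings


def lint_server_xml(xml_text):
    """Map each Connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector")}


if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for port, found in lint_server_xml(doc).items():
            print(label, port, "->", found or "clean")
```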