Posted to users@tomcat.apache.org by "BANGERTER, Eric (SQLI)" <er...@airbus.com> on 2017/03/28 15:38:33 UTC

Apache Tomcat/8.0.36 HTTPS implementation - Red Hat Enterprise Linux Server release 6.8 (Santiago)

Dear all,


I need to implement a secure connection within Tomcat. That's why I need to install a certificate on Tomcat.
I've made a CSR in order for my company to provide me with certificates and a CA.
I've implemented the configuration in Tomcat to activate HTTPS using my keystore.
But now when I connect to Tomcat my browser warns me like this:


This page can't be displayed: Turn on TLS 1.0, TLS 1.1 and TLS 1.2 in advanced settings...
It is possible that this site uses an unsupported protocol or cipher suite such as RC4.


Here is my connector configuration:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
         maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
         keystoreFile="/local/home/root_168563/.keystore" keystorePass="changeit"
         clientAuth="false"  />


Thanks in advance.




Re: Apache Tomcat/8.0.36 HTTPS implementation - Red Hat Enterprise Linux Server release 6.8 (Santiago)

Posted by "Kreuser, Peter" <pk...@airplus.com>.
Hi Eric,

> Dear all,
> 
> 
> I need to implement a secure connection within Tomcat. That's why I need to install a certificate on Tomcat.
> I've made a CSR in order for my company to provide me with certificates and a CA.
> I've implemented the configuration in Tomcat to activate HTTPS using my keystore.
> But now when I connect to Tomcat my browser warns me like this:
> 
> 
> This page can't be displayed: Turn on TLS 1.0, TLS 1.1 and TLS 1.2 in advanced settings...
> It is possible that this site uses an unsupported protocol or cipher suite such as RC4.
> 
> 
> Here is my connector configuration:
> 
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>          maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
>          keystoreFile="/local/home/root_168563/.keystore" keystorePass="changeit"
>          clientAuth="false"  />
> 
> 
> Thanks in advance.
>

Your connector settings may be incomplete. Do you see anything on the console or catalina.out? It should show an exception when the Connector fails to initialize.

    <Connector
      port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol" <-- OK Nio2 in your case
      server="Apache Tomcat"
      SSLEnabled="true"
      allowTrace="false"
      maxThreads="150"
      scheme="https"
      secure="true"
      useServerCipherSuitesOrder="true" <<-- important
      clientAuth="false"
      sslEnabledProtocols="TLSv1.0, TLSv1.1, TLSv1.2"   <<-- you should leave TLSv1.0 out if possible
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" <<-- Ciphers are based on Hynek Schlawack's suggestions https://hynek.me
      useBodyEncodingForURI="true"
      keystoreFile="/local/home/root_168563/.keystore"
      keystorePass="changeit"
      keyAlias="<your alias>"
    />

Did you check that the cert is in the keystore, with the expected alias? Is it the private key?

Then your possible protocols and ciphers depend heavily on your java version. Which version do you use? 

Please provide more info and I will gladly help.

Best regards

Peter
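The checklist in the reply above (explicit sslEnabledProtocols without TLSv1.0, useServerCipherSuitesOrder, an explicit keyAlias, no RC4-class suites) as an added lint script; it is not from the thread or the Tomcat project. The two sample connectors are constructed from the question and the reply, with the reply's cipher list shortened, and the weak-suite markers and the "first key entry" / "changeit" defaults are the script's own assumptions about Tomcat 8.0 behaviour.

```python
import xml.etree.ElementTree as ET

# Substrings that mark cipher suites a modern browser will refuse or that should not be offered.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "anon", "EXPORT", "DES", "MD5")
# JSSE spells TLS 1.0 as "TLSv1"; "TLSv1.0" is listed too in case the attribute is written that way.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.0"}

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def lint_connector(xml_text):
    """Return a list of findings for one <Connector .../> element; an empty list means clean."""
    attrs = ET.fromstring(xml_text).attrib
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        findings.append("SSLEnabled is not true: the connector speaks plain HTTP")
    protocols = attrs.get("sslEnabledProtocols")
    if protocols is None:
        findings.append("sslEnabledProtocols not set: the JVM default decides which TLS versions are offered")
    else:
        legacy = sorted(set(_split(protocols)) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
    ciphers = attrs.get("ciphers")
    if ciphers is None:
        findings.append("ciphers not set: the JVM default cipher list applies")
    else:
        weak = [c for c in _split(ciphers) if any(m in c for m in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append("weak cipher suites listed: " + ", ".join(weak))
    if attrs.get("useServerCipherSuitesOrder", "false").lower() != "true":
        findings.append("useServerCipherSuitesOrder is not true: the client's preference order wins")
    if not attrs.get("keyAlias"):
        findings.append("keyAlias not set: Tomcat uses the first key entry it finds in the keystore")
    if attrs.get("keystorePass", "changeit") == "changeit":
        findings.append("keystorePass is the Java default 'changeit'")
    return findings

# Constructed from the connector posted in the question.
ORIGINAL = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/local/home/root_168563/.keystore" keystorePass="changeit" clientAuth="false" />"""
# Constructed from the reply, with TLSv1.0 dropped as it advises and the cipher list shortened.
HARDENED = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    SSLEnabled="true" scheme="https" secure="true" useServerCipherSuitesOrder="true"
    sslEnabledProtocols="TLSv1.1,TLSv1.2" keyAlias="tomcat" keystorePass="REPLACE_ME"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />"""
```

Run `lint_connector` on the `<Connector>` element copied out of server.xml; the original connector from the question yields five findings and the hardened one none.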
