Posted to users@tomcat.apache.org by Thomas Delaney <td...@gmail.com> on 2017/12/20 23:56:22 UTC

Apache Tomcat 8.5.24 SSL Configuration

Greetings,

I am having trouble regarding google chrome's behavior to Apache Tomcat's
SSL setup. I have been successful getting an ssl website to work with
Apache HTTP web server, but not Apache Tomcat 8.5.24 on google chrome.
Mozilla Firefox brings me to my site with no problem.

When going to https://mydomain.com:8443 I receive a message from Google
Chrome.

Google Chrome Error -
This site can’t provide a secure connection
mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol
The client and server don't support a common SSL protocol version or cipher
suite.

When checking Google Chrome's Browser console in the security tab I
receive:
Page is not secure
Valid certificate
secure resources

Here is the following background info I have for the configuration I gave
Apache Tomcat when setting up the 8443 connector

Chrome Version 63.0.3239.108 (Official Build) (64-bit)

Linux OS: SUSE Enterprise 12 sp1

Packages installed:

- OpenSSL 1.0.2n  7 Dec 2017
- jdk version 1.7.0_79
- tomcat version -> apache-tomcat-8.5.24
- apr-1.6.3
- tomcat-native-1.2.16-src

Server.xml apr connector (Certificates are signed from GoDaddy and are
placed in the conf directory of Apache Tomcat):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true"
           defaultSSLHostConfigName="mydomain.com">
    <SSLHostConfig hostName="mydomain.com"
                   protocols="TLSv1,TLSv1.1,TLSv1.2">
        <Certificate certificateKeyFile="conf/server.key"
                     certificateFile="conf/server.crt"
                     certificateChainFile="conf/CA_server_bundle.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>


hostname displays properly when typing command: hostname -f and/or typing:
cat /etc/HOSTNAME on the linux server
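A small audit of the connector configuration posted above, written here as an added example; it is not code from this thread or from the Tomcat project. It parses a copy of the posted <Connector>, resolves the protocols attribute, flags the legacy versions (TLSv1 and TLSv1.1 are enabled here), checks that defaultSSLHostConfigName really names an SSLHostConfig, and verifies that the three certificate files exist, are readable and that the key file is not group- or world-readable. Assumptions: relative certificate paths resolve against CATALINA_BASE (passed in as base_dir), and the "all" alias expands to SSLv2Hello, TLSv1, TLSv1.1 and TLSv1.2 as documented for Tomcat 8.5.

```python
"""Audit a Tomcat <Connector>/<SSLHostConfig> for the settings discussed in this thread.

Added example, not code from the mailing list or the Tomcat project.
Assumptions: relative certificate paths resolve against CATALINA_BASE (base_dir),
and the "all" protocol alias expands as documented for Tomcat 8.5.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Copy of the connector from the original post (mydomain.com is the poster's placeholder).
SERVER_XML_SNIPPET = """\
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="mydomain.com">
    <SSLHostConfig hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
        <Certificate certificateKeyFile="conf/server.key"
                     certificateFile="conf/server.crt"
                     certificateChainFile="conf/CA_server_bundle.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
"""

# What Tomcat 8.5 enables for protocols="all" (assumption: later releases add TLSv1.3).
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Versions a defender would not want reachable on a new deployment.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CERT_ATTRS = ("certificateKeyFile", "certificateFile", "certificateChainFile")


def expand_protocols(spec):
    """Resolve a 'protocols' attribute ("all", "+X", "-X", plain comma list) to a set."""
    enabled = set()
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("+"):
            enabled.add(token[1:])
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token)
    return enabled


def parse_connector(xml_text):
    """Return (defaultSSLHostConfigName, [host config dicts]) for one <Connector> element."""
    conn = ET.fromstring(xml_text)
    default_name = conn.get("defaultSSLHostConfigName", "_default_")
    configs = []
    for shc in conn.findall("SSLHostConfig"):
        configs.append({
            "hostName": shc.get("hostName", "_default_"),
            "protocols": expand_protocols(shc.get("protocols", "all")),
            "certificates": [dict(cert.attrib) for cert in shc.findall("Certificate")],
        })
    return default_name, configs


def check_cert_files(cert, base_dir):
    """Existence, readability and key-file permission checks for one <Certificate>."""
    problems = []
    for attr in CERT_ATTRS:
        rel = cert.get(attr)
        if rel is None:
            continue
        path = rel if os.path.isabs(rel) else os.path.join(base_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"{attr}: {path} does not exist")
            continue
        if not os.access(path, os.R_OK):
            problems.append(f"{attr}: {path} is not readable by this user")
        if attr == "certificateKeyFile":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                problems.append(f"{attr}: {path} is readable by group/others (mode {mode:04o})")
    return problems


def audit(xml_text, base_dir):
    """Collect findings: name mismatch, legacy protocols, and certificate file problems."""
    default_name, configs = parse_connector(xml_text)
    names = [cfg["hostName"] for cfg in configs]
    findings = []
    if default_name.strip() not in names:
        findings.append(f"defaultSSLHostConfigName {default_name!r} matches no SSLHostConfig hostName {names}")
    elif default_name != default_name.strip():
        findings.append(f"defaultSSLHostConfigName {default_name!r} carries stray whitespace (wrapped attribute?)")
    for cfg in configs:
        legacy = sorted(cfg["protocols"] & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"{cfg['hostName']}: legacy protocols enabled: {', '.join(legacy)}")
        if not cfg["protocols"] & {"TLSv1.2", "TLSv1.3"}:
            findings.append(f"{cfg['hostName']}: neither TLSv1.2 nor TLSv1.3 is enabled; current browsers will not connect")
        for cert in cfg["certificates"]:
            findings.extend(f"{cfg['hostName']}: {p}" for p in check_cert_files(cert, base_dir))
    return findings


if __name__ == "__main__":
    for finding in audit(SERVER_XML_SNIPPET, os.environ.get("CATALINA_BASE", ".")):
        print(finding)
```

Run it from CATALINA_BASE (or with CATALINA_BASE set) so the conf/ paths resolve the same way Tomcat resolves them; the "stray whitespace" finding catches the case where a mail client or editor wrapped the attribute value onto a new line, since XML keeps that whitespace inside the value.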

Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by Peter Kreuser <lo...@kreuser.name>.

Thomas,

> Am 22.12.2017 um 15:38 schrieb Thomas Delaney <td...@gmail.com>:
> 
> I apologize for the poor grammar in my last response and extra email. The
> site I have setup is internal only. I will not be able to test the site
> using SSL Labs.
> 

You may try https://testssl.sh and download the script from there.
That works in internal networks.

It even simulates connects with different clients (eg Chrome)

Peter

> On Fri, Dec 22, 2017 at 9:37 AM, Thomas Delaney <td...@gmail.com>
> wrote:
> 
>> The site is internal so I won't be able to check via ssllabs
>> 
>>> On Thu, Dec 21, 2017 at 5:36 PM, George S. <ge...@mhsoftware.com> wrote:
>>> 
>>>> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>>>> 
>>>> Thank you for the input so far!
>>>> 
>>>> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
>>>> receive the same result
>>>> 
>>>> when running the openssl s_client command I received this as the Cipher
>>>> and
>>>> SSL version
>>>> Protocol  : TLSv1.2
>>>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>> 
>>>> I also get a message saying  "verify error:num=20:unable to get local
>>>> issuer certificate"
>>>> "Verify return code: 20 (unable to get local issuer certificate)"
>>>> 
>>> 
>>> I second Chris Schultz's recommendation that you run the site through the
>>> SSL Labs testing site and see what it points out. It's going to check a lot
>>> more things right off the bat and display them in an easier format:
>>> 
>>> https://www.ssllabs.com/ssltest/
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>>>> chris@christopherschultz.net> wrote:
>>>> 
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA256
>>>>> 
>>>>> Peter,
>>>>> 
>>>>>> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>>>>> 
>>>>>> Hi Thomas,
>>>>>> 
>>>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>>>>>>> <td...@gmail.com>:
>>>>>>> 
>>>>>>> Greetings,
>>>>>>> 
>>>>>>> I am having trouble regarding google chrome's behavior to Apache
>>>>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>>>>> problem.
>>>>>>> 
>>>>>>> When going to https://mydomain.com:8443 I receive a message from
>>>>>>> Google Chrome.
>>>>>>> 
>>>>>>> Google Chrome Error - This site can’t provide a secure
>>>>>>> connection mydomain.com uses an unsupported protocol.
>>>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>>>> 
>>>>>>> Unsupported protocol The client and server don't support a common
>>>>>>> SSL protocol version or cipher suite.
>>>>>>> 
>>>>>>> When checking Google Chrome's Browser console in the security tab
>>>>>>> I receive: Page is not secure Valid certificate secure resources
>>>>>>> 
>>>>>>> Here is the following background info I have for the
>>>>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>>>>> connector
>>>>>>> 
>>>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>>>> 
>>>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>>>> 
>>>>>>> Packages installed:
>>>>>>> 
>>>>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>>>>>> 
>>>>>> That may be the culprit.
>>>>>> 
>>>>>> Apparently this (old) version of Java7 will not provide in the
>>>>>> default modern ciphers that Chrome requires. And the config is
>>>>>> using the JSSE SSL implementation. But as you have TC Native and
>>>>>> openssl 1.0.2 you should switch to openssl.
>>>>>> 
>>>>> This probably isn't the problem since Thomas is using the APR
>>>>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>>>>> not relevant.
>>>>> 
>>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>>>>>> tomcat-native-1.2.16-src
>>>>>>> 
>>>>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>>>>> and are placed in the conf directory of Apache Tomcat):
>>>>>>> 
>>>>>>> <Connector port="8443"
>>>>>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>>>>>> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
>>>>>>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>>>>>>> certificateKeyFile="conf/server.key"
>>>>>>> certificateFile="conf/server.crt"
>>>>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>>>>> </SSLHostConfig> </Connector>
>>>>>>> 
>>>>>> This looks okay to me. If you start Tomcat and then use "openssl
>>>>> s_client -connect <hostname>:<port>", does openssl connect? It should
>>>>> report the protocol and cipher suite being used to connect.
>>>>> 
>>>>> If your server is externally-accessible, consider using an external TLS
>>>>> capabilities scanner such as that from Qualys,
>>>>> https://www.ssllabs.com/ssltest/
>>>>> 
>>>>> - -chris
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Comment: GPGTools - http://gpgtools.org
>>>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>>> 
>>>>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo
>>>>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc
>>>>> eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf
>>>>> 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr
>>>>> W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+
>>>>> ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1
>>>>> noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY
>>>>> O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp
>>>>> 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF
>>>>> mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c
>>>>> nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha
>>>>> 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e
>>>>> /aq7VBV+GiEaWzZweAi8/k4R3wk=
>>>>> =DEHk
>>>>> -----END PGP SIGNATURE-----
>>>>> 
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>> 
>>>>> 
>>>>> 
>>> --
>>> George S.
>>> *MH Software, Inc.*
>>> 
>>> Voice: 303 438 9585
>>> http://www.mhsoftware.com
>>> 
>> 
>> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by Thomas Delaney <td...@gmail.com>.
I apologize for the poor grammar in my last response and extra email. The
site I have setup is internal only. I will not be able to test the site
using SSL Labs.

On Fri, Dec 22, 2017 at 9:37 AM, Thomas Delaney <td...@gmail.com>
wrote:

> The site is internal so I won't be able to check via ssllabs
>
> On Thu, Dec 21, 2017 at 5:36 PM, George S. <ge...@mhsoftware.com> wrote:
>
>> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>>
>>> Thank you for the input so far!
>>>
>>> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
>>> receive the same result
>>>
>>> when running the openssl s_client command I received this as the Cipher
>>> and
>>> SSL version
>>> Protocol  : TLSv1.2
>>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>
>>> I also get a message saying  "verify error:num=20:unable to get local
>>> issuer certificate"
>>> "Verify return code: 20 (unable to get local issuer certificate)"
>>>
>>
>> I second Chris Schultz's recommendation that you run the site through the
>> SSL Labs testing site and see what it points out. It's going to check a lot
>> more things right off the bat and display them in an easier format:
>>
>> https://www.ssllabs.com/ssltest/
>>
>>
>>
>>
>>
>>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>>> chris@christopherschultz.net> wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> Peter,
>>>>
>>>> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>>>
>>>>> Hi Thomas,
>>>>>
>>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>>>>>> <td...@gmail.com>:
>>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> I am having trouble regarding google chrome's behavior to Apache
>>>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>>>> problem.
>>>>>>
>>>>>> When going to https://mydomain.com:8443 I receive a message from
>>>>>> Google Chrome.
>>>>>>
>>>>>> Google Chrome Error - This site can’t provide a secure
>>>>>> connection mydomain.com uses an unsupported protocol.
>>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>>>
>>>>>> Unsupported protocol The client and server don't support a common
>>>>>> SSL protocol version or cipher suite.
>>>>>>
>>>>>> When checking Google Chrome's Browser console in the security tab
>>>>>> I receive: Page is not secure Valid certificate secure resources
>>>>>>
>>>>>> Here is the following background info I have for the
>>>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>>>> connector
>>>>>>
>>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>>>
>>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>>>
>>>>>> Packages installed:
>>>>>>
>>>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>>>>>
>>>>> That may be the culprit.
>>>>>
>>>>> Apparently this (old) version of Java7 will not provide in the
>>>>> default modern ciphers that Chrome requires. And the config is
>>>>> using the JSSE SSL implementation. But as you have TC Native and
>>>>> openssl 1.0.2 you should switch to openssl.
>>>>>
>>>> This probably isn't the problem since Thomas is using the APR
>>>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>>>> not relevant.
>>>>
>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>>>>> tomcat-native-1.2.16-src
>>>>>>
>>>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>>>> and are placed in the conf directory of Apache Tomcat):
>>>>>>
>>>>>> <Connector port="8443"
>>>>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>>>>> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
>>>>>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>>>>>> certificateKeyFile="conf/server.key"
>>>>>> certificateFile="conf/server.crt"
>>>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>>>> </SSLHostConfig> </Connector>
>>>>>>
>>>>> This looks okay to me. If you start Tomcat and then use "openssl
>>>> s_client -connect <hostname>:<port>", does openssl connect? It should
>>>> report the protocol and cipher suite being used to connect.
>>>>
>>>> If your server is externally-accessible, consider using an external TLS
>>>> capabilities scanner such as that from Qualys,
>>>> https://www.ssllabs.com/ssltest/
>>>>
>>>> - -chris
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Comment: GPGTools - http://gpgtools.org
>>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>>
>>>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo
>>>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc
>>>> eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf
>>>> 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr
>>>> W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+
>>>> ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1
>>>> noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY
>>>> O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp
>>>> 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF
>>>> mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c
>>>> nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha
>>>> 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e
>>>> /aq7VBV+GiEaWzZweAi8/k4R3wk=
>>>> =DEHk
>>>> -----END PGP SIGNATURE-----
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>>
>> --
>> George S.
>> *MH Software, Inc.*
>>
>> Voice: 303 438 9585
>> http://www.mhsoftware.com
>>
>
>

Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by Thomas Delaney <td...@gmail.com>.
The site is internal so I won't be able to check via ssllabs

On Thu, Dec 21, 2017 at 5:36 PM, George S. <ge...@mhsoftware.com> wrote:

> On 12/21/2017 3:24 PM, Thomas Delaney wrote:
>
>> Thank you for the input so far!
>>
>> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
>> receive the same result
>>
>> when running the openssl s_client command I received this as the Cipher
>> and
>> SSL version
>> Protocol  : TLSv1.2
>> Cipher    : DHE-RSA-AES256-GCM-SHA384
>>
>> I also get a message saying  "verify error:num=20:unable to get local
>> issuer certificate"
>> "Verify return code: 20 (unable to get local issuer certificate)"
>>
>
> I second Chris Schultz's recommendation that you run the site through the
> SSL Labs testing site and see what it points out. It's going to check a lot
> more things right off the bat and display them in an easier format:
>
> https://www.ssllabs.com/ssltest/
>
>
>
>
>
>> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
>> chris@christopherschultz.net> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Peter,
>>>
>>> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>>
>>>> Hi Thomas,
>>>>
>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>>>>> <td...@gmail.com>:
>>>>>
>>>>> Greetings,
>>>>>
>>>>> I am having trouble regarding google chrome's behavior to Apache
>>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>>> problem.
>>>>>
>>>>> When going to https://mydomain.com:8443 I receive a message from
>>>>> Google Chrome.
>>>>>
>>>>> Google Chrome Error - This site can’t provide a secure
>>>>> connection mydomain.com uses an unsupported protocol.
>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>>
>>>>> Unsupported protocol The client and server don't support a common
>>>>> SSL protocol version or cipher suite.
>>>>>
>>>>> When checking Google Chrome's Browser console in the security tab
>>>>> I receive: Page is not secure Valid certificate secure resources
>>>>>
>>>>> Here is the following background info I have for the
>>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>>> connector
>>>>>
>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>>
>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>>
>>>>> Packages installed:
>>>>>
>>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>>>>
>>>> That may be the culprit.
>>>>
>>>> Apparently this (old) version of Java7 will not provide in the
>>>> default modern ciphers that Chrome requires. And the config is
>>>> using the JSSE SSL implementation. But as you have TC Native and
>>>> openssl 1.0.2 you should switch to openssl.
>>>>
>>> This probably isn't the problem since Thomas is using the APR
>>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>>> not relevant.
>>>
>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>>>> tomcat-native-1.2.16-src
>>>>>
>>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>>> and are placed in the conf directory of Apache Tomcat):
>>>>>
>>>>> <Connector port="8443"
>>>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>>>> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
>>>>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>>>>> certificateKeyFile="conf/server.key"
>>>>> certificateFile="conf/server.crt"
>>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>>> </SSLHostConfig> </Connector>
>>>>>
>>>> This looks okay to me. If you start Tomcat and then use "openssl
>>> s_client -connect <hostname>:<port>", does openssl connect? It should
>>> report the protocol and cipher suite being used to connect.
>>>
>>> If your server is externally-accessible, consider using an external TLS
>>> capabilities scanner such as that from Qualys,
>>> https://www.ssllabs.com/ssltest/
>>>
>>> - -chris
>>> -----BEGIN PGP SIGNATURE-----
>>> Comment: GPGTools - http://gpgtools.org
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>
>>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo
>>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc
>>> eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf
>>> 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr
>>> W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+
>>> ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1
>>> noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY
>>> O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp
>>> 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF
>>> mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c
>>> nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha
>>> 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e
>>> /aq7VBV+GiEaWzZweAi8/k4R3wk=
>>> =DEHk
>>> -----END PGP SIGNATURE-----
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
> --
> George S.
> *MH Software, Inc.*
>
> Voice: 303 438 9585
> http://www.mhsoftware.com
>

Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by "George S." <ge...@mhsoftware.com>.
On 12/21/2017 3:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
>
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
> receive the same result
>
> when running the openssl s_client command I received this as the Cipher and
> SSL version
> Protocol  : TLSv1.2
> Cipher    : DHE-RSA-AES256-GCM-SHA384
>
> I also get a message saying  "verify error:num=20:unable to get local
> issuer certificate"
> "Verify return code: 20 (unable to get local issuer certificate)"

I second Chris Schultz's recommendation that you run the site through 
the SSL Labs testing site and see what it points out. It's going to 
check a lot more things right off the bat and display them in an easier 
format:

https://www.ssllabs.com/ssltest/



>
> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Peter,
>>
>> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>> Hi Thomas,
>>>
>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>>>> <td...@gmail.com>:
>>>>
>>>> Greetings,
>>>>
>>>> I am having trouble regarding google chrome's behavior to Apache
>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>> problem.
>>>>
>>>> When going to https://mydomain.com:8443 I receive a message from
>>>> Google Chrome.
>>>>
>>>> Google Chrome Error - This site can’t provide a secure
>>>> connection mydomain.com uses an unsupported protocol.
>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>
>>>> Unsupported protocol The client and server don't support a common
>>>> SSL protocol version or cipher suite.
>>>>
>>>> When checking Google Chrome's Browser console in the security tab
>>>> I receive: Page is not secure Valid certificate secure resources
>>>>
>>>> Here is the following background info I have for the
>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>> connector
>>>>
>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>
>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>
>>>> Packages installed:
>>>>
>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>> That may be the culprit.
>>>
>>> Apparently this (old) version of Java7 will not provide in the
>>> default modern ciphers that Chrome requires. And the config is
>>> using the JSSE SSL implementation. But as you have TC Native and
>>> openssl 1.0.2 you should switch to openssl.
>> This probably isn't the problem since Thomas is using the APR
>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>> not relevant.
>>
>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>>> tomcat-native-1.2.16-src
>>>>
>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>> and are placed in the conf directory of Apache Tomcat):
>>>>
>>>> <Connector port="8443"
>>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>>> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
>>>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>>>> certificateKeyFile="conf/server.key"
>>>> certificateFile="conf/server.crt"
>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>> </SSLHostConfig> </Connector>
>> This looks okay to me. If you start Tomcat and then use "openssl
>> s_client -connect <hostname>:<port>", does openssl connect? It should
>> report the protocol and cipher suite being used to connect.
>>
>> If your server is externally-accessible, consider using an external TLS
>> capabilities scanner such as that from Qualys,
>> https://www.ssllabs.com/ssltest/
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo
>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc
>> eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf
>> 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr
>> W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+
>> ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1
>> noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY
>> O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp
>> 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF
>> mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c
>> nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha
>> 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e
>> /aq7VBV+GiEaWzZweAi8/k4R3wk=
>> =DEHk
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>

-- 
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com

Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by "George S." <ge...@mhsoftware.com>.

On 12/21/2017 3:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
>
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
> receive the same result
>
> when running the openssl s_client command I received this as the Cipher and
> SSL version
> Protocol  : TLSv1.2
> Cipher    : DHE-RSA-AES256-GCM-SHA384
>
> I also get a message saying  "verify error:num=20:unable to get local
> issuer certificate"
> "Verify return code: 20 (unable to get local issuer certificate)"

This may not be a meaningful error. Are you specifying the CAPath or 
CAFile arguments on the command line? See this page:

https://stackoverflow.com/questions/11548336/openssl-verify-return-code-20-unable-to-get-local-issuer-certificate.

You did double-check the path and permissions on your various 
certificate files right? Also, did you inspect your files using openssl? 
E.G.:

openssl x509 -in conf/CA_server_bundle.crt -text


You might try running Tomcat with:

-Djavax.net.debug=ssl

to enable SSL Debugging. I'm not going to lie though, it can be pretty
difficult to weed through the tons of content generated.


>
> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Peter,
>>
>> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>> Hi Thomas,
>>>
>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>>>> <td...@gmail.com>:
>>>>
>>>> Greetings,
>>>>
>>>> I am having trouble regarding google chrome's behavior to Apache
>>>> Tomcat's SSL setup. I have been successful getting an ssl website
>>>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>>>> on google chrome. Mozilla Firefox brings me to my site with no
>>>> problem.
>>>>
>>>> When going to https://mydomain.com:8443 I receive a message from
>>>> Google Chrome.
>>>>
>>>> Google Chrome Error - This site can’t provide a secure
>>>> connection mydomain.com uses an unsupported protocol.
>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>
>>>> Unsupported protocol The client and server don't support a common
>>>> SSL protocol version or cipher suite.
>>>>
>>>> When checking Google Chrome's Browser console in the security tab
>>>> I receive: Page is not secure Valid certificate secure resources
>>>>
>>>> Here is the following background info I have for the
>>>> configuration I gave Apache Tomcat when setting up the 8443
>>>> connector
>>>>
>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>
>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>
>>>> Packages installed:
>>>>
>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>> That may be the culprit.
>>>
>>> Apparently this (old) version of Java7 will not provide in the
>>> default modern ciphers that Chrome requires. And the config is
>>> using the JSSE SSL implementation. But as you have TC Native and
>>> openssl 1.0.2 you should switch to openssl.
>> This probably isn't the problem since Thomas is using the APR
>> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
>> not relevant.
>>
>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>>>> tomcat-native-1.2.16-src
>>>>
>>>> Server.xml apr connector (Certificates are signed from GoDaddy
>>>> and are placed in the conf directory of Apache Tomcat):
>>>>
>>>> <Connector port="8443"
>>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
>>>> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
>>>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>>>> certificateKeyFile="conf/server.key"
>>>> certificateFile="conf/server.crt"
>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
>>>> </SSLHostConfig> </Connector>
>> This looks okay to me. If you start Tomcat and then use "openssl
>> s_client -connect <hostname>:<port>", does openssl connect? It should
>> report the protocol and cipher suite being used to connect.
>>
>> If your server is externally-accessible, consider using an external TLS
>> capabilities scanner such as that from Qualys,
>> https://www.ssllabs.com/ssltest/
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo8C/0dHGNocmlzQGNo
>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiayA//Ugc6nwLR2yddEvDc
>> eqwBYhDib1AZlx2m2iju1tBngWu8Wr/x+MsHTZq+tTzKqPXrvXeTqd3AiBVZhBFf
>> 8mwGZdf7dmcXZeCYgAVk+p7QxWpPt0hM27KJPeSXNCclrkG3REAPf5XkQBJx6Spr
>> W7/JbejXooYl27D6+iHg+SsaMNnMuq1nPm0kCP1UyEN40bHzWqHfZbtgfi+wrKB+
>> ldJ/fRzMdUO+FMWosuCteHL5CoDotTUSuztWtjGA/raXgX2UJg1LvKxmhYU8mcA1
>> noMdpbQX6wYP/XtcKvIplHUJj8UUgZbe5bndDLw7HV2Im3wdN/659GpdAbEBN9EY
>> O1gQRLVIyvO0XuY7RpDP7RNjbw8Sp7H1Y2Ptou3yJ3dezRQz9vi9M8i78OeEEfMp
>> 5ZfxaN+bZoT0WteHpbR243DcFzO+HbShPEiSL0zKlltR2qzWBMXd+9XjjkIU8JeF
>> mfqxdN6HBS5YXOT0IJcd6+uw3FTh2vPEf64K5r4hpIsWxvpmbkYqNIf4GQGuqS7c
>> nm6gsOP6Wd/PiL67mVClJ6cN9LEPEqxs2QivK2/zzBcmYunXQK0GAbi25C5tG9Ha
>> 4zB5VuRo0IjPmEKnRuqfZ2KcOVCQaJFbWgV0dJ9UWb7vO5662hYvSssX7jS6or5e
>> /aq7VBV+GiEaWzZweAi8/k4R3wk=
>> =DEHk
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>

-- 
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
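The openssl s_client run that Chris asked for and that George's reply above is reacting to produces a few lines worth reading systematically. The following parser is an added example, not code from this thread, from Tomcat or from OpenSSL: it extracts the negotiated protocol and cipher, classifies the key-exchange family, lists the certificate chain the server actually sent, and turns "Verify return code: 20" into the note George and Chris give (it usually means OpenSSL was not handed the CA bundle via -CAfile/-CApath, not that the server chain is broken). It assumes the OpenSSL 1.0.2 text layout of the SSL-Session block; the sample output is constructed from the values quoted in the thread, with a made-up issuer name, depth line and byte counts.

```python
"""Parse `openssl s_client -connect host:port` output and turn it into diagnostics.

Added example, not code from the mailing list, Tomcat or OpenSSL.
Assumes the OpenSSL 1.0.2 text layout (an "SSL-Session:" block with
"Protocol  :" and "Cipher    :" lines and a "Verify return code:" line).
"""
import re

# Constructed sample: protocol, cipher and verify code are the values quoted in
# the thread; the issuer name, depth line and byte counts are made up.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=mydomain.com
   i:/O=Example CA/CN=Example Intermediate CA
---
SSL handshake has read 3245 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample of a handshake that never reaches an SSL-Session block.
SAMPLE_FAILURE = """\
CONNECTED(00000003)
140735553630272:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
"""

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
SESSION_FIELD = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)")
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_s_client(text):
    """Pull protocol, cipher, verify code and the served chain out of s_client output."""
    result = {"protocol": None, "cipher": None, "verify_code": None,
              "verify_message": None, "chain": []}
    current = None
    for line in text.splitlines():
        m = CHAIN_SUBJECT.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None}
            result["chain"].append(current)
            continue
        m = CHAIN_ISSUER.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
            continue
        m = SESSION_FIELD.match(line)
        if m:
            result[m.group(1).lower()] = m.group(2)
            continue
        m = VERIFY_CODE.search(line)
        if m:
            result["verify_code"] = int(m.group(1))
            result["verify_message"] = m.group(2)
    return result


def key_exchange(cipher):
    """Key-exchange family from an OpenSSL cipher-suite name."""
    if cipher.startswith("TLS_"):
        return "TLS1.3"  # TLS 1.3 suites always use ephemeral (EC)DHE
    if cipher.startswith("ECDHE-"):
        return "ECDHE"
    if cipher.startswith(("DHE-", "EDH-")):
        return "DHE"
    if cipher.startswith(("AES", "CAMELLIA", "DES", "RC4", "SEED", "IDEA")):
        return "RSA"  # static RSA key exchange: no forward secrecy
    return "other"


def assess(text):
    """Turn one s_client run into the notes a defender would act on."""
    session = parse_s_client(text)
    if session["protocol"] is None:
        return ["no SSL-Session block: the handshake did not complete (the error lines above it say why)"]
    proto, cipher = session["protocol"], session["cipher"]
    notes = [f"negotiated {cipher} ({key_exchange(cipher)} key exchange) over {proto}"]
    if proto in PROTOCOL_ORDER and PROTOCOL_ORDER.index(proto) < PROTOCOL_ORDER.index("TLSv1.2"):
        notes.append(f"{proto} is below TLSv1.2: the server preferred or only offered a legacy version")
    if len(session["chain"]) == 1:
        notes.append("server sent only the leaf certificate: the intermediates in certificateChainFile are not being served")
    code = session["verify_code"]
    if code == 20:
        notes.append("verify code 20: OpenSSL has no trust anchor for the issuer; rerun with -CAfile <ca bundle> before treating this as a chain problem")
    elif code not in (None, 0):
        notes.append(f"verify code {code}: {session['verify_message']}")
    return notes


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, SAMPLE_FAILURE):
        print("\n".join(assess(sample)), end="\n\n")
```

Feed it saved output (`openssl s_client -connect host:8443 < /dev/null > run.txt`) rather than a live socket so the same run can be compared before and after a configuration change; the single-leaf-chain note is the one to watch here, since a browser with no cached intermediate will fail on a server that serves only server.crt.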

Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Thomas,

On 12/21/17 5:24 PM, Thomas Delaney wrote:
> Thank you for the input so far!
> 
> I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and
> still receive the same result
> 
> when running the openssl s_client command I received this as the
> Cipher and SSL version Protocol  : TLSv1.2 Cipher    :
> DHE-RSA-AES256-GCM-SHA384

Good, OpenSSL can connect which means that TLS is at least set up
properly and running.

> I also get a message saying  "verify error:num=20:unable to get
> local issuer certificate" "Verify return code: 20 (unable to get
> local issuer certificate)"

That's not a problem, especially if you are using a self-signed
certificate or a CA that OpenSSL doesn't recognize.

If you can't use SSLLabs's test, you might be able to use this one:
https://wiki.apache.org/tomcat/tools/SSLTest.java
(and)
https://wiki.apache.org/tomcat/tools/SSLUtils.java

- -chris

> On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Peter,
> 
> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
>>>> 
>>>> Hi Thomas,
>>>> 
>>>>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney 
>>>>> <td...@gmail.com>:
>>>>> 
>>>>> Greetings,
>>>>> 
>>>>> I am having trouble regarding google chrome's behavior to
>>>>> Apache Tomcat's SSL setup. I have been successful getting
>>>>> an ssl website to work with Apache HTTP web server, but not
>>>>> Apache Tomcat 8.5.24 on google chrome. Mozilla Firefox
>>>>> brings me to my site with no problem.
>>>>> 
>>>>> When going to https://mydomain.com:8443 I receive a message
>>>>> from Google Chrome.
>>>>> 
>>>>> Google Chrome Error - This site can’t provide a secure 
>>>>> connection mydomain.com uses an unsupported protocol. 
>>>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>>>>> 
>>>>> Unsupported protocol The client and server don't support a
>>>>> common SSL protocol version or cipher suite.
>>>>> 
>>>>> When checking Google Chrome's Browser console in the
>>>>> security tab I receive: Page is not secure Valid
>>>>> certificate secure resources
>>>>> 
>>>>> Here is the following background info I have for the 
>>>>> configuration I gave Apache Tomcat when setting up the
>>>>> 8443 connector
>>>>> 
>>>>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>>>>> 
>>>>> Linux OS: SUSE Enterprise 12 sp1
>>>>> 
>>>>> Packages installed:
>>>>> 
>>>>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
>>>> 
>>>> That may be the culprit.
>>>> 
>>>> Apparently this (old) version of Java 7 will not provide by
>>>> default the modern ciphers that Chrome requires. And the
>>>> config is using the JSSE SSL implementation. But as you have
>>>> TC Native and openssl 1.0.2 you should switch to openssl.
> 
> This probably isn't the problem since Thomas is using the APR 
> connector. TLS cipher suite support (or lack thereof) from Java 1.7
> is not relevant.
> 
>>>>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 - 
>>>>> tomcat-native-1.2.16-src
>>>>> 
>>>>> Server.xml apr connector (Certificates are signed from
>>>>> GoDaddy and are placed in the conf directory of Apache
>>>>> Tomcat):
>>>>> 
>>>>> <Connector port="8443" 
>>>>> protocol="org.apache.coyote.http11.Http11AprProtocol" 
>>>>> maxThreads="150" SSLEnabled="true"
>>>>> defaultSSLHostConfigName=" mydomain.com" > <SSLHostConfig
>>>>> hostName="mydomain.com" protocols="TLSv1,TLSv1.1,TLSv1.2">
>>>>> <Certificate certificateKeyFile="conf/server.key" 
>>>>> certificateFile="conf/server.crt" 
>>>>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA"
>>>>> /> </SSLHostConfig> </Connector>
> 
> This looks okay to me. If you start Tomcat and then use "openssl 
> s_client -connect <hostname>:<port>", does openssl connect? It
> should report the protocol and cipher suite being used to connect.
> 
> If your server is externally-accessible, consider using an external
> TLS capabilities scanner such as that from Qualys, 
> https://www.ssllabs.com/ssltest/
> 
> -chris
>> 
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlo9SQIdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFinRxAAgr+i0PtFCGPAqWJ7
Y0VvfFSGPsQCiUz3qkp9mCiXCl87TLy5PrbpPT9avDyTjjtA1gbl16goc4jtB5zt
zcjZuasQkwz9cDMkmlJ4T0USd/TfepJXbssaqi7tLUxFM0dBChoP7uzprO7HF3hE
yqGD7nm1YEDcSgVqXrx8FkHA5D9hY1yP47djPkJL9/yxWunc1BqeoJ2JMoXLX7Sx
78LYywT1oYm1fj+UP6wacKDU/6gZINBQsLRmCVkpE4iYlyUnswdo4FChSQb9HTMp
pK0nyCVXG4RWPO90qCdSbuTZmIy0WvHxZL9O6CSkBdIycz09nYDVxTQQuyJusrYh
35BGCxzAgRfoj9bu04O6ezXoIpmWXLB48cFu5BrhX2I6/WXy/a9SSCzgaztj9rGS
X/9TFrI7DvOkMw0VCI162159QpuzcpRG0H13VGq36ldqdfrQ0DUYSqSwuS36I+2P
aIJ2vY6T0P7G5KBg4uqKyTDTwNq5zANRpJqMfQkQHD3fh0tHT35dBWj46aFBtXrq
YUT2O99eA459XMGKl6j85d4LU3aSU35EK7xSqUQmWGHpgjDXMcktcF9opV3Tdb1h
n13Yjr6Oyj0M4XUYNSAI73FXgd7VP5x51ttTI4hgXdPbGz/4e4QYpDmNmfLRhtvP
wsWEKfnZA/BDDX3ES3x0cioAzV8=
=zAMc
-----END PGP SIGNATURE-----


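A diagnostic script to go with the s_client advice above. This is an added example, not code from the thread, from Tomcat or from OpenSSL. It repeats the probe once per protocol version enabled in the SSLHostConfig and once per key-exchange family, because openssl s_client's default ClientHello offers far more cipher suites than a browser does: the single DHE-RSA-AES256-GCM-SHA384 handshake reported above proves the listener works, not that any suite the browser offers is accepted. It also takes an optional CA bundle for -CAfile, so the verify return code reflects the chain the server actually sends rather than the client's default trust store (code 20 above is s_client not finding the issuer locally). Host, port and bundle path are placeholders taken from the thread; the flags used (-connect, -servername, -tls1, -tls1_1, -tls1_2, -cipher, -CAfile) all exist in OpenSSL 1.0.2. Run without TLS_SURVEY_HOST set, it only parses a constructed transcript and touches no network.

```shell
#!/bin/sh
# Added example, not from the thread: survey what a TLS listener will
# actually negotiate, one "openssl s_client" run per protocol version and
# per key-exchange family, each reduced to protocol|cipher|verify_code.
# Assumes OpenSSL 1.0.2-era s_client flags. mydomain.com, 8443 and the
# bundle path are placeholders from the thread, not real endpoints.

# Reduce an s_client transcript on stdin to "protocol|cipher|verify_code".
# s_client prints "Cipher : 0000" (or "(NONE)") when no suite was agreed.
parse_s_client() {
    awk '
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); sub(/ +$/, ""); proto = $0 }
        /^ *Cipher *:/   { sub(/^ *Cipher *: */, "");   sub(/ +$/, ""); cipher = $0 }
        /^ *Verify return code:/ { sub(/^ *Verify return code: */, ""); verify = $1 }
        END {
            if (proto == "") proto = "none"
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") cipher = "none"
            if (verify == "") verify = "n/a"
            printf "%s|%s|%s\n", proto, cipher, verify
        }'
}

# One probe: $1 host, $2 port, $3 row label, remaining args go to s_client.
# "Q" on stdin closes the session as soon as the handshake completes.
probe() {
    host=$1; port=$2; label=$3; shift 3
    result=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                 -servername "$host" "$@" 2>/dev/null | parse_s_client)
    printf '%-8s %s\n' "$label" "$result"
}

# Full survey: $1 host, $2 port, $3 optional CA bundle passed as -CAfile so
# the verify code reflects the chain the server sends, not the client's
# default trust store.
tls_survey() {
    host=$1; port=$2; ca=${3:-}
    if [ -n "$ca" ]; then set -- -CAfile "$ca"; else set --; fi
    echo "probe    protocol|cipher|verify"
    # the three versions enabled in the thread's SSLHostConfig
    for v in tls1 tls1_1 tls1_2; do
        probe "$host" "$port" "$v" "-$v" "$@"
    done
    # A browser's ClientHello offers far fewer suites than s_client's
    # default list, so check each key-exchange family on its own.
    probe "$host" "$port" "ECDHE" -tls1_2 -cipher ECDHE "$@"
    probe "$host" "$port" "DHE"   -tls1_2 -cipher DHE   "$@"
    probe "$host" "$port" "kRSA"  -tls1_2 -cipher kRSA  "$@"
}

# Constructed transcript matching what the thread reports; used when no
# host is configured so the script runs without touching the network.
SAMPLE='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)'

if [ -n "${TLS_SURVEY_HOST:-}" ]; then
    # e.g. TLS_SURVEY_HOST=mydomain.com TLS_SURVEY_PORT=8443 \
    #      TLS_SURVEY_CA=conf/CA_server_bundle.crt sh tls_survey.sh
    tls_survey "$TLS_SURVEY_HOST" "${TLS_SURVEY_PORT:-8443}" "${TLS_SURVEY_CA:-}"
else
    printf '%s\n' "$SAMPLE" | parse_s_client   # TLSv1.2|DHE-RSA-AES256-GCM-SHA384|20
fi
```

Reading the table: -tls1, -tls1_1 and -tls1_2 each pin s_client to exactly that version, so a row whose cipher column reads "none" means that version (or that key-exchange family, for the last three rows) was refused even though the default run succeeded. A listener that only answers the DHE row is one a browser that does not offer DHE suites cannot reach, which is the kind of gap the openssl default run hides.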

Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by Thomas Delaney <td...@gmail.com>.
Thank you for the input so far!

I have used both java versions jdk 1.7.0_79 and jdk1.8.0_152 and still
receive the same result

when running the openssl s_client command I received this as the Cipher and
SSL version
Protocol  : TLSv1.2
Cipher    : DHE-RSA-AES256-GCM-SHA384

I also get a message saying  "verify error:num=20:unable to get local
issuer certificate"
"Verify return code: 20 (unable to get local issuer certificate)"

On Thu, Dec 21, 2017 at 2:31 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Peter,
>
> On 12/21/17 2:38 AM, logo@kreuser.name wrote:
> >
> > Hi Thomas,
> >
> >> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
> >> <td...@gmail.com>:
> >>
> >> Greetings,
> >>
> >> I am having trouble regarding google chrome's behavior to Apache
> >> Tomcat's SSL setup. I have been successful getting an ssl website
> >> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
> >> on google chrome. Mozilla Firefox brings me to my site with no
> >> problem.
> >>
> >> When going to https://mydomain.com:8443 I receive a message from
> >> Google Chrome.
> >>
> >> Google Chrome Error - This site can’t provide a secure
> >> connection mydomain.com uses an unsupported protocol.
> >> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >>
> >> Unsupported protocol The client and server don't support a common
> >> SSL protocol version or cipher suite.
> >>
> >> When checking Google Chrome's Browser console in the security tab
> >> I receive: Page is not secure Valid certificate secure resources
> >>
> >> Here is the following background info I have for the
> >> configuration I gave Apache Tomcat when setting up the 8443
> >> connector
> >>
> >> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> >>
> >> Linux OS: SUSE Enterprise 12 sp1
> >>
> >> Packages installed:
> >>
> >> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> >
> > That may be the culprit.
> >
> > Apparently this (old) version of Java 7 will not provide by
> > default the modern ciphers that Chrome requires. And the config is
> > using the JSSE SSL implementation. But as you have TC Native and
> > openssl 1.0.2 you should switch to openssl.
>
> This probably isn't the problem since Thomas is using the APR
> connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
> not relevant.
>
> >> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
> >> tomcat-native-1.2.16-src
> >>
> >> Server.xml apr connector (Certificates are signed from GoDaddy
> >> and are placed in the conf directory of Apache Tomcat):
> >>
> >> <Connector port="8443"
> >> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
> >> mydomain.com" > <SSLHostConfig hostName="mydomain.com"
> >> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
> >> certificateKeyFile="conf/server.key"
> >> certificateFile="conf/server.crt"
> >> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" />
> >> </SSLHostConfig> </Connector>
>
> This looks okay to me. If you start Tomcat and then use "openssl
> s_client -connect <hostname>:<port>", does openssl connect? It should
> report the protocol and cipher suite being used to connect.
>
> If your server is externally-accessible, consider using an external TLS
> capabilities scanner such as that from Qualys,
> https://www.ssllabs.com/ssltest/
>
> - -chris

Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Peter,

On 12/21/17 2:38 AM, logo@kreuser.name wrote:
> 
> Hi Thomas,
> 
>> Am 21.12.2017 um 00:56 schrieb Thomas Delaney
>> <td...@gmail.com>:
>> 
>> Greetings,
>> 
>> I am having trouble regarding google chrome's behavior to Apache
>> Tomcat's SSL setup. I have been successful getting an ssl website
>> to work with Apache HTTP web server, but not Apache Tomcat 8.5.24
>> on google chrome. Mozilla Firefox brings me to my site with no
>> problem.
>> 
>> When going to https://mydomain.com:8443 I receive a message from
>> Google Chrome.
>> 
>> Google Chrome Error - This site can’t provide a secure
>> connection mydomain.com uses an unsupported protocol. 
>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
>> 
>> Unsupported protocol The client and server don't support a common
>> SSL protocol version or cipher suite.
>> 
>> When checking Google Chrome's Browser console in the security tab
>> I receive: Page is not secure Valid certificate secure resources
>> 
>> Here is the following background info I have for the
>> configuration I gave Apache Tomcat when setting up the 8443
>> connector
>> 
>> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
>> 
>> Linux OS: SUSE Enterprise 12 sp1
>> 
>> Packages installed:
>> 
>> - OpenSSL 1.0.2n  7 Dec 2017 - jdk version 1.7.0_79
> 
> That may be the culprit.
> 
> Apparently this (old) version of Java 7 will not provide by
> default the modern ciphers that Chrome requires. And the config is
> using the JSSE SSL implementation. But as you have TC Native and
> openssl 1.0.2 you should switch to openssl.

This probably isn't the problem since Thomas is using the APR
connector. TLS cipher suite support (or lack thereof) from Java 1.7 is
not relevant.

>> - tomcat version -> apache-tomcat-8.5.24 - apr-1.6.3 -
>> tomcat-native-1.2.16-src
>> 
>> Server.xml apr connector (Certificates are signed from GoDaddy
>> and are placed in the conf directory of Apache Tomcat):
>> 
>> <Connector port="8443"
>> protocol="org.apache.coyote.http11.Http11AprProtocol" 
>> maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName=" 
>> mydomain.com" > <SSLHostConfig hostName="mydomain.com" 
>> protocols="TLSv1,TLSv1.1,TLSv1.2"> <Certificate
>> certificateKeyFile="conf/server.key" 
>> certificateFile="conf/server.crt" 
>> certificateChainFile="conf/CA_server_bundle.crt" type="RSA" /> 
>> </SSLHostConfig> </Connector>

This looks okay to me. If you start Tomcat and then use "openssl
s_client -connect <hostname>:<port>", does openssl connect? It should
report the protocol and cipher suite being used to connect.

If your server is externally-accessible, consider using an external TLS
capabilities scanner such as that from Qualys,
https://www.ssllabs.com/ssltest/

- -chris


Re: Apache Tomcat 8.5.24 SSL Configuration

Posted by lo...@kreuser.name.
Hi Thomas,

> Am 21.12.2017 um 00:56 schrieb Thomas Delaney <td...@gmail.com>:
> 
> Greetings,
> 
> I am having trouble regarding google chrome's behavior to Apache Tomcat's
> SSL setup. I have been successful getting an ssl website to work with
> Apache HTTP web server, but not Apache Tomcat 8.5.24 on google chrome.
> Mozilla Firefox brings me to my site with no problem.
> 
> When going to https://mydomain.com:8443 I receive a message from Google
> Chrome.
> 
> Google Chrome Error -
> This site can’t provide a secure connection
> mydomain.com uses an unsupported protocol.
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> 
> Unsupported protocol
> The client and server don't support a common SSL protocol version or cipher
> suite.
> 
> When checking Google Chrome's Browser console in the security tab I
> receive:
> Page is not secure
> Valid certificate
> secure resources
> 
> Here is the following background info I have for the configuration I gave
> Apache Tomcat when setting up the 8443 connector
> 
> Chrome Version 63.0.3239.108 (Official Build) (64-bit)
> 
> Linux OS: SUSE Enterprise 12 sp1
> 
> Packages installed:
> 
> - OpenSSL 1.0.2n  7 Dec 2017
> - jdk version 1.7.0_79

That may be the culprit.

Apparently this (old) version of Java 7 will not provide by default the modern ciphers that Chrome requires. And the config is using the JSSE SSL implementation.
But as you have TC Native and openssl 1.0.2 you should switch to openssl. 


> - tomcat version -> apache-tomcat-8.5.24
> - apr-1.6.3
> - tomcat-native-1.2.16-src
> 
> Server.xml apr connector (Certificates are signed from GoDaddy and are
> placed in the conf directory of Apache Tomcat):
> 
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>               maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="
> mydomain.com" >
>        <SSLHostConfig hostName="mydomain.com"
> protocols="TLSv1,TLSv1.1,TLSv1.2">
>            <Certificate certificateKeyFile="conf/server.key"
>                         certificateFile="conf/server.crt"
>                         certificateChainFile="conf/CA_server_bundle.crt"
>                         type="RSA" />
>        </SSLHostConfig>
>    </Connector>
> 
> 
My config for openssl is like this:


  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
             server="Apache Tomcat" 
             allowTrace="false"
             maxThreads="150" SSLEnabled="true"
             defaultSSLHostConfigName="mydomain.com" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
                   hostName="mydomain.com"
                   protocols="TLSv1.1+TLSv1.2"
                   certificateVerification="none"
                   disableCompression="true"
                   disableSessionTickets="true"
                   ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
      <Certificate certificateKeyFile="${catalina.base}/conf/ssl/server.key"
                   certificateFile="${catalina.base}/conf/ssl/server.crt"
                   certificateChainFile="${catalina.base}/conf/ssl/intermediate.pem"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

It contains openssl 1.1 ciphers but that will not matter for your config.

You may search this mailing list's archive for some good posts on available ciphers.

Hope this helps.

Peter

> hostname displays properly when typing command: hostname -f and/or typing:
> cat /etc/HOSTNAME on the linux server