Tomcat SSL - unsupported protocol or cipher suit error

2019-01-06 Thread Sameer Umbrajkar 
Dear All,

I am trying to  configure SSL (HTTPS) for Apache Tomcat 8.5.13. I am facing
below error after importing the certificates.

==

This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try
connecting to *https://localhost:8443  *again. If
this error persists, it is possible that this site uses an unsupported
protocol or cipher suite such as RC4 (link for the details)
, which is not considered
secure. Please contact your site administrator

===


To generate Key store
keytool.exe -genkey -alias tomcat -keysize 2048 -keyalg RSA

To generate Certificate request i.e. CSR
keytool -certreq -keyalg RSA -alias tomcat -file boqa.csr -keystore
E:\SSL\.keystore

To import chain (intermediate CA)
keytool -import -trustcacerts -alias intermediate -keystore
E:\SSL\.keystore -file E:\SSL\MOFChain.cer

To import the signed server certificate
keytool -import -alias tomcat -keystore E:\SSL\.keystore -file
E:\SSL\mbq.cer

We did not face error while importing the signed certificates however
facing TLS protocol/cipher suit related issue now.
Please help with your insights to resolve the issue

Regards,

Sameer

Re: Tomcat SSL - unsupported protocol or cipher suit error

2019-01-06 Thread Sameer Umbrajkar 
Dear John & Raj,

*My JVM version is 8.1.015 and Tomcat version is 8.5.13*
Please see the version details below -
==
E:\BOE\tomcat\bin>version
Using CATALINA_BASE:   "E:\BOE\tomcat"
Using CATALINA_HOME:   "E:\BOE\tomcat"
Using CATALINA_TMPDIR: "E:\BOE\tomcat\temp"
Using JRE_HOME:"E:\BOE\SAP BusinessObjects Enterprise XI
4.0\win64_x64\sapjvm\"
Using CLASSPATH:
 "E:\BOE\tomcat\bin\bootstrap.jar;E:\BOE\tomcat\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.5.13
Server built:   Mar 27 2017 14:25:04 UTC
Server number:  8.5.13.0
OS Name:Windows NT (unknown)
OS Version: 10.0
Architecture:   amd64
JVM Version:8.1.015
JVM Vendor: SAP AG
E:\BOE\tomcat\bin>
===

As suggested I added below parameters in Java Option of Tomcat
configuration still facing the same error related to TLS protocol and
ciphers
===
-Dhttps.protocols=TLSv1.2
-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
===
As requested, please find the HTTPS connector details below from server.xml
===



Regards,

Sameer


On Sun, Jan 6, 2019 at 7:57 PM Rajendra  wrote:

> Yes, TLS 1.2 protocol not enabled by default prior to jdk1.7.0_131
> version. It has to enabled explicitly in order to support TLS1.2 if you are
> using earlier versions of jdk1.7.
>
> Thanks !
>
> Rajendra
>
> From: John Larsen
> Sent: 06 January 2019 11:17
> To: Tomcat Users List
> Subject: Re: Tomcat SSL - unsupported protocol or cipher suit error
>
> I have run into this and solved it.
>
> Basically its due to JDK versions 7 and older.
> Two options to fix.
> 1. upgrade to jdk8
> 2. Add the following to your JAVA_OPTS or CATALINA_OPTS:
> -Dhttps.protocols=TLSv1.2
> -Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>
> John
>
> On Sun, Jan 6, 2019 at 6:39 AM Rajendra 
> wrote:
>
> > Sameer, can you please share Connector element for ssl port in server.xml
> > file?
> >
> > Also, what is Jdk version you are using?
> >
> > Thanks !
> >
> > Rajendra
> >
> > From: Sameer Umbrajkar
> > Sent: 06 January 2019 08:13
> > To: users@tomcat.apache.org
> > Subject: Tomcat SSL - unsupported protocol or cipher suit error
> >
> > Dear All,
> >
> > I am trying to  configure SSL (HTTPS) for Apache Tomcat 8.5.13. I am
> facing
> > below error after importing the certificates.
> >
> > ==
> >
> > This page can’t be displayed
> >
> > Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try
> > connecting to *https://localhost:8443 <https://localhost:8443/> *again.
> If
> > this error persists, it is possible that this site uses an unsupported
> > protocol or cipher suite such as RC4 (link for the details)
> > <http://go.microsoft.com/fwlink/?LinkId=735074>, which is not considered
> > secure. Please contact your site administrator
> >
> > ===
> >
> >
> > To generate Key store
> > keytool.exe -genkey -alias tomcat -keysize 2048 -keyalg RSA
> >
> > To generate Certificate request i.e. CSR
> > keytool -certreq -keyalg RSA -alias tomcat -file boqa.csr -keystore
> > E:\SSL\.keystore
> >
> > To import chain (intermediate CA)
> > keytool -import -trustcacerts -alias intermediate -keystore
> > E:\SSL\.keystore -file E:\SSL\MOFChain.cer
> >
> > To import the signed server certificate
> > keytool -import -alias tomcat -keystore E:\SSL\.keystore -file
> > E:\SSL\mbq.cer
> >
> > We did not face error while importing the signed certificates however
> > facing TLS protocol/cipher suit related issue now.
> > Please help with your insights to resolve the issue
> >
> > Regards,
> >
> > Sameer
> >
> >
>
>

-- 
sameer007

Re: Tomcat SSL - unsupported protocol or cipher suit error

2019-01-07 Thread Sameer Umbrajkar 
Dear Chris,

Could you help me out with the connector sample with sslhostconfig. I have
mentioned the connector details in my previous email.

On Mon 7 Jan, 2019, 12:22 AM Christopher Schultz <
ch...@christopherschultz.net wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Sameer,
>
> On 1/6/19 13:40, Sameer Umbrajkar wrote:
> > Dear John & Raj,
> >
> > *My JVM version is 8.1.015 and Tomcat version is 8.5.13* Please see
> > the version details below -
> > ==
> 
> >
> >
> E:\BOE\tomcat\bin>version
> > Using CATALINA_BASE:   "E:\BOE\tomcat" Using CATALINA_HOME:
> > "E:\BOE\tomcat" Using CATALINA_TMPDIR: "E:\BOE\tomcat\temp" Using
> > JRE_HOME:"E:\BOE\SAP BusinessObjects Enterprise XI
> > 4.0\win64_x64\sapjvm\" Using CLASSPATH:
> > "E:\BOE\tomcat\bin\bootstrap.jar;E:\BOE\tomcat\bin\tomcat-juli.jar"
> >
> >
> Server version: Apache Tomcat/8.5.13
> > Server built:   Mar 27 2017 14:25:04 UTC Server number:  8.5.13.0
> > OS Name:Windows NT (unknown) OS Version: 10.0
> > Architecture:   amd64 JVM Version:8.1.015 JVM Vendor: SAP
> > AG E:\BOE\tomcat\bin>
> > ==
> =
> >
> >  As suggested I added below parameters in Java Option of Tomcat
> > configuration still facing the same error related to TLS protocol
> > and ciphers
> > ==
> =
> >
> >
> - -Dhttps.protocols=TLSv1.2
> > -Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> > ==
> =
> >
> >
> As requested, please find the HTTPS connector details below from server.
> xml
> > ==
> =
> >
> >
>  > port="8443" maxThreads="200" scheme="https" secure="true"
> > SSLEnabled="true" keystoreFile="E:\SSL\.keystore"
> > keystorePass="Am1@k123" clientAuth="false" sslProtocol="TLS"/>
>
> It would be better to use the more modern configuration which includes
>  elements within your  elements.
>
> http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlwycYkACgkQHPApP6U8
> pFi+tw//ajl4qF4/leS0vP7GTZmxom3WtVbbxYQHRIL1+GDD922etcS60kgsD4cE
> dcQlmzPuChA0HOOn7MXgL8NH2edxRc6rssoQx2TuQcNotD2QfAQhRaLuV5usKG6h
> 1sv4tz2BuBVbAtEWSjwI3qtqv6feaJCtR1AU2kIlQilnbcKS2yEy/7jtW58UcmvZ
> SxjQ6Bxedm0LGcu7rwRVVKkYzKkJhhz+W1Bv8fFEp5KeY+sLPupsntlsVrC2cXL5
> c44XMBKHnRudiIk0p+d2gQPwYGTH4UtRMIX8W74Vfen60YweI9TpfuNSf9wC5TEP
> kLUk2+++hPTMxDW8BliZIMxJW7V+m9BpaGffGygGPbmMaVAWFg0v7yefmPVaiGz0
> QLLRstMpySoHDg51mptQpj49YHTZtuYtKlwQbSVIBxy+BAGUzAFnGRIAG9MYRyLG
> 4HpwDzYplyCRev/C+btjogMUWv+czxbqig5tcNtmMtX/Ycsiu24rq5EQbgqxzFTC
> IiSXqEz8zguJJZfgv676CJzzuWskSFZHLWeShiDN5H1EMj/NOzkwGESvFkuwrhVd
> RRQNNpS9+Z9754dd9iy8QwCR0avtE3Gxcfa6ID2JeuRpLSKpOg9JMcp/WkSjNMyc
> futM588UHDPm8Mv2+9pPirPSc9EOFeAXJ3cb7oxc/ef65SGnFxE=
> =Y8ni
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>