-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Nick,
(The formatting was awful on the message and made it difficult to read. I've adjusted it to make it readable and reply-able). On 2/6/15 2:44 PM, nicksemai...@juno.com wrote: > I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57. That's an x509 certificate for SSL/TLS, using a SHA2-based signature algorithm, right? > Port 8443 is listening, selinux is disabled, and have tried it > with 8443 enabled in firewall and with firewall off. > > After receiving the .crt file from GoDaddy: ran the 4 keytool > -import commands: > > For the alias=root, I used gdroot-g2.crt(from repository) For the > alias=intermed, I used gd_ig2.crt(from GoDaddy) For the > alias=cross, I used gdroot-g2_cross.crt(from repository) For the > alias= tomcat, I used the <the alphanumeric>.crt(from GoDaddy) > > I see all the entries when I did the keytool -list Good. Everything above looks good, except that you need to make sure that the certificates you imported were all the correct ones... thee days, CAs tend to have a variety of intermediate certificates for various purposes: one for code-signing, one for European certificates and another for American ones, an old one with SHA1-based signature, new ones with SHA2-based signatures, etc. Verifying the accuracy of the certificate chain should be a priority. > I made this change in server.xml: > > <Connector port="8443" maxThreads="200" SSLEnabled="true" > scheme="https" secure="true" clientAuth="false" > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="path to > .keystore file" keystorePass="keystore password" /> > > I then shutdown tomcat; startup tomcat. > > When I go to the URL in the browser with the port 8443, I get > this:Firefox: Cannot communicate securely with peer: no common > encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) > > Chrome: A secure connection cannot be established because this > site uses an unsupported protocol.Error code: > ERR_SSL_VERSION_OR_CIPHER_MISMATCH What version of Chrome are you using? Do you have access to an OpenSSL library? Can you run "openssl -debug - -showcerts s_client -connect https://host:8443/" and post the (possibly sanitized) results? You could also grab and compile the source of this tool from the tomcat-dev archives and run it against your server: http://markmail.org/thread/tz4z44nfjl7sy2lj This will tell you what is and is not supported. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJU2MSbAAoJEBzwKT+lPKRYOa4P+gNuh8c8eHozKFAHvdJd9UYc 4C1UYHGCJ6R6JYDysTG/iKWSZH94GbzNldtP/DuiNelDFy/vPDEagXrrFdMNyGWp PksnjVqneKxSs9Sm1ccYD03A3WTGryz5r1MKRezfMlYJWRxAPcsaNotSHzI8pkpT HG2nqVGGGbgZI88fJOZD58eJLB6fRTVC/Z2CfXmJSUns/A35AdfBZjc+FrrAGVqi 7ssMfLK4gdpUsnZWqjTpoICRhJiAzayptJOpIVK3rkmCQzccw4DUU87QZqVK57md /TsNHsnQsnLzKwM1lxrs0H3AVHYxPZyS5mTW7PcM8zWI4Iudlao6U+5mUZQCeEoK 6/+AvXiE+SEqDj3sS6p2IeYl19IcITCp57UD8IR3P8vFKmaF6cjDguJEnJi9BAh+ LkLZeMsuqRQpUusuXlQaCOxZjFUvQk2WtAA06e+vrtNP6+GtSyD8JyVspD5QlarS XMqeE5aPoaKbQKTpqBKDyasC2ae8KP0RkxfLYq+NSWxHw727Rl65nr/PVLmjQ00E n/+fzq9U8vj+8k/IRPpErwg0Ns9wkztkNlH9hJUSXALdfXPVKo6joqI7eRfqXa+K uJ57fgRi3fMk7Z0h4z/hvxENkebn9ySeS5bH9sfceVc6FBS1mcTuHxq4G8XYd/WO 2CA9DwlS0hMtRDLuPvAl =sJsq -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org