On Mon, Feb 9, 2015 at 10:13 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Sean,
>
> On 2/9/15 9:46 AM, Sean Dawson wrote:
> > We've had customers who have had issues with Java and GoDaddy
> > certs.
> >
> > http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java
> >
> > http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/
>
> Did you read the OP? He's already installed the GoDaddy cross-signed
> certificate.
>
> It's also not a Java client problem, since the client in this case is
> Google Chrome.
>

Oh ok sorry - I read it last week and forgot that it wasn't the same issue.
Just wanted to help out anyone else that might have run into the
GoDaddy/Java issue.


> - -chris
>
> > On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Nick,
> >
> > (The formatting was awful on the message and made it difficult to
> > read. I've adjusted it to make it readable and reply-able).
> >
> > On 2/6/15 2:44 PM, nicksemai...@juno.com wrote:
> >>>> I have a SHA2 certificate for a RHEL 6 server using tomcat
> >>>> 7.0.57.
> >
> > That's an x509 certificate for SSL/TLS, using a SHA2-based
> > signature algorithm, right?
> >
> >>>> Port 8443 is listening, selinux is disabled, and have tried
> >>>> it with 8443 enabled in firewall and with firewall off.
> >>>>
> >>>> After receiving the .crt file from GoDaddy: ran the 4
> >>>> keytool -import commands:
> >>>>
> >>>> For the alias=root, I used gdroot-g2.crt(from repository) For
> >>>> the alias=intermed, I used gd_ig2.crt(from GoDaddy) For the
> >>>> alias=cross, I used gdroot-g2_cross.crt(from repository) For
> >>>> the alias= tomcat, I used the <the alphanumeric>.crt(from
> >>>> GoDaddy)
> >>>>
> >>>> I see all the entries when I did the keytool -list
> >
> > Good. Everything above looks good, except that you need to make
> > sure that the certificates you imported were all the correct
> > ones... these days, CAs tend to have a variety of intermediate
> > certificates for various purposes: one for code-signing, one for
> > European certificates and another for American ones, an old one
> > with SHA1-based signature, new ones with SHA2-based signatures,
> > etc.
> >
> > Verifying the accuracy of the certificate chain should be a
> > priority.
> >
> >>>> I made this change in server.xml:
> >>>>
> >>>> <Connector port="8443" maxThreads="200" SSLEnabled="true"
> >>>> scheme="https" secure="true" clientAuth="false"
> >>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> >>>> keystoreFile="path to .keystore file" keystorePass="keystore
> >>>> password" />
> >>>>
> >>>> I then shutdown tomcat; startup tomcat.
> >>>>
> >>>> When I go to the URL in the browser with the port 8443, I
> >>>> get this:
> >>>>
> >>>> Firefox: Cannot communicate securely with peer: no
> >>>> common encryption algorithm(s). (Error code:
> >>>> ssl_error_no_cypher_overlap)
> >>>>
> >>>> Chrome: A secure connection cannot be established because
> >>>> this site uses an unsupported protocol. Error code:
> >>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> >
> > What version of Chrome are you using?
> >
> > Do you have access to an OpenSSL library? Can you run "openssl
> > s_client -connect host:8443 -showcerts -debug" and post
> > the (possibly sanitized) results?
> >
> > You could also grab and compile the source of this tool from the
> > tomcat-dev archives and run it against your server:
> > http://markmail.org/thread/tz4z44nfjl7sy2lj
> >
> > This will tell you what is and is not supported.
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
>
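The chain check Chris asks for above ("Verifying the accuracy of the certificate chain should be a priority"), as an added example that is not part of the thread and not anything the list or GoDaddy ships: a POSIX shell script that builds a constructed root -> intermediate -> leaf chain with openssl, prints each certificate's subject and issuer, confirms that every issuer is the subject of the next certificate, and then runs openssl verify over the chain. It repeats both checks with an intermediate from a different sub-CA under the same root, which is what a wrong intermediate download looks like. It assumes only that openssl is on the PATH; all names (Example Root G2, Example Intermediate G1/G2, tomcat.example.test), file names and the WORK directory are constructed. Against a real deployment you would run chain_links_ok and verify_chain on the root, intermediate and server .crt files received from the CA before importing them into the keystore.

```shell
#!/bin/sh
# Added example, not from the thread: build a constructed root -> intermediate
# -> leaf chain with openssl and check it the way a CA-supplied bundle should be
# checked before its files go into Tomcat's keystore. All names are made up.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Extensions for CA certificates (root and intermediates) and for the server leaf.
write_extfiles() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:tomcat.example.test\n' \
    > "$WORK/leaf.ext"
}

# new_csr NAME CN: fresh EC key plus CSR, written to $WORK/NAME.key and $WORK/NAME.csr
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: issue $WORK/NAME.crt from NAME.csr with ISSUER's key
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$3" -out "$WORK/$1.crt" 2>/dev/null
}

make_chain() {
  write_extfiles
  new_csr root "Example Root G2"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  new_csr int "Example Intermediate G2"       # the intermediate the leaf is issued under
  sign int root ca.ext
  new_csr wrong_int "Example Intermediate G1" # a different intermediate from the same root
  sign wrong_int root ca.ext
  new_csr leaf tomcat.example.test
  sign leaf int leaf.ext
}

# cert_field subject|issuer FILE: the DN in RFC 2253 form without the "subject=" prefix
cert_field() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# chain_links_ok LEAF [INTERMEDIATE...] ROOT: print each subject/issuer and fail on
# the first certificate whose subject is not the previous certificate's issuer.
chain_links_ok() {
  prev_issuer=""
  for cert in "$@"; do
    subj=$(cert_field subject "$cert")
    iss=$(cert_field issuer "$cert")
    printf '%s\n  subject: %s\n  issuer:  %s\n' "$cert" "$subj" "$iss"
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      printf '  BROKEN LINK: expected subject "%s"\n' "$prev_issuer"
      return 1
    fi
    prev_issuer=$iss
  done
  return 0
}

# verify_chain ROOT INTERMEDIATE LEAF: cryptographic path validation, exit 0 on success
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

main() {
  make_chain
  echo "== chain as issued =="
  chain_links_ok "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt"
  verify_chain "$WORK/root.crt" "$WORK/int.crt" "$WORK/leaf.crt"
  echo "== same leaf with the wrong intermediate =="
  chain_links_ok "$WORK/leaf.crt" "$WORK/wrong_int.crt" "$WORK/root.crt" || true
  verify_chain "$WORK/root.crt" "$WORK/wrong_int.crt" "$WORK/leaf.crt" || true
}

main
```

A broken link in chain_links_ok or a non-OK result from verify_chain means the intermediate or root file is not the one the server certificate was actually issued under, and that is worth settling before touching the Connector's protocol and cipher settings, since a keystore assembled from the wrong bundle will not serve a usable chain no matter how sslEnabledProtocols is set.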
