On 2/6/15 2:44 PM, nicksemai...@juno.com wrote:
> I have a SHA2 certificate for a RHEL 6 server using tomcat 7.0.57.

That's an x509 certificate for SSL/TLS, using a SHA2-based signature
algorithm, right?

Yes, it is a SHA-2 algorithm from GoDaddy.

> Port 8443 is listening, selinux is disabled, and have tried it
> with 8443 enabled in firewall and with firewall off.
> 
> After receiving the .crt file from GoDaddy: ran the 4 keytool
> -import commands:
> 
> For the alias=root, I used gdroot-g2.crt(from repository) For the
> alias=intermed, I used gd_ig2.crt(from GoDaddy) For the
> alias=cross, I used gdroot-g2_cross.crt(from repository) For the
> alias= tomcat, I used the <the alphanumeric>.crt(from GoDaddy)
> 
> I see all the entries when I did the keytool -list

Good. Everything above looks good, except that you need to make sure
that the certificates you imported were all the correct ones... these
days, CAs tend to have a variety of intermediate certificates for
various purposes: one for code-signing, one for European certificates
and another for American ones, an old one with SHA1-based signature,
new ones with SHA2-based signatures, etc.

Verifying the accuracy of the certificate chain should be a priority. Checked
the files from the repository and checked with support that gdroot-g2.crt,
gdig2.crt, gdroot-g2_cross.crt, and the alphanumeric.crt are accurate.

> I made this change in server.xml:
> 
> <Connector port="8443" maxThreads="200" SSLEnabled="true"
> scheme="https" secure="true" clientAuth="false"
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="path to
> .keystore file" keystorePass="keystore password" />
> 
> I then shutdown tomcat; startup tomcat.
> 
> When I go to the URL in the browser with the port 8443, I get this:
> 
> Firefox: Cannot communicate securely with peer: no common
> encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
> 
> Chrome: A secure connection cannot be established because this
> site uses an unsupported protocol. Error code:
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What version of Chrome are you using?

Firefox 33.1
Chrome Version 40.0.2214.111 m

I upgraded to Firefox 35 and got this when I put in the 8443 URL: Firefox
cannot guarantee the safety of your data on <URL> because it uses SSLv3, a
broken security protocol.
Advanced info: ssl_error_no_cypher_overlap

Do you have access to an OpenSSL library? Can you run "openssl -debug
-showcerts s_client -connect https://host:8443/" and post the
(possibly sanitized) results?

When I ran this: #openssl s_client -connect <my url>:8443 (-debug and
-showcerts were giving me invalid commands) I received:

CONNECTED(00000003)
error14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Thanks, Nick 

You could also grab and compile the source of this tool from the
tomcat-dev archives and run it against your server:
http://markmail.org/thread/tz4z44nfjl7sy2lj

This will tell you what is and is not supported.

-chris
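The thread does not settle what caused the handshake failure. As an added diagnostic (my own helpers, not from the thread or from Tomcat; they assume keytool and openssl are on PATH, that the keystore is the .keystore file named in the connector, and that the serving alias is "tomcat" as in the import steps), these shell functions check the two things the questions above point at: whether the alias Tomcat serves from actually holds a private key, since a certificate brought in with keytool -import into a fresh alias is only a trustedCertEntry and gives the connector nothing to handshake with, and which of the protocol versions listed in sslEnabledProtocols the port completes a handshake for.

```shell
#!/bin/sh
# Added diagnostic helpers for the "no cipher overlap" symptom; not from the
# thread. Assumes keytool and openssl on PATH (only probe_protocols needs them).

# keystore_entry_type LISTING ALIAS
# Parses `keytool -list -keystore .keystore` output and prints the entry type
# recorded for ALIAS: PrivateKeyEntry, trustedCertEntry, unknown, or missing.
keystore_entry_type() {
  printf '%s\n' "$1" | awk -v a="$2" '
    index($0, ",") && substr($0, 1, index($0, ",") - 1) == a {
      if ($0 ~ /PrivateKeyEntry/)       print "PrivateKeyEntry"
      else if ($0 ~ /trustedCertEntry/) print "trustedCertEntry"
      else                              print "unknown"
      found = 1
    }
    END { if (!found) print "missing" }'
}

# check_key_alias LISTING ALIAS
# Returns 0 when ALIAS holds a private key (what the connector serves with),
# 1 otherwise: a bare -import into a new alias stores the certificate only.
check_key_alias() {
  t=$(keystore_entry_type "$1" "$2")
  case "$t" in
    PrivateKeyEntry) echo "alias '$2': private key present"; return 0 ;;
    *) echo "alias '$2': $t (no private key; generate the key pair under this alias first)"; return 1 ;;
  esac
}

# classify_s_client OUTPUT
# Summarises `openssl s_client` output: "handshake-failure" when the server
# aborts before sending a certificate, "ok" when a cipher was negotiated.
classify_s_client() {
  case "$1" in
    *"alert handshake failure"*|*"no peer certificate available"*) echo "handshake-failure" ;;
    *"Cipher is (NONE)"*) echo "no-cipher" ;;
    *) echo "ok" ;;
  esac
}

# probe_protocols HOST PORT: try each version the connector lists and report
# which ones the server completes (options must follow the s_client subcommand).
probe_protocols() {
  for p in -ssl3 -tls1 -tls1_1 -tls1_2; do
    out=$(openssl s_client -connect "$1:$2" "$p" </dev/null 2>&1)
    echo "$p: $(classify_s_client "$out")"
  done
}

# Constructed sample listing (not a real keystore) to show the check offline.
SAMPLE_LISTING='tomcat, Feb 6, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33'
keystore_entry_type "$SAMPLE_LISTING" tomcat
```

Note that openssl options go after the subcommand, which is why the order quoted above was rejected; the working form of the requested command is: openssl s_client -connect host:8443 -showcerts -debug.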
