Thank you (and the others who responded). I was tearing my hair out trying
to fix this. Some background (if anyone cares):
I have a small private site protected by SSL, which has run fine for 2 years
with no maintenance at all. A couple of months ago, after a Chrome update,
it became inaccessible using Chrome. I switched to Firefox to access it.
Last Friday, it became inaccessible using Firefox. The browser error
messages indicated that my site's encryption was no longer acceptable:
Chrome said: "A secure connection cannot be established because this site
uses an unsupported protocol. Error code:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Firefox said: "Cannot communicate securely with peer: no common encryption
algorithm(s). (Error code: ssl_error_no_cypher_overlap)"
Naturally, this pointed me in the direction of trying to change the cipher
settings of my site. SSL/TLS cipher settings and the whole SSL scheme are,
shall we say, not clearly documented for someone who administers Tomcat once
every two years. After a weekend of ripping out clumps of my hair and
swearing at my computer, nothing had worked. In desperation, before
upgrading Java and Tomcat, I tried regenerating my self-signed certificate
with new settings (SHA256 instead of SHA1) and that seems to have solved the
problem. Moral of the story: Take browser error messages with a large
grain of salt.
Thanks again.
-----Original Message-----
From: Terence M. Bandoian
Sent: Monday, April 06, 2015 12:21 PM
To: Tomcat Users List
Subject: Re: Need configuration example for Tomcat 7.0.55 TLS configuration
On 4/6/2015 2:11 AM, Ognjen Blagojevic wrote:
Tom,
On 5.4.2015 3:06, Tom Williamson wrote:
I would like to know if anyone has a working example of getting TLS 1.2
working on Tomcat 7.0.55, so that it can be accessed by the latest
version of Chrome and Firefox.
Which version of Java do you use? Make sure it is Java 7 or 8, and if you
haven't already upgraded, then upgrade to the latest released version.
Could you clarify whether you need TLSv1.2 only, or TLSv1.2 among other TLS
versions (v1 and v1.1)?
<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/path/mykeystore"
keystorePass="password"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLS" />
By specifying protocol="HTTP/1.1" you are using connector auto-detection.
Depending on the existence of the Tomcat native DLL, Tomcat will automatically
select between the APR connector and the JSSE connector. Those two connectors
have completely different sets of options. The options you are using
(keystoreFile, keystorePass) clearly indicate you wish to use the JSSE
connector. Therefore, to rule out present and future auto-detection
problems, I would recommend that you explicitly specify the connector you wish
to use. E.g. for the JSSE BIO connector that would be:
protocol="org.apache.coyote.http11.Http11Protocol"
Next, sslEnabledProtocols should specify exact TLS versions, so if you
need only TLSv1.2 use:
sslEnabledProtocols="TLSv1.2"
and if you need e.g. all three versions, then omit attribute
sslEnabledProtocols, or use:
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
So far based on the Tomcat 7.0 docs, I have tried the following
configuration changes:
sslEnabledProtocols="TLS"
sslEnabledProtocols="TLSv1"
sslEnabledProtocols="TLSv1.1"
sslEnabledProtocols="TLSv1.2"
sslEnabledProtocols="TLSv1.1,TLSv1.2"
Except for the first one, all other examples should be working.
With most of these, I don't get any error in the console (I have logging
set to ALL), but I also have not been able to get either Chrome or
Firefox to connect.
I have also tried various combinations of "sslProtocols=" and "cipher=",
also with no luck.
Can anyone post a sample <connector> configuration that works?
Try this:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false"
keystoreFile="/path/mykeystore"
keystorePass="password"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2" />
BTW, the attribute name is "ciphers", not "cipher".
-Ognjen
Nicely done!
-Terence Bandoian
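The browser errors quoted at the top of this thread (ERR_SSL_VERSION_OR_CIPHER_MISMATCH, ssl_error_no_cypher_overlap) and Ognjen's sslEnabledProtocols advice are really about two different failures: the server refusing the protocol version, or accepting the version and then finding no usable cipher suite/certificate. The following is an added example, not code from this thread or from Tomcat: a standard-library Python probe that attempts a handshake pinned to each TLS version in turn and translates the OpenSSL failure reason into plain words, so you can tell those two cases apart before editing server.xml. The host "localhost" and port 8443 in the main block are assumed placeholders for the connector under test, and certificate verification is switched off on purpose because, as in the thread, the site uses a self-signed certificate.

```python
"""Probe which TLS versions a server negotiates and explain each failure.

Added example for the Tomcat thread above; not code from the thread or from
Tomcat. Host/port in __main__ are assumed placeholders.
"""
import socket
import ssl

# Candidate versions, oldest first. TLSv1/TLSv1.1 may be disabled in the local
# OpenSSL; the probe reports that as a client-side refusal instead of crashing.
CANDIDATES = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]


def make_probe_context(version):
    """Client context pinned to exactly one protocol version.

    Verification is disabled because we are probing protocol/cipher support
    against a self-signed certificate, not establishing trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def classify_failure(reason):
    """Map an OpenSSL reason code (SSLError.reason) to what it means for the
    server operator. Reason codes look like 'UNSUPPORTED_PROTOCOL' or
    'SSLV3_ALERT_HANDSHAKE_FAILURE'; normalise underscores before matching."""
    r = (reason or "").lower().replace("_", " ")
    if "wrong version number" in r:
        return "not a TLS endpoint: something else (plaintext?) answered on that port"
    if "unsupported protocol" in r or "protocol version" in r:
        return "server does not offer this protocol version"
    if "handshake failure" in r or "no shared cipher" in r:
        return "version accepted but no common cipher suite / unusable certificate"
    if "no protocols available" in r:
        return "client refused: version disabled in local OpenSSL"
    return "other failure: " + (reason or "unknown")


def probe(host, port, timeout=5.0):
    """Return {version_name: verdict} for every candidate version."""
    results = {}
    for name, version in CANDIDATES:
        try:
            ctx = make_probe_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    # cipher() -> (suite name, protocol, secret bits)
                    results[name] = "OK: " + tls.cipher()[0]
        except ssl.SSLError as exc:
            results[name] = classify_failure(exc.reason)
        except (OSError, ValueError) as exc:
            # refused connection, timeout, or a version the local build rejects
            results[name] = "other failure: " + str(exc)
    return results


if __name__ == "__main__":
    # Assumed placeholder target: the Tomcat HTTPS connector being configured.
    for name, verdict in probe("localhost", 8443).items():
        print(f"{name:8} {verdict}")
```

Read the output per version: "server does not offer this protocol version" on TLSv1.2 means the connector's sslEnabledProtocols (or the JVM underneath it) is the problem; "version accepted but no common cipher suite / unusable certificate" on a version the server should support means the protocol setting is fine and the cipher list or the keystore certificate is what the browser is objecting to, which is the distinction the browser messages in this thread blur together.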
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org