Hi Mark, Sanaullah,

Thank you for your valuable suggestion.
I just ran the openssl s_client scan, and it looks like the server side is running fine on *TLSv1.2* Protocol.

[root]## *openssl s_client -connect 16.183.93.84:8444*
CONNECTED(00000003)
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
d/A4
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN= IWFVM01284.hpswlabs.adapps.hp.com
issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN= IWFVM01284.hpswlabs.adapps.hp.com
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : *TLSv1.2*
    Cipher : 0000
    Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438771286
    Timeout : 300 (sec)
    Verify return code: 18 (self signed certificate)

So could it be an issue with the browser?
Since the browser is not FIPS compliant, could it be the reason for the issue?

Regards,
Nikitha

On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah <sanaulla...@gmail.com> wrote:

> Hi Nikhita,
>
> run the sslscan tool from the command line or openssl s_client in debug mode
> https://github.com/rbsec/sslscan
>
> Regards,
> Sanaullah
>
> On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny <nikki.be...@gmail.com> wrote:
>
> > Hi Mark,
> >
> > My server is not on a public domain.
> > How can I verify the setup which is on a private network?
> >
> > Regards,
> > Nikitha
> >
> > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > Hi Mark,
> > > >
> > > > When I try to run Tomcat on the https server port:
> > > >
> > > > *https://<ip address>:8444/*
> > > >
> > > > It says as below:
> > > > ----------
> > > >
> > > > *SSL connection error*
> > > >
> > > > *ERR_SSL_PROTOCOL_ERROR*
> > > >
> > > > *Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have*
> > > > *------------*
> > >
> > > That is the client side. What about server side logs?
> > >
> > > > We have set the client authentication to False, so it does not need any client authorized certificate.
> > >
> > > I recommend you run https://www.ssllabs.com/ssltest/ against your server. That will tell you if you have a server side issue, a client side issue or simply a mismatch between the two.
> > >
> > > Mark
> > >
> > > > Regards,
> > > > Nikitha
> > > >
> > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <nikki.be...@gmail.com> wrote:
> > > >
> > > >>> But still Tomcat does not run on the https port.
> > > >>
> > > >> As in, when we run Tomcat on the https server port it does not display the page.
> > > >> Whereas it goes through fine on the http port. The URL opens.
> > > >>
> > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas <ma...@apache.org> wrote:
> > > >>
> > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > >>>> Hello Mark,
> > > >>>>
> > > >>>> Thanks for your valuable suggestion.
> > > >>>>
> > > >>>> We were successful in creating the pkcs12 keystore which picks up SHA256 as shown below:
> > > >>>
> > > >>> <snip/>
> > > >>>
> > > >>>> But still Tomcat does not run on the https port.
> > > >>>
> > > >>> Define "does not run".
> > > >>>
> > > >>>> Any clue as to why this happens?
> > > >>>
> > > >>> Based on the information provided so far, no.
> > > >>>
> > > >>>> The protocol I am using is *"org.apache.coyote.http11.Http11Protocol".*
> > > >>>
> > > >>> OK. That is the HTTP BIO connector.
> > > >>>
> > > >>>> Could it be because I am not using an APR connector protocol?
> > > >>>
> > > >>> No.
> > > >>>
> > > >>> Mark
> > > >>>
> > > >>> ---------------------------------------------------------------------
> > > >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > >>> For additional commands, e-mail: users-h...@tomcat.apache.org
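
Added example, not part of the original thread: a shell helper that reads `openssl s_client` output such as the one pasted in the message above and reports whether a cipher suite was actually negotiated. In that output, `New, (NONE), Cipher is (NONE)` and `Cipher : 0000` mean the handshake did not complete, whatever the `Protocol` line shows. The names `check_s_client`, `sample_from_thread` and `sample_ok` are hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read from stdin.
# check_s_client, sample_from_thread and sample_ok are hypothetical names.
# Prints "handshake-ok <protocol> <cipher>" or "handshake-failed <reason>".
check_s_client() {
    awk '
        /^New, .*Cipher is / { new_cipher = $NF }     # cipher name or "(NONE)"
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/ { sess_cipher = $NF }  # "0000" = nothing negotiated
        END {
            if (new_cipher == "" && sess_cipher == "")
                print "handshake-failed no-session-block"
            else if (new_cipher == "(NONE)" || sess_cipher == "0000")
                print "handshake-failed no-cipher-negotiated"
            else
                print "handshake-ok " proto " " sess_cipher
        }'
}

# Trimmed from the output pasted in the message above (mail bold markers removed).
sample_from_thread() {
cat <<'EOF'
CONNECTED(00000003)
SSL handshake has read 1476 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 18 (self signed certificate)
EOF
}

# Constructed sample of a completed handshake, for comparison.
sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
EOF
}

sample_from_thread | check_s_client
sample_ok | check_s_client
```

Against a live server the same function can be fed directly, for example `openssl s_client -connect host:port </dev/null 2>&1 | check_s_client`, where `host:port` is a placeholder.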