Client TLS 1.2 error for APR

Wed, 13 Jan 2016 10:36:27 -0800 

Hi!

I'm running Tomcat 7.0.65 with APR connector over port 443. I'm experiencing
trouble with users that connect with IE11 over SSL. Connecting and browsing
works fine, but sometimes a white screen with this error pops up. Once they
disable TLS 1.2 everything works fine:

 

This page can't be displayed

Turn on TLS 1.0, TLS1.1 and TLS 1.2 in Advanced settings and try connecting
to https://sub.example.com again. If this error persists, contact your site
administrator.

 

Right now I'm using SHA-2 encryption (we moved from SHA-1) with A+ rating on
SSLLabs, without any error's.

 

Server.xml configuration. Ciphers following latest intermediate from Mozilla
openssl config:

 

<Connector port="443"

protocol="org.apache.coyote.http11.Http11AprProtocol"

connectionTimeout="6000"

maxThreads="500"

maxKeepAliveRequests="-1"

acceptCount="200"

SSLEnabled="true"

scheme="https"

secure="true"

clientAuth="false"

enableLookups="false"

SSLCertificateFile="C:\server\ssl\server.crt"

SSLCertificateKeyFile="C: \server\ssl\private.key"

SSLCACertificateFile="C: \server\ssl\intermediate.crt"

SSLPassword="passw"

SSLProtocol="all -SSLv2-SSLv3"

SSLHonorCipherOrder="true"
SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:EC
DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-S
HA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-EC
DSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES2
56-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-
SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-A
ES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-
GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DE
S-CBC3-SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC
_SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:
!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE:!EDH"

/>

 

Does anyone have a pointer about what could be wrong with this
configuration?

 

Kind regards,

 

Harrie

Reply via email to