Hi Eric,

> Dear all,
>
> I need to implement secure connection within tomcat. That's why I need to
> implement certificate on tomcat.
> I've made a CSR in order for my company to provide me certificates and CA.
> I've implemented the configuration in TOMCAT to activate https to use my
> keystore.
> But now when I connect to TOMCAT my browser warns me like that
>
> This Page can't be displayed : Turn on TLS 1.0,TLS 1.1 and TLS1.2 in advanced
> settings...
> It is possible that this site uses an unsupported protocol or cipher suite
> such as RC4.
>
> Here is my connector configuration:
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
> keystoreFile="/local/home/root_168563/.keystore"
> keystorePass="changeit"
> clientAuth="false" />
>
> Thanks in advance.
>

Your connector settings may be incomplete.
Do you see anything on the console or catalina.out? It should show an exception when the Connector fails to initialize.

<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"   <-- OK Nio2 in your case
    server="Apache Tomcat"
    SSLEnabled="true"
    allowTrace="false"
    maxThreads="150"
    scheme="https"
    secure="true"
    useServerCipherSuitesOrder="true"   <<-- important
    clientAuth="false"
    sslEnabledProtocols="TLSv1.0, TLSv1.1, TLSv1.2"   <<-- you should leave TLSv1.0 out if possible
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"   <<-- Ciphers are based on Hynek Schlawack's suggestions https://hynek.me
    useBodyEncodingForURI="true"
    keystoreFile="/local/home/root_168563/.keystore"
    keystorePass="changeit"
    keyAlias="<your alias>" />

Did you check that the cert is in the keystore, with the expected alias? Is it the private key?

Then your possible protocols and ciphers depend heavily on your Java version. Which version do you use?

Please provide more info and I will gladly help.

Best regards

Peter
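
The checks the reply asks about (is the alias in the keystore, is there a private key behind it, which protocols and ciphers the running Java version offers), as an added example that is not part of the original thread. The class name KeystoreTlsCheck and its three command-line arguments are assumptions; run it with the same JVM that runs Tomcat.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example. Usage: java KeystoreTlsCheck <keystoreFile> <keystorePass> <keyAlias>
public class KeystoreTlsCheck {
    // A few suites copied from the ciphers attribute in the reply above.
    static final String[] WANTED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreTlsCheck <keystoreFile> <keystorePass> <keyAlias>");
            System.exit(2);
        }
        // Assumption: the file is in the JVM's default keystore type.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // 1. List every alias and whether it carries a key or only a certificate.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.printf("alias=%s %s%n", alias,
                ks.isKeyEntry(alias) ? "key entry" : "certificate-only entry");
        }
        // 2. The alias the Connector will use must be a key entry with a chain.
        Certificate[] chain = ks.isKeyEntry(args[2]) ? ks.getCertificateChain(args[2]) : null;
        if (chain == null || chain.length == 0) {
            System.out.println("FAIL: alias '" + args[2] + "' has no key with a certificate chain");
        } else if (chain[0] instanceof X509Certificate) {
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.printf("OK: chain length=%d subject=%s issuer=%s notAfter=%s%n", chain.length,
                leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal(), leaf.getNotAfter());
        }
        // 3. Protocols and cipher suites this Java version can offer at all.
        SSLParameters p = SSLContext.getDefault().getSupportedSSLParameters();
        System.out.println("protocols: " + Arrays.toString(p.getProtocols()));
        List<String> supported = Arrays.asList(p.getCipherSuites());
        for (String suite : WANTED) {
            System.out.println((supported.contains(suite) ? "supported   " : "unsupported ") + suite);
        }
    }
}
```

A chain of length 1 whose subject equals its issuer means the entry still holds a self-signed certificate rather than the one issued from the CSR.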