-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, July 11, 2017 1:58 PM
To: users@tomcat.apache.org
Subject: Re: Errors establishing secure connections with tomcat 8.5.15

Kevin,

On 7/7/17 12:40 PM, Kevin Mango wrote:
> I was able to resolve this by using "-Dcom.sun.net.ssl.enableECC=false"
> when starting tomcat to disable the use of Elliptic Curves, the only
> issue now is that Google Chrome is having issues finding a common cipher
> suite to use, giving the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Your configuration does not include any specification for cipher suites:

>>> Here is the connector in our server.xml file:
>>>
>>> <Connector port="8443"
>>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>            maxThreads="200" scheme="https" secure="true"
>>>            SSLEnabled="true" defaultSSLHostConfigName="<hostname>">
>>>   <SSLHostConfig hostname="<hostname>" protocols="TLSv1.2"
>>>                  sslProtocol="TLSv1.2">
>>>     <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
>>>                  certificateKeystorePassword="<password>"
>>>                  certificateKeystoreType="PKCS12" type="RSA"/>
>>>   </SSLHostConfig>
>>> </Connector>

So it would be unusual for a client and server not to be able to agree on
a cipher suite. Are you adjusting the available cipher suites any other
way (e.g. system property that affects JSSE, edits to
$JAVA_HOME/jre/security/*.policy, etc.)?

What kind of certificate are you using? Is it an ECC certificate (rather
than the more common RSA certificates)?
-chris

---------------------------------------------------------------------

Hi Chris,

I'm not adjusting the cipher suites in any way. My *.policy files are the
default ones that came with the JDK installation, same with the .security
file. The only thing I changed in that directory was adding the Unlimited
Strength policy JARs.

As for the certificates, we are using self-signed RSA certificates. On our
older machines that are running Tomcat 7 and JDK 7, these certificates work
fine for our purposes and are still working. In these cases the handshake
uses the cipher ECDHE-RSA-AES128-GCM-SHA256. But with Tomcat 8.5.15 and
JDK 8 we have been getting errors with unsupported elliptic curve, even
when it uses the same or similar cipher suites.

Additionally I have tried debugging this with OpenSSL, but when trying to
connect it gives an error message
"SSL routines:tls_process_ske_ecdhe:wrong curve:ssl\statem\statem_clnt.c:2057:".
Even when specifying curves and cipher suites into the OpenSSL client
connection, I continue to get this error.

The only thing that has come close to working for us is by using
"-Dcom.sun.net.ssl.enableECC=false" when starting Tomcat to disable all EC
ciphers, but Google Chrome won't accept the connection due to being unable
to find a common cipher suite.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
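Chris's question is really "what is the JVM's JSSE provider offering?", and Kevin's workaround removes the whole ECDHE family rather than the one curve the client objects to. The small diagnostic below is an added example, not code from this thread, from Tomcat, or from the JDK: it prints the three knobs Chris asked about (the `com.sun.net.ssl.enableECC` system property, the `jdk.tls.namedGroups` system property where the JDK honours it, and the `jdk.tls.disabledAlgorithms` entry from `java.security`) and then lists the TLSv1.2 cipher suites by key-exchange family, so the effect of a start-up flag or a `java.security` edit can be seen without Chrome or OpenSSL in the loop. The class name and the family prefixes are my own choices; the suite it singles out is JSSE's spelling of the OpenSSL name ECDHE-RSA-AES128-GCM-SHA256 that Kevin reports working on the Tomcat 7 hosts.

```java
import javax.net.ssl.SSLContext;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

/*
 * Added diagnostic (not Tomcat code, not from the thread). Run it twice on the
 * Tomcat host's JDK and diff the output:
 *   java JsseCipherSuiteReport
 *   java -Dcom.sun.net.ssl.enableECC=false JsseCipherSuiteReport
 */
public class JsseCipherSuiteReport {

    /* JSSE name of the suite the thread reports working: ECDHE-RSA-AES128-GCM-SHA256. */
    static final String SUITE_FROM_THREAD = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    /* Key-exchange families to report on (my grouping, by JSSE suite-name prefix). */
    static final String[] FAMILIES = {"TLS_ECDHE_RSA", "TLS_ECDHE_ECDSA", "TLS_DHE_RSA", "TLS_RSA"};

    /* Suites in 'suites' whose name starts with 'prefix'. */
    static List<String> suitesWithPrefix(String[] suites, String prefix) {
        return Arrays.stream(suites)
                     .filter(s -> s.startsWith(prefix))
                     .collect(Collectors.toList());
    }

    /* True if 'suite' is enabled by default in this context (not just supported). */
    static boolean isEnabled(SSLContext ctx, String suite) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()).contains(suite);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);   // default key/trust managers are enough for a listing

        // The knobs Chris asked about: JSSE system properties and the java.security file.
        System.out.println("com.sun.net.ssl.enableECC  = "
                + System.getProperty("com.sun.net.ssl.enableECC", "(unset: EC suites allowed)"));
        System.out.println("jdk.tls.namedGroups        = "
                + System.getProperty("jdk.tls.namedGroups", "(unset: provider default curves)"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println();

        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled   = ctx.getDefaultSSLParameters().getCipherSuites();

        // Per family: how many suites the provider knows versus how many are on by default.
        for (String family : FAMILIES) {
            List<String> sup = suitesWithPrefix(supported, family);
            List<String> en  = suitesWithPrefix(enabled, family);
            System.out.printf("%-16s supported=%2d enabled=%2d%n", family, sup.size(), en.size());
            for (String s : en) {
                System.out.println("    " + s);
            }
        }
        System.out.println();

        // With enableECC=false the TLS_ECDHE_* families drop out of the listing entirely,
        // leaving only DHE and static-RSA key exchange for the browser to choose from.
        System.out.println(SUITE_FROM_THREAD + " enabled: " + isEnabled(ctx, SUITE_FROM_THREAD));
    }
}
```

Reading the two runs side by side shows whether the ECDHE suites are present at all and whether `jdk.tls.disabledAlgorithms` has been touched, which narrows the problem to curve selection rather than cipher-suite selection: a server that still advertises TLS_ECDHE_RSA suites but has no curve in common with the client produces exactly the "wrong curve" symptom Kevin sees from the OpenSSL client, whereas disabling ECC outright trades that error for Chrome's cipher mismatch.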